Ability to close alerts, better descriptions, bug fixes

core/redis.py

@@ -123,6 +123,12 @@ def get_vuln_data(self):
           logger.error('Error retrieving key')
 
     return kv
+
+  def get_vuln_by_id(self, alert_id):
+    vuln = self.r.get(alert_id)
+    if vuln:
+      return pickle.loads(vuln)
+    return None
 
   def get_inventory_data(self):
     kv = {}

main.py

@@ -26,6 +26,7 @@
 from views.view_settings   import settings
 from views.view_scan       import scan
 from views.view_vulns      import vulns
+from views.view_alert      import alert
 from views.view_startover  import startover
 
 # Import REST API Endpoints
@@ -52,6 +53,7 @@
 app.register_blueprint(vulns)
 app.register_blueprint(settings)
 app.register_blueprint(scan)
+app.register_blueprint(alert)
 app.register_blueprint(startover)
 
 app.config.update(

rules/bruteforce/rule_basicauth-bf.py

@@ -12,11 +12,11 @@ class Rule:
   def __init__(self):
     self.rule = 'BRF_42FE'
     self.rule_severity = 4
-    self.rule_description = 'Checks if Basic Authentication is using weak credentials'
+    self.rule_description = 'This rule checks if a Web Server is configured with Basic Authentication using weak credentials'
     self.rule_confirm = 'Basic Authentication with Weak Credentials'
     self.rule_details = ''
     self.rule_mitigation = '''Basic Authentication is configured on the remote server with weak credentials.
-Change to a stronger password or alternatively use Single Sign On solution, such as Google.'''
+Change to a stronger password or alternatively use a Single Sign On solution.'''
     self.rule_doc_roots = COMMON_LOGIN_PATHS
     self.intensity = 3
 
@@ -46,9 +46,8 @@ def check_rule(self, ip, port, values, conf):
             for password in passwords:
               auth_attempt = requests.get(resp.url, auth = HTTPBasicAuth(username, password))
               if auth_attempt is not None and auth_attempt.status_code == 200:
-
-                self.rule_details = 'Credentials are set to {}:{} at {}'.format(username, password, uri)
-                js_data = {
+                self.rule_details = 'Basic Authentication Credentials are set to {}:{} at {}'.format(username, password, uri)
+                rds.store_vuln({
                 'ip':ip,
                 'port':port,
                 'domain':domain,
@@ -58,8 +57,6 @@ def check_rule(self, ip, port, values, conf):
                 'rule_confirm':self.rule_confirm,
                 'rule_details':self.rule_details,
                 'rule_mitigation':self.rule_mitigation
-                }
-
-                rds.store_vuln(js_data)
+                })
 
     return

rules/bruteforce/rule_ftp-bf.py

@@ -10,11 +10,11 @@ class Rule:
   def __init__(self):
     self.rule = 'BRF_AZZ0'
     self.rule_severity = 4
-    self.rule_description = 'Checks if FTP is configured with weak credentials'
+    self.rule_description = 'This rule checks if an FTP server is configured to accept remote connections using weak credentials'
     self.rule_confirm = 'Remote Server with weak FTP credentials'
     self.rule_details = ''
-    self.rule_mitigation = '''FTP Server Allows connections with a weak password. 
-FTP must not be listening on an external interface, and if required, it must allow only specific source IP addresses, in addition to a strong password authentication.'''
+    self.rule_mitigation = '''FTP Server allows remote connections be accepted using a weak password. 
+FTP should not be listening on an external interface. If required, it is recommended to allow only specific source IP addresses, in addition to a strong password authentication.'''
     self.intensity = 3
 
   def ftp_attack(self, ip, username, password):
@@ -51,8 +51,8 @@ def check_rule(self, ip, port, values, conf):
     for username in usernames:
       for password in passwords:
         if self.ftp_attack(ip, username, password):
-          self.rule_details = 'Credentials are set to: {}:{}'.format(username, password)
-          js_data = {
+          self.rule_details = 'FTP Server Credentials are set to: {}:{}'.format(username, password)
+          rds.store_vuln({
             'ip':ip,
             'port':port,
             'domain':domain,
@@ -62,8 +62,7 @@ def check_rule(self, ip, port, values, conf):
             'rule_confirm':self.rule_confirm,
             'rule_details':self.rule_details,
             'rule_mitigation':self.rule_mitigation
-          }
-          rds.store_vuln(js_data)
+          })
 
     return
 

rules/bruteforce/rule_mongodb-bf.py

@@ -10,11 +10,13 @@ class Rule:
   def __init__(self):
     self.rule = 'BRF_H7J5'
     self.rule_severity = 4
-    self.rule_description = 'Checks if MongoDB is configured with weak credentials'
+    self.rule_description = 'This rule checks if MongoDB server is configured to accept remote connections using weak credentials'
     self.rule_confirm = 'Remote Server with weak MongoDB credentials'
     self.rule_details = ''
-    self.rule_mitigation = '''MongoDB Server Allows connections with a weak password. 
-MongoDB must not be listening on an external interface, and if required, it must allow only specific source IP addresses, in addition to a strong password authentication.'''
+    self.rule_mitigation = '''MongoDB Server allows cremote onnections with a weak password. 
+MongoDB must not be listening on an external interface, and if required, it must allow only specific source IP addresses, in addition to a strong password authentication.
+Refer to the MongoDB hardening guide for more information: https://docs.mongodb.com/manual/administration/security-checklist/
+'''
     self.intensity = 3
 
   def mongodb_attack(self, ip, port, username, password):
@@ -55,7 +57,7 @@ def check_rule(self, ip, port, values, conf):
 
     # Check if MongoDB is configured with or without authentication
     if self.mongodb_attack(ip, port, None, None):
-      js_data = {
+      rds.store_vuln({
         'ip': ip,
         'port': port,
         'domain': domain,
@@ -65,8 +67,7 @@ def check_rule(self, ip, port, values, conf):
         'rule_confirm': 'Remote server with no authentication on MongoDB',
         'rule_details': 'MongoDB is configured with no authentication',
         'rule_mitigation': self.rule_mitigation
-      }
-      rds.store_vuln(js_data)
+      })
       return
 
     if not c.get_cfg_allow_bf():

rules/bruteforce/rule_mysql-bf.py

@@ -10,11 +10,12 @@ class Rule:
   def __init__(self):
     self.rule = 'BRF_4F74'
     self.rule_severity = 4
-    self.rule_description = 'Checks if MySQL is configured with weak credentials'
+    self.rule_description = 'This rule checks if MySQL is configured to accept remote connections using weak credentials'
     self.rule_confirm = 'Remote Server with weak MySQL credentials'
     self.rule_details = ''
     self.rule_mitigation = '''MySQL Allows connections with a weak password. 
-MySQL must not be listening on an external interface, and if required, it must allow only specific source IP addresses, in addition to a strong password authentication.'''
+MySQL must not be listening on an external interface, and if required, it must allow only specific source IP addresses, in addition to a strong password authentication.
+Refer to the MySQL Hardening Guideline for more information: https://dev.mysql.com/doc/refman/8.0/en/security-guidelines.html'''
     self.intensity = 3
 
   def mysql_attack(self, ip, username, password):
@@ -48,8 +49,8 @@ def check_rule(self, ip, port, values, conf):
     for username in usernames:
       for password in passwords:
         if self.mysql_attack(ip, username, password):
-          self.rule_details = 'Credentials are set to: {}'.format(result)
-          js_data = {
+          self.rule_details = 'MySQL Credentials are set to: {}:{}'.format(username, password)
+          rds.store_vuln({
             'ip':ip,
             'port':port,
             'domain':domain,
@@ -59,8 +60,7 @@ def check_rule(self, ip, port, values, conf):
             'rule_confirm':self.rule_confirm,
             'rule_details':self.rule_details,
             'rule_mitigation':self.rule_mitigation
-          }
-          rds.store_vuln(js_data)
+          })
 
     return
 

rules/bruteforce/rule_psql-bf.py

@@ -9,11 +9,12 @@ class Rule:
   def __init__(self):
     self.rule = 'BRF_DC78'
     self.rule_severity = 4
-    self.rule_description = 'Checks if PostgreSQL is configured with weak credentials'
+    self.rule_description = 'This rule checks if PostgreSQL is configured to accept remote connections using weak credentials'
     self.rule_confirm = 'Remote Server with weak PostgreSQL credentials'
     self.rule_details = ''
     self.rule_mitigation = '''PostgreSQL Allows connections with a weak password. 
-PostgreSQL must not be listening on an external interface, and if required, it must allow only specific source IP addresses, in addition to a strong password authentication.'''
+PostgreSQL must not be listening on an external interface, and if required, it must allow only specific source IP addresses, in addition to a strong password authentication.
+Refer to the PostgreSQL Hardening Guideline for more information: https://www.postgresql.org/docs/7.0/security.htm'''
     self.intensity = 3
 
   def psql_attack(self, ip, username, password):
@@ -48,8 +49,8 @@ def check_rule(self, ip, port, values, conf):
     for username in usernames:
       for password in passwords:
         if self.psql_attack(ip, username, password):
-          self.rule_details = 'Credentials are set to {}:{}'.format(username, password)
-          js_data = {
+          self.rule_details = 'PostgreSQL Credentials are set to {}:{}'.format(username, password)
+          rds.store_vuln({
             'ip': ip,
             'port': port,
             'domain': domain,
@@ -59,8 +60,7 @@ def check_rule(self, ip, port, values, conf):
             'rule_confirm': self.rule_confirm,
             'rule_details': self.rule_details,
             'rule_mitigation': self.rule_mitigation
-          }
-          rds.store_vuln(js_data)
+          })
           return
 
     return

rules/bruteforce/rule_redis-bf.py

@@ -9,11 +9,12 @@ class Rule:
   def __init__(self):
     self.rule = 'BRF_DD00'
     self.rule_severity = 4
-    self.rule_description = 'Checks if Redis is configured with weak credentials'
+    self.rule_description = 'This rule checks if Redis is configured to accept remote connections using weak credentials'
     self.rule_confirm = 'Remote Server with weak Redis credentials'
     self.rule_details = ''
     self.rule_mitigation = '''Redis Server Allows connections with a weak password. 
-Redis must not be listening on an external interface, and if required, it must allow only specific source IP addresses, in addition to a strong password authentication.'''
+Redis must not be listening on an external interface, and if required, it must allow only specific source IP addresses, in addition to a strong password authentication.
+Refer to the Redis Hardening Guidelines for more information: https://redis.io/topics/security'''
     self.intensity = 3
 
   def redis_attack(self, ip, port, password):
@@ -58,7 +59,7 @@ def check_rule(self, ip, port, values, conf):
         for password in passwords:  
           if self.redis_attack(ip, port, password):
             self.rule_details = 'Redis Credentials are set to: {}'.format(password)
-            js_data = {
+            rds.store_vuln({
               'ip':ip,
               'port':port,
               'domain':domain,
@@ -68,8 +69,7 @@ def check_rule(self, ip, port, values, conf):
               'rule_confirm':self.rule_confirm,
               'rule_details':self.rule_details,
               'rule_mitigation':self.rule_mitigation
-            }
-            rds.store_vuln(js_data)
+            })
             return
     except:
       return

rules/bruteforce/rule_ssh-bf.py

@@ -12,12 +12,13 @@ class Rule:
   def __init__(self):
     self.rule = 'BRF_A953'
     self.rule_severity = 4
-    self.rule_description = 'Checks if SSH is set with a weak password'
+    self.rule_description = 'This rule checks if an SSH Server is configured to accept remote connections using weak credentials'
     self.rule_confirm = 'Remote server with weak credentials'
     self.rule_details = ''
     self.rule_mitigation = '''SSH Allows connections with a weak password. 
 SSH must allow only trusted sources remote access, such as specific IP addresses, and use stronger authentication such as \
-Public Key Authentication, in addition to a strong password authentication.'''
+Public Key Authentication, in addition to a strong password authentication.
+Refer to an OpenSSH Hardening Guidelines for more information: https://linux-audit.com/audit-and-harden-your-ssh-configuration/'''
     self.intensity = 3
 
   def ssh_attack(self, ip, port, username, password):
@@ -57,8 +58,8 @@ def check_rule(self, ip, port, values, conf):
         for username in usernames:
           for password in passwords:
             if self.ssh_attack(ip, port, username, password):
-              self.rule_details = 'Credentials are set to {}:{}'.format(username, password)
-              js_data = {
+              self.rule_details = 'SSH Server Credentials are set to {}:{}'.format(username, password)
+              rds.store_vuln({
                 'ip':ip,
                 'port':port,
                 'domain':domain,
@@ -68,7 +69,6 @@ def check_rule(self, ip, port, values, conf):
                 'rule_confirm':self.rule_confirm,
                 'rule_details':self.rule_details,
                 'rule_mitigation':self.rule_mitigation
-              }
-              rds.store_vuln(js_data)
+              })
 
     return

rules/configuration/rule_actuator.py

@@ -1,16 +1,17 @@
 from core.redis  import rds
 from core.triage import Triage
-from core.parser import ScanParser, ConfParser
+from core.parser import ScanParser
 
 class Rule:
   def __init__(self):
     self.rule = 'CFG_9B88'
     self.rule_severity = 3
-    self.rule_description = 'Actuator Misconfiguration'
-    self.rule_confirm = 'Remote Server Actuator is misconfigured'
+    self.rule_description = 'This rule checks for misconfigurations in Spring Boot Actuator'
+    self.rule_confirm = 'Spring Boot Actuator is misconfigured'
     self.rule_details = ''
     self.rule_mitigation = '''Server has a misconfigured Actuator, which is potentially leaking out sensitive data. \
-Restrict access to the endpoint to trusted sources only.'''
+Restrict access to the endpoint to trusted sources only.
+Refer to the following Spring Boot Actuator Hardening Guideline for more information: https://www.devglan.com/spring-security/securing-spring-boot-actuator-endpoints-with-spring-security'''
     self.rule_match_string = {
                               '/admin/dump':{
                                 'app':'SPRING_BOOT_ACTUATOR_DUMP',
@@ -57,7 +58,6 @@ def __init__(self):
 
 
   def check_rule(self, ip, port, values, conf):
-    c = ConfParser(conf)
     t = Triage()
     p = ScanParser(port, values)
 
@@ -68,17 +68,15 @@ def check_rule(self, ip, port, values, conf):
       return
 
     for uri, values in self.rule_match_string.items():
-      app_name = values['app']
       app_title = values['title']
 
       resp = t.http_request(ip, port, uri=uri)
 
       if resp is not None:
         for match in values['match']:
           if match in resp.text:
-            self.rule_details = 'Exposed {} at {}'.format(app_title, uri)
-
-            js_data = {
+            self.rule_details = 'Exposed {} at {}'.format(app_title, resp.url)  
+            rds.store_vuln({
               'ip':ip,
               'port':port,
               'domain':domain,
@@ -88,8 +86,6 @@ def check_rule(self, ip, port, values, conf):
               'rule_confirm':self.rule_confirm,
               'rule_details':self.rule_details,
               'rule_mitigation':self.rule_mitigation
-            }
-
-            rds.store_vuln(js_data)   
+            })   
 
     return

rules/configuration/rule_apache.py

@@ -1,16 +1,17 @@
 from core.redis  import rds
 from core.triage import Triage
-from core.parser import ScanParser, ConfParser
+from core.parser import ScanParser
 
 class Rule:
   def __init__(self):
     self.rule = 'CFG_91Z0'
     self.rule_severity = 1
-    self.rule_description = 'Checks for Apache Misconfigurations'
-    self.rule_confirm = 'Apache Server Misconfiguration'
+    self.rule_description = 'This rule checks for Apache Web Server Misconfigurations'
+    self.rule_confirm = 'Misconfigured Apache Server'
     self.rule_details = ''
     self.rule_mitigation = '''Apache Web Server is misconfigured and exposes one or more files \
-related to configuration, statistics or example servlets.'''
+related to configuration, statistics or example servlets.
+Refer to an Apache Hardening Guideline for more information: https://geekflare.com/apache-web-server-hardening-security/'''
     self.rule_match_string = {
                               '/server-status':{
                                 'app':'APACHE_SERVER_STATUS',
@@ -37,7 +38,6 @@ def __init__(self):
 
 
   def check_rule(self, ip, port, values, conf):
-    c = ConfParser(conf)
     t = Triage()
     p = ScanParser(port, values)
 
@@ -55,8 +55,8 @@ def check_rule(self, ip, port, values, conf):
       if resp is not None:
         for match in values['match']:
           if match in resp.text:
-            self.rule_details = 'Apache misconfiguration - {} at {}'.format(app_title, uri)
-            js_data = {
+            self.rule_details = 'Apache misconfiguration - {} at {}'.format(app_title, resp.url)
+            rds.store_vuln({
               'ip':ip,
               'port':port,
               'domain':domain,
@@ -66,6 +66,5 @@ def check_rule(self, ip, port, values, conf):
               'rule_confirm':self.rule_confirm,
               'rule_details':self.rule_details,
               'rule_mitigation':self.rule_mitigation
-            }
-            rds.store_vuln(js_data)
+            })
     return