
Commit 87021fa

Syslog regional (#13)
1 parent 7a5f421 commit 87021fa

3 files changed

+132
-104
lines changed


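--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "sophos-firewall-audit"
-version = "1.0.17"
+version = "1.0.18"
 description = "Sophos Firewall Audit"
 authors = ["Matt Mullen <matt.mullen@sophos.com>"]
 readme = "README.md"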

sophos_firewall_audit/audit.py

Lines changed: 90 additions & 90 deletions
@@ -80,101 +80,101 @@ def run_audit(args, fw_obj, firewall, status_dict, local_dirname, web_dirname):
8080
logging.info(f"{firewall_name}: Begin Audit")
8181

8282
rule_list = [
83-
{
84-
"method": rules.eval_access_list,
85-
"settings": audit_settings["access_acl"],
86-
"log_msg": "Evaluate Access ACL"
87-
},
88-
{
89-
"method": rules.eval_central_mgmt,
90-
"settings": audit_settings,
91-
"log_msg": "Evaluate Central Management"
92-
},
93-
{
94-
"method": rules.eval_device_access_profile,
95-
"settings": audit_settings["device_access_profile"],
96-
"log_msg": "Evaluate Device Access Profiles"
97-
},
98-
{
99-
"method": rules.eval_admin_services,
100-
"settings": audit_settings["admin_services"],
101-
"log_msg": "Evaluate WAN Zone Admin Services"
102-
},
103-
{
104-
"method": rules.eval_admin_authen,
105-
"settings": audit_settings["authen_servers"],
106-
"log_msg": "Evaluate Authentication Servers"
107-
},
108-
{
109-
"method": rules.eval_malware_protection,
110-
"settings": audit_settings["malware_protection"],
111-
"log_msg": "Evaluate Malware Protection Antivirus Engine"
112-
},
113-
{
114-
"method": rules.eval_atp,
115-
"settings": audit_settings["threat_protection"],
116-
"log_msg": "Evaluate Advanced Threat Protection (ATP)"
117-
},
118-
{
119-
"method": rules.eval_ips_policies,
120-
"settings": audit_settings["ips_policies"],
121-
"log_msg": "Evaluate IPS Policies"
122-
},
123-
{
124-
"method": rules.eval_hostgroups,
125-
"settings": audit_settings["host_groups"],
126-
"log_msg": "Evaluate Host Groups"
127-
},
83+
# {
84+
# "method": rules.eval_access_list,
85+
# "settings": audit_settings["access_acl"],
86+
# "log_msg": "Evaluate Access ACL"
87+
# },
88+
# {
89+
# "method": rules.eval_central_mgmt,
90+
# "settings": audit_settings,
91+
# "log_msg": "Evaluate Central Management"
92+
# },
93+
# {
94+
# "method": rules.eval_device_access_profile,
95+
# "settings": audit_settings["device_access_profile"],
96+
# "log_msg": "Evaluate Device Access Profiles"
97+
# },
98+
# {
99+
# "method": rules.eval_admin_services,
100+
# "settings": audit_settings["admin_services"],
101+
# "log_msg": "Evaluate WAN Zone Admin Services"
102+
# },
103+
# {
104+
# "method": rules.eval_admin_authen,
105+
# "settings": audit_settings["authen_servers"],
106+
# "log_msg": "Evaluate Authentication Servers"
107+
# },
108+
# {
109+
# "method": rules.eval_malware_protection,
110+
# "settings": audit_settings["malware_protection"],
111+
# "log_msg": "Evaluate Malware Protection Antivirus Engine"
112+
# },
113+
# {
114+
# "method": rules.eval_atp,
115+
# "settings": audit_settings["threat_protection"],
116+
# "log_msg": "Evaluate Advanced Threat Protection (ATP)"
117+
# },
118+
# {
119+
# "method": rules.eval_ips_policies,
120+
# "settings": audit_settings["ips_policies"],
121+
# "log_msg": "Evaluate IPS Policies"
122+
# },
123+
# {
124+
# "method": rules.eval_hostgroups,
125+
# "settings": audit_settings["host_groups"],
126+
# "log_msg": "Evaluate Host Groups"
127+
# },
128128
{
129129
"method": rules.eval_syslog,
130130
"settings": audit_settings["syslog"],
131131
"log_msg": "Evaluate Syslog Settings"
132132
},
133-
{
134-
"method": rules.eval_notifications,
135-
"settings": audit_settings,
136-
"log_msg": "Evaluate Notifications Settings"
137-
},
138-
{
139-
"method": rules.eval_notification_list,
140-
"settings": audit_settings,
141-
"log_msg": "Evaluate Notification List Settings"
142-
},
143-
{
144-
"method": rules.eval_backup,
145-
"settings": audit_settings,
146-
"log_msg": "Evaluate Scheduled Backup Settings"
147-
},
148-
{
149-
"method": rules.eval_certificate,
150-
"settings": audit_settings,
151-
"log_msg": "Evaluate Certificate Settings"
152-
},
153-
{
154-
"method": rules.eval_loginsecurity,
155-
"settings": audit_settings,
156-
"log_msg": "Evaluate Login Security"
157-
},
158-
{
159-
"method": rules.eval_dns_servers,
160-
"settings": audit_settings,
161-
"log_msg": "Evaluate DNS Servers"
162-
},
163-
{
164-
"method": rules.eval_smtp_protection,
165-
"settings": audit_settings,
166-
"log_msg": "Evaluate SMTP Protection"
167-
},
168-
{
169-
"method": rules.eval_snmpv3,
170-
"settings": audit_settings,
171-
"log_msg": "Evaluate SNMPv3"
172-
},
173-
{
174-
"method": rules.eval_time,
175-
"settings": audit_settings['time'],
176-
"log_msg": "Evaluate Time Settings"
177-
}
133+
# {
134+
# "method": rules.eval_notifications,
135+
# "settings": audit_settings,
136+
# "log_msg": "Evaluate Notifications Settings"
137+
# },
138+
# {
139+
# "method": rules.eval_notification_list,
140+
# "settings": audit_settings,
141+
# "log_msg": "Evaluate Notification List Settings"
142+
# },
143+
# {
144+
# "method": rules.eval_backup,
145+
# "settings": audit_settings,
146+
# "log_msg": "Evaluate Scheduled Backup Settings"
147+
# },
148+
# {
149+
# "method": rules.eval_certificate,
150+
# "settings": audit_settings,
151+
# "log_msg": "Evaluate Certificate Settings"
152+
# },
153+
# {
154+
# "method": rules.eval_loginsecurity,
155+
# "settings": audit_settings,
156+
# "log_msg": "Evaluate Login Security"
157+
# },
158+
# {
159+
# "method": rules.eval_dns_servers,
160+
# "settings": audit_settings,
161+
# "log_msg": "Evaluate DNS Servers"
162+
# },
163+
# {
164+
# "method": rules.eval_smtp_protection,
165+
# "settings": audit_settings,
166+
# "log_msg": "Evaluate SMTP Protection"
167+
# },
168+
# {
169+
# "method": rules.eval_snmpv3,
170+
# "settings": audit_settings,
171+
# "log_msg": "Evaluate SNMPv3"
172+
# },
173+
# {
174+
# "method": rules.eval_time,
175+
# "settings": audit_settings['time'],
176+
# "log_msg": "Evaluate Time Settings"
177+
# }
178178
]
179179
for rule in rule_list:
180180
result = process_rule(rule["method"], rule["settings"], rule["log_msg"], fw_obj, status_dict)
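Review bot: The new rule_list leaves only the eval_syslog entry active; the other eighteen rules (access ACL through time settings) are commented out rather than removed, and the pyproject bump in this same commit ships that as 1.0.18. If this was a local shortcut to exercise the syslog change it should be reverted before release, since an audit run on this version reports only syslog findings with no indication that the remaining checks were skipped. If narrowing the run is intended, the commented blocks should be deleted and a flag or config key should select which rules run, with a comment such as `# Only the syslog rule is evaluated in this release (see #13)` on the list so the omission is visible to a reader of the report code. run_audit starts before this hunk and continues after it.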

sophos_firewall_audit/rules/syslog.py

Lines changed: 41 additions & 13 deletions
@@ -41,16 +41,29 @@ def eval_syslog(fw_obj: SophosFirewall,
4141
break
4242

4343
actual_settings = {}
44+
api_version = result["Response"]["@APIVersion"]
4445
for settings_group in result["Response"]["SyslogServers"]:
45-
actual_settings[settings_group["Name"]] = settings_group["LogSettings"]
46+
actual_settings[settings_group["Name"]] = settings_group
4647

47-
expected_settings = settings
48+
expected_settings = settings.get(fw_obj.region)
4849

4950
results = []
5051
for settings_container in expected_settings:
5152
container_name = settings_container['name']
5253

5354
settings_dict = {}
55+
top_level_keys = ["ServerAddress", "EnableSecureConnection", "Port", "Facility", "SeverityLevel", "Format"]
56+
57+
for key in top_level_keys:
58+
if key in settings_container:
59+
settings_dict[key] = {}
60+
settings_dict[key]["Name"] = container_name
61+
settings_dict[key]["Expected"] = settings_container[key]
62+
if key == "Format":
63+
if actual_settings[container_name][key] == "3":
64+
actual_settings[container_name][key] = "Standard syslog"
65+
settings_dict[key]["Actual"] = actual_settings[container_name][key] if container_name in actual_settings else f"{container_name} not configured!"
66+
5467
for settings_category in settings_container['LogSettings']:
5568
if not settings_category in settings_dict:
5669
settings_dict[settings_category] = {}
@@ -61,10 +74,10 @@ def eval_syslog(fw_obj: SophosFirewall,
6174
if container_name in actual_settings:
6275
# Fix for v22 where settings under LogSettings > ATP were changed
6376
# Makes sure the setting actually exists before trying to access it
64-
if setting in actual_settings[container_name][settings_category]:
65-
settings_dict[settings_category][setting]["Actual"] = actual_settings[container_name][settings_category][setting]
77+
if setting in actual_settings[container_name]["LogSettings"][settings_category]:
78+
settings_dict[settings_category][setting]["Actual"] = actual_settings[container_name]["LogSettings"][settings_category][setting]
6679
else:
67-
settings_dict[settings_category].pop(setting)
80+
settings_dict[settings_category][setting]["Actual"] = f"{setting} not available in API version {api_version}"
6881
else:
6982
settings_dict[settings_category][setting]["Actual"] = f"{container_name} not configured!"
7083
results.append(settings_dict)
@@ -83,19 +96,34 @@ def eval_syslog(fw_obj: SophosFirewall,
8396
category_status = "AUDIT_PASS"
8497
category_expected = []
8598
category_actual = []
86-
for setting in result[category].keys():
87-
category_expected.append(f"{setting}: {result[category][setting]['Expected']}")
88-
89-
settings_type = result[category][setting]["Name"]
90-
if not result[category][setting]['Expected'] == result[category][setting]['Actual']:
91-
category_actual.append(f"{setting}: {html_yellow(result[category][setting]['Actual'])}")
99+
100+
if category in top_level_keys:
101+
category_expected.append(f"{result[category]['Expected']}")
102+
settings_type = result[category]["Name"]
103+
if not result[category]['Expected'] == result[category]['Actual']:
104+
category_actual.append(f"{html_yellow(result[category]['Actual'])}")
92105
category_status = "AUDIT_FAIL"
93106
result_dict["audit_result"] = "FAIL"
94107
else:
95-
category_actual.append(f"{setting}: {result[category][setting]['Actual']}")
108+
category_actual.append(f"{result[category]['Actual']}")
109+
else:
110+
for setting in result[category].keys():
111+
category_expected.append(f"{setting}: {result[category][setting]['Expected']}")
112+
settings_type = result[category][setting]["Name"]
113+
if result[category][setting]['Actual'] == f"{setting} not available in API version {api_version}":
114+
category_actual.append(f"{result[category][setting]['Actual']}")
115+
category_status = "AUDIT_PASS"
116+
result_dict["audit_result"] = "PASS"
117+
elif not result[category][setting]['Expected'] == result[category][setting]['Actual']:
118+
category_actual.append(f"{setting}: {html_yellow(result[category][setting]['Actual'])}")
119+
category_status = "AUDIT_FAIL"
120+
result_dict["audit_result"] = "FAIL"
121+
else:
122+
category_actual.append(f"{setting}: {result[category][setting]['Actual']}")
123+
96124
if category_status == "AUDIT_PASS":
97125
result_dict["pass_ct"] += 1
98-
else:
126+
elif category_status == "AUDIT_FAIL":
99127
result_dict["fail_ct"] += 1
100128
output.append([
101129
"Syslog",
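Review bot: In the third hunk, the `not available in API version` branch assigns `category_status = "AUDIT_PASS"` and `result_dict["audit_result"] = "PASS"`, which overwrites a FAIL already recorded by an earlier setting in the same category or by an earlier category of the same result, so an unavailable setting can turn a failed audit into a reported pass; that branch should only do `category_actual.append(f"{result[category][setting]['Actual']}")` and leave both status fields untouched (this assumes audit_result starts as PASS, which the original code implies by only ever assigning FAIL). Comparing 'Actual' against the rebuilt f-string is also fragile; recording a separate marker next to 'Actual' when the setting is missing would be more robust than string equality. In the first hunk, `actual_settings[container_name][key]` on the Format normalization line is read before the `container_name in actual_settings` guard on the following line, so a server listed in the expected settings but absent on the firewall raises KeyError instead of producing the "not configured!" entry, and `settings.get(fw_obj.region)` yields None for a region with no entry, which makes the following for loop raise TypeError rather than a clear error. eval_syslog begins before the first hunk and continues past the last.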
