From f20f4f40a015a6593fe698fa6d065312e6cb71bb Mon Sep 17 00:00:00 2001 From: Chris Meyers Date: Thu, 27 Jul 2017 10:39:43 -0400 Subject: [PATCH] trim insights content to only what the UI needs --- awx/api/views.py | 4 +- awx/main/tests/data/insights.json | 724 +++++++++++++++++++++ awx/main/tests/data/insights.py | 9 + awx/main/tests/unit/utils/test_insights.py | 24 + awx/main/utils/insights.py | 42 ++ 5 files changed, 802 insertions(+), 1 deletion(-) create mode 100644 awx/main/tests/data/insights.json create mode 100644 awx/main/tests/data/insights.py create mode 100644 awx/main/tests/unit/utils/test_insights.py create mode 100644 awx/main/utils/insights.py diff --git a/awx/api/views.py b/awx/api/views.py index e783b94d0b..62c0082678 100644 --- a/awx/api/views.py +++ b/awx/api/views.py @@ -74,6 +74,7 @@ from awx.main.utils import ( decrypt_field, ) from awx.main.utils.filters import SmartFilter +from awx.main.utils.insights import filter_insights_api_response from awx.api.permissions import * # noqa from awx.api.renderers import * # noqa @@ -2097,7 +2098,8 @@ class HostInsights(GenericAPIView): return (dict(error=_('Failed to gather reports and maintenance plans from Insights API at URL {}. Server responded with {} status code and message {}').format(url, res.status_code, res.content)), status.HTTP_500_INTERNAL_SERVER_ERROR) try: - return (dict(insights_content=res.json()), status.HTTP_200_OK) + filtered_insights_content = filter_insights_api_response(res.json()) + return (dict(insights_content=filtered_insights_content), status.HTTP_200_OK) except ValueError: return (dict(error=_('Expected JSON response from Insights but instead got {}').format(res.content)), status.HTTP_500_INTERNAL_SERVER_ERROR) diff --git a/awx/main/tests/data/insights.json b/awx/main/tests/data/insights.json new file mode 100644 index 0000000000..204985ab2f --- /dev/null +++ b/awx/main/tests/data/insights.json 
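Review bot: The new `filter_insights_api_response(res.json())` call in the second `views.py` hunk runs inside a `try` that catches only `ValueError`, so a body that is valid JSON but not the expected shape (no `reports` key, a report lacking `rule` or `maintenance_actions`) would surface as an uncaught `KeyError`/`TypeError` and a generic 500 instead of the structured error the surrounding code returns — unless the helper in `awx/main/utils/insights.py` (not in this chunk) guards every lookup itself. Because the point of the change is to stop passing the upstream payload through unfiltered, a shape mismatch is exactly the case that should fail closed with its own message rather than fall back to the raw response, e.g. `except (KeyError, TypeError): return (dict(error=_('Unexpected structure in Insights API response')), status.HTTP_500_INTERNAL_SERVER_ERROR)` added after the existing `except ValueError` branch. Separately, the pre-existing error paths in the same hunk echo the raw upstream `res.content` into the AWX response body; that is not new here, but it leaks whatever Insights returned to the caller and deserves the same trimming treatment. The `HostInsights` method that contains this `try` begins before the hunk.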
@@ -0,0 +1,724 @@ +{ + "toString": "$REDACTED$", + "isCheckingIn": false, + "system_id": "11111111-1111-1111-1111-111111111111", + "display_name": null, + "remote_branch": null, + "remote_leaf": null, + "account_number": "1111111", + "hostname": "$REDACTED$", + "parent_id": null, + "system_type_id": 105, + "last_check_in": "2017-07-21T07:07:29.000Z", + "stale_ack": false, + "type": "machine", + "product": "rhel", + "created_at": "2017-07-20T17:26:53.000Z", + "updated_at": "2017-07-21T07:07:29.000Z", + "unregistered_at": null, + "reports": [{ + "details": { + "vulnerable_setting": "hosts: files dns myhostname", + "affected_package": "glibc-2.17-105.el7", + "error_key": "GLIBC_CVE_2015_7547" + }, + "id": 955802695, + "rule_id": "CVE_2015_7547_glibc|GLIBC_CVE_2015_7547", + "system_id": "11111111-1111-1111-1111-111111111111", + "account_number": "1111111", + "uuid": "11111111111111111111111111111111", + "date": "2017-07-21T07:07:29.000Z", + "rule": { + "summary_html": "

A critical security flaw in the glibc library was found. It allows an attacker to crash an application built against that library or, potentially, execute arbitrary code with privileges of the user running the application.

\n", + "generic_html": "

The glibc library is vulnerable to a stack-based buffer overflow security flaw. A remote attacker could create specially crafted DNS responses that could cause the libresolv part of the library, which performs dual A/AAAA DNS queries, to crash or potentially execute code with the permissions of the user running the library. The issue is only exposed when libresolv is called from the nss_dns NSS service module. This flaw is known as CVE-2015-7547.

\n", + "more_info_html": "\n", + "severity": "ERROR", + "ansible": true, + "ansible_fix": false, + "ansible_mitigation": false, + "rule_id": "CVE_2015_7547_glibc|GLIBC_CVE_2015_7547", + "error_key": "GLIBC_CVE_2015_7547", + "plugin": "CVE_2015_7547_glibc", + "description": "Remote code execution vulnerability in libresolv via crafted DNS response (CVE-2015-7547)", + "summary": "A critical security flaw in the `glibc` library was found. It allows an attacker to crash an application built against that library or, potentially, execute arbitrary code with privileges of the user running the application.", + "generic": "The `glibc` library is vulnerable to a stack-based buffer overflow security flaw. A remote attacker could create specially crafted DNS responses that could cause the `libresolv` part of the library, which performs dual A/AAAA DNS queries, to crash or potentially execute code with the permissions of the user running the library. The issue is only exposed when `libresolv` is called from the nss_dns NSS service module. This flaw is known as [CVE-2015-7547](https://access.redhat.com/security/cve/CVE-2015-7547).", + "reason": "

This host is vulnerable because it has vulnerable package glibc-2.17-105.el7 installed and DNS is enabled in /etc/nsswitch.conf:

\n
hosts:      files dns myhostname\n

The glibc library is vulnerable to a stack-based buffer overflow security flaw. A remote attacker could create specially crafted DNS responses that could cause the libresolv part of the library, which performs dual A/AAAA DNS queries, to crash or potentially execute code with the permissions of the user running the library. The issue is only exposed when libresolv is called from the nss_dns NSS service module. This flaw is known as CVE-2015-7547.

\n", + "type": null, + "more_info": "* For more information about the flaw see [CVE-2015-7547](https://access.redhat.com/security/cve/CVE-2015-7547).\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", + "active": true, + "node_id": "2168451", + "category": "Security", + "retired": false, + "reboot_required": false, + "publish_date": "2016-10-31T04:08:35.000Z", + "rec_impact": 4, + "rec_likelihood": 2, + "resolution": "

Red Hat recommends updating glibc and restarting the affected system:

\n
# yum update glibc\n# reboot\n

Alternatively, you can restart all affected services, but because this vulnerability affects a large amount of applications on the system, the best solution is to restart the system.

\n" + }, + "maintenance_actions": [{ + "done": false, + "id": 305205, + "maintenance_plan": { + "maintenance_id": 29315, + "name": "RHEL Demo Infrastructure", + "description": null, + "start": null, + "end": null, + "created_by": "$READACTED$", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null, + "allow_reboot": true + } + }, { + "done": false, + "id": 305955, + "maintenance_plan": { + "maintenance_id": 29335, + "name": "RHEL Demo All Systems", + "description": null, + "start": null, + "end": null, + "created_by": "$READACTED$", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null, + "allow_reboot": true + } + }] + }, { + "details": { + "affected_kernel": "3.10.0-327.el7", + "error_key": "KERNEL_CVE-2016-0728" + }, + "id": 955802705, + "rule_id": "CVE_2016_0728_kernel|KERNEL_CVE-2016-0728", + "system_id": "11111111-1111-1111-1111-111111111111", + "account_number": "1111111", + "uuid": "11111111111111111111111111111111", + "date": "2017-07-21T07:07:29.000Z", + "rule": { + "summary_html": "

A vulnerability in the Linux kernel allowing local privilege escalation was discovered. The issue was reported as CVE-2016-0728.

\n", + "generic_html": "

A vulnerability in the Linux kernel rated Important was discovered. The use-after-free flaw relates to the way the Linux kernel's key management subsystem handles keyring object reference counting in certain error paths of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. The issue was reported as CVE-2016-0728.

\n

Red Hat recommends that you update the kernel and reboot the system. If you cannot reboot now, consider applying the systemtap patch to update your running kernel.

\n", + "more_info_html": "\n", + "severity": "WARN", + "ansible": true, + "ansible_fix": false, + "ansible_mitigation": false, + "rule_id": "CVE_2016_0728_kernel|KERNEL_CVE-2016-0728", + "error_key": "KERNEL_CVE-2016-0728", + "plugin": "CVE_2016_0728_kernel", + "description": "Kernel key management subsystem vulnerable to local privilege escalation (CVE-2016-0728)", + "summary": "A vulnerability in the Linux kernel allowing local privilege escalation was discovered. The issue was reported as [CVE-2016-0728](https://access.redhat.com/security/cve/cve-2016-0728).", + "generic": "A vulnerability in the Linux kernel rated **Important** was discovered. The use-after-free flaw relates to the way the Linux kernel's key management subsystem handles keyring object reference counting in certain error paths of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. The issue was reported as [CVE-2016-0728](https://access.redhat.com/security/cve/cve-2016-0728).\n\nRed Hat recommends that you update the kernel and reboot the system. If you cannot reboot now, consider applying the [systemtap patch](https://bugzilla.redhat.com/attachment.cgi?id=1116284&action=edit) to update your running kernel.", + "reason": "

A vulnerability in the Linux kernel rated Important was discovered. The use-after-free flaw relates to the way the Linux kernel's key management subsystem handles keyring object reference counting in certain error paths of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. The issue was reported as CVE-2016-0728.

\n

The host is vulnerable as it is running kernel-3.10.0-327.el7.

\n", + "type": null, + "more_info": "* For more information about the flaws and versions of the package that are vulnerable see [CVE-2016-0728](https://access.redhat.com/security/cve/cve-2016-0728).\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", + "active": true, + "node_id": "2130791", + "category": "Security", + "retired": false, + "reboot_required": false, + "publish_date": "2016-10-31T04:08:37.000Z", + "rec_impact": 2, + "rec_likelihood": 2, + "resolution": "

Red Hat recommends that you update kernel and reboot. If you cannot reboot now, consider applying the systemtap patch to update your running kernel.

\n
# yum update kernel\n# reboot\n-or-\n# debuginfo-install kernel     (or equivalent)\n# stap -vgt -Gfix_p=1 -Gtrace_p=0 cve20160728e.stp\n
" + }, + "maintenance_actions": [{ + "done": false, + "id": 305215, + "maintenance_plan": { + "maintenance_id": 29315, + "name": "RHEL Demo Infrastructure", + "description": null, + "start": null, + "end": null, + "created_by": "$READACTED$", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null, + "allow_reboot": true + } + }, { + "done": false, + "id": 306205, + "maintenance_plan": { + "maintenance_id": 29335, + "name": "RHEL Demo All Systems", + "description": null, + "start": null, + "end": null, + "created_by": "$READACTED$", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null, + "allow_reboot": true + } + }] + }, { + "details": { + "processes_listening_int": [ + ["neutron-o", "127.0.0.1", "6633"], + ["ovsdb-ser", "127.0.0.1", "6640"] + ], + "processes_listening_ext": [ + ["CPU", "0.0.0.0", "5900"], + ["libvirtd", "", "::16509"], + ["master", "", ":1:25"], + ["qemu-kvm", "0.0.0.0", "5900"], + ["vnc_worke", "0.0.0.0", "5900"], + ["worker", "0.0.0.0", "5900"] + ], + "error_key": "OPENSSL_CVE_2016_0800_DROWN_LISTENING", + "processes_listening": [ + ["CPU", "0.0.0.0", "5900"], + ["libvirtd", "", "::16509"], + ["master", "", ":1:25"], + ["neutron-o", "127.0.0.1", "6633"], + ["ovsdb-ser", "127.0.0.1", "6640"], + ["qemu-kvm", "0.0.0.0", "5900"], + ["vnc_worke", "0.0.0.0", "5900"], + ["worker", "0.0.0.0", "5900"] + ], + "processes_names": ["/usr/bin/", "CPU", "ceilomete", "gmain", "handler6", "libvirtd", "master", "neutron-o", "neutron-r", "nova-comp", "ovs-vswit", "ovsdb-cli", "ovsdb-ser", "pickup", "privsep-h", "qemu-kvm", "qmgr", "redhat-ac", "revalidat", "tuned", "urcu3", "virtlogd", "vnc_worke", "worker"], + "vulnerable_package": "openssl-libs-1.0.1e-42.el7_1.9" + }, + "id": 955802715, + "rule_id": "CVE_2016_0800_openssl_drown|OPENSSL_CVE_2016_0800_DROWN_LISTENING", + "system_id": "11111111-1111-1111-1111-111111111111", + "account_number": "1111111", + "uuid": "11111111111111111111111111111111", + 
"date": "2017-07-21T07:07:29.000Z", + "rule": { + "summary_html": "

A new cross-protocol attack against SSLv2 protocol has been found. It has been assigned CVE-2016-0800 and is referred to as DROWN - Decrypting RSA using Obsolete and Weakened eNcryption. An attacker can decrypt passively collected TLS sessions between up-to-date client and server which supports SSLv2.

\n", + "generic_html": "

A new cross-protocol attack against a vulnerability in the SSLv2 protocol has been found. It can be used to passively decrypt collected TLS/SSL sessions from any connection that used an RSA key exchange cypher suite on a server that supports SSLv2. Even if a given service does not support SSLv2 the connection is still vulnerable if another service does and shares the same RSA private key.

\n

A more efficient variant of the attack exists against unpatched OpenSSL servers using versions that predate security advisories released on March 19, 2015 (see CVE-2015-0293).

\n", + "more_info_html": "\n", + "severity": "ERROR", + "ansible": true, + "ansible_fix": false, + "ansible_mitigation": false, + "rule_id": "CVE_2016_0800_openssl_drown|OPENSSL_CVE_2016_0800_DROWN_LISTENING", + "error_key": "OPENSSL_CVE_2016_0800_DROWN_LISTENING", + "plugin": "CVE_2016_0800_openssl_drown", + "description": "OpenSSL with externally listening processes vulnerable to session decryption (CVE-2016-0800/DROWN)", + "summary": "A new cross-protocol attack against SSLv2 protocol has been found. It has been assigned [CVE-2016-0800](https://access.redhat.com/security/cve/CVE-2016-0800) and is referred to as DROWN - Decrypting RSA using Obsolete and Weakened eNcryption. An attacker can decrypt passively collected TLS sessions between up-to-date client and server which supports SSLv2.", + "generic": "A new cross-protocol attack against a vulnerability in the SSLv2 protocol has been found. It can be used to passively decrypt collected TLS/SSL sessions from any connection that used an RSA key exchange cypher suite on a server that supports SSLv2. Even if a given service does not support SSLv2 the connection is still vulnerable if another service does and shares the same RSA private key.\n\nA more efficient variant of the attack exists against unpatched OpenSSL servers using versions that predate security advisories released on March 19, 2015 (see [CVE-2015-0293](https://access.redhat.com/security/cve/CVE-2015-0293)).", + "reason": "

This host is vulnerable because it has vulnerable package openssl-libs-1.0.1e-42.el7_1.9 installed.

\n

It also runs the following processes that use OpenSSL libraries:

\n\n\n\n\n\n

The following processes that use OpenSSL libraries are listening on the sockets bound to public IP addresses:

\n\n\n\n\n\n\n\n\n\n

A new cross-protocol attack against a vulnerability in the SSLv2 protocol has been found. It can be used to passively decrypt collected TLS/SSL sessions from any connection that used an RSA key exchange cypher suite on a server that supports SSLv2. Even if a given service does not support SSLv2 the connection is still vulnerable if another service does and shares the same RSA private key.

\n

A more efficient variant of the attack exists against unpatched OpenSSL servers using versions that predate security advisories released on March 19, 2015 (see CVE-2015-0293).

\n", + "type": null, + "more_info": "* For more information about the flaw see [CVE-2016-0800](https://access.redhat.com/security/cve/CVE-2016-0800)\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", + "active": true, + "node_id": "2174451", + "category": "Security", + "retired": false, + "reboot_required": false, + "publish_date": "2016-10-31T04:08:33.000Z", + "rec_impact": 3, + "rec_likelihood": 4, + "resolution": "

Red Hat recommends that you update openssl and restart the affected system:

\n
# yum update openssl\n# reboot\n

Alternatively, you can restart all affected services (that is, the ones linked to the openssl library), especially those listening on public IP addresses.

\n" + }, + "maintenance_actions": [{ + "done": false, + "id": 305225, + "maintenance_plan": { + "maintenance_id": 29315, + "name": "RHEL Demo Infrastructure", + "description": null, + "start": null, + "end": null, + "created_by": "$READACTED$", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null, + "allow_reboot": true + } + }, { + "done": false, + "id": 306435, + "maintenance_plan": { + "maintenance_id": 29335, + "name": "RHEL Demo All Systems", + "description": null, + "start": null, + "end": null, + "created_by": "$READACTED$", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null, + "allow_reboot": true + } + }] + }, { + "details": { + "vulnerable_kernel": "3.10.0-327.el7", + "package_name": "kernel", + "error_key": "KERNEL_CVE_2016_5195_2" + }, + "id": 955802725, + "rule_id": "CVE_2016_5195_kernel|KERNEL_CVE_2016_5195_2", + "system_id": "11111111-1111-1111-1111-111111111111", + "account_number": "1111111", + "uuid": "11111111111111111111111111111111", + "date": "2017-07-21T07:07:29.000Z", + "rule": { + "summary_html": "

A flaw was found in the Linux kernel's memory subsystem. An unprivileged local user could use this flaw to write to files they would normally only have read-only access to and thus increase their privileges on the system.

\n", + "generic_html": "

A race condition was found in the way Linux kernel's memory subsystem handled breakage of the read only shared mappings COW situation on write access. An unprivileged local user could use this flaw to write to files they should normally have read-only access to, and thus increase their privileges on the system.

\n

A process that is able to mmap a file is able to race Copy on Write (COW) page creation (within get_user_pages) with madvise(MADV_DONTNEED) kernel system calls. This would allow modified pages to bypass the page protection mechanism and modify the mapped file. The vulnerability could be abused by allowing an attacker to modify existing setuid files with instructions to elevate permissions. This attack has been found in the wild.

\n

Red Hat recommends that you update the kernel package.

\n", + "more_info_html": "\n", + "severity": "WARN", + "ansible": true, + "ansible_fix": false, + "ansible_mitigation": false, + "rule_id": "CVE_2016_5195_kernel|KERNEL_CVE_2016_5195_2", + "error_key": "KERNEL_CVE_2016_5195_2", + "plugin": "CVE_2016_5195_kernel", + "description": "Kernel vulnerable to privilege escalation via permission bypass (CVE-2016-5195)", + "summary": "A flaw was found in the Linux kernel's memory subsystem. An unprivileged local user could use this flaw to write to files they would normally only have read-only access to and thus increase their privileges on the system.", + "generic": "A race condition was found in the way Linux kernel's memory subsystem handled breakage of the read only shared mappings COW situation on write access. An unprivileged local user could use this flaw to write to files they should normally have read-only access to, and thus increase their privileges on the system.\n\nA process that is able to mmap a file is able to race Copy on Write (COW) page creation (within get_user_pages) with madvise(MADV_DONTNEED) kernel system calls. This would allow modified pages to bypass the page protection mechanism and modify the mapped file. The vulnerability could be abused by allowing an attacker to modify existing setuid files with instructions to elevate permissions. This attack has been found in the wild. \n\nRed Hat recommends that you update the kernel package.\n", + "reason": "

A flaw was found in the Linux kernel's memory subsystem. An unprivileged local user could use this flaw to write to files they would normally have read-only access to and thus increase their privileges on the system.

\n

This host is affected because it is running kernel 3.10.0-327.el7.

\n", + "type": null, + "more_info": "* For more information about the flaw see [CVE-2016-5195](https://access.redhat.com/security/cve/CVE-2016-5195)\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", + "active": true, + "node_id": "2706661", + "category": "Security", + "retired": false, + "reboot_required": true, + "publish_date": "2016-10-31T04:08:33.000Z", + "rec_impact": 2, + "rec_likelihood": 2, + "resolution": "

Red Hat recommends that you update the kernel package and restart the system:

\n
# yum update kernel\n# reboot\n
" + }, + "maintenance_actions": [{ + "done": false, + "id": 305235, + "maintenance_plan": { + "maintenance_id": 29315, + "name": "RHEL Demo Infrastructure", + "description": null, + "start": null, + "end": null, + "created_by": "$READACTED$", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null, + "allow_reboot": true + } + }, { + "done": false, + "id": 306705, + "maintenance_plan": { + "maintenance_id": 29335, + "name": "RHEL Demo All Systems", + "description": null, + "start": null, + "end": null, + "created_by": "$READACTED$", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null, + "allow_reboot": true + } + }] + }, { + "details": { + "mitigation_conf": "no", + "sysctl_live_ack_limit": "100", + "package_name": "kernel", + "sysctl_live_ack_limit_line": "net.ipv4.tcp_challenge_ack_limit = 100", + "error_key": "KERNEL_CVE_2016_5696_URGENT", + "vulnerable_kernel": "3.10.0-327.el7", + "sysctl_conf_ack_limit": "100", + "sysctl_conf_ack_limit_line": "net.ipv4.tcp_challenge_ack_limit = 100 # Implicit default", + "mitigation_live": "no" + }, + "id": 955802735, + "rule_id": "CVE_2016_5696_kernel|KERNEL_CVE_2016_5696_URGENT", + "system_id": "11111111-1111-1111-1111-111111111111", + "account_number": "1111111", + "uuid": "11111111111111111111111111111111", + "date": "2017-07-21T07:07:29.000Z", + "rule": { + "summary_html": "

A flaw in the Linux kernel's TCP/IP networking subsystem implementation of the RFC 5961 challenge ACK rate limiting was found that could allow an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.

\n", + "generic_html": "

A flaw was found in the implementation of the Linux kernel's handling of networking challenge ack (RFC 5961) where an attacker is able to determine the\nshared counter. This flaw allows an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.

\n

Red Hat recommends that you update the kernel package or apply mitigations.

\n", + "more_info_html": "\n", + "severity": "ERROR", + "ansible": true, + "ansible_fix": false, + "ansible_mitigation": false, + "rule_id": "CVE_2016_5696_kernel|KERNEL_CVE_2016_5696_URGENT", + "error_key": "KERNEL_CVE_2016_5696_URGENT", + "plugin": "CVE_2016_5696_kernel", + "description": "Kernel vulnerable to man-in-the-middle via payload injection", + "summary": "A flaw in the Linux kernel's TCP/IP networking subsystem implementation of the [RFC 5961](https://tools.ietf.org/html/rfc5961) challenge ACK rate limiting was found that could allow an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.", + "generic": "A flaw was found in the implementation of the Linux kernel's handling of networking challenge ack ([RFC 5961](https://tools.ietf.org/html/rfc5961)) where an attacker is able to determine the\nshared counter. This flaw allows an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack. \n\nRed Hat recommends that you update the kernel package or apply mitigations.", + "reason": "

A flaw was found in the implementation of the Linux kernel's handling of networking challenge ack (RFC 5961) where an attacker is able to determine the\nshared counter. This flaw allows an attacker located on different subnet to inject or take over a TCP connection between a server and client without needing to use a traditional man-in-the-middle (MITM) attack.

\n

This host is affected because it is running kernel 3.10.0-327.el7.

\n

Your currently loaded kernel configuration contains this setting:

\n
net.ipv4.tcp_challenge_ack_limit = 100\n

Your currently stored kernel configuration is:

\n
net.ipv4.tcp_challenge_ack_limit = 100  # Implicit default\n

There is currently no mitigation applied and your system is vulnerable.

\n", + "type": null, + "more_info": "* For more information about the flaw see [CVE-2016-5696](https://access.redhat.com/security/cve/CVE-2016-5696)\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).", + "active": true, + "node_id": "2438571", + "category": "Security", + "retired": false, + "reboot_required": false, + "publish_date": "2016-10-31T04:08:32.000Z", + "rec_impact": 4, + "rec_likelihood": 2, + "resolution": "

Red Hat recommends that you update the kernel package and restart the system:

\n
# yum update kernel\n# reboot\n

or

\n

Alternatively, this issue can be addressed by applying the following mitigations until the machine is restarted with the updated kernel package.

\n

Edit /etc/sysctl.conf file as root, add the mitigation configuration, and reload the kernel configuration:

\n
# echo "net.ipv4.tcp_challenge_ack_limit = 2147483647" >> /etc/sysctl.conf \n# sysctl -p\n
" + }, + "maintenance_actions": [{ + "done": false, + "id": 305245, + "maintenance_plan": { + "maintenance_id": 29315, + "name": "RHEL Demo Infrastructure", + "description": null, + "start": null, + "end": null, + "created_by": "$READACTED$", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null, + "allow_reboot": true + } + }, { + "done": false, + "id": 306975, + "maintenance_plan": { + "maintenance_id": 29335, + "name": "RHEL Demo All Systems", + "description": null, + "start": null, + "end": null, + "created_by": "$READACTED$", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null, + "allow_reboot": true + } + }, { + "done": false, + "id": 316055, + "maintenance_plan": { + "maintenance_id": 30575, + "name": "Fix the problem", + "description": null, + "start": null, + "end": null, + "created_by": "asdavis@redhat.com", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null, + "allow_reboot": true + } + }] + }, { + "details": { + "kernel_left_fully_exploitable": true, + "vulnerable_kernel_version_release": "3.10.0-327.el7", + "kernel_kpatch_applied": false, + "kernel_vulnerable": true, + "glibc_left_fully_exploitable": true, + "vulnerable_glibc": { + "PACKAGE_NAMES": ["glibc"], + "PACKAGES": ["glibc-2.17-105.el7"] + }, + "kernel_stap_applied": false, + "error_key": "CVE_2017_1000364_KERNEL_CVE_2017_1000366_GLIBC_EXPLOITABLE", + "vulnerable_kernel_name": "kernel", + "nothing_left_fully_exploitable": false, + "glibc_vulnerable": true + }, + "id": 955802745, + "rule_id": "CVE_2017_1000366_glibc|CVE_2017_1000364_KERNEL_CVE_2017_1000366_GLIBC_EXPLOITABLE", + "system_id": "11111111-1111-1111-1111-111111111111", + "account_number": "1111111", + "uuid": "11111111111111111111111111111111", + "date": "2017-07-21T07:07:29.000Z", + "rule": { + "summary_html": "

A flaw was found in the way memory is being allocated on the stack for user space binaries. It has been assigned CVE-2017-1000364 and CVE-2017-1000366. An unprivileged local user can use this flaw to execute arbitrary code as root and increase their privileges on the system.

\n", + "generic_html": "

A flaw was found in the way memory is being allocated on the stack for user space binaries. It has been assigned CVE-2017-1000364 and CVE-2017-1000366. An unprivileged local user can use this flaw to execute arbitrary code as root and increase their privileges on the system.

\n

If heap and stack memory regions are adjacent to each other, an attacker can use this flaw to jump over the heap/stack gap, cause controlled memory corruption on process stack or heap, and thus increase their privileges on the system.

\n

An attacker must have access to a local account on the system.

\n

Red Hat recommends that you update the kernel and glibc.

\n", + "more_info_html": "\n", + "severity": "WARN", + "ansible": true, + "ansible_fix": false, + "ansible_mitigation": false, + "rule_id": "CVE_2017_1000366_glibc|CVE_2017_1000364_KERNEL_CVE_2017_1000366_GLIBC_EXPLOITABLE", + "error_key": "CVE_2017_1000364_KERNEL_CVE_2017_1000366_GLIBC_EXPLOITABLE", + "plugin": "CVE_2017_1000366_glibc", + "description": "Kernel and glibc vulnerable to local privilege escalation via stack and heap memory clash (CVE-2017-1000364 and CVE-2017-1000366)", + "summary": "A flaw was found in the way memory is being allocated on the stack for user space binaries. It has been assigned [CVE-2017-1000364](https://access.redhat.com/security/cve/CVE-2017-1000364) and [CVE-2017-1000366](https://access.redhat.com/security/cve/CVE-2017-1000366). An unprivileged local user can use this flaw to execute arbitrary code as root and increase their privileges on the system.\n", + "generic": "A flaw was found in the way memory is being allocated on the stack for user space binaries. It has been assigned CVE-2017-1000364 and CVE-2017-1000366. An unprivileged local user can use this flaw to execute arbitrary code as root and increase their privileges on the system.\n\nIf heap and stack memory regions are adjacent to each other, an attacker can use this flaw to jump over the heap/stack gap, cause controlled memory corruption on process stack or heap, and thus increase their privileges on the system. \n\nAn attacker must have access to a local account on the system.\n\nRed Hat recommends that you update the kernel and glibc.\n", + "reason": "

A flaw was found in kernel and glibc in the way memory is being allocated on the stack for user space binaries.

\n

The host is affected because it is running kernel-3.10.0-327.el7 and using glibc-2.17-105.el7.

\n", + "type": null, + "more_info": "* For more information about the flaw, see [the vulnerability article](https://access.redhat.com/security/vulnerabilities/stackguard) and [CVE-2017-1000364](https://access.redhat.com/security/cve/CVE-2017-1000364) and [CVE-2017-1000366](https://access.redhat.com/security/cve/CVE-2017-1000366).\n* To learn how to upgrade packages, see [What is yum and how do I use it?](https://access.redhat.com/solutions/9934).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", + "active": true, + "node_id": null, + "category": "Security", + "retired": false, + "reboot_required": true, + "publish_date": "2017-06-19T15:00:00.000Z", + "rec_impact": 2, + "rec_likelihood": 2, + "resolution": "

Red Hat recommends updating the kernel and glibc packages and rebooting the system.

\n
# yum update kernel glibc\n# reboot\n
" + }, + "maintenance_actions": [{ + "done": false, + "id": 305255, + "maintenance_plan": { + "maintenance_id": 29315, + "name": "RHEL Demo Infrastructure", + "description": null, + "start": null, + "end": null, + "created_by": "$READACTED$", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null, + "allow_reboot": true + } + }, { + "done": false, + "id": 307415, + "maintenance_plan": { + "maintenance_id": 29335, + "name": "RHEL Demo All Systems", + "description": null, + "start": null, + "end": null, + "created_by": "$READACTED$", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null, + "allow_reboot": true + } + }] + }, { + "details": { + "PACKAGE_NAMES": ["sudo"], + "PACKAGES": ["sudo-1.8.6p7-16.el7"], + "error_key": "CVE_2017_1000367_SUDO" + }, + "id": 955802755, + "rule_id": "CVE_2017_1000367_sudo|CVE_2017_1000367_SUDO", + "system_id": "11111111-1111-1111-1111-111111111111", + "account_number": "1111111", + "uuid": "11111111111111111111111111111111", + "date": "2017-07-21T07:07:29.000Z", + "rule": { + "summary_html": "

A local privilege escalation flaw was found in sudo. A local user having sudo access on the system,\ncould use this flaw to execute arbitrary commands as root. This issue was reported as\nCVE-2017-1000367

\n", + "generic_html": "

A local privilege escalation flaw was found in sudo. All versions of sudo package shipped with RHEL 5, 6 and 7 are vulnerable\nto a local privilege escalation vulnerability. A flaw was found in the way get_process_ttyname() function obtained\ninformation about the controlling terminal of the sudo process from the status file in the proc filesystem.\nThis allows a local user who has any level of sudo access on the system to execute arbitrary commands as root or\nin certain conditions escalate his privileges to root.

\n

Red Hat recommends that you update update the sudo package.

\n", + "more_info_html": "\n", + "severity": "WARN", + "ansible": true, + "ansible_fix": true, + "ansible_mitigation": false, + "rule_id": "CVE_2017_1000367_sudo|CVE_2017_1000367_SUDO", + "error_key": "CVE_2017_1000367_SUDO", + "plugin": "CVE_2017_1000367_sudo", + "description": "sudo vulnerable to local privilege escalation via process TTY name parsing (CVE-2017-1000367)", + "summary": "A local privilege escalation flaw was found in `sudo`. A local user having sudo access on the system,\ncould use this flaw to execute arbitrary commands as root. This issue was reported as\n[CVE-2017-1000367](https://access.redhat.com/security/cve/CVE-2017-1000367)", + "generic": "A local privilege escalation flaw was found in `sudo`. All versions of sudo package shipped with RHEL 5, 6 and 7 are vulnerable\nto a local privilege escalation vulnerability. A flaw was found in the way `get_process_ttyname()` function obtained\ninformation about the controlling terminal of the sudo process from the status file in the proc filesystem.\nThis allows a local user who has any level of sudo access on the system to execute arbitrary commands as root or\nin certain conditions escalate his privileges to root.\n\nRed Hat recommends that you update update the `sudo` package.\n", + "reason": "

This machine is vulnerable because it has vulnerable sudo package sudo-1.8.6p7-16.el7 installed.

\n", + "type": null, + "more_info": "* For more information about the remote code execution flaw [CVE-2017-1000367](https://access.redhat.com/security/cve/CVE-2017-1000367) see [knowledge base article](https://access.redhat.com/security/vulnerabilities/3059071).\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934)\"\n* To better understand [sudo](https://www.sudo.ws/), see [Sudo in a Nutshell](https://www.sudo.ws/intro.html)\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", + "active": true, + "node_id": "3059071", + "category": "Security", + "retired": false, + "reboot_required": false, + "publish_date": "2017-05-30T13:30:00.000Z", + "rec_impact": 2, + "rec_likelihood": 2, + "resolution": "

Red Hat recommends that you update the sudo package.

\n
# yum update sudo\n
" + }, + "maintenance_actions": [{ + "done": false, + "id": 305265, + "maintenance_plan": { + "maintenance_id": 29315, + "name": "RHEL Demo Infrastructure", + "description": null, + "start": null, + "end": null, + "created_by": "$READACTED$", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null, + "allow_reboot": true + } + }, { + "done": false, + "id": 308075, + "maintenance_plan": { + "maintenance_id": 29335, + "name": "RHEL Demo All Systems", + "description": null, + "start": null, + "end": null, + "created_by": "$READACTED$", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null, + "allow_reboot": true + } + }] + }, { + "details": { + "mod_loading_disabled": false, + "package_name": "kernel", + "error_key": "KERNEL_CVE_2017_2636", + "vulnerable_kernel": "3.10.0-327.el7", + "mod_loaded": false, + "mitigation_info": true + }, + "id": 955802765, + "rule_id": "CVE_2017_2636_kernel|KERNEL_CVE_2017_2636", + "system_id": "11111111-1111-1111-1111-111111111111", + "account_number": "1111111", + "uuid": "11111111111111111111111111111111", + "date": "2017-07-21T07:07:29.000Z", + "rule": { + "summary_html": "

A vulnerability in the Linux kernel allowing local privilege escalation was discovered.\nThe issue was reported as CVE-2017-2636.

\n", + "generic_html": "

A use-after-free flaw was found in the Linux kernel implementation of the HDLC (High-Level Data Link Control) TTY line discipline implementation. It has been assigned CVE-2017-2636.

\n

An unprivileged local user could use this flaw to execute arbitrary code in kernel memory and increase their privileges on the system. The kernel uses a TTY subsystem to take and show terminal output to connected systems. An attacker crafting specific-sized memory allocations could abuse this mechanism to place a kernel function pointer with malicious instructions to be executed on behalf of the attacker.

\n

An attacker must have access to a local account on the system; this is not a remote attack. Exploiting this flaw does not require Microgate or SyncLink hardware to be in use.

\n

Red Hat recommends that you use the proposed mitigation to disable the N_HDLC module.

\n", + "more_info_html": "\n", + "severity": "WARN", + "ansible": true, + "ansible_fix": false, + "ansible_mitigation": false, + "rule_id": "CVE_2017_2636_kernel|KERNEL_CVE_2017_2636", + "error_key": "KERNEL_CVE_2017_2636", + "plugin": "CVE_2017_2636_kernel", + "description": "Kernel vulnerable to local privilege escalation via n_hdlc module (CVE-2017-2636)", + "summary": "A vulnerability in the Linux kernel allowing local privilege escalation was discovered.\nThe issue was reported as [CVE-2017-2636](https://access.redhat.com/security/cve/CVE-2017-2636).\n", + "generic": "A use-after-free flaw was found in the Linux kernel implementation of the HDLC (High-Level Data Link Control) TTY line discipline implementation. It has been assigned CVE-2017-2636.\n\nAn unprivileged local user could use this flaw to execute arbitrary code in kernel memory and increase their privileges on the system. The kernel uses a TTY subsystem to take and show terminal output to connected systems. An attacker crafting specific-sized memory allocations could abuse this mechanism to place a kernel function pointer with malicious instructions to be executed on behalf of the attacker.\n\nAn attacker must have access to a local account on the system; this is not a remote attack. Exploiting this flaw does not require Microgate or SyncLink hardware to be in use.\n\nRed Hat recommends that you use the proposed mitigation to disable the N_HDLC module.\n", + "reason": "

A use-after-free flaw was found in the Linux kernel implementation of the HDLC (High-Level Data Link Control) TTY line discipline implementation.

\n

This host is affected because it is running kernel 3.10.0-327.el7.

\n", + "type": null, + "more_info": "* For more information about the flaw, see [CVE-2017-2636](https://access.redhat.com/security/cve/CVE-2017-2636) and [CVE-2017-2636 article](https://access.redhat.com/security/vulnerabilities/CVE-2017-2636).\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n", + "active": true, + "node_id": null, + "category": "Security", + "retired": false, + "reboot_required": false, + "publish_date": "2017-05-16T12:00:00.000Z", + "rec_impact": 2, + "rec_likelihood": 2, + "resolution": "

Red Hat recommends updating the kernel package and rebooting the system.

\n
# yum update kernel\n# reboot\n

Alternatively, apply one of the following mitigations:

\n

Disable loading of N_HDLC kernel module:

\n
# echo "install n_hdlc /bin/true" >> /etc/modprobe.d/disable-n_hdlc.conf\n
" + }, + "maintenance_actions": [{ + "done": false, + "id": 305275, + "maintenance_plan": { + "maintenance_id": 29315, + "name": "RHEL Demo Infrastructure", + "description": null, + "start": null, + "end": null, + "created_by": "$READACTED$", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null, + "allow_reboot": true + } + }, { + "done": false, + "id": 308675, + "maintenance_plan": { + "maintenance_id": 29335, + "name": "RHEL Demo All Systems", + "description": null, + "start": null, + "end": null, + "created_by": "$READACTED$", + "silenced": false, + "hidden": false, + "suggestion": null, + "remote_branch": null, + "allow_reboot": true + } + }] + }, { + "details": { + "kvr": "3.10.0-327.el7", + "error_key": "IPMI_LIST_CORRUPTION_CRASH" + }, + "id": 955826995, + "rule_id": "ipmi_list_corruption_crash|IPMI_LIST_CORRUPTION_CRASH", + "system_id": "11111111-1111-1111-1111-111111111111", + "account_number": "1111111", + "uuid": "11111111111111111111111111111111", + "date": "2017-07-21T07:07:29.000Z", + "rule": { + "summary_html": "

Kernel occasionally panics when running ipmitool command due to a bug in the ipmi message handler.

\n", + "generic_html": "

Kernel occasionally panics when running ipmitool due to a bug in the ipmi message handler.

\n", + "more_info_html": "

For how to upgrade the kernel to a specific version, refer to How do I upgrade the kernel to a particular version manually?.

\n", + "severity": "WARN", + "ansible": false, + "ansible_fix": false, + "ansible_mitigation": false, + "rule_id": "ipmi_list_corruption_crash|IPMI_LIST_CORRUPTION_CRASH", + "error_key": "IPMI_LIST_CORRUPTION_CRASH", + "plugin": "ipmi_list_corruption_crash", + "description": "Kernel panic occurs when running ipmitool command with specific kernels", + "summary": "Kernel occasionally panics when running `ipmitool` command due to a bug in the ipmi message handler.\n", + "generic": "Kernel occasionally panics when running `ipmitool` due to a bug in the ipmi message handler.\n", + "reason": "

This host is running kernel 3.10.0-327.el7 with the IPMI management tool installed.\nKernel panics can occur when running ipmitool.

\n", + "type": null, + "more_info": "For how to upgrade the kernel to a specific version, refer to [How do I upgrade the kernel to a particular version manually?](https://access.redhat.com/solutions/161803).\n", + "active": true, + "node_id": "2690791", + "category": "Stability", + "retired": false, + "reboot_required": true, + "publish_date": null, + "rec_impact": 3, + "rec_likelihood": 1, + "resolution": "

Red Hat recommends that you complete the following steps to fix this issue:

\n
    \n\n
  1. Upgrade kernel to the version 3.10.0-327.36.1.el7 or later:
  2. \n\n\n# yum update kernel\n\n
  3. Restart the host with the new kernel.
  4. \n\n# reboot\n\n
\n"
+ },
+ "maintenance_actions": [{
+ "done": false,
+ "id": 305285,
+ "maintenance_plan": {
+ "maintenance_id": 29315,
+ "name": "RHEL Demo Infrastructure",
+ "description": null,
+ "start": null,
+ "end": null,
+ "created_by": "$READACTED$",
+ "silenced": false,
+ "hidden": false,
+ "suggestion": null,
+ "remote_branch": null,
+ "allow_reboot": true
+ }
+ }, {
+ "done": false,
+ "id": 310145,
+ "maintenance_plan": {
+ "maintenance_id": 29335,
+ "name": "RHEL Demo All Systems",
+ "description": null,
+ "start": null,
+ "end": null,
+ "created_by": "$READACTED$",
+ "silenced": false,
+ "hidden": false,
+ "suggestion": null,
+ "remote_branch": null,
+ "allow_reboot": true
+ }
+ }]
+ }]
+}
diff --git a/awx/main/tests/data/insights.py b/awx/main/tests/data/insights.py
new file mode 100644
index 0000000000..325dff7ba8
--- /dev/null
+++ b/awx/main/tests/data/insights.py
@@ -0,0 +1,9 @@
+import json
+import os
+
+
+dir_path = os.path.dirname(os.path.realpath(__file__))
+
+with open(os.path.join(dir_path, 'insights.json')) as data_file:
+ TEST_INSIGHTS_PLANS = json.loads(data_file.read())
+
diff --git a/awx/main/tests/unit/utils/test_insights.py b/awx/main/tests/unit/utils/test_insights.py
new file mode 100644
index 0000000000..fe160e666f
--- /dev/null
+++ b/awx/main/tests/unit/utils/test_insights.py
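Review bot: `json.loads(data_file.read())` in the fixture loader reads the whole file into a string only to parse it; `TEST_INSIGHTS_PLANS = json.load(data_file)` does the same work in one step and is the idiomatic form. The module also parses the fixture at import time, so a malformed `insights.json` surfaces as an import error in every test module that imports this package rather than as one failing assertion; that is acceptable for a small fixture, but a one-line comment such as `# Parsed once at import; keep insights.json small and valid.` would make the trade-off explicit.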
@@ -0,0 +1,24 @@
+# Copyright (c) 2017 Ansible Tower by Red Hat
+# All Rights Reserved.
+
+
+from awx.main.utils.insights import filter_insights_api_response
+from awx.main.tests.data.insights import TEST_INSIGHTS_PLANS
+
+
+def test_filter_insights_api_response():
+ actual = filter_insights_api_response(TEST_INSIGHTS_PLANS)
+
+ assert actual['last_check_in'] == '2017-07-21T07:07:29.000Z'
+ assert len(actual['reports']) == 9
+ assert actual['reports'][0]['maintenance_actions'][0]['maintenance_plan']['name'] == "RHEL Demo Infrastructure"
+ assert actual['reports'][0]['maintenance_actions'][0]['maintenance_plan']['maintenance_id'] == 29315
+ assert actual['reports'][0]['rule']['severity'] == 'ERROR'
+ assert actual['reports'][0]['rule']['description'] == 'Remote code execution vulnerability in libresolv via crafted DNS response (CVE-2015-7547)'
+ assert actual['reports'][0]['rule']['category'] == 'Security'
+ assert actual['reports'][0]['rule']['summary'] == ("A critical security flaw in the `glibc` library was found. "
+ "It allows an attacker to crash an application built against "
+ "that library or, potentially, execute arbitrary code with "
+ "privileges of the user running the application.")
+ assert actual['reports'][0]['rule']['ansible_fix'] is False
+
diff --git a/awx/main/utils/insights.py b/awx/main/utils/insights.py
new file mode 100644
index 0000000000..5bca633b3f
--- /dev/null
+++ b/awx/main/utils/insights.py
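Review bot: The test only checks that the kept fields survive; it never asserts that anything was removed, which is the property `filter_insights_api_response` exists to provide (the fixture carries `system_id`, `account_number`, `hostname` and plan `created_by` values that the UI does not need). Add negative assertions that pin the allow-list, e.g. `assert set(actual) == {'last_check_in', 'reports'}`, `assert set(actual['reports'][0]) == {'rule', 'maintenance_actions'}` and `assert set(actual['reports'][0]['maintenance_actions'][0]['maintenance_plan']) == {'name', 'maintenance_id'}`, so that a later change that widens the filter fails here rather than silently re-exposing those fields. The expected `severity == 'ERROR'`, the CVE-2015-7547 description and the nine-report count come from a part of the fixture outside this view, so I could not confirm them against the data.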
@@ -0,0 +1,42 @@
+# Copyright (c) 2017 Ansible Tower by Red Hat
+# All Rights Reserved.
+
+
+def filter_insights_api_response(json):
+ new_json = {}
+ '''
+ 'last_check_in',
+ 'reports.[].rule.severity',
+ 'reports.[].rule.description',
+ 'reports.[].rule.category',
+ 'reports.[].rule.summary',
+ 'reports.[].rule.ansible_fix',
+ 'reports.[].maintenance_actions.[].maintenance_plan.name',
+ 'reports.[].maintenance_actions.[].maintenance_plan.maintenance_id',
+ '''
+
+ if 'last_check_in' in json:
+ new_json['last_check_in'] = json['last_check_in']
+ if 'reports' in json:
+ new_json['reports'] = []
+ for rep in json['reports']:
+ new_report = {
+ 'rule': {},
+ 'maintenance_actions': []
+ }
+ if 'rule' in rep:
+ for k in ['severity', 'description', 'category', 'summary', 'ansible_fix',]:
+ if k in rep['rule']:
+ new_report['rule'][k] = rep['rule'][k]
+
+ for action in rep.get('maintenance_actions', []):
+ new_action = {'maintenance_plan': {}}
+ if 'maintenance_plan' in action:
+ for k in ['name', 'maintenance_id']:
+ if k in action['maintenance_plan']:
+ new_action['maintenance_plan'][k] = action['maintenance_plan'][k]
+ new_report['maintenance_actions'].append(new_action)
+
+ new_json['reports'].append(new_report)
+ return new_json
+
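Review bot: The triple-quoted field list after `new_json = {}` is a bare string expression, not a docstring — it follows the first statement, so `help()` and tooling ignore it; move it above `new_json = {}` and open it with one sentence stating intent, e.g. `Return a copy of an Insights host response reduced to the fields the UI renders; everything else (account numbers, hostnames, plan owners, rule prose) is deliberately dropped, so extend the allow-lists below rather than passing keys through.` The parameter named `json` shadows the standard-library module name, and renaming it (e.g. `data`) is safe if callers pass it positionally. The function also assumes a JSON object: `'last_check_in' in json` is true for a string that merely contains that text, and the next line then raises `TypeError` out of the filter, so a guard such as `if not isinstance(json, dict): return {}` keeps a non-object upstream payload from escaping as an unhandled exception. Otherwise the explicit allow-list is the right shape for trimming a third-party response before it reaches the browser.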