Merge pull request #27 from Wenzel/checksec_stats_seaborn

Checksec stats

Author: Wenzel

README.md

@@ -96,9 +96,27 @@ available on `pip`.
 Follow the instructions in the `db` directory to run a it inside a docker
 container.
 
+## VM setup
+
+OSWatcher works on VMs stored in `libvirt`, either via `qemu:///session`
+or `qemu:///system`.
+
+Note: `qemu:///session` is recommended as it requires less permission
+and should work without further configuration.
+
+The only setup required is to specify a `release_date` in `JSON` format, so that
+the capture tool can insert this information in the database as well.
+
+-> In the VM XML `<description>` field, add the following content:
+~~~JSON
+{"release_date": "2012-04-01"}
+~~~
+
+You can use edit `virsh edit <domain>` or `virt-manager` tool which should be easier.
+
 ## Usage
 
-The VM name will be searched via `Libvirt`.
+Start the capture tool on a `VM` and specify the hooks configuration.
 
 ~~~
 (venv) $ python -m oswatcher <vm_name> hooks.json

apps/checksec_stats.py

@@ -1,25 +1,38 @@
 #!/usr/bin/env python3
 
 """
-Usage: script.py [options] <os>
+Usage:
+    script.py --list
+    script.py [options] <os_regex>
 
 Options:
     -h --help                       Display this message
+    -l --list                       List available OS in the database
     -d --debug                      Enable debug output
 """
 
 
 import sys
 import logging
+from datetime import datetime
 from collections import Counter
 
+import matplotlib
+import matplotlib.pyplot as plt
+import seaborn as sns
+import pandas as pd
 from docopt import docopt
 from py2neo import Graph
 
 from oswatcher.model import OS
 
 DB_PASSWORD = "admin"
-
+PROTECTIONS = ['relro', 'canary', 'nx', 'fortify_source', 'rpath', 'runpath', 'symtables']
+OS_CHECKSEC_QUERY = """
+MATCH (os:OS)-[:OWNS_FILESYSTEM]->(root:Inode)-[:HAS_CHILD*]->(i:Inode)
+WHERE os.name = '{}' AND i.checksec = True
+RETURN i
+"""
 
 def init_logger(debug=False):
     logging_level = logging.INFO
@@ -37,41 +50,75 @@ def main(args):
     logging.info('connect to Neo4j DB')
     graph = Graph(password=DB_PASSWORD)
 
-    os_name = args['<os>']
-    os =  OS.match(graph).where("_.name = '{}'".format(os_name)).first()
-    if os is None:
-        logging.info('unable to find OS %s in the database', os_name)
+    # list ?
+    if args['--list']:
         logging.info('available operating systems:')
         for os in OS.match(graph):
-            logging.info('⭢ %s', os.name)
+            logging.info('\t%s', os.name)
+        return
+
+    os_regex = args['<os_regex>']
+    os_match = OS.match(graph).where("_.name =~ '{}'".format(os_regex))
+    if os_match is None:
+        logging.info('unable to find OS that matches \'%s\' regex in the database', os_regex)
         return 1
 
-    # TODO translate to py2neo API
-    checksec_inodes = graph.run("MATCH (os:OS)-[:OWNS_FILESYSTEM]->(root:Inode)-[:HAS_CHILD*]->(i:Inode) WHERE os.name = 'ubuntu16.04' AND i.checksec = True return i")
-    c = Counter()
-    for node in checksec_inodes:
-        inode = node['i']
-        logging.debug('%s: %s', inode['name'], inode['mime_type'])
-        c['total'] += 1
-        if inode['relro']:
-            c['relro'] += 1
-        if inode['canary']:
-            c['canary'] += 1
-        if inode['nx']:
-            c['nx'] += 1
-        if inode['rpath']:
-            c['rpath'] += 1
-        if inode['runpath']:
-            c['runpath'] += 1
-        if inode['symtables']:
-            c['symtables'] += 1
-        if inode['fortify_source']:
-            c['fortify_source'] += 1
-
-    logging.info('Results for %s', os.name)
-    logging.info('Total binaries: %d', c['total'])
-    for feature in ['relro', 'canary', 'nx', 'rpath', 'runpath', 'symtables', 'fortify_source']:
-        logging.info('%s: %.1f%%', feature, c[feature] * 100 / c['total'])
+    os_df_list = []
+    # iterate over OS list, sorted by release date, converted from string to date object
+    for os in sorted(os_match, key=lambda x: datetime.strptime(x.release_date, '%Y-%m-%d')):
+        # TODO translate to py2neo API
+        checksec_inodes = graph.run(OS_CHECKSEC_QUERY.format(os.name))
+        c = Counter()
+        for node in checksec_inodes:
+            inode = node['i']
+            logging.debug('%s: %s', inode['name'], inode['mime_type'])
+            c['total'] += 1
+            if inode['relro']:
+                c['relro'] += 1
+            if inode['canary']:
+                c['canary'] += 1
+            if inode['nx']:
+                c['nx'] += 1
+            if inode['rpath']:
+                c['rpath'] += 1
+            if inode['runpath']:
+                c['runpath'] += 1
+            if inode['symtables']:
+                c['symtables'] += 1
+            if inode['fortify_source']:
+                c['fortify_source'] += 1
+
+        logging.info('Results for %s', os.name)
+        logging.info('Total binaries: %d', c['total'])
+        for feature in PROTECTIONS:
+            logging.info('%s: %.1f%%', feature, c[feature] * 100 / c['total'])
+
+        # fix matplotlib, uses agg by default, non-gui backend
+        matplotlib.use('tkagg')
+        sns.set_style('whitegrid')
+
+        per_data = []
+        for feature in PROTECTIONS:
+            value = c[feature] * 100 / c['total']
+            per_data.append(value)
+        # initialize OS Panda DataFrame
+        df = pd.DataFrame({'Protections': PROTECTIONS, 'Percentage': per_data, 'OS': os.name})
+        os_df_list.append(df)
+
+    # concatenate all the individual DataFrames
+    main_df = pd.concat(os_df_list, ignore_index=True)
+
+    logging.info('Displaying results...')
+    if len(os_df_list) == 1:
+        ax = sns.barplot(x="Protections", y="Percentage", data=main_df)
+        ax.set_title('{} binary security overview'.format(os_regex))
+    else:
+        ax = sns.barplot(x="Protections", y="Percentage", hue="OS", data=main_df)
+        ax.set_title('binary security overview for regex "{}"'.format(os_regex))
+    # show plot
+    plt.legend(loc='upper right')
+    plt.show()
+
 
 if __name__ == '__main__':
     args = docopt(__doc__)

hooks/system.py

@@ -1,5 +1,8 @@
 # sys
 import logging
+import json
+from datetime import datetime
+import xml.etree.ElementTree as ET
 
 # local
 from oswatcher.model import OS
@@ -23,7 +26,18 @@ def __init__(self, parameters):
         self.context.subscribe('protocol_end', self.insert_operating_system)
 
     def build_operating_system(self, event):
-        self.os = OS(self.domain_name)
+        xml = self.context.domain.XMLDesc()
+        root = ET.fromstring(xml)
+        # find description
+        elems = root.findall('./description')
+        if not elems:
+            raise RuntimeError('could not find description in XML, it contains the metadata !')
+        desc = elems[0]
+        try:
+            metadata = json.loads(desc.text)
+        except json.JSONDecodeError:
+            raise RuntimeError('Could not load JSON metadata')
+        self.os = OS(self.domain_name, metadata['release_date'])
 
     def add_filesystem(self, event):
         logging.info('Adding root filesystem to OS node')

oswatcher/capture.py

@@ -9,6 +9,7 @@
 from tempfile import NamedTemporaryFile, TemporaryDirectory, gettempdir
 
 # local
+from oswatcher.model import OS
 from oswatcher.utils import get_hard_disk
 
 # 3rd
@@ -21,6 +22,12 @@
 __SCRIPT_DIR = os.path.dirname(os.path.realpath(sys.argv[0]))
 DB_PASSWORD = "admin"
 DESKTOP_READY_DELAY = 180
+SUBGRAPH_DELETE_OS = """
+MATCH (o:OS)-[*0..]-(x)
+WHERE o.name = "{}"
+WITH DISTINCT x
+DETACH DELETE x
+"""
 
 
 class QEMUDomainContextFactory(QEMUContextFactory):
@@ -85,10 +92,11 @@ def protocol(environement):
 
 
 def init_logger(debug=False):
+    formatter = "%(asctime)s;%(levelname)s;%(message)s"
     logging_level = logging.INFO
     if debug:
         logging_level = logging.DEBUG
-    logging.basicConfig(level=logging_level)
+    logging.basicConfig(level=logging_level, format=formatter)
     # suppress annoying log output
     logging.getLogger("httpstream").setLevel(logging.WARNING)
     logging.getLogger("neo4j.bolt").setLevel(logging.WARNING)
@@ -105,7 +113,7 @@ def main(args):
     hooks_config = {}
     with open(hooks_config_path) as f:
         hooks_config = json.load(f)
-    logging.info('connect to Neo4j DB')
+    logging.info('Connect to Neo4j DB')
     graph = Graph(password=DB_PASSWORD)
 
     if 'configuration' not in hooks_config:
@@ -123,12 +131,36 @@ def main(args):
     hooks_config['configuration']['debug'] = debug
 
     # delete entire graph ?
-    if "delete" in hooks_config['configuration']:
-        logging.info("Deleting all nodes in graph database")
-        graph.delete_all()
-        # reset GraphQL IDL
-        graph.run("CALL graphql.idl(null)")
+    try:
+        delete = hooks_config['configuration']['delete']
+    except KeyError:
+        pass
+    else:
+        if delete:
+            logging.info("Deleting all nodes in graph database")
+            graph.delete_all()
+            # reset GraphQL IDL
+            graph.run("CALL graphql.idl(null)")
+
+    # replace existing OS ?
+    os_match = OS.match(graph).where("_.name = '{}'".format(vm_name))
+    try:
+        replace = hooks_config['configuration']['replace']
+    except KeyError:
+        # assume replace = False
+        if os_match.first():
+            logging.info('OS already inserted, exiting')
+            return
+    else:
+        if not replace and os_match.first():
+            logging.info('OS already inserted, exiting')
+            return
+        elif os_match.first():
+            # replace = True and an OS already exists
+            logging.info('Deleting previous OS')
+            graph.run(SUBGRAPH_DELETE_OS.format(vm_name))
 
     with QEMUDomainContextFactory(vm_name, uri) as context:
         with Environment(context, hooks_config) as environment:
+            logging.info('Capturing %s', vm_name)
             protocol(environment)

oswatcher/model.py

@@ -6,12 +6,14 @@
 
 class OS(GraphObject):
 
-    def __init__(self, name):
+    def __init__(self, name, release_date):
         super().__init__()
         self.name = name
+        self.release_date = release_date
 
     # properties
     name = Property()
+    release_date = Property()
 
     # relationships
     root_fileystem = RelatedTo("Inode", "OWNS_FILESYSTEM")

packer-templates/import_libvirt.py

@@ -2,7 +2,7 @@
 
 """
 Usage:
-    import_libvirt.py [options] <disk_image>
+    import_libvirt.py [options] <disk_image>...
 
 Options:
     -h --help                   Show this screen.
@@ -36,14 +36,14 @@ def prepare_domain_xml(vm_name, osw_image_path):
         return domain_xml
 
 
-def setup_storage_pool(con, pool_name, pool_path):
+def setup_storage_pool(con, pool_name):
     # check for storage pool
     try:
         pool = con.storagePoolLookupByName(pool_name)
     except libvirt.libvirtError:
         # build oswatcher pool xml
         path_elem = tree.Element('path')
-        path_elem.text = str(pool_path)
+        path_elem.text = str(POOL_PATH)
         target_elem = tree.Element('target')
         target_elem.append(path_elem)
         name_elem = tree.Element('name')
@@ -62,7 +62,11 @@ def setup_storage_pool(con, pool_name, pool_path):
     if not pool.isActive():
         pool.build()
         pool.create()
-    return pool
+    xml = pool.XMLDesc()
+    root = tree.fromstring(xml)
+    path_elem = root.findall('./target/path')[0]
+    pool_path = Path(path_elem.text)
+    return pool, pool_path
 
 
 def append_qcow(disk_image):
@@ -71,7 +75,7 @@ def append_qcow(disk_image):
     return disk_image
 
 
-def setup_domain(con, vm_name, pool, disk_image, pool_path):
+def setup_domain(con, vm_name, pool, pool_path, disk_image):
     # check if domain is already defined
     domain_name = '{}-{}'.format(PREFIX, disk_image.stem)
     if not vm_name:
@@ -101,18 +105,20 @@ def main(args):
         log_level = logging.DEBUG
     logging.basicConfig(level=log_level, format='%(message)s')
 
-    disk_image = Path(args['<disk_image>']).absolute()
+    disk_image_list = args['<disk_image>']
     pool_name = args['--pool-name']
     vm_name = args['--vm-name']
     uri = args['--connection']
     con = libvirt.open(uri)
 
-    pool = setup_storage_pool(con, pool_name, POOL_PATH)
-    setup_domain(con, vm_name, pool, disk_image, POOL_PATH)
-    # remove output-qemu
-    logging.info('Removing output-qemu')
-    output_qemu_path = Path(SCRIPT_DIR / PACKER_OUTPUT_DIR)
-    shutil.rmtree(str(output_qemu_path))
+    for disk_image in disk_image_list:
+        disk_image = Path(disk_image).absolute()
+        pool, pool_path = setup_storage_pool(con, pool_name)
+        setup_domain(con, vm_name, pool, pool_path, disk_image)
+        # remove output-qemu
+        logging.info('Removing output-qemu')
+        output_qemu_path = Path(SCRIPT_DIR / PACKER_OUTPUT_DIR)
+        shutil.rmtree(str(output_qemu_path), ignore_errors=True)
 
 
 if __name__ == '__main__':

requirements.txt

@@ -2,3 +2,4 @@ docopt
 libvirt-python
 py2neo
 python-see
+seaborn