
/*
 * dump-boilerplate.c --
 *
 *      Operations to dump security considerations boilerplates for SMI modules.
 *
 * Copyright (c) 2008 J. Schoenwaelder, Technical University of Braunschweig.
 *
 * See the file "COPYING" for information on usage and redistribution
 * of this file, and for a DISCLAIMER OF ALL WARRANTIES.
 *
 * @(#) $Id: dump-identifiers.c 5758 2006-08-16 21:10:05Z schoenw $
 */
#include <config.h>
#include <stdlib.h>
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <ctype.h>
#include <time.h>
#include "smi.h"
#include "smidump.h"
static int moduleLen = 0;      /* reset by dumpBoilerplate(); not read anywhere in this file */
static int identifierLen = 0;  /* length of the longest node name; field width for the "%-*s" node lists */
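/*
 * Node selector for the "read-write and/or read-create" template section:
 * a named node whose access is SMI_ACCESS_READ_WRITE.  (Whether libsmi folds
 * read-create into that access value is not visible here -- confirm in smi.h.)
 */
static int boilerplateWritable(const SmiNode *smiNode)
{
    return smiNode->name != NULL
	&& smiNode->access == SMI_ACCESS_READ_WRITE;
}

/*
 * Node selector for the "readable objects" template section: a named node
 * reachable via GET and/or NOTIFY, i.e. read-write, read-only or notify access.
 */
static int boilerplateReadable(const SmiNode *smiNode)
{
    if (!smiNode->name) {
	return 0;
    }
    return smiNode->access == SMI_ACCESS_READ_WRITE
	|| smiNode->access == SMI_ACCESS_READ_ONLY
	|| smiNode->access == SMI_ACCESS_NOTIFY;
}

/*
 * Print one "  <name> # explain sensitivity" line for every node of the modc
 * modules in modv that satisfies match, padded to identifierLen so the
 * markers line up, followed by one blank line per module (printed even when
 * the module contributed no node lines, as the original output did).
 */
static void fprintNodeList(FILE *f, int modc, SmiModule **modv,
			   int (*match)(const SmiNode *))
{
    SmiNode   *smiNode;
    int	      i;

    for (i = 0; i < modc; i++) {
	for (smiNode = smiGetFirstNode(modv[i], SMI_NODEKIND_ANY);
	     smiNode;
	     smiNode = smiGetNextNode(smiNode, SMI_NODEKIND_ANY)) {
	    if (match(smiNode)) {
		fprintf(f, "  %-*s # explain sensitivity\n",
			identifierLen, smiNode->name);
	    }
	}
	fprintf(f, "\n");
    }
}

/*
 * Write the security considerations boilerplate for the modc modules in modv
 * to f.  Lines starting with '#' are editing instructions for the document
 * author, not part of the final text.
 *
 * Three sections are emitted, chosen by what the modules define:
 *   - no readable or writable named nodes at all: the "textual conventions
 *     only" paragraph, and nothing else;
 *   - writable nodes present: the SET-operation paragraph plus a node list,
 *     otherwise the "no read-write/read-create objects" paragraph;
 *   - readable nodes present: the GET/NOTIFY paragraph, a node list and the
 *     closing SNMPv3 recommendation.
 *
 * Relies on identifierLen having been computed by the caller.
 */
static void fprintBoilerplate(FILE *f, int modc, SmiModule **modv)
{
    SmiNode   *smiNode;
    int	      i, roobjs = 0, rwobjs = 0;

    /* First pass: count nodes per category to decide which sections apply. */
    for (i = 0; i < modc; i++) {
	for (smiNode = smiGetFirstNode(modv[i], SMI_NODEKIND_ANY);
	     smiNode;
	     smiNode = smiGetNextNode(smiNode, SMI_NODEKIND_ANY)) {
	    if (boilerplateWritable(smiNode)) {
		rwobjs++;
	    }
	    if (boilerplateReadable(smiNode)) {
		roobjs++;
	    }
	}
    }

    if (roobjs == 0 && rwobjs == 0) {
	fprintf(f,
		"This module does not define any management objects.  Instead, it\n"
		"defines a set of textual conventions which may be used by other MIB\n"
		"modules to define management objects.\n"
		"\n"
		"Meaningful security considerations can only be written in the MIB\n"
		"modules that define management objects.  This document has therefore\n"
		"no impact on the security of the Internet.\n");
	return;
    }

    if (rwobjs) {
	fprintf(f,
		"# if you have any read-write and/or read-create objects, please\n"
		"# describe their specific sensitivity or vulnerability.\n"
		"# RFC 2669 has a very good example.\n"
		"\n"
		"There are a number of management objects defined in this MIB module\n"
		"with a MAX-ACCESS clause of read-write and/or read-create.  Such\n"
		"objects may be considered sensitive or vulnerable in some network\n"
		"environments.  The support for SET operations in a non-secure\n"
		"environment without proper protection can have a negative effect on\n"
		"network operations.  These are the tables and objects and their\n"
		"sensitivity/vulnerability:\n"
		"\n");
	fprintNodeList(f, modc, modv, boilerplateWritable);
    } else {
	fprintf(f,
		"There are no management objects defined in this MIB module that have\n"
		"a MAX-ACCESS clause of read-write and/or read-create.  So, if this\n"
		"MIB module is implemented correctly, then there is no risk that an\n"
		"intruder can alter or create any management objects of this MIB\n"
		"module via direct SNMP SET operations.\n"
		"\n");
    }

    if (roobjs) {
	fprintf(f,
		"# for all MIB modules you must evaluate whether any readable objects\n"
		"# are sensitive or vulnerable (for instance, if they might reveal\n"
		"# customer information or violate personal privacy laws such as\n"
		"# those of the European Union if exposed to unathorized parties)\n"
		"\n"
		"Some of the readable objects in this MIB module (i.e., objects with a\n"
		"MAX-ACCESS other than not-accessible) may be considered sensitive or\n"
		"vulnerable in some network environments.  It is thus important to\n"
		"control even GET and/or NOTIFY access to these objects and possibly\n"
		"to even encrypt the values of these objects when sending them over\n"
		"the network via SNMP.  These are the tables and objects and their\n"
		"sensitivity/vulnerability:\n"
		"\n");

	fprintNodeList(f, modc, modv, boilerplateReadable);

	fprintf(f,
		"SNMP versions prior to SNMPv3 did not include adequate security.\n"
		"Even if the network itself is secure (for example by using IPsec),\n"
		"even then, there is no control as to who on the secure network is\n"
		"allowed to access and GET/SET (read/change/create/delete) the objects\n"
		"in this MIB module.\n"
		"\n"
		"It is RECOMMENDED that implementers consider the security features as\n"
		"provided by the SNMPv3 framework (see [RFC3410], section 8),\n"
		"including full support for the SNMPv3 cryptographic mechanisms (for\n"
		"authentication and privacy).\n"
		"\n"
		"Further, deployment of SNMP versions prior to SNMPv3 is NOT\n"
		"RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to\n"
		"enable cryptographic security.  It is then a customer/operator\n"
		"responsibility to ensure that the SNMP entity giving access to an\n"
		"instance of this MIB module is properly configured to give access to\n"
		"the objects only to those principals (users) that have legitimate\n"
		"rights to indeed GET or SET (change/create/delete) them.\n"
		"\n");
    }
}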
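/*
 * smidump driver entry point for the "boilerplate" format.
 *
 * Writes a security considerations boilerplate for the modc modules in modv,
 * either as one united text (SMIDUMP_FLAG_UNITE) or one text per module, to
 * the file named by output, or to stdout when output is NULL.  Unless
 * SMIDUMP_FLAG_SILENT is set, each text is preceded by a "# ..." header and,
 * if SMIDUMP_FLAG_ERROR is set, by a warning that the parser reported errors.
 *
 * On any I/O failure (open, write, or final close) an error is reported on
 * stderr and the process exits with status 1.
 *
 * Side effects: resets the file-scope moduleLen and sets identifierLen to the
 * longest node name, which fprintBoilerplate() uses as its column width.
 */
static void dumpBoilerplate(int modc, SmiModule **modv, int flags,
			    char *output)
{
    SmiNode   *smiNode;
    int	      i;
    FILE      *f = stdout;

    if (output) {
	f = fopen(output, "w");
	if (!f) {
	    fprintf(stderr, "smidump: cannot open %s for writing: ", output);
	    perror(NULL);
	    exit(1);
	}
    }

    /* Column width for the node lists: length of the longest node name. */
    moduleLen = 0;
    identifierLen = 0;
    for (i = 0; i < modc; i++) {
	for (smiNode = smiGetFirstNode(modv[i], SMI_NODEKIND_ANY);
	     smiNode;
	     smiNode = smiGetNextNode(smiNode, SMI_NODEKIND_ANY)) {
	    if (smiNode->name) {
		size_t len = strlen(smiNode->name);
		/* identifierLen is never negative here, so the widening cast is exact. */
		if (len > (size_t) identifierLen) {
		    identifierLen = (int) len;
		}
	    }
	}
    }

    if (flags & SMIDUMP_FLAG_UNITE) {

	if (! (flags & SMIDUMP_FLAG_SILENT)) {
	    fprintf(f, "# united security considerations boilerplate (generated by smidump "
		    SMI_VERSION_STRING ")\n\n");
	}

	if (! (flags & SMIDUMP_FLAG_SILENT) && (flags & SMIDUMP_FLAG_ERROR)) {
	    fprintf(f, "# WARNING: this output may be incorrect due to "
		    "significant parse errors\n\n");
	}

	fprintBoilerplate(f, modc, modv);

    } else {

	for (i = 0; i < modc; i++) {

	    if (! (flags & SMIDUMP_FLAG_SILENT)) {
		fprintf(f, "# %s security considerations boilerplate (generated by smidump "
			SMI_VERSION_STRING ")\n\n",
			modv[i]->name);
	    }

	    if (! (flags & SMIDUMP_FLAG_SILENT) && (flags & SMIDUMP_FLAG_ERROR)) {
		fprintf(f, "# WARNING: this output may be incorrect due to "
			"significant parse errors\n\n");
	    }

	    /* One boilerplate per module: pass a one-element module vector. */
	    fprintBoilerplate(f, 1, &(modv[i]));
	}
    }

    if (fflush(f) || ferror(f)) {
	perror("smidump: write error");
	exit(1);
    }

    /*
     * fclose() on a write stream can itself fail even after a successful
     * fflush(); a silently dropped return value would leave a truncated
     * output file unreported.
     */
    if (output && fclose(f) != 0) {
	perror("smidump: write error");
	exit(1);
    }
}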
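/*
 * Register the "boilerplate" output driver with smidump.
 *
 * The driver descriptor is a function-scope static rather than an automatic
 * object, presumably because smidumpRegisterDriver() retains the pointer it
 * is given (confirm in smidump.c) -- a stack object would dangle.
 */
void initBoilerplate(void)
{
    static SmidumpDriver driver = {
	"boilerplate",			/* driver name as selected on the command line */
	dumpBoilerplate,		/* dump entry point */
	SMI_FLAG_NODESCR,		/* parser flags; meaning per smi.h */
	0,
	"generate security considerations boilerplate text",	/* help text */
	NULL,
	NULL
    };

    smidumpRegisterDriver(&driver);
}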