Analyzing apache

audit/system/plugins/apache.py

@@ -1,10 +1,17 @@
 #!/usr/bin/env python3
 
-def apache() -> list:
-    ssl = list()
+def apache_protocols() -> dict:
+    ssl = dict()
 
     # Check if apaches has disabled the bad SSL/TLS version
-
+    ssl["description"] = "Disable deprecated SSL/TLS versions"
+    ssl["level"] = "high"
+    ssl["protocols"] = list()
+    # https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html
+    ssl["protocols"].append("-TLSv1")
+    ssl["protocols"].append("-TLSv1.1")
+    ssl["protocols"].append("-SSLv3")
+    ssl["recommand_value"] = "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1"
 
     return ssl
 

core/plugins/apache.py

@@ -3,12 +3,12 @@
 import re
 from os import listdir
 from os.path import isdir
-from audit.system.plugins.apache import apache
+from audit.system.plugins.apache import apache_protocols
 
 
 class Apache:
     def __init__(self, arguments):
-        self._objects = apache()
+        self._ssl_versions = apache_protocols()
         self._reports = dict()
         self._apache_directory = arguments["apache_directory"]
 
@@ -20,12 +20,12 @@ class Apache:
 
     def runAudit(self):
         print("Running test for Apache")
-        self._runParsing()
+        self._analyzingSslVersion()
 
     def getReports(self) -> dict:
         return self._reports
 
-    def _runParsing(self):
+    def _analyzingSslVersion(self):
         # Check if the file exist
         path = f"{self._apache_directory}/sites-available"
         if isdir(path):
@@ -37,6 +37,8 @@ class Apache:
             self._reports['audit'] = False
             self._reports["msg"] = "No directory found"
 
+        print(self._reports)
+
     def _parseFile(self, fdata):
         data = fdata.read()
         lines = data.splitlines()
@@ -47,7 +49,40 @@ class Apache:
             # check if SSL is enable for the VirtualHost
             grSSLEngine = re.search("SSLEngine on", line)
             if grSSLEngine:
+                self._check_ssl_version(lines)
+
+    def _check_ssl_version(self, lines):
+        findProtocol = False
+        protocolsFound = list()
+        for line in lines:
+            line = line.decode("utf-8")
+
+            grSSLProtocol = re.search("SSLProtocol", line)
+            if grSSLProtocol:
+                for protocol in self._ssl_versions["protocols"]:
+                    if protocol in line:
                         print(line)
+                        protocolsFound.append(protocol)
+                        findProtocol = True
+
+        print(protocolsFound)
+
+        if len(self._ssl_versions) == len(protocolsFound):
+            print("Success")
+        else:
+            print("Failed")
+
+        if findProtocol:
+            self._reports["ssl"]["result"] = "success"
+        else:
+            self._reports["ssl"]["result"] = "failed"
+
+        
+        self._reports["ssl"]["description"] = \
+            self._ssl_versions["description"]
+        self._reports["ssl"]["level"] = self._ssl_versions["level"]
+        self._reports["ssl"]["recommand_value"] = \
+            self._ssl_versions["recommand_value"]
 
     def _check_value_exist(self, line, value) -> bool:
         grValue = re.search(value, line)
@@ -66,4 +101,4 @@ class Apache:
               - description: description of the vulnerability
               - level: high, medium or low
         """
-        self._reports['apache'] = dict()
+        self._reports['ssl'] = dict()