From 1dacb53dbc1e9a9d63431ecf1f972a141cbfc8ae Mon Sep 17 00:00:00 2001 From: Cayo Puigdefabregas Date: Thu, 26 Sep 2024 10:00:53 +0200 Subject: [PATCH] add hid to snapshot --- ID-workbench-script.py | 429 +++++++++++++++++++++++++++++++++++++++++ requirements.txt | 1 + 2 files changed, 430 insertions(+) create mode 100644 ID-workbench-script.py diff --git a/ID-workbench-script.py b/ID-workbench-script.py new file mode 100644 index 0000000..81df698 --- /dev/null +++ b/ID-workbench-script.py @@ -0,0 +1,429 @@ +# -*- coding: utf-8 -*- + +import os +import json +import uuid +import hashlib +import argparse +import configparser + +import ntplib +import requests + + +from datetime import datetime +from dmidecode import DMIParse + + +CHASSIS_DH = { + 'Tower': {'desktop', 'low-profile', 'tower', 'server'}, + 'Docking': {'docking'}, + 'AllInOne': {'all-in-one'}, + 'Microtower': {'mini-tower', 'space-saving', 'mini'}, + 'PizzaBox': {'pizzabox'}, + 'Lunchbox': {'lunchbox'}, + 'Stick': {'stick'}, + 'Netbook': {'notebook', 'sub-notebook'}, + 'Handheld': {'handheld'}, + 'Laptop': {'portable', 'laptop'}, + 'Convertible': {'convertible'}, + 'Detachable': {'detachable'}, + 'Tablet': {'tablet'}, + 'Virtual': {'_virtual'}, +} + + +def logs(f): + def wrapper(*args, **kwargs): + try: + return f(*args, **kwargs) + except Exception as err: + print("WARNING!! {}".format(err)) + return '' + + return wrapper + + +## Utility Functions for find ID ## +def get_network_cards(child, nets): + if child['id'] == 'network': + nets.append(child) + if child.get('children'): + [get_network_cards(x, nets) for x in child['children']] + +@logs +def get_mac(lshw): + nets = [] + get_network_cards(json.loads(lshw), nets) + nets_sorted = sorted(nets, key=lambda x: x['businfo']) + + if nets_sorted: + return nets_sorted[0]['serial'] + + +def get_chassis(dmi): + chassis = dmi.get("Chassis")[0].get("Type", '_virtual') + lower_type = chassis.lower() + for k, v in CHASSIS_DH.items(): + if lower_type in v: + return k + return "n/a" + + +def get_hid(snapshot): + dmidecode_raw = snapshot["data"]["dmidecode"] + dmi = DMIParse(dmidecode_raw) + + manufacturer = dmi.manufacturer().strip() + model = dmi.model().strip() + chassis = get_chassis(dmi) + serial_number = dmi.serial_number() + sku = dmi.get("System")[0].get("SKU Number", "n/a").strip() + + if not snapshot["data"].get('lshw'): + hid = f"{manufacturer}{model}{chassis}{serial_number}{sku}" + return hashlib.sha3_256(hid.encode()).hexdigest() + + lshw = snapshot["data"]["lshw"] + # mac = get_mac2(hwinfo_raw) or "" + mac = get_mac(lshw) or "" + if not mac: + print("WARNING!! No there are MAC address") + + print(f"{manufacturer}{model}{chassis}{serial_number}{sku}{mac}") + + hid = f"{manufacturer}{model}{chassis}{serial_number}{sku}{mac}" + hashid = hashlib.sha3_256(hid.encode()).hexdigest() + print(hashid) + + return hashid + + +## Utility Functions ## + +@logs +def exec_cmd(cmd): + return os.popen(cmd).read() + +@logs +def exec_cmd_erase(cmd): + print(cmd) + return '' + # return os.popen(cmd).read() + + +def gen_code(): + uid = str(uuid.uuid4()).encode('utf-8') + return hashlib.shake_256(uid).hexdigest(3) + +## End Utility functions ## + + +SNAPSHOT_BASE = { + 'timestamp': str(datetime.now()), + 'type': 'Snapshot', + 'uuid': str(uuid.uuid4()), + 'code': gen_code(), + 'software': "EreuseWorkbench", + 'version': "0.0.1", + 'data': {}, + 'erase': [] +} + + +## Command Functions ## +## Erase Functions ## +## Xavier Functions ## +def erase_basic(disk): + """ + Basic Erasure + https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=917935 + + Settings for basic data erasure using shred Linux command. + A software-based fast non-100%-secured way of erasing data storage. + + Performs 1 pass overwriting one round using all zeros. + Compliant with NIST SP-800-8y8. + + In settings appear: + + WB_ERASE = EraseBasic + WB_ERASE_STEPS = 1 + WB_ERASE_LEADING_ZEROS = False + + """ + cmd = f'shred -vn 1 /dev/{disk}' + return [exec_cmd_erase(cmd)] + + +def erase_baseline(disk): + """ + Baseline Secure Erasure + Settings for advanced data erasure using badblocks Linux software. + A secured-way of erasing data storages, erase hidden areas, + checking the erase sector by sector. + + Performs 1 pass overwriting each sector with zeros and a final verification. + Compliant with HMG Infosec Standard 5 Baseline. + + In settings appear: + + WB_ERASE = EraseSectors + WB_ERASE_STEPS = 1 + WB_ERASE_LEADING_ZEROS = True + + WB_ERASE_1_METHOD = EraseBasic + WB_ERASE_1_STEP_TYPE = 0 + WB_ERASE_2_METHOD = EraseSectors + WB_ERASE_2_STEP_TYPE = 1 + """ + result = [] + cmd = f'shred -zvn 0 /dev/{disk}' + result.append(exec_cmd_erase(cmd)) + cmd = f'badblocks -st random -w /dev/{disk}' + result.append(exec_cmd_erase(cmd)) + return result + + +def erase_enhanced(disk): + """ + Enhanced Secure Erasure + Settings for advanced data erasure using badblocks Linux software. + A secured-way of erasing data storages, erase hidden areas, + checking the erase sector by sector. + + Performs 3 passes overwriting every sector with zeros and ones, + and final verification. Compliant with HMG Infosec Standard 5 Enhanced. + + In settings appear: + + WB_ERASE = EraseSectors + WB_ERASE_LEADING_ZEROS = True + + WB_ERASE_1_METHOD = EraseBasic + WB_ERASE_1_STEP_TYPE = 1 + WB_ERASE_2_METHOD = EraseBasic + WB_ERASE_2_STEP_TYPE = 0 + WB_ERASE_3_METHOD = EraseSectors + WB_ERASE_3_STEP_TYPE = 1 + """ + result = [] + cmd = f'shred -vn 1 /dev/{disk}' + result.append(exec_cmd_erase(cmd)) + cmd = f'shred -zvn 0 /dev/{disk}' + result.append(exec_cmd_erase(cmd)) + ## creo que realmente seria asi (3 pases y una extra poniendo a ceros): + # shred -zvn 3 /def/{disk} + # tampoco estoy seguro que el badblocks haga un proceso de verificacion. + cmd = f'badblocks -st random -w /dev/{disk}' + result.append(exec_cmd_erase(cmd)) + return result + +## End Xavier Functions ## + +def ata_secure_erase_null(disk): + cmd_baseline = f'hdparm --user-master u --security-erase NULL /dev/{disk}' + return [exec_cmd_erase(cmd_baseline)] + + +def ata_secure_erase_enhanced(disk): + cmd_enhanced = f'hdparm --user-master u --security-erase-enhanced /dev/{disk}' + return [exec_cmd_erase(cmd_enhanced)] + + +def nvme_secure_erase(disk): + cmd_encrypted = f'nvme format /dev/{disk} --ses=1' + return [exec_cmd_erase(cmd_encrypted)] + + +## End Erase Functions ## + +@logs +def get_disks(): + disks = json.loads( + exec_cmd('lsblk -Jdo NAME,TYPE,MOUNTPOINTS,ROTA,TRAN') + ) + return disks.get('blockdevices', []) + +@logs +def gen_erase(all_disks, type_erase, user_disk=None): + erase = [] + for disk in all_disks: + if user_disk and disk['name'] not in user_disk: + continue + + if disk['type'] != 'disk': + continue + + if 'boot' in disk['mountpoints']: + continue + + if not disk['rota']: + # if soport nvme erase + erase.append(nvme_secure_erase(disk['name'])) + elif disk['tran'] in ['ata', 'sata']: + # if soport ata erase + if type_erase == 'basic': + erase.append(ata_secure_erase_null(disk['name'])) + elif type_erase == 'baseline': + erase.append(ata_secure_erase_null(disk['name'])) + elif type_erase == 'enhanced': + erase.append(ata_secure_erase_enhanced(disk['name'])) + else: + # For old disks + if type_erase == 'basic': + erase.append(erase_basic(disk['name'])) + elif type_erase == 'baseline': + erase.append(erase_baseline(disk['name'])) + elif type_erase == 'enhanced': + erase.append(erase_enhanced(disk['name'])) + return erase + + +@logs +def exec_smart(disk): + cmd = f'smartctl -x --json=cosviu /dev/{disk}' + return json.loads(exec_cmd(cmd)) + + +@logs +def smartctl(all_disks, disk=None): + + if disk: + return exec_smart(disk) + + data_list = [] + for disk in all_disks: + if disk['type'] == 'disk': + data = exec_smart(disk['name']) + data_list.append(data) + + return data_list + +## End Command Functions ## + + +def get_data(all_disks): + lshw = 'sudo lshw -json' + hwinfo = 'sudo hwinfo --reallyall' + dmidecode = 'sudo dmidecode' + data = { + 'lshw': exec_cmd(lshw), + 'disks': smartctl(all_disks), + 'hwinfo': exec_cmd(hwinfo), + 'dmidecode': exec_cmd(dmidecode) + } + + return data + + +def gen_snapshot(all_disks): + snapshot = SNAPSHOT_BASE.copy() + snapshot['data'] = get_data(all_disks) + snapshot['hid'] = get_hid(snapshot) + return snapshot + + +def save_snapshot_in_disk(snapshot, path): + filename = "{}/{}_{}.json".format( + path, + datetime.now().strftime("%Y%m%d-%H_%M_%S"), + snapshot['uuid'] + ) + print(f"workbench: INFO: Snapshot written in path '{filename}'") + with open(filename, "w") as f: + f.write(json.dumps(snapshot)) + + +# TODO sanitize url, if url is like this, it fails +# url = 'http://127.0.0.1:8000/api/snapshot/' +def send_snapshot_to_devicehub(snapshot, token, url): + headers = { + f"Authorization": "Basic {token}", + "Content-Type": "application/json" + } + try: + requests.post(url, data=json.dumps(snapshot), headers=headers) + print(f"workbench: INFO: Snapshot sent to '{url}'") + except: + print(f"workbench: ERROR: Snapshot not remotely sent. URL '{url}' is unreachable. Do you have internet? Is your server up & running?") + +@logs +def sync_time(): + # is neccessary? + ntplib.NTPClient() + response = client.request('pool.ntp.org') + +def load_config(config_file="settings.ini"): + """ + Tries to load configuration from a config file. + """ + config = configparser.ConfigParser() + + if os.path.exists(config_file): + # If config file exists, read from it + + print(f"workbench: INFO: Found config file in path: '{config_file}'.") + config.read(config_file) + path = config.get('settings', 'path', fallback=os.getcwd()) + # TODO validate that has http:// start + url = config.get('settings', 'url', fallback=None) + token = config.get('settings', 'token', fallback=None) + # TODO validate that the device exists? + device = config.get('settings', 'device', fallback=None) + erase = config.get('settings', 'erase', fallback=None) + else: + print(f"workbench: ERROR: Config file '{config_file}' not found. Using default values.") + path = os.path.join(os.getcwd()) + url, token, device, erase = None, None, None, None + + return { + 'path': path, + 'url': url, + 'token': token, + 'device': device, + 'erase': erase + } + +def parse_args(): + """ + Parse config argument, if available + """ + parser = argparse.ArgumentParser(description="Optional config loader for workbench.") + parser.add_argument( + '--config', + help="Path to the config file. Defaults to 'settings.ini' in the current directory.", + default="settings.ini" # Fallback to 'settings.ini' by default + ) + return parser.parse_args() + +def main(): + vline='\n___________\n\n' + print(f"{vline}workbench: START\n") + + # Parse the command-line arguments + args = parse_args() + + # Load the config file, either specified via --config or the default 'settings.ini' + config_file = args.config + + config = load_config(config_file) + + all_disks = get_disks() + snapshot = gen_snapshot(all_disks) + + if config['erase'] and config['device']: + snapshot['erase'] = gen_erase(all_disks, config['erase'], user_disk=config['device']) + elif config['erase']: + snapshot['erase'] = gen_erase(all_disks, config['erase']) + + save_snapshot_in_disk(snapshot, config['path']) + + if config['url']: + send_snapshot_to_devicehub(snapshot, config['token'], config['url']) + + print(f"\nworkbench: END{vline}") + + +if __name__ == '__main__': + main() diff --git a/requirements.txt b/requirements.txt index e3c22db..3e75d84 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,3 @@ ntplib requests +py-dmidecode==0.1.3