List,

I've been working on a method to parse a PDF or TXT document and
output the results to XML over at Experts Exchange.
http://www.experts-exchange.com/Programming/Languages/Scripting/Perl/Q_24439630.html

You may view the attached document or, if the mailing list doesn't
allow attachments, here is a copy of the document I would like to parse:
http://filedb.experts-exchange.com/incoming/2009/05_w22/143310/XenApp-Secure-Gateway-Server-VL0.txt

Basically I would like to take the following code and modify it to
parse a TXT instead of a PDF document:

#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;
use CAM::PDF;

my $pdf = CAM::PDF->new('XenApp_WebInterface_Server_VL04.pdf');
my $text;
foreach (1..$pdf->numPages) {
        $text .= $pdf->getPageText($_);
}

while($text =~ /Vulnerability Key:\s*
(\S+)\s+STIG ID:\s*
(\S+)\s+Release Number:\s*
(\S+)\s+Status:\s*
(\S+)\s+Short Name:\s*
(\S+)\s+Long Name:\s*
(\S+)\s+IA Controls:\s*
(\S+)\s+Categories:\s*
(\S+)\s+Effective Date:\s*
(\S+)\s+Condition:\s*
(\S+)\s+Policy:\s*
(\S+)/g) {

# Emit one <Vuln> element per matched record.
print "<Vuln>
<Vulnerability_Key_>$1</Vulnerability_Key_>
<STIG_ID_>$2</STIG_ID_>
<Release_Number_>$3</Release_Number_>
<Status_>$4</Status_>
<Short_Name_>$5</Short_Name_>
<Long_Name_>$6</Long_Name_>
<IA_Controls_><IA_Control><ID>$7</ID></IA_Control></IA_Controls_>
<Categories_>$8</Categories_>
<Effective_Date_>$9</Effective_Date_>
<Condition_><subitem><title>$10</title><data></data></subitem></Condition_>
<Policy_>$11</Policy_>
</Vuln>\n";
}
VL04 
Page 1 of 8 


For Official Use Only 


When this document is printed, the document needs to be stamped top and bottom 
with the appropriate classification. 

VL04 -Vulnerabilities by Asset Property Element (for Vulnerability Maintainers) 

Vulnerability Key: V0018219 

STIG ID: CTX0700 
Release Number: 1 
Status: Working 
Short Name: Secure Gateway servers are not located in the DMZ. 
Long Name: Secure Gateway servers are not located in the DMZ or screened 
subnet. 
IA Controls: ECSC-1 Security Configuration Compliance 
Categories: 4.4 DMZ 

Effective Date: 
Condition: 

XenApp Secure Gateway Server (Target: XenApp Secure Gateway Server) 
Policy: All Policies 

MAC / 
Confidentiality 
Grid: 
I -Mission Critical II -Mission Support III -Administrative 
Classified 
Sensitive 
Public 
STIG ID: CTX0700 
Severity: Category II 
Long Name: Secure Gateway servers are not located in the DMZ or screened 
subnet. 
Vulnerability 
The Secure Gateway is an application that runs as a service on a server that is 
deployed in the 

Discussion: 
DMZ. The server running the Secure Gateway represents a single point of access 
to the secure, 
enterprise network. The Secure Gateway acts as an intermediary for every 
connection request 
originating from the Internet to the enterprise network. The Secure Gateway 
allows the tunneling of 
all ICA client traffic using SSL/TLS. The Secure Gateway manages the 
connectivity and encryption 
across the public Internet and hides the XenApp farm from potential intruders. 

Responsibility: Information Assurance Officer 

References: 
Department of Defense Instruction 8500.2 (DODI 8500.2) 

Checks: 
CTX0700 (Manual) 
Check with the Network reviewer or system administrator to obtain the external, 
internal, and DMZ 
IP addresses of the firewall. Once these IP addresses have been obtained, 
review the IP address 
configuration on Secure Gateway servers. Access the Secure Gateway server and 
type the 
following at the command prompt: 

C:\>ipconfig /all 

1. If the IP address is on the same network as the DMZ firewall interface, this 
is not a finding. 
2. If the IP address is on the same internal network as the internal interface 
of the firewall, this is a 
finding. 
3. If the IP address is on the same network as the outside interface of the 
firewall, this is a finding. 
Fixes: 
CTX0700 (Manual) 
Place the Secure Gateway server in the DMZ or screened subnet. 

https://vms.disa.mil/VL04.aspx 
3/12/2009 





Vulnerability Key: V0018220 
STIG ID: CTX0710 
Release Number: 1 

Status: Working 
Short Name: Secure Gateway certs are not DoD approved certs 
Long Name: Secure Gateway certificates are not DoD approved certificates. 
IA Controls: DCNR-1 Non-repudiation 
Categories: 1.2 PKI 
Effective Date: 

Condition: 

XenApp Secure Gateway Server (Target: XenApp Secure Gateway Server) 
Policy: All Policies 

MAC / 
Confidentiality 
Grid: 
I -Mission Critical II -Mission Support III -Administrative 
Classified 
Sensitive 
Public 
STIG ID: CTX0710 
Severity: Category II 
Long Name: Secure Gateway certificates are not DoD approved certificates. 


Vulnerability 
User sessions with Citrix Secure Gateway should be encrypted since transmitting 
data in plaintext 

Discussion: 
may be viewed as it travels through the network. User sessions may be initiated 
from ICA clients. 
To encrypt session data, the sending component, the client, applies ciphers to 
alter the data before 
transmitting it. The receiving component uses a key to decrypt the data, 
returning it to its original 
form. To ensure the protection of the data transmitted to and from external 
network connections, all 
user sessions with Secure Gateway will be encrypted with a FIPS 140-2 
encryption algorithm. The 
purpose of the PKI certificate is to provide electronic identification of the 
server, and provide secure 
encrypted communications between the server and the user. Department of Defense 
(DoD) 
servers, identified in DODI 8520.2 as Private Web Servers, require installation 
of a Public Key 
Infrastructure (PKI) certificate to support strong authentication and the 
Secure Sockets Layer (SSL) 
protocol. 

Responsibility: Information Assurance Officer 

References: 
Department of Defense Instruction 8500.2 (DODI 8500.2) 

Checks: 

CTX0710 (Manual) 

1. Access the Secure Gateway Server and review the certificates in the 
following location: 
C:\Windows or %SystemRoot% VERIFY\SSL Relay\keystore\certs 
If no valid DoD certificate and private key are present here this is a finding. 
This directory should 
contain a DoD certificate and key only (server.crt and server.key). Validate 
the certificate is listed 
in the InstallRoot3.0_SAG.pdf document. The DoD certificates that are listed in 
the 
InstallRoot3.0_SAG.pdf document are listed in Section 1, Appendix B. If the 
certificate is not listed 
here this is a finding. 
NOTE: The InstallRoot3.0.6 _SAG.pdf document can be downloaded from the 
following link: 
https://www.us.army.mil/suite/portal/index.jsp. Select Files and search for the 
InstallRoot folder. 
Select the InstallRoot folder and select the InstallRoot3.0.6_SAG.pdf document 
to download. 

Fixes: 

CTX0710 (Manual) 

Employ signed DoD certificates on Citrix Secure Gateway Server. To create SSL 
certificates, 
perform the following: 

1. You will need several programs to create the openssl certificates. These 
include Activestate 
Perl, openssl for Win32, and Visual C++ 2008 Redistribute. To get these 
programs go to the 
following websites and download them: 


Activestate Perl 
-http://www.activestate.com/store/freedownload.aspx?prdGuid=81fbce82-6bd549bc-
a915-08d58c2648ca 
Openssl for Win32 – http://www.slproweb.com 

Visual C++ 2008 Redistribute -http://www.microsoft.com/downloads/details.aspx? 
familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF&displaylang=en 

2. Navigate to the OpenSSL directory (c:\openssl\bin\) on the Secure Gateway 
server. 
3. Generate the RSA key for the server and the certificate signing request 
(CSR): 
openssl req -new -out filename.csr 
When prompted enter the following: (Do not type the quotations) 
For Country Name, type “US” 
For State or Province Name, type “.” 
For Locality Name, type “.” 
For Organization Name, type “U.S. Government” 
For Organizational Unit Name, type “OU=DISA, OU=PKI, OU=DoD” 
For Common Name, type your Fully Qualified Domain Name of your server 
(i.e.server.disa.mil) 
For Email Address, type your email address 


4. The output from this command will yield two files: filename.csr and 
privkey.pem 
5. Upload/Copy the filename.csr to the Regular SSL Server Enrollment Form for 
the DoD PKI site. 
You may use either of the two sites below. 
CA-13 URL -https://ca-13.c3pki.chamb.disa.mil/ca 
CA-14 URL -https://ca-14.c3pki.den.disa.mil/ca 


6. You will be emailed that your certificate is ready and you will retrieve 
your signed certificate 
from the CA. 
7. In addition, you must create a PFX-formatted certificate file specific for 
Windows. The 
filename.pfx file is a concatenation of the server’s certificate and private 
key, exported in the PFX 
format; this file is then copied to the sub-directory on the Secure Gateway 
server. 
Perform the following command: (filename is the name of your certificate file) 
C:\openssl\bin\Openssl pkcs12 –export in filename.crt –inkey privkey.pem –name 
filename – 
passout pass:testpassword –out filename.pfx 
8. Put the new signed certificate, private key, and filename.pfx in the 
C:\Windows\SSL 
Relay\keystore\certs directory. Move the old certificates from the directory 
and put them 
somewhere safe for backup purposes. 
Vulnerability Key: V0018221 
STIG ID: CTX0720 
Release Number: 1 

Status: Working 
Short Name: Secure Gateway server secure protocol set to COM. 
Long Name: Secure Gateway server secure protocol is set to COM. 
IA Controls: DCNR-1 Non-repudiation 
Categories: 1.2 PKI 
Effective Date: 

Condition: 

XenApp Secure Gateway Server (Target: XenApp Secure Gateway Server) 
Policy: All Policies 

MAC / 
Confidentiality 
Grid: 
I -Mission Critical II -Mission Support III -Administrative 
Classified 


Sensitive 
Public 
STIG ID: CTX0720 
Severity: Category II 
Long Name: Secure Gateway server secure protocol is set to COM. 
Vulnerability User sessions with Citrix Secure Gateway should be encrypted 
since transmitting data in plaintext 

Discussion: 
may be viewed as it travels through the network. User sessions may be initiated 
from ICA clients. 
To encrypt session data, the sending component, the client, applies ciphers to 
alter the data before 
transmitting it. The receiving component uses a key to decrypt the data, 
returning it to its original 
form. To ensure the protection of the data transmitted to and from external 
network connections, all 
user sessions with Secure Gateway will be encrypted with a Federal Information 
Processing 
Standard (FIPS) 140-2 encryption algorithm. The US government requires the use 
of TLS to secure 
data communications. FIPS 140 is a standard for cryptography. The XenApp COM 
cipher suites 
are: SSL_RSA_WITH_RC4_128_MD5 and SSL_RSA_WITH_RC4_128_SHA. The GOV cipher 
suite is: SSL_RSA_WITH_3DES_EDE_CBC_SHA. The XenApp GOV cipher suite meets the 
required FIPS requirements. 

Responsibility: Information Assurance Officer 

References: 
Department of Defense Instruction 8500.2 (DODI 8500.2) 

Checks: 

CTX0720 (Manual) 
Access the Secure Gateway server and perform the following: 


1. Select Start > All Programs > Citrix > Management Consoles > Secure Gateway 
Management 
Console. 
2. Open the Secure Gateway Configuration. 
3. Select Advanced. 
4. Click through the wizard and verify that Transport Layer Security (TLSv1) 
and GOV cipher suite 
is selected. If these are not selected, this is a finding. 
Fixes: 

CTX0720 (Manual) 
Configure the secure protocols to TLS and GOV. 


Vulnerability Key: V0018222 
STIG ID: CTX0730 
Release Number: 1 

Status: Working 
Short Name: STA server traffic is not encrypted. 
Long Name: Secure Gateway server to Secure Ticket Authority (STA) server 
traffic is not encrypted. 
IA Controls: ECCT-1 Encryption for Confidentiality (Data in Transit) 
ECCT-2 Encryption for Confidentiality (Data in Transit) 
Categories: 8.1 Encrypted Data in Transit 
Effective Date: 

Condition: 

XenApp Secure Gateway Server (Target: XenApp Secure Gateway Server) 
Policy: All Policies 

MAC / 
Confidentiality 
Grid: 
I -Mission Critical II -Mission Support III -Administrative 
Classified 
Sensitive 
Public 
STIG ID: CTX0730 



Severity: Category II 
Long Name: Secure Gateway server to Secure Ticket Authority (STA) server 
traffic is not encrypted. 
Vulnerability The Secure Gateway may be configured as a gateway between 
SSL/TLS-enabled clients and 

Discussion: 
servers. The enclave traffic between XenApp servers and the Secure Gateway 
server is encrypted 
using SSL/TLS. This ensures that XenApp servers are able publish information 
remotely without 
compromising security. The Secure Gateway transparently encrypts and 
authenticates all 
connections to protect against eavesdropping and data tampering. Without this 
encryption, traffic 
between the XenApp server and the Secure Gateway is sent in plaintext. 

Responsibility: Information Assurance Officer 
References: Department of Defense Instruction 8500.2 (DODI 8500.2) 
Checks: 


CTX0730 (Manual) 
Access the Secure Gateway server and perform the following: 


1. Select Start > All Programs > Citrix > Management Consoles > Secure Gateway 
Management 
Console. 
2. Open the Secure Gateway Configuration. 
3. Select Advanced. 
4. Click through the wizard until you get to the “Details of the server running 
the Secure Ticket 
Authority (STA)”. Click on Modify in the “Servers running the STA:” box. 
5. Verify that the “Protocol Settings:” box has the “Secure traffic between the 
STA and the Secure 
Gateway” checked. If not, this is a finding. 
Fixes: 

CTX0730 (Manual) 
Encrypt all traffic between the secure gateway and the XenApp STA server. 


Vulnerability Key: V0018225 
STIG ID: CTX0740 
Release Number: 1 

Status: Working 
Short Name: Web Interface traffic is not encrypted. 
Long Name: Secure Gateway to Web Interface traffic is not encrypted. 
IA Controls: ECCT-1 Encryption for Confidentiality (Data in Transit) 
ECCT-2 Encryption for Confidentiality (Data in Transit) 
Categories: 8.1 Encrypted Data in Transit 
Effective Date: 

Condition: 

XenApp Secure Gateway Server (Target: XenApp Secure Gateway Server) 
Policy: All Policies 

MAC / 
Confidentiality 
Grid: 
I -Mission Critical II -Mission Support III -Administrative 
Classified 
Sensitive 
Public 
STIG ID: CTX0740 
Severity: Category II 
Long Name: Secure Gateway to Web Interface traffic is not encrypted. 
Vulnerability 
Discussion: 
The Secure Gateway may be configured as a gateway between SSL/TLS-enabled 
clients and 
servers. The Web Interface traffic between the Secure Gateway server is 
encrypted using 
SSL/TLS. This ensures that Web Interface servers are able to publish 
information remotely without 
compromising security. The Secure Gateway transparently encrypts and 
authenticates all 
connections to protect against eavesdropping and data tampering. Without this 
encryption, traffic 



between the Web Interface server and the Secure Gateway is sent in plaintext. 
Plaintext sessions 
are vulnerable to a number of attacks to include man-in-the-middle attacks, TCP 
Hijacking, and 
replay. Information that may be obtained may include user credentials and 
client session 
information including text. 

Responsibility: Information Assurance Officer 
References: Department of Defense Instruction 8500.2 (DODI 8500.2) 
Checks: 


CTX0740 (Manual) 
If the Web Interface is installed on the same server, this check is not 
applicable. To determine if 
the Web Interface is installed on the same then server perform the following: 


1. Select Start > Control Panel > Add or Remove Programs. 
2. If Citrix Web Interface is installed, then open the Access Management 
Console and verify that 
there is a website created for publishing applications. 
If the Web Interface is not installed on the same server, perform the 
following: 

1. Select Start > All Programs > Citrix > Management Consoles > Secure Gateway 
Management 
Console. 
2. Open the Secure Gateway Configuration. 
3. Select Advanced. 
4. Click through the wizard until you get to the “Details of the server running 
the Web Interface”. 
Verify that the “Secure traffic between the Web Interface and the Secure 
Gateway” is checked. If 
not, this is a finding. 
Fixes: 

CTX0740 (Manual) 
Encrypt traffic between the Web Interface server and Secure Gateway server. 


Vulnerability Key: V0018226 
STIG ID: CTX0750 
Release Number: 1 

Status: Working 
Short Name: Concurrent connection limits are unlimited. 
Long Name: Secure Gateway concurrent connection limits are configured to 
unlimited. 
IA Controls: ECLO-1 Logon 
Categories: 12.4 CM Process 
Effective Date: 

Condition: 

XenApp Secure Gateway Server (Target: XenApp Secure Gateway Server) 
Policy: All Policies 

MAC / 
Confidentiality 
Grid: 
I -Mission Critical II -Mission Support III -Administrative 
Classified 
Sensitive 
Public 
STIG ID: CTX0750 
Severity: Category II 
Long Name: Secure Gateway concurrent connection limits are configured to 
unlimited. 


Vulnerability By configuring the concurrent connection to unlimited, this may 
create a denial of service to users 
Discussion: trying to access the Secure Gateway server. To ensure XenApp 
applications do not consume or 
cripple the Secure Gateway server, specify the maximum number of concurrent 
connections for 
the server. The default concurrent connection limit is 250. 

Responsibility: Information Assurance Officer 



References: Department of Defense Instruction 8500.2 (DODI 8500.2) 
Checks: 

CTX0750 (Manual) 
Access the Secure Gateway server and perform the following: 


1. Select Start > All Programs > Citrix > Management Consoles > Secure Gateway 
Management 
Console. 
2. Open the Secure Gateway Configuration. 
3. Select Advanced. 
4. Click through the wizard until you get to the “Connection Parameters”. 
Verify that 
the “Unlimited” checkbox is not checked in the “Concurrent connection limits”. 
If it is, this is a 
finding. The default "Concurrent connection limits" is 250. 
Fixes: 

CTX0750 (Manual) 
Do not configure concurrent connection limits to unlimited. 


Vulnerability Key: V0018231 
STIG ID: CTX0760 
Release Number: 1 

Status: Working 
Short Name: No connection timeout limit is configured. 
Long Name: Secure Gateway is not configured with a connection timeout limit. 
IA Controls: ECLO-1 Logon 
ECLO-2 Logon 
Categories: 12.4 CM Process 
Effective Date: 

Condition: 

XenApp Secure Gateway Server (Target: XenApp Secure Gateway Server) 
Policy: All Policies 

MAC / 
Confidentiality 
Grid: 
I -Mission Critical II -Mission Support III -Administrative 
Classified 
Sensitive 
Public 
STIG ID: CTX0760 
Severity: Category II 
Long Name: Secure Gateway is not configured with a connection timeout limit. 


Vulnerability 
The connection timeout limit is set in minutes. If the connection timeout is 
configured to unlimited, 

Discussion: 
then chances increase that a user may get distracted and walk away from the 
client device, 
potentially leaving the session accessible to unauthorized users. 

Responsibility: Information Assurance Officer 

References: 
Department of Defense Instruction 8500.2 (DODI 8500.2) 

Checks: 
CTX0760 (Manual) 
Access the Secure Gateway server and perform the following: 

1. Select Start > All Programs > Citrix > Management Consoles > Secure Gateway 
Management 
Console. 
2. Open the Secure Gateway Configuration. 
3. Select Advanced. 
4. Click through the wizard until you get to the “Connection Parameters”. 
Verify that the “No 
connection timeout” box is checked. If it is, this is a finding. 

Fixes: 
CTX0760 (Manual) 
Configure connection timeouts for all Secure Gateway server sessions. 


Vulnerability Key: V0018232 
STIG ID: CTX0770 
Release Number: 1 
Status: Working 
Short Name: Secure Gateway Server has incorrect VMS posture. 
Long Name: The Secure Gateway Server is not configured in VMS with the correct 
posture. 
IA Controls: VIVM-1 Vulnerability Management 
Categories: 12.5 IAVM Process 
Effective Date: 

Condition: 

XenApp Secure Gateway Server (Target: XenApp Secure Gateway Server) 

Policy: 
All Policies 

MAC / 
Confidentiality 
Grid: 
I -Mission Critical II -Mission Support III -Administrative 
Classified 
Sensitive 
Public 
STIG ID: CTX0770 
Severity: Category II 
Long Name: The Secure Gateway Server is not configured in VMS with the correct 
posture. 
Vulnerability Correctly configuring XenApp assets in VMS will ensure that the 
appropriate vulnerabilities are 
Discussion: assigned to the asset. If the asset is not configured with the 
correct posture, vulnerabilities may be 
open on the asset. These open vulnerabilities may allow an attacker to access 
the system. 
Responsibility: Information Assurance Officer 
References: Department of Defense Instruction 8500.2 (DODI 8500.2) 
Checks: 

CTX0770 (Manual) 
If VMS is used and check CTX0680 is a finding, this should automatically be 
marked as a finding 
as well. If the assets are registered in VMS, verify that the following 
postures are registered. If 
any of the postures are not registered, this is a finding. 


Win2k3 
AntiVirus 
XenApp Secure Gateway Server 


Fixes: 

CTX0770 (Manual) 
Configure all Secure Gateway assets into VMS with the correct posture. 


Vulnerability Count -8 

For Official Use Only 



-- 
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/
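
One way to do what the post asks, as an added example that is not code from the original post or the Experts Exchange thread: read the TXT export directly instead of going through CAM::PDF, strip the page headers and footers, and let each field run to the next label so multi-word and wrapped values are captured and XML-escaped. The names `vl04_to_xml` and `xml_escape`, the `<Vulns>` root element and the flat one-element-per-field layout are assumptions of this example.

```perl
use strict;
use warnings;

# Header labels of one VL04 record, in the order the report prints them.
my @labels = ('Vulnerability Key', 'STIG ID', 'Release Number', 'Status',
              'Short Name', 'Long Name', 'IA Controls', 'Categories',
              'Effective Date', 'Condition', 'Policy');

# A value ends at the next line that starts with a header label, or at the
# "MAC /" grid that follows the Policy field.
my $labels_alt = join '|', map { quotemeta($_) } @labels;
my $stop_re    = qr{^(?:(?:$labels_alt):|MAC /)}m;

# Escape XML-special characters so report text cannot break the markup.
sub xml_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    $s =~ s/([&<>"])/$ent{$1}/g;
    return $s;
}

sub vl04_to_xml {
    my ($text) = @_;
    # Drop page headers and footers that the export leaves between fields.
    $text =~ s{^(?:VL04(?:[ \t]+Page\b.*)?|Page \d+ of \d+|https://vms\.disa\.mil.*|\d+/\d+/\d{4})[ \t\r]*$}{}mg;
    my $xml = "<Vulns>\n";
    for my $rec (split /(?=^Vulnerability Key:)/m, $text) {
        next unless $rec =~ /\AVulnerability Key:/;    # skip the preamble
        $xml .= "<Vuln>\n";
        for my $label (@labels) {
            # First occurrence only: STIG ID and Long Name repeat lower down.
            my $value = $rec =~ /^\Q$label\E:(.*?)(?=$stop_re|\z)/ms ? $1 : '';
            $value =~ s/\s+/ /g;                       # re-join wrapped lines
            $value =~ s/^ | $//g;
            (my $tag = $label) =~ tr/ /_/;
            $xml .= sprintf "  <%s_>%s</%s_>\n", $tag, xml_escape($value), $tag;
        }
        $xml .= "</Vuln>\n";
    }
    return $xml . "</Vulns>\n";
}

# Input: the file named on the command line, else the excerpt after __DATA__
# (first record of the posted report, trimmed).
my $text = do { local $/; @ARGV ? <> : <DATA> };
print vl04_to_xml($text);

__DATA__
VL04
Page 1 of 8
Vulnerability Key: V0018219
STIG ID: CTX0700
Release Number: 1
Status: Working
Short Name: Secure Gateway servers are not located in the DMZ.
Long Name: Secure Gateway servers are not located in the DMZ or screened
subnet.
IA Controls: ECSC-1 Security Configuration Compliance
Categories: 4.4 DMZ
Effective Date:
Condition:
XenApp Secure Gateway Server (Target: XenApp Secure Gateway Server)
Policy: All Policies
MAC /
STIG ID: CTX0700
```

Run it with the TXT file as the only argument to convert the full report; with no argument it converts the embedded excerpt.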
