From 79b5a33c11a111706b23e89dbbc5d6b76cb4e322 Mon Sep 17 00:00:00 2001 From: Andreas Steffen Date: Sun, 26 Apr 2015 10:55:24 +0200 Subject: [PATCH] imv_policy_manager: Added capability to execute an allow or block shell command string --- conf/Makefile.am | 1 + conf/options/imv_policy_manager.opt | 13 +++++++++++ src/libimcv/imv/imv_policy_manager.c | 22 ++++++++++++++++++- .../tnc/tnccs-20-pdp-pt-tls/evaltest.dat | 4 ++++ .../hosts/alice/etc/iptables.rules | 6 ++++- .../hosts/alice/etc/strongswan.conf | 5 +++++ .../hosts/moon/etc/ipsec.conf | 3 +++ .../hosts/moon/etc/ipsec.secrets | 3 +++ .../hosts/moon/etc/strongswan.conf | 3 +++ .../tests/tnc/tnccs-20-pdp-pt-tls/test.conf | 2 +- 10 files changed, 59 insertions(+), 3 deletions(-) create mode 100644 conf/options/imv_policy_manager.opt create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/strongswan.conf diff --git a/conf/Makefile.am b/conf/Makefile.am index f10af25a2..7cee0cbd6 100644 --- a/conf/Makefile.am +++ b/conf/Makefile.am @@ -14,6 +14,7 @@ options = \ options/charon-logging.opt \ options/charon-systemd.opt \ options/imcv.opt \ + options/imv_policy_manager.opt \ options/manager.opt \ options/medsrv.opt \ options/pacman.opt \ diff --git a/conf/options/imv_policy_manager.opt b/conf/options/imv_policy_manager.opt new file mode 100644 index 000000000..6ed0efc2a --- /dev/null +++ b/conf/options/imv_policy_manager.opt @@ -0,0 +1,13 @@ +imv_policy_manager.database = + Database URI for the database that stores the package information. If it + contains a password, make sure to adjust the permissions of the config file + accordingly. + +imv_policy_manager.load = sqlite + Plugins to load in IMV policy manager. + +imv_policy_manager.command_allow = + Shell command to be executed with recommendation allow. + +imv_policy_manager.command_block = + Shell command to be executed with all other recommendations. diff --git a/src/libimcv/imv/imv_policy_manager.c b/src/libimcv/imv/imv_policy_manager.c index 9f7e4e8f4..b730f8c41 100644 --- a/src/libimcv/imv/imv_policy_manager.c +++ b/src/libimcv/imv/imv_policy_manager.c @@ -255,7 +255,8 @@ static bool policy_stop(database_t *db, int session_id) enumerator_t *e; int rec, policy, final_rec, id_type; chunk_t id_value; - char *result, *ip_address = NULL; + char *result, *format, *ip_address = NULL; + char command[512]; bool success = TRUE; /* store all workitem results for this session in the results table */ @@ -334,6 +335,25 @@ static bool policy_stop(database_t *db, int session_id) fprintf(stderr, "recommendation for access requestor %s is %N\n", ip_address ? ip_address : "0.0.0.0", TNC_IMV_Action_Recommendation_names, final_rec); + + if (final_rec == TNC_IMV_ACTION_RECOMMENDATION_ALLOW) + { + format = lib->settings->get_str(lib->settings, + "imv_policy_manager.command_allow", NULL); + } + else + { + format = lib->settings->get_str(lib->settings, + "imv_policy_manager.command_block", NULL); + } + if (format && ip_address) + { + /* the IP address can occur at most twice in the command string */ + snprintf(command, sizeof(command), format, ip_address, ip_address); + success = system(command) == 0; + fprintf(stderr, "%s system command: %s\n", + success ? "successful" : "failed", command); + } free(ip_address); return success; diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat index 3b48073e6..c3409fd66 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat @@ -9,6 +9,8 @@ alice::cat /var/log/daemon.log::certificate status is good::YES alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES alice::cat /var/log/daemon.log::received SWID tag inventory with ... items for request 3 at eid 1 of epoch::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES +moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES @@ -17,3 +19,5 @@ alice::cat /var/log/daemon.log::received SWID tag ID inventory with ... items fo alice::cat /var/log/daemon.log::1 SWID tag target::YES alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES alice::cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-::YES +alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES +moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules index 1586214d8..48b1cf5a6 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules @@ -13,10 +13,14 @@ -A INPUT -i eth0 -p tcp --dport 271 -j ACCEPT -A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT -# allow ssh +# allow inbound ssh -A INPUT -p tcp --dport 22 -j ACCEPT -A OUTPUT -p tcp --sport 22 -j ACCEPT +# allow outbound ssh +-A OUTPU -p tcp --dport 22 -j ACCEPT +-A INPUT -p tcp --sport 22 -j ACCEPT + # allow crl fetch from winnetou -A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT -A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf index 935973c36..857e6d6d6 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf @@ -27,3 +27,8 @@ libimcv { } } } + +imv_policy_manager { + command_allow = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is allowed\""' + command_block = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is blocked\""' +} diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..ecd9d47aa --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf @@ -0,0 +1,3 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +# this file is not used in this scenario diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..41cf8f84b --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# this file is not used in this scenario diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..d99a4b78a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/strongswan.conf @@ -0,0 +1,3 @@ +# /etc/strongswan.conf - strongSwan configuration file + +# this file is not used in this scenario diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf index 0887e4d09..5f4f8e725 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf @@ -18,7 +18,7 @@ TCPDUMPHOSTS="moon" # Guest instances on which IPsec is started # Used for IPsec logging purposes # -IPSECHOSTS="carol dave alice" +IPSECHOSTS="carol moon dave alice" # Guest instances on which FreeRadius is started # -- 2.39.2