From: Andreas Steffen Date: Thu, 29 Nov 2012 23:12:38 +0000 (+0100) Subject: store detected improper OS settings in database X-Git-Tag: 5.0.2dr4~138 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2b61f7baa372a7a52f177764954a76b8e77ec0c5;p=thirdparty%2Fstrongswan.git store detected improper OS settings in database --- diff --git a/src/libimcv/plugins/imv_os/imv_os.c b/src/libimcv/plugins/imv_os/imv_os.c index 16906bc357..65538df07e 100644 --- a/src/libimcv/plugins/imv_os/imv_os.c +++ b/src/libimcv/plugins/imv_os/imv_os.c @@ -374,7 +374,9 @@ static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg) !os_state->get_angel_count(os_state)) { int device_id, count, count_update, count_blacklist, count_ok; + u_int os_settings; + os_settings = os_state->get_os_settings(os_state); os_state->get_count(os_state, &count, &count_update, &count_blacklist, &count_ok); DBG1(DBG_IMV, "processed %d packages: %d not updated, %d blacklisted, " @@ -387,11 +389,10 @@ static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg) { os_db->set_device_info(os_db, device_id, os_state->get_info(os_state, NULL, NULL, NULL), - count, count_update, count_blacklist); + count, count_update, count_blacklist, os_settings); } - if (count_update || count_blacklist || - os_state->get_os_settings(os_state)) + if (count_update || count_blacklist || os_settings) { state->set_recommendation(state, TNC_IMV_ACTION_RECOMMENDATION_ISOLATE, diff --git a/src/libimcv/plugins/imv_os/imv_os_database.c b/src/libimcv/plugins/imv_os/imv_os_database.c index 23164b668a..eb4c2acbc3 100644 --- a/src/libimcv/plugins/imv_os/imv_os_database.c +++ b/src/libimcv/plugins/imv_os/imv_os_database.c 
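Review bot: The isolation decision at `if (count_update || count_blacklist || os_settings)` now also fires on the OS-settings flags, but the only operator-visible trace of why a device was isolated is the DBG1 package summary in the previous hunk, which as far as the hunk shows reports only the package counts (the DBG1 call continues outside the hunk). Log the raw value next to the counts, e.g. `DBG1(DBG_IMV, "improper OS settings: 0x%x", os_settings);`, so an isolated endpoint can be triaged from the IMV log alone instead of requiring access to the device_infos table. receive_message starts and ends outside these hunks.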
@@ -215,11 +215,12 @@ METHOD(imv_os_database_t, get_device_id, int,
 
 METHOD(imv_os_database_t, set_device_info, void,
 private_imv_os_database_t *this, int device_id, char *os_info,
-int count, int count_update, int count_blacklist)
+int count, int count_update, int count_blacklist, u_int flags)
 {
 enumerator_t *e;
 time_t last_time;
 int pid = 0, last_pid = 0, last_count_update = 0, last_count_blacklist = 0;
+u_int last_flags;
 bool found = FALSE;
 
 /* get primary key of OS info string if it exists */
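Review bot: `u_int last_flags;` is the only local in this block left uninitialized, while its siblings `last_count_update` and `last_count_blacklist` on the line above are zeroed. It is read only behind `found && ...` in the next hunk, so short-circuit evaluation keeps it safe today, but the asymmetry invites a -Wmaybe-uninitialized warning and becomes a real uninitialized read if that condition is ever reordered; declare it as `u_int last_flags = 0;`. set_device_info continues outside this hunk.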
@@ -241,32 +242,35 @@ METHOD(imv_os_database_t, set_device_info, void,
 
 /* get latest device info record if it exists */
 e = this->db->query(this->db,
-"SELECT time, product, count_update, count_blacklist "
+"SELECT time, product, count_update, count_blacklist, flags "
 "FROM device_infos WHERE device = ? ORDER BY time DESC",
-DB_INT, device_id, DB_UINT, DB_INT, DB_INT, DB_INT);
+DB_INT, device_id, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT);
 if (e)
 {
 found = e->enumerate(e, &last_time, &last_pid, &last_count_update,
-&last_count_blacklist);
+&last_count_blacklist, &last_flags);
 e->destroy(e);
 }
 
-if (found && !last_count_update && !last_count_blacklist && pid == last_pid)
+if (found && !last_count_update && !last_count_blacklist && !last_flags &&
+pid == last_pid)
 {
 /* update device info */
 this->db->execute(this->db, NULL,
 "UPDATE device_infos SET time = ?, count = ?, count_update = ?, "
-"count_blacklist = ? WHERE device = ? AND time = ?",
+"count_blacklist = ?, flags = ? WHERE device = ? AND time = ?",
 DB_UINT, time(NULL), DB_INT, count, DB_INT, count_update,
-DB_INT, count_blacklist, DB_INT, device_id, DB_UINT, last_time);
+DB_INT, count_blacklist, DB_UINT, flags,
+DB_INT, device_id, DB_UINT, last_time);
 }
 else
 {
 /* insert device info */
 this->db->execute(this->db, NULL,
-"INSERT INTO device_infos (device, time, product, "
-"count, count_update, count_blacklist) VALUES (?, ?, ?, ?, ?, ?)",
+"INSERT INTO device_infos (device, time, product, count, "
+"count_update, count_blacklist, flags) VALUES (?, ?, ?, ?, ?, ?, ?)",
 DB_INT, device_id, DB_UINT, time(NULL), DB_INT, pid,
-DB_INT, count, DB_INT, count_update, DB_INT, count_blacklist);
+DB_INT, count, DB_INT, count_update, DB_INT, count_blacklist,
+DB_UINT, flags);
 }
 }
diff --git a/src/libimcv/plugins/imv_os/imv_os_database.h b/src/libimcv/plugins/imv_os/imv_os_database.h
index a98ecb5440..9ce748f9b9 100644
--- a/src/libimcv/plugins/imv_os/imv_os_database.h
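Review bot: Both `this->db->execute()` calls still discard their return value, and this commit makes them depend on a `flags` column in `device_infos` whose schema change is not part of this diff; against an un-migrated database the SELECT fails (`e` is NULL, `found` stays FALSE), the INSERT then fails as well, and the detected improper settings are silently lost while the IMV still recommends ISOLATE on the basis of them. Capture the result of each execute() (database_t.execute() returns the affected row count and, as elsewhere in libstrongswan, a negative value on failure) and emit a `DBG1(DBG_IMV, "could not store device info")` when it is not 1, so a schema mismatch shows up in the log instead of as missing audit rows. Separately, the UPDATE branch is taken precisely when the previous row was compliant (`!last_count_update && !last_count_blacklist && !last_flags`) and overwrites its time, count and flags in place, so the first non-compliant result erases the last known-good timestamp; if the compliance history is meant to be auditable, take the INSERT branch whenever `flags` differs from `last_flags`. set_device_info begins outside this hunk.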
+++ b/src/libimcv/plugins/imv_os/imv_os_database.h @@ -57,9 +57,11 @@ struct imv_os_database_t { * @param count Number of installed packages * @param count_update Number of packages to be updated * @param count_blacklist Number of blacklisted packages + * @param flags Various flags, e.g. illegal OS settings */ void (*set_device_info)(imv_os_database_t *this, int device_id, char *os_info, - int count, int count_update, int count_blacklist); + int count, int count_update, int count_blacklist, + u_int flags); /** * Destroys an imv_os_database_t object. diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c index 73a8c744ef..68a114c6f7 100644 --- a/src/libpts/plugins/imv_attestation/attest_db.c +++ b/src/libpts/plugins/imv_attestation/attest_db.c @@ -799,19 +799,20 @@ METHOD(attest_db_t, list_devices, void, time_t timestamp; int id, last_id = 0, device_count = 0; int count, count_update, count_blacklist; + u_int tstamp, flags = 0; e = this->db->query(this->db, "SELECT d.id, d.value, i.time, i.count, i.count_update, " - "i.count_blacklist, p.name FROM devices AS d " + "i.count_blacklist, i.flags, p.name FROM devices AS d " "JOIN device_infos AS i ON d.id = i.device " "JOIN products AS p ON p.id = i.product " "ORDER BY d.value, i.time DESC", - DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_TEXT); + DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT, DB_TEXT); if (e) { - while (e->enumerate(e, &id, &value, ×tamp, &count, &count_update, - &count_blacklist, &product)) + while (e->enumerate(e, &id, &value, &tstamp, &count, &count_update, + &count_blacklist, &flags, &product)) { if (id != last_id) { 
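Review bot: The new `@param flags` text "Various flags, e.g. illegal OS settings" does not tell a caller what the value is or who defines its bits; the only producer in this commit is imv_os.c, which passes `os_state->get_os_settings(os_state)` straight through, and imv_os_database.c stores it verbatim with `DB_UINT, flags`. Tie the documentation to that contract, e.g. `@param flags  Improper OS settings detected on the device, as returned by imv_os_state_t.get_os_settings(); stored unchanged in the flags column`. The attest_db.c listing code in the hunk sharing this anchor reads the same column back as a raw u_int, so the bit meanings should be documented once, where both producer and consumer can reference them.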
@@ -819,8 +820,9 @@ METHOD(attest_db_t, list_devices, void,
 device_count++;
 last_id = id;
 }
-printf(" %T, %4d, %3d, %3d, '%s'\n", ×tamp, TRUE,
-count, count_update, count_blacklist, product);
+timestamp = tstamp;
+printf(" %T, %4d, %3d, %3d, %1u, '%s'\n", ×tamp, TRUE,
+count, count_update, count_blacklist, flags, product);
 }
 e->destroy(e);
 printf("%d device%s found\n", device_count,