From fc373b64a6afb09acd18fad7c87bec48fd708446 Mon Sep 17 00:00:00 2001
From: Andreas Steffen
Date: Thu, 31 Aug 2017 18:52:04 +0200
Subject: [PATCH] imv-os: Updated security update evaluation
---
 src/libimcv/plugins/imv_os/imv_os_agent.c | 3 +-
 src/libimcv/plugins/imv_os/imv_os_database.c | 34 ++++++++++---------
 src/libimcv/plugins/imv_os/imv_os_state.c | 24 ++++++-------
 src/libimcv/plugins/imv_os/imv_os_state.h | 10 +++---
 .../hosts/carol/etc/strongswan.conf | 2 +-
 .../hosts/dave/etc/strongswan.conf | 2 +-
 .../hosts/moon/etc/strongswan.conf | 2 +-
 7 files changed, 39 insertions(+), 38 deletions(-)
diff --git a/src/libimcv/plugins/imv_os/imv_os_agent.c b/src/libimcv/plugins/imv_os/imv_os_agent.c
index 4bf6c7e215..3fa3d09655 100644
--- a/src/libimcv/plugins/imv_os/imv_os_agent.c
+++ b/src/libimcv/plugins/imv_os/imv_os_agent.c
@@ -705,8 +705,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 eval = fail ? TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR :
 TNC_IMV_EVALUATION_RESULT_COMPLIANT;
 snprintf(result_str, BUF_LEN, "processed %d packages: "
- "%d not updated, %d blacklisted, %d ok, "
- "%d unknown",
+ "%d vulnerable, %d blacklisted, %d ok, %d unknown",
 count, count_update, count_blacklist, count_ok,
 count - count_update - count_blacklist - count_ok);
 break;
diff --git a/src/libimcv/plugins/imv_os/imv_os_database.c b/src/libimcv/plugins/imv_os/imv_os_database.c
index 31b889b74f..049c844bc5 100644
--- a/src/libimcv/plugins/imv_os/imv_os_database.c
+++ b/src/libimcv/plugins/imv_os/imv_os_database.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2014 Andreas Steffen
+ * Copyright (C) 2012-2017 Andreas Steffen
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
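Review bot: The local `count_update` in batch_ending now receives the value the state API calls `count_security` (the renamed `get_count` parameter in imv_os_state.h) and is printed under the label "vulnerable", so the variable name no longer describes what it holds; renaming it to `count_security` inside this function would keep agent, state and database consistent. The last `%d` is the remainder `count - count_update - count_blacklist - count_ok`, and after the database change in this commit that remainder appears to cover both packages absent from the database and packages whose version matched no known release, so "unknown" now stands for two different situations. batch_ending starts and ends outside the hunk.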
@@ -51,7 +51,7 @@ METHOD(imv_os_database_t, check_packages, status_t,
 char *product, *package, *release, *cur_release;
 chunk_t name, version;
 int pid, gid, security, blacklist;
- int count = 0, count_ok = 0, count_no_match = 0, count_blacklist = 0;
+ int count = 0, count_ok = 0, count_security = 0, count_blacklist = 0;
 enumerator_t *e;
 status_t status = SUCCESS;
 bool found, match;
@@ -103,11 +103,8 @@ METHOD(imv_os_database_t, check_packages, status_t,
 if (!e->enumerate(e, &gid))
 {
 /* package not present in database for any product - skip */
- if (os_type == OS_TYPE_ANDROID)
- {
- DBG2(DBG_IMV, "package '%s' (%.*s) not found",
- package, version.len, version.ptr);
- }
+ DBG2(DBG_IMV, "package '%s' (%.*s) not found",
+ package, version.len, version.ptr);
 free(package);
 e->destroy(e);
 continue;
@@ -148,36 +145,41 @@ METHOD(imv_os_database_t, check_packages, status_t,
 {
 if (blacklist)
 {
- DBG2(DBG_IMV, "package '%s' (%s) is blacklisted",
+ DBG1(DBG_IMV, "package '%s' (%s) is blacklisted",
 package, release);
 count_blacklist++;
 os_state->add_bad_package(os_state, package,
 OS_PACKAGE_STATE_BLACKLIST);
 }
+ else if (security)
+ {
+ DBG1(DBG_IMV, "package '%s' (%s) is vulnerable",
+ package, release);
+ os_state->add_bad_package(os_state, package,
+ OS_PACKAGE_STATE_SECURITY);
+ count_security++;
+ }
 else
 {
- DBG2(DBG_IMV, "package '%s' (%s)%s is ok", package, release,
- security ? " [s]" : "");
+ DBG2(DBG_IMV, "package '%s' (%s) is ok",
+ package, release);
 count_ok++;
 }
 }
 else
 {
 DBG1(DBG_IMV, "package '%s' (%s) no match", package, release);
- count_no_match++;
- os_state->add_bad_package(os_state, package,
- OS_PACKAGE_STATE_SECURITY);
 }
 }
 else
 {
- /* package not present in database for this product - skip */
+ DBG2(DBG_IMV, "package '%s' (%s) unknown", package, release);
 }
 free(package);
 free(release);
 }
- os_state->set_count(os_state, count, count_no_match,
- count_blacklist, count_ok);
+ os_state->set_count(os_state, count, count_security, count_blacklist,
+ count_ok);
 return status;
 }
diff --git a/src/libimcv/plugins/imv_os/imv_os_state.c b/src/libimcv/plugins/imv_os/imv_os_state.c
index ac826a77cf..af5daf0fc9 100644
--- a/src/libimcv/plugins/imv_os/imv_os_state.c
+++ b/src/libimcv/plugins/imv_os/imv_os_state.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2014 Andreas Steffen
+ * Copyright (C) 2012-2017 Andreas Steffen
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
@@ -121,9 +121,9 @@ struct private_imv_os_state_t {
 int count;
 /**
- * Number of not updated packages
+ * Number of vulnerable packages
 */
- int count_update;
+ int count_security;
 /**
 * Number of blacklisted packages
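Review bot: The `no match` branch is now log-only: `count_no_match++` and the `add_bad_package(..., OS_PACKAGE_STATE_SECURITY)` call are removed without a replacement, so a package whose installed version matches no release known for this product no longer reaches the state's bad-package list or `count_security`, which are exactly what get_reason_string and get_remediation_instructions key on; it ends up in the uncounted remainder that batch_ending reports as "unknown". If treating an unrecognised version as neither ok nor vulnerable is the intended policy, say so at the branch, e.g. `/* version not in database: reported as unknown, not flagged as vulnerable */`; if it is not, the `add_bad_package` call should be kept. Minor: the new `else if (security)` branch increments `count_security` after `add_bad_package` while the blacklist branch increments `count_blacklist` before it — ordering the two alike makes the three branches read as one pattern. check_packages starts before the hunk.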
@@ -372,7 +372,7 @@ METHOD(imv_state_t, get_reason_string, bool,
 private_imv_os_state_t *this, enumerator_t *language_enumerator,
 chunk_t *reason_string, char **reason_language)
 {
- if (!this->count_update && !this->count_blacklist & !this->os_settings)
+ if (!this->count_security && !this->count_blacklist & !this->os_settings)
 {
 return FALSE;
 }
@@ -383,7 +383,7 @@ METHOD(imv_state_t, get_reason_string, bool,
 DESTROY_IF(this->reason_string);
 this->reason_string = imv_reason_string_create(*reason_language, "\n");
- if (this->count_update || this->count_blacklist)
+ if (this->count_security || this->count_blacklist)
 {
 this->reason_string->add_reason(this->reason_string, reason_packages);
 }
@@ -403,7 +403,7 @@ METHOD(imv_state_t, get_remediation_instructions, bool,
 imv_os_info_t *os_info;
 bool as_xml = FALSE;
- if (!this->count_update && !this->count_blacklist & !this->os_settings)
+ if (!this->count_security && !this->count_blacklist & !this->os_settings)
 {
 return FALSE;
 }
@@ -430,7 +430,7 @@ METHOD(imv_state_t, get_remediation_instructions, bool,
 }
 /* List of packages in need of an update, if any */
- if (this->count_update)
+ if (this->count_security)
 {
 this->remediation_string->add_instruction(this->remediation_string,
 instr_update_packages_title,
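Review bot: Both rewritten guard conditions keep a bitwise `&` where `&&` is meant: `!this->count_security && !this->count_blacklist & !this->os_settings` in get_reason_string (hunk @@ -372) and the identical line in get_remediation_instructions (hunk @@ -403). Because `&` binds tighter than `&&` the expression parses as `!count_security && (!count_blacklist & !os_settings)`, and since every operand is a `!` result the value happens to be the same, so behaviour is unchanged — but it reads as a typo and the line is being edited anyway, so make it `if (!this->count_security && !this->count_blacklist && !this->os_settings)` in both places. Both functions continue outside their hunks.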
@@ -492,26 +492,26 @@ METHOD(imv_os_state_t, get_handshake_state, imv_os_handshake_state_t,
 METHOD(imv_os_state_t, set_count, void,
- private_imv_os_state_t *this, int count, int count_update,
+ private_imv_os_state_t *this, int count, int count_security,
 int count_blacklist, int count_ok)
 {
 this->count += count;
- this->count_update += count_update;
+ this->count_security += count_security;
 this->count_blacklist += count_blacklist;
 this->count_ok += count_ok;
 }
 METHOD(imv_os_state_t, get_count, void,
- private_imv_os_state_t *this, int *count, int *count_update,
+ private_imv_os_state_t *this, int *count, int *count_security,
 int *count_blacklist, int *count_ok)
 {
 if (count)
 {
 *count = this->count;
 }
- if (count_update)
+ if (count_security)
 {
- *count_update = this->count_update;
+ *count_security = this->count_security;
 }
 if (count_blacklist)
 {
diff --git a/src/libimcv/plugins/imv_os/imv_os_state.h b/src/libimcv/plugins/imv_os/imv_os_state.h
index aa9b640766..d73a47412c 100644
--- a/src/libimcv/plugins/imv_os/imv_os_state.h
+++ b/src/libimcv/plugins/imv_os/imv_os_state.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2014 Andreas Steffen
+ * Copyright (C) 2012-2017 Andreas Steffen
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
@@ -81,22 +81,22 @@ struct imv_os_state_t {
 * Set [or with multiple attributes increment] package counters
 *
 * @param count Number of processed packages
- * @param count_update Number of not updated packages
+ * @param count_security Number of vulnerable packages
 * @param count_blacklist Number of blacklisted packages
 * @param count_ok Number of whitelisted packages
 */
- void (*set_count)(imv_os_state_t *this, int count, int count_update,
+ void (*set_count)(imv_os_state_t *this, int count, int count_security,
 int count_blacklist, int count_ok);
 /**
 * Set [or with multiple attributes increment] package counters
 *
 * @param count Number of processed packages
- * @param count_update Number of not updated packages
+ * @param count_security Number of vulnerable packages
 * @param count_blacklist Number of blacklisted packages
 * @param count_ok Number of whitelisted packages
 */
- void (*get_count)(imv_os_state_t *this, int *count, int *count_update,
+ void (*get_count)(imv_os_state_t *this, int *count, int *count_security,
 int *count_blacklist, int *count_ok);
 /**
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
index ef90078f2a..68c9330ffa 100644
--- a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
@@ -14,7 +14,7 @@ charon {
 default = 0
 }
 daemon {
- tnc = 3
+ tnc = 2
 imc = 3
 }
 }
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
index 4af05ad318..527efccf26 100644
--- a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
@@ -14,7 +14,7 @@ charon {
 default = 0
 }
 daemon {
- tnc = 3
+ tnc = 2
 imc = 3
 }
 }
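Review bot: The doc block above `get_count` still repeats `set_count`'s heading, "Set [or with multiple attributes increment] package counters", and its `@param` lines describe the arguments as inputs although `get_count` writes through the pointers (the implementation in imv_os_state.c checks `count`, `count_security` and `count_blacklist` for NULL before storing). Since the block is being edited for the rename anyway, change its first line to `Get package counters` and phrase the parameters as outputs, e.g. `@param count_security  receives the number of vulnerable packages (NULL to skip)`. struct imv_os_state_t continues outside the hunk.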
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
index 53c515f776..a52bf0e63a 100644
--- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
@@ -14,7 +14,7 @@ charon {
 default = 0
 }
 daemon {
- tnc = 3
+ tnc = 2
 imv = 3
 }
 }
--
2.47.3