store detected improper OS settings in database
authorAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 29 Nov 2012 23:12:38 +0000 (00:12 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 29 Nov 2012 23:12:48 +0000 (00:12 +0100)
src/libimcv/plugins/imv_os/imv_os.c
src/libimcv/plugins/imv_os/imv_os_database.c
src/libimcv/plugins/imv_os/imv_os_database.h
src/libpts/plugins/imv_attestation/attest_db.c

index 16906bc..65538df 100644 (file)
@@ -374,7 +374,9 @@ static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
                !os_state->get_angel_count(os_state))
        {
                int device_id, count, count_update, count_blacklist, count_ok;
+               u_int os_settings;
 
+               os_settings = os_state->get_os_settings(os_state);
                os_state->get_count(os_state, &count, &count_update, &count_blacklist,
                                                                          &count_ok);
                DBG1(DBG_IMV, "processed %d packages: %d not updated, %d blacklisted, "
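Review bot: The ISOLATE recommendation in the following hunk is now driven by the snapshotted `os_settings`, yet the DBG1 at the end of this hunk logs only the package counts, so an operator reading the IMV log cannot tell which settings check caused a device to be isolated. Log the value next to the counts, e.g. `DBG1(DBG_IMV, "improper OS settings flags: 0x%x", os_settings);` right after the existing DBG1, or fold it into that message. What the individual bits mean comes from get_os_settings(), whose definition is not part of this diff. The DBG1 call and the enclosing receive_message() continue beyond this hunk.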
@@ -387,11 +389,10 @@ static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
                {
                        os_db->set_device_info(os_db, device_id,
                                                os_state->get_info(os_state, NULL, NULL, NULL),
-                                               count, count_update, count_blacklist);
+                                               count, count_update, count_blacklist, os_settings);
                }
 
-               if (count_update || count_blacklist ||
-                       os_state->get_os_settings(os_state))
+               if (count_update || count_blacklist || os_settings)
                {
                        state->set_recommendation(state,
                                                                TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
index 23164b6..eb4c2ac 100644 (file)
@@ -215,11 +215,12 @@ METHOD(imv_os_database_t, get_device_id, int,
 
 METHOD(imv_os_database_t, set_device_info, void,
        private_imv_os_database_t *this,  int device_id, char *os_info,
-       int count, int count_update, int count_blacklist)
+       int count, int count_update, int count_blacklist, u_int flags)
 {
        enumerator_t *e;
        time_t last_time;
        int pid = 0, last_pid = 0, last_count_update = 0, last_count_blacklist = 0;
+       u_int last_flags;
        bool found = FALSE;
 
        /* get primary key of OS info string if it exists */
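Review bot: The new declaration `u_int last_flags;` is left uninitialized while its siblings `last_count_update` and `last_count_blacklist` on the line above are zero-initialized. It is only read after `found` is true, so the `&&` short-circuit protects it today, but the asymmetry invites a maybe-uninitialized warning and a future read on the not-found path; write `u_int last_flags = 0;`. set_device_info() continues past this hunk.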
@@ -241,32 +242,35 @@ METHOD(imv_os_database_t, set_device_info, void,
 
        /* get latest device info record if it exists */
        e = this->db->query(this->db,
-                       "SELECT time, product, count_update, count_blacklist "
+                       "SELECT time, product, count_update, count_blacklist, flags "
                        "FROM device_infos WHERE device = ? ORDER BY time DESC",
-                        DB_INT, device_id, DB_UINT, DB_INT, DB_INT, DB_INT);
+                        DB_INT, device_id, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT);
        if (e)
        {
                found = e->enumerate(e, &last_time, &last_pid, &last_count_update,
-                                                               &last_count_blacklist);
+                                                               &last_count_blacklist, &last_flags);
                e->destroy(e);
        }
-       if (found && !last_count_update && !last_count_blacklist && pid == last_pid)
+       if (found && !last_count_update && !last_count_blacklist && !last_flags &&
+               pid == last_pid)
        {
                /* update device info */
                this->db->execute(this->db, NULL,
                        "UPDATE device_infos SET time = ?, count = ?, count_update = ?, "
-                       "count_blacklist = ? WHERE device = ? AND time = ?",
+                       "count_blacklist = ?, flags = ? WHERE device = ? AND time = ?",
                         DB_UINT, time(NULL), DB_INT, count, DB_INT, count_update,
-                        DB_INT, count_blacklist, DB_INT, device_id, DB_UINT, last_time);
+                        DB_INT, count_blacklist, DB_UINT, flags,
+                        DB_INT, device_id, DB_UINT, last_time);
        }
        else
        {
                /* insert device info */
                this->db->execute(this->db, NULL,
-                       "INSERT INTO device_infos (device, time, product, "
-                       "count, count_update, count_blacklist) VALUES (?, ?, ?, ?, ?, ?)",
+                       "INSERT INTO device_infos (device, time, product, count, "
+                       "count_update, count_blacklist, flags) VALUES (?, ?, ?, ?, ?, ?, ?)",
                         DB_INT, device_id, DB_UINT, time(NULL), DB_INT, pid,
-                        DB_INT, count, DB_INT, count_update, DB_INT, count_blacklist);
+                        DB_INT, count, DB_INT, count_update, DB_INT, count_blacklist,
+                        DB_UINT, flags);
        }
 }
 
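Review bot: The SELECT, UPDATE and INSERT in this hunk all reference a new `flags` column of `device_infos`, but none of the four files in this commit is a schema or migration file, so on an existing database without that column the query fails, `found` stays FALSE, and the INSERT fails as well. Because the return value of `this->db->execute()` is discarded in both branches, that failure is silent and device records quietly stop being written. Ship the schema change with this commit (or document the required ALTER TABLE), and check the execute result, e.g. `if (this->db->execute(...) < 0) { DBG1(DBG_IMV, "failed to store device info for device %d", device_id); }`; whether DBG1 is in scope in this file is not visible here, though imv_os.c in the same commit uses it.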
index a98ecb5..9ce748f 100644 (file)
@@ -57,9 +57,11 @@ struct imv_os_database_t {
        * @param count                                  Number of installed packages
        * @param count_update                   Number of packages to be updated
        * @param count_blacklist                Number of blacklisted packages
+       * @param flags                                  Various flags, e.g. illegal OS settings
        */
        void (*set_device_info)(imv_os_database_t *this, int device_id, char *os_info,
-                                                       int count, int count_update, int count_blacklist);
+                                                       int count, int count_update, int count_blacklist,
+                                                       u_int flags);
 
        /**
        * Destroys an imv_os_database_t object.
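Review bot: The new `@param flags` line says only "Various flags, e.g. illegal OS settings", which tells neither an implementer nor a caller where the bit values are defined or that any nonzero value is treated as a policy failure (the caller in imv_os.c passes the result of get_os_settings() and recommends ISOLATE on nonzero). Replace it with something like `@param flags  OS settings flags as returned by get_os_settings(); nonzero marks the device as non-compliant`, naming the enum that defines the bits if one exists.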
index 73a8c74..68a114c 100644 (file)
@@ -799,19 +799,20 @@ METHOD(attest_db_t, list_devices, void,
        time_t timestamp;
        int id, last_id = 0, device_count = 0;
        int count, count_update, count_blacklist;
+       u_int tstamp, flags = 0;
 
        e = this->db->query(this->db,
                        "SELECT d.id, d.value, i.time, i.count, i.count_update, "
-                       "i.count_blacklist, p.name FROM devices AS d "
+                       "i.count_blacklist, i.flags, p.name FROM devices AS d "
                        "JOIN device_infos AS i ON d.id = i.device "
                        "JOIN products AS p ON p.id = i.product "
                        "ORDER BY d.value, i.time DESC",
-                        DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_TEXT);
+                        DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT, DB_TEXT);
 
        if (e)
        {
-               while (e->enumerate(e, &id, &value, &timestamp, &count, &count_update,
-                                                          &count_blacklist, &product))
+               while (e->enumerate(e, &id, &value, &tstamp, &count, &count_update,
+                                                          &count_blacklist, &flags, &product))
                {
                        if (id != last_id)
                        {
@@ -819,8 +820,9 @@ METHOD(attest_db_t, list_devices, void,
                                device_count++;
                                last_id = id;
                        }
-                       printf("      %T, %4d, %3d, %3d, '%s'\n", &timestamp, TRUE,
-                                  count, count_update, count_blacklist, product);
+                       timestamp = tstamp;
+                       printf("      %T, %4d, %3d, %3d, %1u, '%s'\n", &timestamp, TRUE,
+                                  count, count_update, count_blacklist, flags, product);
                }
                e->destroy(e);
                printf("%d device%s found\n", device_count,
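Review bot: The `%1u` in the new printf prints the flags column as a bare decimal with a minimum width of one, which is the same as plain `%u` and, if the value is a bit set as the header's "Various flags" wording suggests, gives no hint which conditions were detected; `%#x` would at least make the bits readable. The `timestamp = tstamp;` copy is needed only because `%T` takes a `time_t` pointer while the column is read as `u_int`, which deserves a one-line comment such as `/* %T expects a time_t; the column was read into a u_int */`. The rest of list_devices() lies outside this hunk.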