imv_policy_manager: Added capability to execute an allow or block shell command string
authorAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 26 Apr 2015 08:55:24 +0000 (10:55 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 26 Apr 2015 08:55:24 +0000 (10:55 +0200)
conf/Makefile.am
conf/options/imv_policy_manager.opt [new file with mode: 0644]
src/libimcv/imv/imv_policy_manager.c
testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/strongswan.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf

index f10af25..7cee0cb 100644 (file)
@@ -14,6 +14,7 @@ options = \
        options/charon-logging.opt \
        options/charon-systemd.opt \
        options/imcv.opt \
+       options/imv_policy_manager.opt \
        options/manager.opt \
        options/medsrv.opt \
        options/pacman.opt \
diff --git a/conf/options/imv_policy_manager.opt b/conf/options/imv_policy_manager.opt
new file mode 100644 (file)
index 0000000..6ed0efc
--- /dev/null
@@ -0,0 +1,13 @@
+imv_policy_manager.database =
+       Database URI for the database that stores the package information. If it
+       contains a password, make sure to adjust the permissions of the config file
+       accordingly.
+
+imv_policy_manager.load = sqlite
+       Plugins to load in IMV policy manager.
+
+imv_policy_manager.command_allow =
+       Shell command to be executed with recommendation allow.
+
+imv_policy_manager.command_block =
+       Shell command to be executed with all other recommendations. 
index 9f7e4e8..b730f8c 100644 (file)
@@ -255,7 +255,8 @@ static bool policy_stop(database_t *db, int session_id)
        enumerator_t *e;
        int rec, policy, final_rec, id_type;
        chunk_t id_value;
-       char *result, *ip_address = NULL;
+       char *result, *format, *ip_address = NULL;
+       char command[512];
        bool success = TRUE;
 
        /* store all workitem results for this session in the results table */
@@ -334,6 +335,25 @@ static bool policy_stop(database_t *db, int session_id)
        fprintf(stderr, "recommendation for access requestor %s is %N\n",
                        ip_address ? ip_address : "0.0.0.0",
                        TNC_IMV_Action_Recommendation_names, final_rec);
+
+       if (final_rec == TNC_IMV_ACTION_RECOMMENDATION_ALLOW)
+       {
+               format = lib->settings->get_str(lib->settings,
+                                               "imv_policy_manager.command_allow", NULL);
+       }
+       else
+       {
+               format = lib->settings->get_str(lib->settings,
+                                               "imv_policy_manager.command_block", NULL);
+       }
+       if (format && ip_address)
+       {
+               /* the IP address can occur at most twice in the command string */
+               snprintf(command, sizeof(command), format, ip_address, ip_address);
+               success = system(command) == 0;
+               fprintf(stderr, "%s system command: %s\n",
+                           success ? "successful" : "failed", command);
+       }
        free(ip_address);
 
        return success;
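Review bot: The `snprintf` inside `if (format && ip_address)` uses a configuration-supplied string as the format with exactly two `char *` arguments, so a `command_allow`/`command_block` value containing any conversion other than at most two `%s` is undefined behaviour, and the return value is unchecked, so a command line longer than the 512-byte `command` buffer is silently truncated and the fragment is still handed to `system()`. `ip_address` is read back from the database earlier in `policy_stop` (outside this hunk); unless it is guaranteed to be a validated address literal there, it is interpolated into a shell command line unquoted, so validating it as an IP literal before use would be the defensive choice. `success = system(command) == 0` also discards whatever value `success` held from storing the workitem results, so an earlier failure is masked whenever the command exits 0. The option text in `imv_policy_manager.opt` does not say that the string is a printf-style format whose `%s` receives the requestor's address, which is what makes the argument-count constraint visible to administrators. A shape that checks truncation and preserves the earlier status is below; `policy_stop` begins before this hunk.
```c
	if (format && ip_address)
	{
		int len;

		/* the IP address can occur at most twice in the command string;
		 * format comes from strongswan.conf, so refuse to run a command
		 * line that did not fit instead of executing a truncated one */
		len = snprintf(command, sizeof(command), format, ip_address, ip_address);
		if (len < 0 || (size_t)len >= sizeof(command))
		{
			fprintf(stderr, "system command too long or invalid, not executed\n");
			success = FALSE;
		}
		else if (system(command) != 0)
		{
			fprintf(stderr, "failed system command: %s\n", command);
			success = FALSE;
		}
		else
		{
			fprintf(stderr, "successful system command: %s\n", command);
		}
	}
```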
index 3b48073..c3409fd 100644 (file)
@@ -9,6 +9,8 @@ alice::cat /var/log/daemon.log::certificate status is good::YES
 alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
 alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
 alice::cat /var/log/daemon.log::received SWID tag inventory with ... items for request 3 at eid 1 of epoch::YES
+alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES
+moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES
 alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES
 alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES
 alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES
@@ -17,3 +19,5 @@ alice::cat /var/log/daemon.log::received SWID tag ID inventory with ... items fo
 alice::cat /var/log/daemon.log::1 SWID tag target::YES
 alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES
 alice::cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-::YES
+alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES
+moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES
index 1586214..48b1cf5 100644 (file)
 -A INPUT  -i eth0 -p tcp --dport 271 -j ACCEPT
 -A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT
 
-# allow ssh
+# allow inbound ssh
 -A INPUT  -p tcp --dport 22 -j ACCEPT
 -A OUTPUT -p tcp --sport 22 -j ACCEPT
 
+# allow outbound ssh
+-A OUTPU  -p tcp --dport 22 -j ACCEPT
+-A INPUT  -p tcp --sport 22 -j ACCEPT
+
 # allow crl fetch from winnetou
 -A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
 -A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
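Review bot: The first rule under `# allow outbound ssh` names the chain `OUTPU`, which does not exist, so iptables-restore will reject the file and none of alice's rules load. It should read `-A OUTPUT  -p tcp --dport 22 -j ACCEPT`. Since the only outbound ssh this scenario needs is the policy manager's connection to moon, the rule pair could additionally be narrowed with `-d`/`-s` to that host, as the crl-fetch rules below already do for winnetou.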
index 935973c..857e6d6 100644 (file)
@@ -27,3 +27,8 @@ libimcv {
     }
   }
 }
+
+imv_policy_manager {
+  command_allow = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is allowed\""'
+  command_block = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is blocked\""'
+}
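Review bot: Both `command_allow` and `command_block` run `ssh root@moon` from the policy manager's blocking `system()` call, and nothing in the command disables interactive prompts, so an unknown host key or a missing key-based login would leave the process waiting on stdin rather than failing. Adding `-o BatchMode=yes` (and a `-o ConnectTimeout=...`) to both commands turns such a failure into a non-zero exit status that the manager already logs, e.g. `command_allow = ssh -o BatchMode=yes root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is allowed\""'`. The remote command only invokes `logger`, which does not need root, so an unprivileged account on moon would be sufficient for this scenario.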
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..ecd9d47
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+# this file is not used in this scenario 
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..41cf8f8
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# this file is not used in this scenario 
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..d99a4b7
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+# this file is not used in this scenario 
index 0887e4d..5f4f8e7 100644 (file)
@@ -18,7 +18,7 @@ TCPDUMPHOSTS="moon"
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="carol dave alice"
+IPSECHOSTS="carol moon dave alice"
 
 # Guest instances on which FreeRadius is started
 #