imv-os: Updated security update evaluation
authorAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 31 Aug 2017 16:52:04 +0000 (18:52 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 1 Sep 2017 10:42:24 +0000 (12:42 +0200)
src/libimcv/plugins/imv_os/imv_os_agent.c
src/libimcv/plugins/imv_os/imv_os_database.c
src/libimcv/plugins/imv_os/imv_os_state.c
src/libimcv/plugins/imv_os/imv_os_state.h
testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf

index 4bf6c7e..3fa3d09 100644 (file)
@@ -705,8 +705,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
                                        eval = fail ? TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR :
                                                                  TNC_IMV_EVALUATION_RESULT_COMPLIANT;
                                        snprintf(result_str, BUF_LEN, "processed %d packages: "
-                                                       "%d not updated, %d blacklisted, %d ok, "
-                                                       "%d unknown",
+                                                       "%d vulnerable, %d blacklisted, %d ok, %d unknown",
                                                        count, count_update, count_blacklist, count_ok,
                                                        count - count_update - count_blacklist - count_ok);
                                        break;
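Review bot: The local `count_update` that is now printed as "%d vulnerable" keeps the old name, while the state API this value comes from renames the same counter to `count_security` in this commit (set_count/get_count in imv_os_state.h), so agent and state now use two names for one quantity; renaming the local here to `count_security` would keep them consistent. The get_count call that fills it is presumably just above the hunk and would need the same rename. Note also that the remainder printed as "%d unknown" is `count - count_update - count_blacklist - count_ok`, so after this commit it absorbs both packages absent from the database and packages whose version matched no known release, which the database code no longer counts separately. batch_ending starts and ends outside the hunk.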
index 31b889b..049c844 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2014 Andreas Steffen
+ * Copyright (C) 2012-2017 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -51,7 +51,7 @@ METHOD(imv_os_database_t, check_packages, status_t,
        char *product, *package, *release, *cur_release;
        chunk_t name, version;
        int pid, gid, security, blacklist;
-       int count = 0, count_ok = 0, count_no_match = 0, count_blacklist = 0;
+       int count = 0, count_ok = 0, count_security = 0, count_blacklist = 0;
        enumerator_t *e;
        status_t status = SUCCESS;
        bool found, match;
@@ -103,11 +103,8 @@ METHOD(imv_os_database_t, check_packages, status_t,
                if (!e->enumerate(e, &gid))
                {
                        /* package not present in database for any product - skip */
-                       if (os_type == OS_TYPE_ANDROID)
-                       {
-                               DBG2(DBG_IMV, "package '%s' (%.*s) not found",
-                                        package, version.len, version.ptr);
-                       }
+                       DBG2(DBG_IMV, "package '%s' (%.*s) not found",
+                                                  package, version.len, version.ptr);
                        free(package);
                        e->destroy(e);
                        continue;
@@ -148,36 +145,41 @@ METHOD(imv_os_database_t, check_packages, status_t,
                        {
                                if (blacklist)
                                {
-                                       DBG2(DBG_IMV, "package '%s' (%s) is blacklisted",
+                                       DBG1(DBG_IMV, "package '%s' (%s) is blacklisted",
                                                                   package, release);
                                        count_blacklist++;
                                        os_state->add_bad_package(os_state, package,
                                                                                          OS_PACKAGE_STATE_BLACKLIST);
                                }
+                               else if (security)
+                               {
+                                       DBG1(DBG_IMV, "package '%s' (%s) is vulnerable",
+                                                                  package, release);
+                                       os_state->add_bad_package(os_state, package,
+                                                                                         OS_PACKAGE_STATE_SECURITY);
+                                       count_security++;
+                               }
                                else
                                {
-                                       DBG2(DBG_IMV, "package '%s' (%s)%s is ok", package, release,
-                                                                  security ? " [s]" : "");
+                                       DBG2(DBG_IMV, "package '%s' (%s) is ok",
+                                                                  package, release);
                                        count_ok++;
                                }
                        }
                        else
                        {
                                DBG1(DBG_IMV, "package '%s' (%s) no match", package, release);
-                               count_no_match++;
-                               os_state->add_bad_package(os_state, package,
-                                                                                 OS_PACKAGE_STATE_SECURITY);
                        }
                }
                else
                {
-                       /* package not present in database for this product - skip */
+                       DBG2(DBG_IMV, "package '%s' (%s) unknown", package, release);
                }
                free(package);
                free(release);
        }
-       os_state->set_count(os_state, count, count_no_match,
-                                                                 count_blacklist, count_ok);
+       os_state->set_count(os_state, count, count_security, count_blacklist,
+                                               count_ok);
 
        return status;
 }
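Review bot: The `else` branch at the `no match` log no longer counts the package nor marks it bad, so a package whose version matches none of the product's known releases raises neither `count_security` nor `count_ok` and lands in the caller's "unknown" remainder, the same bucket as packages absent from the database. That is a weaker outcome than before the commit, where such a package was reported as needing an update; if it is intended, a comment such as `/* version matches no known release: not counted, reported as unknown by the caller */` would document the policy. The differing log levels (DBG1 for `no match`, DBG2 for `unknown`) look deliberate but are worth confirming for the same reason. A small style point: the blacklist branch increments its counter before `add_bad_package` while the new security branch increments after it. check_packages starts outside the hunk.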
index ac826a7..af5daf0 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2014 Andreas Steffen
+ * Copyright (C) 2012-2017 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -121,9 +121,9 @@ struct private_imv_os_state_t {
        int count;
 
        /**
-        * Number of not updated packages
+        * Number of vulnerable packages
         */
-       int count_update;
+       int count_security;
 
        /**
         * Number of blacklisted packages
@@ -372,7 +372,7 @@ METHOD(imv_state_t, get_reason_string, bool,
        private_imv_os_state_t *this, enumerator_t *language_enumerator,
        chunk_t *reason_string, char **reason_language)
 {
-       if (!this->count_update && !this->count_blacklist & !this->os_settings)
+       if (!this->count_security && !this->count_blacklist & !this->os_settings)
        {
                return FALSE;
        }
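Review bot: The rewritten condition still mixes `&` and `&&`: `!this->count_security && !this->count_blacklist & !this->os_settings` parses as `!count_security && ((!count_blacklist) & (!os_settings))`, which yields the right truth value only because both operands of `&` are 0 or 1, and it loses short-circuiting and reads like a typo. Since the line is being touched anyway, `if (!this->count_security && !this->count_blacklist && !this->os_settings)` is the intended form. The same expression is rewritten identically in the get_remediation_instructions hunk below and should get the same fix. get_reason_string's body continues past the hunk.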
@@ -383,7 +383,7 @@ METHOD(imv_state_t, get_reason_string, bool,
        DESTROY_IF(this->reason_string);
        this->reason_string = imv_reason_string_create(*reason_language, "\n");
 
-       if (this->count_update || this->count_blacklist)
+       if (this->count_security || this->count_blacklist)
        {
                this->reason_string->add_reason(this->reason_string, reason_packages);
        }
@@ -403,7 +403,7 @@ METHOD(imv_state_t, get_remediation_instructions, bool,
        imv_os_info_t *os_info;
        bool as_xml = FALSE;
 
-       if (!this->count_update && !this->count_blacklist & !this->os_settings)
+       if (!this->count_security && !this->count_blacklist & !this->os_settings)
        {
                return FALSE;
        }
@@ -430,7 +430,7 @@ METHOD(imv_state_t, get_remediation_instructions, bool,
        }
 
        /* List of packages in need of an update, if any */
-       if (this->count_update)
+       if (this->count_security)
        {
                this->remediation_string->add_instruction(this->remediation_string,
                                                        instr_update_packages_title,
@@ -492,26 +492,26 @@ METHOD(imv_os_state_t, get_handshake_state, imv_os_handshake_state_t,
 
 
 METHOD(imv_os_state_t, set_count, void,
-       private_imv_os_state_t *this, int count, int count_update,
+       private_imv_os_state_t *this, int count, int count_security,
        int count_blacklist, int count_ok)
 {
        this->count           += count;
-       this->count_update    += count_update;
+       this->count_security  += count_security;
        this->count_blacklist += count_blacklist;
        this->count_ok        += count_ok;
 }
 
 METHOD(imv_os_state_t, get_count, void,
-       private_imv_os_state_t *this, int *count, int *count_update,
+       private_imv_os_state_t *this, int *count, int *count_security,
        int *count_blacklist, int *count_ok)
 {
        if (count)
        {
                *count = this->count;
        }
-       if (count_update)
+       if (count_security)
        {
-               *count_update = this->count_update;
+               *count_security = this->count_security;
        }
        if (count_blacklist)
        {
index aa9b640..d73a474 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2014 Andreas Steffen
+ * Copyright (C) 2012-2017 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -81,22 +81,22 @@ struct imv_os_state_t {
         * Set [or with multiple attributes increment] package counters
         *
         * @param count                         Number of processed packages
-        * @param count_update          Number of not updated packages
+        * @param count_security        Number of vulnerable packages
         * @param count_blacklist       Number of blacklisted packages
         * @param count_ok                      Number of whitelisted packages
         */
-       void (*set_count)(imv_os_state_t *this, int count, int count_update,
+       void (*set_count)(imv_os_state_t *this, int count, int count_security,
                                          int count_blacklist, int count_ok);
 
        /**
         * Set [or with multiple attributes increment] package counters
         *
         * @param count                         Number of processed packages
-        * @param count_update          Number of not updated packages
+        * @param count_security        Number of vulnerable packages
         * @param count_blacklist       Number of blacklisted packages
         * @param count_ok                      Number of whitelisted packages
         */
-       void (*get_count)(imv_os_state_t *this, int *count, int *count_update,
+       void (*get_count)(imv_os_state_t *this, int *count, int *count_security,
                                          int *count_blacklist, int *count_ok);
 
        /**
index ef90078..68c9330 100644 (file)
@@ -14,7 +14,7 @@ charon {
       default = 0
     }
     daemon {
-      tnc = 3
+      tnc = 2
       imc = 3
     }
   }
index 4af05ad..527efcc 100644 (file)
@@ -14,7 +14,7 @@ charon {
       default = 0
     }
     daemon {
-      tnc = 3
+      tnc = 2
       imc = 3
     }
   }
index 53c515f..a52bf0e 100644 (file)
@@ -14,7 +14,7 @@ charon {
       default = 0
     }
     daemon {
-      tnc = 3
+      tnc = 2
       imv = 3
     }
   }