Use attest database in tnc/tnccs-20-os scenario
This commit is contained in:
parent
9fab0a58d3
commit
0f499f41dc
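--- /dev/null
+++ b/data.sql
@@ -0,0 +1,107 @@
+/* Products */
+
+INSERT INTO products (
+name
+) VALUES (
+'Debian 7.0'
+);
+
+INSERT INTO products (
+name
+) VALUES (
+'Debian 7.0 i686'
+);
+
+INSERT INTO products (
+name
+) VALUES (
+'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (
+name
+) VALUES (
+'Ubuntu 12.04'
+);
+
+INSERT INTO products (
+name
+) VALUES (
+'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (
+name
+) VALUES (
+'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (
+name
+) VALUES (
+'Ubuntu 12.10'
+);
+
+INSERT INTO products (
+name
+) VALUES (
+'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (
+name
+) VALUES (
+'Ubuntu 12.10 x86_64'
+);
+
+/* Packages */
+
+INSERT INTO packages (
+name
+) VALUES (
+'libssl-dev'
+);
+
+INSERT INTO packages (
+name
+) VALUES (
+'libssl1.0.0'
+);
+
+INSERT INTO packages (
+name
+) VALUES (
+'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (
+name
+) VALUES (
+'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+package, product, release, time
+) values (
+1, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+package, product, release, time
+) values (
+2, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+package, product, release, time
+) values (
+3, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+package, product, release, time
+) values (
+4, 1, '1.0.1e-2', 1366531494
+);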
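Review bot: The `versions` rows at the end of the hunk refer to packages and products by bare integers (`1, 1, '1.0.1e-2', 1366531494`) whose meaning depends entirely on the AUTOINCREMENT order of the INSERTs above them, and nothing in the file says so; a reader cannot tell that `package` 1..4 are libssl-dev, libssl1.0.0, libssl1.0.0-dbg and openssl, that `product` 1 is 'Debian 7.0', or that `time` looks like a Unix epoch. A short comment above the first `versions` insert stating exactly that, e.g. `/* package/product are the ids AUTOINCREMENT assigned above (1..4 = libssl-dev, libssl1.0.0, libssl1.0.0-dbg, openssl; product 1 = 'Debian 7.0'); time is a Unix epoch */`, keeps the fixture readable, and it matters here because these rows are presumably the reference set the OS IMV checks installed packages against, so an inserted or reordered product row would silently change which package versions count as known. The four `versions` inserts also write `values` in lower case while every other statement uses `VALUES`; `) VALUES (` keeps the file consistent.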
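--- /dev/null
+++ b/tables.sql
@@ -0,0 +1,146 @@
+/* PTS SQLite database */
+
+DROP TABLE IF EXISTS files;
+CREATE TABLE files (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+type INTEGER NOT NULL,
+path TEXT NOT NULL
+);
+DROP INDEX IF EXISTS files_path;
+CREATE INDEX files_path ON files (
+path
+);
+
+DROP TABLE IF EXISTS products;
+CREATE TABLE products (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+name TEXT NOT NULL
+);
+DROP INDEX IF EXISTS products_name;
+CREATE INDEX products_name ON products (
+name
+);
+
+DROP TABLE IF EXISTS product_file;
+CREATE TABLE product_file (
+product INTEGER NOT NULL,
+file INTEGER NOT NULL,
+measurement INTEGER DEFAULT 0,
+metadata INTEGER DEFAULT 0,
+PRIMARY KEY (product, file)
+);
+
+DROP TABLE IF EXISTS file_hashes;
+CREATE TABLE file_hashes (
+file INTEGER NOT NULL,
+directory INTEGER DEFAULT 0,
+product INTEGER NOT NULL,
+key INTEGER DEFAULT 0,
+algo INTEGER NOT NULL,
+hash BLOB NOT NULL,
+PRIMARY KEY(file, directory, product, algo)
+);
+
+DROP TABLE IF EXISTS keys;
+CREATE TABLE keys (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+keyid BLOB NOT NULL,
+owner TEXT NOT NULL
+);
+DROP INDEX IF EXISTS keys_keyid;
+CREATE INDEX keys_keyid ON keys (
+keyid
+);
+DROP INDEX IF EXISTS keys_owner;
+CREATE INDEX keys_owner ON keys (
+owner
+);
+
+DROP TABLE IF EXISTS components;
+CREATE TABLE components (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+vendor_id INTEGER NOT NULL,
+name INTEGER NOT NULL,
+qualifier INTEGER DEFAULT 0
+);
+
+
+DROP TABLE IF EXISTS key_component;
+CREATE TABLE key_component (
+key INTEGER NOT NULL,
+component INTEGER NOT NULL,
+depth INTEGER DEFAULT 0,
+seq_no INTEGER DEFAULT 0,
+PRIMARY KEY (key, component)
+);
+
+
+DROP TABLE IF EXISTS component_hashes;
+CREATE TABLE component_hashes (
+component INTEGER NOT NULL,
+key INTEGER NOT NULL,
+seq_no INTEGER NOT NULL,
+pcr INTEGER NOT NULL,
+algo INTEGER NOT NULL,
+hash BLOB NOT NULL,
+PRIMARY KEY(component, key, seq_no, algo)
+);
+
+DROP TABLE IF EXISTS packages;
+CREATE TABLE packages (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+name TEXT NOT NULL
+);
+DROP INDEX IF EXISTS packages_name;
+CREATE INDEX packages_name ON packages (
+name
+);
+
+DROP TABLE IF EXISTS versions;
+CREATE TABLE versions (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+package INTEGER NOT NULL,
+product INTEGER NOT NULL,
+release TEXT NOT NULL,
+security INTEGER DEFAULT 0,
+time INTEGER DEFAULT 0
+);
+DROP INDEX IF EXISTS versions_release;
+CREATE INDEX versions_release ON versions (
+release
+);
+DROP INDEX IF EXISTS versions_package_product;
+CREATE INDEX versions_package_product ON versions (
+package, product
+);
+
+DROP TABLE IF EXISTS devices;
+CREATE TABLE devices (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+value BLOB NOT NULL
+);
+DROP INDEX IF EXISTS devices_id;
+CREATE INDEX devices_value ON devices (
+value
+);
+
+DROP TABLE IF EXISTS device_infos;
+CREATE TABLE device_infos (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+device INTEGER NOT NULL,
+time INTEGER NOT NULL,
+ar_id INTEGER DEFAULT 0,
+product INTEGER DEFAULT 0,
+count INTEGER DEFAULT 0,
+count_update INTEGER DEFAULT 0,
+count_blacklist INTEGER DEFAULT 0,
+flags INTEGER DEFAULT 0
+);
+
+DROP TABLE IF EXISTS identities;
+CREATE TABLE identities (
+id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+type INTEGER NOT NULL,
+data BLOB NOT NULL,
+UNIQUE (type, data)
+);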
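Review bot: `DROP INDEX IF EXISTS devices_id;` does not match the index created two lines later, `CREATE INDEX devices_value ON devices (value);`, so it should read `DROP INDEX IF EXISTS devices_value;` (the preceding `DROP TABLE IF EXISTS devices` happens to drop the index with the table, which is why re-running the script does not expose the mismatch). More broadly, none of the link columns — `product_file.product`/`file`, `file_hashes.file`/`product`/`key`, `key_component.key`/`component`, `component_hashes.component`/`key`, `versions.package`/`product`, `device_infos.device`/`product` — is declared as a `FOREIGN KEY`, so orphaned measurement, version and device-info rows cannot be rejected by the database; note that SQLite only enforces such constraints when `PRAGMA foreign_keys = ON` is issued on each connection, so adding them would have to go together with that pragma in whatever code opens the database. `products.name`, `packages.name` and `devices.value` are indexed but not UNIQUE, unlike `identities`, which gets `UNIQUE (type, data)`; if the attest tool and the IMV look rows up by name or value, as the `--product 'Debian 7.0'` call in pretest.dat suggests, a duplicate row makes that lookup ambiguous, and `CREATE UNIQUE INDEX` would reject it at insert time instead.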
@ -6,8 +6,10 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y
|
|||
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
|
||||
moon:: ipsec attest --devices 2> /dev/null::Debian 7.0 x86_64.*carol@strongswan.org::YES
|
||||
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
||||
moon:: ipsec attest --devices 2> /dev/null::Windows 1.2.3.*dave@strongswan.org::YES
|
||||
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
|
||||
|
@ -16,4 +18,3 @@ carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
|||
carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
||||
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
|
||||
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
|
||||
|
||||
|
|
|
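Review bot: The two new `ipsec attest --devices 2> /dev/null` checks discard stderr, so when the tool cannot open `/etc/pts/config.db` (for instance because the import in pretest.dat failed) the only symptom is a non-matching pattern with no diagnostic in the test output; `2>&1` would keep the error visible while still letting the pattern decide the verdict. The expected string `Windows 1.2.3.*dave@strongswan.org` is presumably the product reported by dave's IMC rather than anything seeded in data.sql — worth a short comment, if the format allows one, because a reader comparing it against the products table will not find it. With the markers lost on this page it is not clear which of the ping expectations the second hunk removes.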
@ -1,7 +1,7 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
|
||||
multiple_authentication=no
|
||||
plugins {
|
||||
eap-ttls {
|
||||
|
@ -18,7 +18,14 @@ charon {
|
|||
libimcv {
|
||||
plugins {
|
||||
imv-os {
|
||||
database = sqlite:///etc/pts/config.db
|
||||
request_installed_packages = yes
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
attest {
|
||||
load = random nonce openssl sqlite
|
||||
database = sqlite:///etc/pts/config.db
|
||||
}
|
||||
|
||||
|
|
|
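Review bot: The database URI `sqlite:///etc/pts/config.db` now appears twice — under `libimcv.plugins.imv-os` and under `attest` — with nothing stating that both must point at the same file; if one is edited without the other, the IMV evaluates against a database other than the one `ipsec attest` populates and the scenario fails with no obvious cause. A comment above each, e.g. `# must be the same database the attest tool populates (tables.sql/data.sql are imported in pretest.dat)`, makes the coupling explicit. The `attest` section also loads `openssl` while `charon` loads the in-tree crypto plugins (`aes des sha1 sha2 md5 ...`); that is likely what the attest tool needs for hashing, but the difference deserves a one-line comment so it is not "normalised" away later. The enclosing `charon` and `libimcv` blocks start outside the hunks.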
@ -5,3 +5,4 @@ moon::iptables-restore < /etc/iptables.flush
|
|||
carol::iptables-restore < /etc/iptables.flush
|
||||
dave::iptables-restore < /etc/iptables.flush
|
||||
carol::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
moon::rm /etc/pts/config.db
|
||||
|
|
|
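Review bot: `moon::rm /etc/pts/config.db` prints an error — and, depending on how the harness treats a failing command, may mark the teardown as failed — when the database was never created, for example because pretest.dat aborted before the sqlite3 import; `moon::rm -f /etc/pts/config.db` makes the cleanup unconditional. Since tables.sql drops and recreates every table on import, the removal is belt-and-braces rather than required for the next run, which is fine for a fixture; `-f` just keeps it quiet.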
@ -2,6 +2,8 @@ moon::iptables-restore < /etc/iptables.rules
|
|||
carol::iptables-restore < /etc/iptables.rules
|
||||
dave::iptables-restore < /etc/iptables.rules
|
||||
carol::echo 0 > /proc/sys/net/ipv4/ip_forward
|
||||
dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
|
||||
moon::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db
|
||||
moon::cat /etc/tnc_config
|
||||
carol::cat /etc/tnc_config
|
||||
dave::cat /etc/tnc_config
|
||||
|
@ -12,3 +14,5 @@ carol::sleep 1
|
|||
carol::ipsec up home
|
||||
dave::ipsec up home
|
||||
dave::sleep 1
|
||||
moon::ipsec attest --packages --product 'Debian 7.0'
|
||||
moon::ipsec attest --devices
|
||||
|
|
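Review bot: `moon::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db` changes directory as a side effect, so if the harness runs a host's commands in a single shell every later `moon::` command in this file runs from `/etc/pts` rather than the directory the others assume, and the import silently writes `config.db` elsewhere if the `cd` fails. Absolute paths avoid both: `moon::cat /etc/pts/tables.sql /etc/pts/data.sql | sqlite3 /etc/pts/config.db`. The resulting file is created with the invoking user's umask and holds the reference versions and per-device records the IMV presumably trusts, so it is worth confirming on moon that it is not writable by other users. `dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id` pins dave's device identity to a fixed value, presumably so the `--devices` check in evaltest.dat sees a stable device; a comment saying so, if the format allows one, would explain the otherwise arbitrary constant.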