imv_policy_manager: Added capability to execute an allow or block shell command string
This commit is contained in:
parent
ce354443bf
commit
79b5a33c11
|
@ -14,6 +14,7 @@ options = \
|
|||
options/charon-logging.opt \
|
||||
options/charon-systemd.opt \
|
||||
options/imcv.opt \
|
||||
options/imv_policy_manager.opt \
|
||||
options/manager.opt \
|
||||
options/medsrv.opt \
|
||||
options/pacman.opt \
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
imv_policy_manager.database =
|
||||
Database URI for the database that stores the package information. If it
|
||||
contains a password, make sure to adjust the permissions of the config file
|
||||
accordingly.
|
||||
|
||||
imv_policy_manager.load = sqlite
|
||||
Plugins to load in IMV policy manager.
|
||||
|
||||
imv_policy_manager.command_allow =
|
||||
Shell command to be executed with recommendation allow.
|
||||
|
||||
imv_policy_manager.command_block =
|
||||
Shell command to be executed with all other recommendations.
|
|
@ -255,7 +255,8 @@ static bool policy_stop(database_t *db, int session_id)
|
|||
enumerator_t *e;
|
||||
int rec, policy, final_rec, id_type;
|
||||
chunk_t id_value;
|
||||
char *result, *ip_address = NULL;
|
||||
char *result, *format, *ip_address = NULL;
|
||||
char command[512];
|
||||
bool success = TRUE;
|
||||
|
||||
/* store all workitem results for this session in the results table */
|
||||
|
@ -334,6 +335,25 @@ static bool policy_stop(database_t *db, int session_id)
|
|||
fprintf(stderr, "recommendation for access requestor %s is %N\n",
|
||||
ip_address ? ip_address : "0.0.0.0",
|
||||
TNC_IMV_Action_Recommendation_names, final_rec);
|
||||
|
||||
if (final_rec == TNC_IMV_ACTION_RECOMMENDATION_ALLOW)
|
||||
{
|
||||
format = lib->settings->get_str(lib->settings,
|
||||
"imv_policy_manager.command_allow", NULL);
|
||||
}
|
||||
else
|
||||
{
|
||||
format = lib->settings->get_str(lib->settings,
|
||||
"imv_policy_manager.command_block", NULL);
|
||||
}
|
||||
if (format && ip_address)
|
||||
{
|
||||
/* the IP address can occur at most twice in the command string */
|
||||
snprintf(command, sizeof(command), format, ip_address, ip_address);
|
||||
success = system(command) == 0;
|
||||
fprintf(stderr, "%s system command: %s\n",
|
||||
success ? "successful" : "failed", command);
|
||||
}
|
||||
free(ip_address);
|
||||
|
||||
return success;
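Review bot: The `snprintf(command, sizeof(command), format, ip_address, ip_address);` line discards the return value, so a format/address combination longer than the 512-byte buffer is silently truncated and the truncated string is still handed to system(); the length should be checked and the command skipped when it does not fit. The format string is read from the settings file rather than being a literal, so any conversion other than the two intended `%s` directives is undefined behaviour in this call, which the `imv_policy_manager.command_allow`/`command_block` option text should state explicitly (e.g. "may contain `%s` at most twice, replaced by the AR's IP address"). Where ip_address comes from is outside this hunk; if it can ever hold anything other than a validated IP literal, interpolating it into a shell command is an injection path, so validating it (for instance with inet_pton(), which needs `<arpa/inet.h>`) before the system() call would be prudent. Note also that `system(command) == 0` treats a fork failure (-1) and a non-zero exit status the same way in the log line. policy_stop() starts before this hunk.
```c
	if (format && ip_address)
	{
		int len;

		/* the IP address can occur at most twice in the command string */
		len = snprintf(command, sizeof(command), format, ip_address, ip_address);
		if (len < 0 || (size_t)len >= sizeof(command))
		{
			fprintf(stderr, "system command does not fit in %zu bytes, not executed\n",
					sizeof(command));
			success = FALSE;
		}
		else
		{
			success = system(command) == 0;
			fprintf(stderr, "%s system command: %s\n",
					success ? "successful" : "failed", command);
		}
	}
	/* … unchanged: free(ip_address) and return … */
```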
|
||||
|
|
|
@ -9,6 +9,8 @@ alice::cat /var/log/daemon.log::certificate status is good::YES
|
|||
alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
|
||||
alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
|
||||
alice::cat /var/log/daemon.log::received SWID tag inventory with ... items for request 3 at eid 1 of epoch::YES
|
||||
alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES
|
||||
moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES
|
||||
alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES
|
||||
alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES
|
||||
alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES
|
||||
|
@ -17,3 +19,5 @@ alice::cat /var/log/daemon.log::received SWID tag ID inventory with ... items fo
|
|||
alice::cat /var/log/daemon.log::1 SWID tag target::YES
|
||||
alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES
|
||||
alice::cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-::YES
|
||||
alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES
|
||||
moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES
|
||||
|
|
|
@ -13,10 +13,14 @@
|
|||
-A INPUT -i eth0 -p tcp --dport 271 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT
|
||||
|
||||
# allow ssh
|
||||
# allow inbound ssh
|
||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 22 -j ACCEPT
|
||||
|
||||
# allow outbound ssh
|
||||
-A OUTPU -p tcp --dport 22 -j ACCEPT
|
||||
-A INPUT -p tcp --sport 22 -j ACCEPT
|
||||
|
||||
# allow crl fetch from winnetou
|
||||
-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
|
||||
-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
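Review bot: The new outbound ssh rule `-A OUTPU -p tcp --dport 22 -j ACCEPT` appends to a chain named OUTPU, which does not exist, so iptables will reject that line when the rule set is loaded; it should read `-A OUTPUT -p tcp --dport 22 -j ACCEPT`. Depending on how this file is applied, the error can either drop just that rule or abort the whole restore, and in either case the ssh connection that the new command_allow/command_block hooks rely on would not be permitted as intended. Worth adding a comment that these two rules exist only so the policy manager can reach moon, since unlike the neighbouring rules they carry no interface or peer restriction.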
|
||||
|
|
|
@ -27,3 +27,8 @@ libimcv {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
imv_policy_manager {
|
||||
command_allow = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is allowed\""'
|
||||
command_block = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is blocked\""'
|
||||
}
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
# this file is not used in this scenario
|
|
@ -0,0 +1,3 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
# this file is not used in this scenario
|
|
@ -0,0 +1,3 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
# this file is not used in this scenario
|
|
@ -18,7 +18,7 @@ TCPDUMPHOSTS="moon"
|
|||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="carol dave alice"
|
||||
IPSECHOSTS="carol moon dave alice"
|
||||
|
||||
# Guest instances on which FreeRadius is started
|
||||
#
|
||||
|
|