From b061168bdae759c88e9ef93f3620edae404e69fe Mon Sep 17 00:00:00 2001
From: Stepan Broz <sbroz@redhat.com>
Date: Thu, 26 Sep 2019 12:56:00 +0200
Subject: [PATCH] [libreswan] New plugin for "libreswan" IPsec
The "libreswan" package is replacing "openswan" in many distributions.
This plugin is replacing the original "openswan" plugin that it is
based on.
This plugin will now run for both "libreswan" and "openswan" packages,
or when the configuration file "/etc/ipsec.conf" is present.
Data collected now include configuration, current status, XFRM policy
and state, XFRM statistics, basic information about certificates and
the NSS database.
No private data (keys, certificates, secrets) are collected, authenti-
cation and encryption keys are removed from the output of
"ip xfrm state", and also from "ipsec barf" when running with the
"ipsec-barf" option set.
Signed-off-by: Stepan Broz <sbroz@redhat.com>
---
sos/plugins/{openswan.py => libreswan.py} | 37 ++++++++++++++++++-----
1 file changed, 30 insertions(+), 7 deletions(-)
rename sos/plugins/{openswan.py => libreswan.py} (50%)
diff --git a/sos/plugins/openswan.py b/sos/plugins/libreswan.py
similarity index 50%
rename from sos/plugins/openswan.py
rename to sos/plugins/libreswan.py
index ce5581320..717329b87 100644
--- a/sos/plugins/openswan.py
+++ b/sos/plugins/libreswan.py
@@ -1,4 +1,5 @@
# Copyright (C) 2007 Sadique Puthen <sputhenp@redhat.com>
+# Copyright (C) 2019 Red Hat Inc., Stepan Broz <sbroz@redhat.com>
# This file is part of the sos project: https://github.com/sosreport/sos
#
@@ -11,29 +12,38 @@
from sos.plugins import Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin
-class Openswan(Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin):
- """Openswan IPsec
+class Libreswan(Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin):
+ """Libreswan IPsec
"""
- plugin_name = 'openswan'
- profiles = ('network', 'security')
+ plugin_name = 'libreswan'
+ profiles = ('network', 'security', 'openshift')
option_list = [
("ipsec-barf", "collect the output of the ipsec barf command",
"slow", False)
]
files = ('/etc/ipsec.conf',)
- packages = ('openswan', 'libreswan')
+ packages = ('libreswan', 'openswan')
def setup(self):
self.add_copy_spec([
"/etc/ipsec.conf",
- "/etc/ipsec.d"
+ "/etc/ipsec.d",
+ "/proc/net/xfrm_stat"
])
# although this is 'verification' it's normally a very quick
# operation so is not conditional on --verify
- self.add_cmd_output("ipsec verify")
+ self.add_cmd_output([
+ 'ipsec verify',
+ 'ipsec whack --status',
+ 'ipsec whack --listall',
+ 'certutil -L -d sql:/etc/ipsec.d',
+ 'ip xfrm policy',
+ 'ip xfrm state'
+ ])
+
if self.get_option("ipsec-barf"):
self.add_cmd_output("ipsec barf")
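Review bot: The `"/etc/ipsec.d"` entry in add_copy_spec collects the whole directory, and on libreswan hosts that directory also holds the NSS database whose key database file contains the private keys — the added `certutil -L -d sql:/etc/ipsec.d` line points at that same location. Whether those files are kept out depends on the forbidden-path list in the last hunk, whose start lies outside this diff; its visible tail forbids only `/etc/ipsec.d/*.secrets`. If the NSS key database is not already on that list, add an entry for it, e.g. `self.add_forbidden_path('/etc/ipsec.d/key*.db')`, since the certutil listing already provides the certificate inventory and the database itself adds no diagnostic value. The class docstring could also state that key material and secrets are excluded, matching the commit message. setup continues into the next hunk.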
@@ -44,4 +54,17 @@ def setup(self):
'/etc/ipsec.d/*.secrets'
])
+ def postproc(self):
+ # Remove any sensitive data.
+ # "ip xfrm state" output contains encryption or authentication private
+ # keys:
+ xfrm_state_regexp = r'(aead|auth|auth-trunc|enc)' \
+ r'(\s.*\s)(0x[0-9a-f]+)'
+ self.do_cmd_output_sub("state", xfrm_state_regexp,
+ r"\1\2********")
+
+ if self.get_option("ipsec-barf"):
+ self.do_cmd_output_sub("barf", xfrm_state_regexp,
+ r"\1\2********")
+
# vim: set et ts=4 sw=4 :
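Review bot: `postproc` has no docstring and its comment does not say how the outputs are selected, so a reader cannot tell that the scrub is applied to command outputs matched by the name fragments `"state"` and `"barf"` rather than to a fixed command; add `"""Mask SA keys (the aead/auth/auth-trunc/enc hex values) in the collected 'ip xfrm state' output, and in 'ipsec barf' when the ipsec-barf option is set."""`. The regexp/substitution pair is also written out twice; a loop over `("state", "barf")` keeps the scrub in one place, though the `ipsec-barf` guard should stay unless do_cmd_output_sub is known to be a no-op for commands that were never run. The substitution drops the `0x` prefix together with the digits, which is intended but worth a short comment so it is not "fixed" later. The first lines of this hunk are the tail of setup's forbidden-path list, whose start lies outside the diff.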