From b061168bdae759c88e9ef93f3620edae404e69fe Mon Sep 17 00:00:00 2001

From: Stepan Broz <sbroz@redhat.com>

Date: Thu, 26 Sep 2019 12:56:00 +0200

Subject: [PATCH] [libreswan] New plugin for "libreswan" IPsec

The "libreswan" package is replacing "openswan" in many distributions.

This plugin is replacing the original "openswan" plugin that it is

based on.

This plugin will now run for both "libreswan" and "openswan" packages,

or when the configuration file "/etc/ipsec.conf" is present.

Data collected now include configuration, current status, XFRM policy

and state, XFRM statistics, basic information about certificates and

the NSS database.

No private data (keys, certificates, secrets) are collected, authenti-

cation and encryption keys are removed from the output of

"ip xfrm state", and also from "ipsec barf" when running with the

"ipsec-barf" option set.

Signed-off-by: Stepan Broz <sbroz@redhat.com>

---

 sos/plugins/{openswan.py => libreswan.py} | 37 ++++++++++++++++++-----

 1 file changed, 30 insertions(+), 7 deletions(-)

 rename sos/plugins/{openswan.py => libreswan.py} (50%)

diff --git a/sos/plugins/openswan.py b/sos/plugins/libreswan.py

similarity index 50%

rename from sos/plugins/openswan.py

rename to sos/plugins/libreswan.py

index ce5581320..717329b87 100644

--- a/sos/plugins/openswan.py

+++ b/sos/plugins/libreswan.py

@@ -1,4 +1,5 @@

 # Copyright (C) 2007 Sadique Puthen <sputhenp@redhat.com>

+# Copyright (C) 2019 Red Hat Inc., Stepan Broz <sbroz@redhat.com>

 # This file is part of the sos project: https://github.com/sosreport/sos

 #

@@ -11,29 +12,38 @@

 from sos.plugins import Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin

-class Openswan(Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin):

-    """Openswan IPsec

+class Libreswan(Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin):

+    """Libreswan IPsec

     """

-    plugin_name = 'openswan'

-    profiles = ('network', 'security')

+    plugin_name = 'libreswan'

+    profiles = ('network', 'security', 'openshift')

     option_list = [

         ("ipsec-barf", "collect the output of the ipsec barf command",

          "slow", False)

     ]

     files = ('/etc/ipsec.conf',)

-    packages = ('openswan', 'libreswan')

+    packages = ('libreswan', 'openswan')

     def setup(self):

         self.add_copy_spec([

             "/etc/ipsec.conf",

-            "/etc/ipsec.d"

+            "/etc/ipsec.d",

+            "/proc/net/xfrm_stat"

         ])

         # although this is 'verification' it's normally a very quick

         # operation so is not conditional on --verify

-        self.add_cmd_output("ipsec verify")

+        self.add_cmd_output([

+            'ipsec verify',

+            'ipsec whack --status',

+            'ipsec whack --listall',

+            'certutil -L -d sql:/etc/ipsec.d',

+            'ip xfrm policy',

+            'ip xfrm state'

+        ])

+

         if self.get_option("ipsec-barf"):

             self.add_cmd_output("ipsec barf")

@@ -44,4 +54,17 @@ def setup(self):

             '/etc/ipsec.d/*.secrets'

         ])

+    def postproc(self):

+        # Remove any sensitive data.

+        # "ip xfrm state" output contains encryption or authentication private

+        # keys:

+        xfrm_state_regexp = r'(aead|auth|auth-trunc|enc)' \

+                            r'(\s.*\s)(0x[0-9a-f]+)'

+        self.do_cmd_output_sub("state", xfrm_state_regexp,

+                               r"\1\2********")

+

+        if self.get_option("ipsec-barf"):

+            self.do_cmd_output_sub("barf", xfrm_state_regexp,

+                                   r"\1\2********")

+

 # vim: set et ts=4 sw=4 :