From: <om...@re...> - 2011-09-29 12:53:34
From: Ondrej Moris <om...@re...> This patch removes all the files related to trustedprograms racoon test and outdated by ipsec. The next patches will pull in the new ipsec related files. Signed-off-by: Ondrej Moris <om...@re...> --- audit/network/system/psk.txt.in | 18 -- audit/network/system/psk.txt.in_body | 1 - audit/network/system/psk.txt.in_footer | 2 - audit/network/system/psk.txt.in_header | 14 -- audit/network/system/racoon.conf | 39 ----- audit/network/system/rc.local | 46 ------ audit/network/system/setkey.conf.in | 218 ------------------------- audit/network/system/setkey.conf.in_footer | 1 - audit/network/system/setkey.conf.in_header | 15 -- audit/network/system/setkey.conf.in_ipv4 | 66 -------- audit/network/system/setkey.conf.in_ipv6 | 66 -------- audit/trustedprograms/tests/test_racoon.bash | 226 -------------------------- 12 files changed, 0 insertions(+), 712 deletions(-) delete mode 100644 audit/network/system/psk.txt.in delete mode 100644 audit/network/system/psk.txt.in_body delete mode 100644 audit/network/system/psk.txt.in_footer delete mode 100644 audit/network/system/psk.txt.in_header delete mode 100644 audit/network/system/racoon.conf delete mode 100644 audit/network/system/rc.local delete mode 100644 audit/network/system/setkey.conf.in delete mode 100644 audit/network/system/setkey.conf.in_footer delete mode 100644 audit/network/system/setkey.conf.in_header delete mode 100644 audit/network/system/setkey.conf.in_ipv4 delete mode 100644 audit/network/system/setkey.conf.in_ipv6 delete mode 100755 audit/trustedprograms/tests/test_racoon.bash diff --git a/audit/network/system/psk.txt.in b/audit/network/system/psk.txt.in deleted file mode 100644 index 0ff6d55..0000000 --- a/audit/network/system/psk.txt.in +++ /dev/null 
@@ -1,18 +0,0 @@ -# file for pre-shared keys used for IKE authentication -# format is: 'identifier' 'key' -# For example: -# -# 10.1.1.1 flibbertigibbet -# www.example.com 12345 -# fo...@ww... micropachycephalosaurus - -###################################################################### -# LSPP Test Configuration -###################################################################### - -127.0.0.1 mekmitasdigoat -::1 mekmitasdigoat -%LOCAL_IPV4% mekmitasdigoat -%LOCAL_IPV6% mekmitasdigoat -%REMOTE_IPV4% mekmitasdigoat -%REMOTE_IPV6% mekmitasdigoat diff --git a/audit/network/system/psk.txt.in_body b/audit/network/system/psk.txt.in_body deleted file mode 100644 index 5381383..0000000 --- a/audit/network/system/psk.txt.in_body +++ /dev/null @@ -1 +0,0 @@ -%ADDRESS% mekmitasdigoat diff --git a/audit/network/system/psk.txt.in_footer b/audit/network/system/psk.txt.in_footer deleted file mode 100644 index 25daa10..0000000 --- a/audit/network/system/psk.txt.in_footer +++ /dev/null @@ -1,2 +0,0 @@ - -###################################################################### diff --git a/audit/network/system/psk.txt.in_header b/audit/network/system/psk.txt.in_header deleted file mode 100644 index 26c7d0d..0000000 --- a/audit/network/system/psk.txt.in_header +++ /dev/null @@ -1,14 +0,0 @@ -# file for pre-shared keys used for IKE authentication -# format is: 'identifier' 'key' -# For example: -# -# 10.1.1.1 flibbertigibbet -# www.example.com 12345 -# fo...@ww... micropachycephalosaurus - -###################################################################### -# LSPP Test Configuration -###################################################################### - -127.0.0.1 mekmitasdigoat -::1 mekmitasdigoat diff --git a/audit/network/system/racoon.conf b/audit/network/system/racoon.conf deleted file mode 100644 index 44d5c1e..0000000 --- a/audit/network/system/racoon.conf +++ /dev/null 
@@ -1,39 +0,0 @@ -# -# This file contains the IKE configuration for the IPsec subsystem - -path include "/etc/racoon"; -path pre_shared_key "/etc/racoon/psk.txt"; -path certificate "/etc/racoon/certs"; - -###################################################################### -# LSPP Test Configuration -###################################################################### - -remote anonymous -{ - exchange_mode main,aggressive; - doi ipsec_doi; - situation identity_only; - - my_identifier address; - - lifetime time 2 hours; - initial_contact on; - proposal_check obey; - - proposal { - encryption_algorithm 3des; - hash_algorithm sha1; - authentication_method pre_shared_key; - dh_group 2; - } -} - -sainfo anonymous -{ - pfs_group 2; - lifetime time 1 hour; - encryption_algorithm 3des, aes; - authentication_algorithm hmac_sha1; - compression_algorithm deflate; -} diff --git a/audit/network/system/rc.local b/audit/network/system/rc.local deleted file mode 100644 index 0ff7027..0000000 --- a/audit/network/system/rc.local +++ /dev/null 
@@ -1,46 +0,0 @@ -#!/bin/sh -############################################################################### -# (c) Copyright Hewlett-Packard Development Company, L.P., 2007 -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of version 2 the GNU General Public License as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -############################################################################### -# -# This script will be executed *after* all the other init scripts. -# You can put your own initialization stuff in here if you don't -# want to do the full Sys V style init stuff. - -touch /var/lock/subsys/local - -# Source function library. -. /etc/init.d/functions - -###################################################################### -# LSPP Test Configuration -###################################################################### - -# XXX - this could probably use some cleanup if time permits - -# Setup IPv6 -# enabling the following line disables IPv6 autoconfiguration -#echo 0 > /proc/sys/net/ipv6/conf/all/autoconf - -# Setup IPsec -echo -n "Configuring IPsec for the LSPP tests: " -/sbin/setkey -f /etc/racoon/setkey.conf && (success; echo) || (failure; echo) -echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm -echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy - -# [Re]start racoon -killproc racoon -echo -n "Starting racoon for the LSPP tests: " -daemon /usr/sbin/racoon; echo diff --git a/audit/network/system/setkey.conf.in b/audit/network/system/setkey.conf.in deleted file mode 100644 index 37de717..0000000 
--- a/audit/network/system/setkey.conf.in +++ /dev/null 
@@ -1,218 +0,0 @@ -#!/sbin/setkey -f -# -# This file contains the SPD configuration for the IPsec subsystem - -# clear the SAD and SPD -flush; -spdflush; - -###################################################################### -# LSPP Test Configuration -###################################################################### - -# NOTE: please see http://www.nsa.gov/selinux/list-archive/0609/16874.cfm -# and the setkey manpage for details on using labeled IPsec - -# ESP between this machine and itself using IPv4/TCP -spdadd 127.0.0.1 127.0.0.1[5300] tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P out ipsec esp/transport//require; -spdadd 127.0.0.1[5300] 127.0.0.1 tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P in ipsec esp/transport//require; - -# AH between this machine and the test server using IPv4/TCP -spdadd %LOCAL_IPV4% %REMOTE_IPV4%[5300] tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P out ipsec ah/transport//require; -spdadd %REMOTE_IPV4%[5300] %LOCAL_IPV4% tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P in ipsec ah/transport//require; -spdadd %LOCAL_IPV4%[5300] %REMOTE_IPV4% tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P in ipsec ah/transport//require; -spdadd %REMOTE_IPV4% %LOCAL_IPV4%[5300] tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P out ipsec ah/transport//require; - -# ESP between this machine and itself using IPv4/UDP -# only allow SystemLow (s0) on port 5300 -spdadd 127.0.0.1 127.0.0.1[5300] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P out ipsec esp/transport//require; -spdadd 127.0.0.1 127.0.0.1[5300] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P out discard; -spdadd 127.0.0.1[5300] 127.0.0.1 udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P in ipsec esp/transport//require; -spdadd 127.0.0.1[5300] 127.0.0.1 udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P in discard; 
-# only allow SystemHigh (s15:c0.c1023) on port 5301 -spdadd 127.0.0.1 127.0.0.1[5301] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P out ipsec esp/transport//require; -spdadd 127.0.0.1 127.0.0.1[5301] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1022" - -P out discard; -spdadd 127.0.0.1[5301] 127.0.0.1 udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P in ipsec esp/transport//require; -spdadd 127.0.0.1[5301] 127.0.0.1 udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1022" - -P in discard; - -# AH between this machine and the test server using IPv4/UDP -# only allow SystemLow (s0) on port 5300 -spdadd %LOCAL_IPV4% %REMOTE_IPV4%[5300] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P out ipsec ah/transport//require; -spdadd %LOCAL_IPV4% %REMOTE_IPV4%[5300] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P out discard; -spdadd %REMOTE_IPV4%[5300] %LOCAL_IPV4% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P in ipsec ah/transport//require; -spdadd %REMOTE_IPV4%[5300] %LOCAL_IPV4% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P in discard; -spdadd %LOCAL_IPV4%[5300] %REMOTE_IPV4% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P in ipsec ah/transport//require; -spdadd %LOCAL_IPV4%[5300] %REMOTE_IPV4% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P in discard; -spdadd %REMOTE_IPV4% %LOCAL_IPV4%[5300] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P out ipsec ah/transport//require; -spdadd %REMOTE_IPV4% %LOCAL_IPV4%[5300] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P out discard; -# only allow SystemHigh (s15:c0.c1023) on port 5301 -spdadd %LOCAL_IPV4% %REMOTE_IPV4%[5301] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P out ipsec ah/transport//require; -spdadd %LOCAL_IPV4% %REMOTE_IPV4%[5301] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1022" - -P out discard; -spdadd 
%REMOTE_IPV4%[5301] %LOCAL_IPV4% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P in ipsec ah/transport//require; -spdadd %REMOTE_IPV4%[5301] %LOCAL_IPV4% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1022" - -P in discard; -spdadd %LOCAL_IPV4%[5301] %REMOTE_IPV4% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P in ipsec ah/transport//require; -spdadd %LOCAL_IPV4%[5301] %REMOTE_IPV4% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1022" - -P in discard; -spdadd %REMOTE_IPV4% %LOCAL_IPV4%[5301] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P out ipsec ah/transport//require; -spdadd %REMOTE_IPV4% %LOCAL_IPV4%[5301] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1022" - -P out discard; - -# ESP between this machine and itself using IPv6/TCP -spdadd ::1 ::1[5300] tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P out ipsec esp/transport//require; -spdadd ::1[5300] ::1 tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P in ipsec esp/transport//require; - -# AH between this machine and the test server using IPv6/TCP -spdadd %LOCAL_IPV6% %REMOTE_IPV6%[5300] tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P out ipsec ah/transport//require; -spdadd %REMOTE_IPV6%[5300] %LOCAL_IPV6% tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P in ipsec ah/transport//require; -spdadd %LOCAL_IPV6%[5300] %REMOTE_IPV6% tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P in ipsec ah/transport//require; -spdadd %REMOTE_IPV6% %LOCAL_IPV6%[5300] tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P out ipsec ah/transport//require; - -# ESP between this machine and itself using IPv6/UDP -# only allow SystemLow (s0) on port 5300 -spdadd ::1 ::1[5300] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P out ipsec esp/transport//require; -spdadd ::1 ::1[5300] udp - -ctx 1 1 
"system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P out discard; -spdadd ::1[5300] ::1 udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P in ipsec esp/transport//require; -spdadd ::1[5300] ::1 udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P in discard; -# only allow SystemHigh (s15:c0.c1023) on port 5301 -spdadd ::1 ::1[5301] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P out ipsec esp/transport//require; -spdadd ::1 ::1[5301] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1022" - -P out discard; -spdadd ::1[5301] ::1 udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P in ipsec esp/transport//require; -spdadd ::1[5301] ::1 udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1022" - -P in discard; - -# AH between this machine and the test server using IPv6/UDP -# only allow SystemLow (s0) on port 5300 -spdadd %LOCAL_IPV6% %REMOTE_IPV6%[5300] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P out ipsec ah/transport//require; -spdadd %LOCAL_IPV6% %REMOTE_IPV6%[5300] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P out discard; -spdadd %REMOTE_IPV6%[5300] %LOCAL_IPV6% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P in ipsec ah/transport//require; -spdadd %REMOTE_IPV6%[5300] %LOCAL_IPV6% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P in discard; -spdadd %LOCAL_IPV6%[5300] %REMOTE_IPV6% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P in ipsec ah/transport//require; -spdadd %LOCAL_IPV6%[5300] %REMOTE_IPV6% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P in discard; -spdadd %REMOTE_IPV6% %LOCAL_IPV6%[5300] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P out ipsec ah/transport//require; -spdadd %REMOTE_IPV6% %LOCAL_IPV6%[5300] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P out discard; -# only allow SystemHigh (s15:c0.c1023) on port 5301 -spdadd %LOCAL_IPV6% %REMOTE_IPV6%[5301] udp 
- -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P out ipsec ah/transport//require; -spdadd %LOCAL_IPV6% %REMOTE_IPV6%[5301] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1022" - -P out discard; -spdadd %REMOTE_IPV6%[5301] %LOCAL_IPV6% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P in ipsec ah/transport//require; -spdadd %REMOTE_IPV6%[5301] %LOCAL_IPV6% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1022" - -P in discard; -spdadd %LOCAL_IPV6%[5301] %REMOTE_IPV6% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P in ipsec ah/transport//require; -spdadd %LOCAL_IPV6%[5301] %REMOTE_IPV6% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1022" - -P in discard; -spdadd %REMOTE_IPV6% %LOCAL_IPV6%[5301] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P out ipsec ah/transport//require; -spdadd %REMOTE_IPV6% %LOCAL_IPV6%[5301] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1022" - -P out discard; diff --git a/audit/network/system/setkey.conf.in_footer b/audit/network/system/setkey.conf.in_footer deleted file mode 100644 index d1b468a..0000000 --- a/audit/network/system/setkey.conf.in_footer +++ /dev/null @@ -1 +0,0 @@ -###################################################################### diff --git a/audit/network/system/setkey.conf.in_header b/audit/network/system/setkey.conf.in_header deleted file mode 100644 index cae59e0..0000000 --- a/audit/network/system/setkey.conf.in_header +++ /dev/null @@ -1,15 +0,0 @@ -#!/sbin/setkey -f -# -# This file contains the SPD configuration for the IPsec subsystem - -# clear the SAD and SPD -flush; -spdflush; - -###################################################################### -# LSPP Test Configuration -###################################################################### - -# NOTE: please see http://www.nsa.gov/selinux/list-archive/0609/16874.cfm -# and the setkey manpage for details on using labeled IPsec - 
diff --git a/audit/network/system/setkey.conf.in_ipv4 b/audit/network/system/setkey.conf.in_ipv4 deleted file mode 100644 index bb6c696..0000000 --- a/audit/network/system/setkey.conf.in_ipv4 +++ /dev/null 
@@ -1,66 +0,0 @@ -# AH between this machine and the test machine using IPv4/TCP -spdadd %LOCAL_IPV4% %REMOTE_IPV4%[5300] tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P out ipsec ah/transport//require; -spdadd %REMOTE_IPV4%[5300] %LOCAL_IPV4% tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P in ipsec ah/transport//require; -spdadd %LOCAL_IPV4%[5300] %REMOTE_IPV4% tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P in ipsec ah/transport//require; -spdadd %REMOTE_IPV4% %LOCAL_IPV4%[5300] tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P out ipsec ah/transport//require; - -# AH between this machine and the test machine using IPv4/UDP -# only allow SystemLow (s0) on port 5300 -spdadd %LOCAL_IPV4% %REMOTE_IPV4%[5300] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P out ipsec ah/transport//require; -spdadd %LOCAL_IPV4% %REMOTE_IPV4%[5300] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P out discard; -spdadd %REMOTE_IPV4%[5300] %LOCAL_IPV4% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P in ipsec ah/transport//require; -spdadd %REMOTE_IPV4%[5300] %LOCAL_IPV4% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P in discard; -spdadd %LOCAL_IPV4%[5300] %REMOTE_IPV4% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P in ipsec ah/transport//require; -spdadd %LOCAL_IPV4%[5300] %REMOTE_IPV4% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P in discard; -spdadd %REMOTE_IPV4% %LOCAL_IPV4%[5300] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P out ipsec ah/transport//require; -spdadd %REMOTE_IPV4% %LOCAL_IPV4%[5300] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P out discard; -# only allow SystemHigh (s15:c0.c1023) on port 5301 -spdadd %LOCAL_IPV4% %REMOTE_IPV4%[5301] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P out ipsec ah/transport//require; -spdadd %LOCAL_IPV4% %REMOTE_IPV4%[5301] 
udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1022" - -P out discard; -spdadd %REMOTE_IPV4%[5301] %LOCAL_IPV4% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P in ipsec ah/transport//require; -spdadd %REMOTE_IPV4%[5301] %LOCAL_IPV4% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1022" - -P in discard; -spdadd %LOCAL_IPV4%[5301] %REMOTE_IPV4% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P in ipsec ah/transport//require; -spdadd %LOCAL_IPV4%[5301] %REMOTE_IPV4% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1022" - -P in discard; -spdadd %REMOTE_IPV4% %LOCAL_IPV4%[5301] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P out ipsec ah/transport//require; -spdadd %REMOTE_IPV4% %LOCAL_IPV4%[5301] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1022" - -P out discard; - diff --git a/audit/network/system/setkey.conf.in_ipv6 b/audit/network/system/setkey.conf.in_ipv6 deleted file mode 100644 index f36c223..0000000 --- a/audit/network/system/setkey.conf.in_ipv6 +++ /dev/null 
@@ -1,66 +0,0 @@ -# AH between this machine and the test machine using IPv6/TCP -spdadd %LOCAL_IPV6% %REMOTE_IPV6%[5300] tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P out ipsec ah/transport//require; -spdadd %REMOTE_IPV6%[5300] %LOCAL_IPV6% tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P in ipsec ah/transport//require; -spdadd %LOCAL_IPV6%[5300] %REMOTE_IPV6% tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P in ipsec ah/transport//require; -spdadd %REMOTE_IPV6% %LOCAL_IPV6%[5300] tcp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023" - -P out ipsec ah/transport//require; - -# AH between this machine and the test machine using IPv6/UDP -# only allow SystemLow (s0) on port 5300 -spdadd %LOCAL_IPV6% %REMOTE_IPV6%[5300] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P out ipsec ah/transport//require; -spdadd %LOCAL_IPV6% %REMOTE_IPV6%[5300] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P out discard; -spdadd %REMOTE_IPV6%[5300] %LOCAL_IPV6% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P in ipsec ah/transport//require; -spdadd %REMOTE_IPV6%[5300] %LOCAL_IPV6% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P in discard; -spdadd %LOCAL_IPV6%[5300] %REMOTE_IPV6% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P in ipsec ah/transport//require; -spdadd %LOCAL_IPV6%[5300] %REMOTE_IPV6% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P in discard; -spdadd %REMOTE_IPV6% %LOCAL_IPV6%[5300] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0" - -P out ipsec ah/transport//require; -spdadd %REMOTE_IPV6% %LOCAL_IPV6%[5300] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1023" - -P out discard; -# only allow SystemHigh (s15:c0.c1023) on port 5301 -spdadd %LOCAL_IPV6% %REMOTE_IPV6%[5301] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P out ipsec ah/transport//require; -spdadd %LOCAL_IPV6% %REMOTE_IPV6%[5301] 
udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1022" - -P out discard; -spdadd %REMOTE_IPV6%[5301] %LOCAL_IPV6% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P in ipsec ah/transport//require; -spdadd %REMOTE_IPV6%[5301] %LOCAL_IPV6% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0-s15:c0.c1022" - -P in discard; -spdadd %LOCAL_IPV6%[5301] %REMOTE_IPV6% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P in ipsec ah/transport//require; -spdadd %LOCAL_IPV6%[5301] %REMOTE_IPV6% udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1022" - -P in discard; -spdadd %REMOTE_IPV6% %LOCAL_IPV6%[5301] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s15:c0.c1023" - -P out ipsec ah/transport//require; -spdadd %REMOTE_IPV6% %LOCAL_IPV6%[5301] udp - -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0:c0-s15:c0.c1022" - -P out discard; - diff --git a/audit/trustedprograms/tests/test_racoon.bash b/audit/trustedprograms/tests/test_racoon.bash deleted file mode 100755 index 6953d0e..0000000 --- a/audit/trustedprograms/tests/test_racoon.bash +++ /dev/null 
@@ -1,226 +0,0 @@ -#!/bin/bash -# ============================================================================= -# (c) Copyright Hewlett-Packard Development Company, L.P., 2007 -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of version 2 the GNU General Public License as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -# ============================================================================= -# -# It is important to note that prior to running the tests below the -# system must be configured using the configuration templates in the -# "network/system" directory as directed by the test plan. Failure to -# configure the system correctly will result in test failures. -# -## PROGRAM: racoon -## PURPOSE: -## Verify that the racoon daemon correctly negotiates IPsec SAs with remote -## hosts and that when these SAs are added to the kernel's SAD the correct -## audit records are generated. There is also a test case to verify that the -## SAs are removed correctly but this is a duplicate of the setkey trusted -## program test. If either the SA is not created or the audit record is -## missing when racoon negotiates a new SA the test fails. The test procedure -## is as follows: -## 1. Flush any existing SAs from the kernel's SAD -## 2. Attempt to establish a new SA using racoon by talking to a remote -## test driver over a connection which is configured to require IPsec -## protection -## 3. Verify the SA was created and the audit trail is correct -## 4. Remove the SA from the kernel's SAD -## 5. 
Verify the SA was removed and an audit record was generated -## TESTCASE: negotiate a SA with racoon -## TESTCASE: remove the SAs - -source testcase.bash || exit 2 - -###################################################################### -# global variables -###################################################################### - -unset log_mark -unset ip_src ip_dst - -###################################################################### -# helper functions -###################################################################### - -# -# get_ipv4_addr - Get the local system's glboal IPv4 address -# -# INPUT -# none -# -# OUTPUT -# Writes the first global IPv4 address on the local system to stdout -# -# DESCRIPTION -# This function queries the local system, through the "ip" command, for a list -# of global IPv4 addresses, it then selects the first address in the list and -# writes it to stdout. -# -function get_ipv4_addr { - ip -o -f inet addr show scope global | head -n 1 | \ - awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' -} - -###################################################################### -# functions -###################################################################### - -# -# ipsec_add - Attempt to negotiate a new IPsec SA using racoon -# -# INPUT -# none -# -# OUTPUT -# none -# -# DESCRIPTION -# This function attempts to negotiate a IPsec SA with a remote node using the -# "racoon" daemon. The function does this by using a test driver on the remote -# node which the function configures to listen on IPv4/TCP port 5300. Once the -# remote test driver is waiting for new connections the function tries to -# connect to the remote test driver which triggers a SPD rule in the IPsec -# subsystem which sends a SA "acquire" message to the "racoon" daemon which -# then attempts to negotiate an IPsec SA with the remote host. If the "racoon" -# deamon is unable to negotiate a SA with the remote host the connection will -# fail. 
If this function can not setup the remote test driver or initiate a -# connection to the remote test driver it will fail, calling exit_error() in -# the process. -# -function ipsec_add { - declare setup_str="recv:ipv4,tcp,5300,0;" - declare msg_str="Hi Mom!" - - # determine the netcat variant - if which nc6 >& /dev/null; then - cmd_nc="nc6 ----idle-timeout=1 -w 1 " - elif which nc >& /dev/null; then - cmd_nc="nc -w 1 " - else - die "error: netcat not installed" - fi - - # do the setup - runcon -t lspp_test_netlabel_t -l SystemLow -- \ - $cmd_nc $ip_dst 5001 <<< $setup_str - [[ $? != 0 ]] && exit_error "unable to configure the remote system" - - # configure the remote system (try twice to allow for IKE negotiation) - runcon -t lspp_test_ipsec_t -l SystemLow -- \ - $cmd_nc $ip_dst 5300 <<< $msg_str - [[ $? == 0 ]] && return - sleep 2 - runcon -t lspp_test_ipsec_t -l SystemLow -- \ - $cmd_nc $ip_dst 5300 <<< $msg_str - [[ $? != 0 ]] && exit_error "unable to establish a SA" -} - -# -# ipsec_remove - Remove all IPsec SAs on the system -# -# INPUT -# none -# -# OUTPUT -# none -# -# DESCRIPTION -# This function attempts to flush/remove all SAs from the kernel IPsec -# subsystem, including the SAs negotiated in the ipsec_add() function. If this -# function can not flush/remove all the SAs from the kernel it will call the -# exit_error() function to signify failure. -# -function ipsec_remove { - # remove the SA - setkey -F - [[ $? != 0 ]] && exit_error "unable to remove the SA" -} - -# -# ipsec_add_verify - Verify that racoon did establish a new SA -# -# INPUT -# none -# -# OUTPUT -# none -# -# DESCRIPTION -# This function queries the kernel's SAD to see if the ipsec_add() function -# was successful in establishing a SA. In addition this function checks to see -# if an audit record was generated when the SA was established. If either the -# SA or the audit record is missing this function fails and calls the -# exit_fail() function. 
-# -function ipsec_add_verify { - # check the SA - setkey -D | grep -q "ah mode=transport" || \ - exit_fail "failed to add the SA" - augrok --seek=$log_mark type==MAC_IPSEC_ADDSA \ - sec_alg=1 sec_doi=1 sec_obj=staff_u:lspp_test_r:lspp_test_ipsec_t:s0 \ - src=$ip_src dst=$ip_dst protocol=AH res=1 || \ - exit_fail "missing audit record" -} - -# -# ipsec_remove_verify - Verify that the SAs have been removed -# -# INPUT -# none -# -# OUTPUT -# none -# -# DESCRIPTION -# This function queries the kernel's SAD to make sure the SAs have been removed -# and that an audit record was generated for the SAs established by the -# ipsec_add() function. If either any SAs are found or the SA removal audit -# records are missing the function fails and the exit_fail() function is -# called. -# -function ipsec_remove_verify { - # check the SA - setkey -D | grep -q "ah mode=transport" && \ - exit_fail "failed to remove the SA" - augrok --seek=$log_mark type==MAC_IPSEC_DELSA \ - sec_alg=1 sec_doi=1 sec_obj=staff_u:lspp_test_r:lspp_test_ipsec_t:s0 \ - src=$ip_src dst=$ip_dst protocol=AH res=1 || \ - exit_fail "missing audit record" -} - -###################################################################### -# main -###################################################################### - -set -x - -[[ -n $LBLNET_SVR_IPV4 ]] || exit_error -setkey -F || exit_error - -# setup the global variables -ip_src=$(get_ipv4_addr) -ip_dst=$LBLNET_SVR_IPV4 - -# mark the log for augrok later -log_mark=$(stat -c %s $audit_log) - -# attempt to negotiate a SA using racoon and verify the results -ipsec_add -ipsec_add_verify - -# attempt to remove the SA and verify the results -ipsec_remove -ipsec_remove_verify - -# if we made it this far everything is okay -exit_pass -- 1.7.1 |
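Review bot: Series ordering problem for the removal as a whole (test_racoon.bash hunk, `-## PROGRAM: racoon` onward): deleting the test and its network/system templates before the replacement ipsec.conf files land leaves this commit with no IPsec trusted-program test at all, so a bisect stopping here silently loses the coverage. Either squash this with the patches that add the new files, or land the additions first and this removal last.

Review bot: In the rc.local hunk, the loopback sysctls (`echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm`, `echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy`) and the `setkey -f` / `daemon /usr/sbin/racoon` start-up were the only boot-time preparation of the test system. Nothing in this patch replaces them, so the commit message should say which follow-up patch (or test-plan step) starts the replacement IKE daemon with the new configuration, otherwise the "configure the system before running the tests" requirement in the deleted test header has no matching instructions.

Review bot: The deleted test header states that the system "must be configured using the configuration templates in the 'network/system' directory as directed by the test plan"; the test plan and any document that names test_racoon.bash, psk.txt.in or setkey.conf.in therefore needs the same update in this series, and the commit message should reference it so the stale pointers can be checked.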
From: <om...@re...> - 2011-09-29 12:53:32
From: Ondrej Moris <om...@re...> Signed-off-by: Ondrej Moris <om...@re...> --- audit/network/system/ipsec.conf.client | 129 ++++++++++++++++++++++++++++++++ 1 files changed, 129 insertions(+), 0 deletions(-) create mode 100644 audit/network/system/ipsec.conf.client diff --git a/audit/network/system/ipsec.conf.client b/audit/network/system/ipsec.conf.client new file mode 100644 index 0000000..8d26e13 --- /dev/null +++ b/audit/network/system/ipsec.conf.client 
@@ -0,0 +1,129 @@ +version 2.0 + +config setup + protostack=netkey + nat_traversal=yes + plutostderrlog=/var/log/pluto.log + +conn test1-1 + auto=route + authby=secret + type=transport + left=127.0.0.1 + right=127.0.0.1 + ike=3des-sha1 + phase2=esp + phase2alg=aes-sha1 + loopback=yes + labeled_ipsec=yes + policy_label=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 + rightprotoport=tcp/4300 + +conn test1-2 + auto=add + authby=secret + type=transport + left=127.0.0.1 + right=127.0.0.1 + ike=3des-sha1 + phase2=esp + phase2alg=aes-sha1 + loopback=yes + labeled_ipsec=yes + policy_label=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 + leftprotoport=tcp/4300 + +conn test2 + auto=route + authby=secret + type=transport + left=%LOCAL_IPV4% + right=%REMOTE_IPV4% + ike=3des-sha1 + phase2=ah + phase2alg=sha1 + labeled_ipsec=yes + policy_label=staff_u:lspp_test_r:lspp_harness_t:s0 + rightprotoport=tcp/4300 + +conn test3-1-1 + auto=route + authby=secret + type=transport + left=127.0.0.1 + right=127.0.0.1 + ike=3des-sha1 + phase2=esp + phase2alg=aes-sha1 + loopback=yes + labeled_ipsec=yes + policy_label=staff_u:lspp_test_r:lspp_harness_t:s0 + rightprotoport=udp/4300 + +conn test3-1-2 + auto=add + authby=secret + type=transport + left=127.0.0.1 + right=127.0.0.1 + ike=3des-sha1 + phase2=esp + phase2alg=aes-sha1 + loopback=yes + labeled_ipsec=yes + policy_label=staff_u:lspp_test_r:lspp_harness_t:s0 + leftprotoport=udp/4300 + +conn test3-2-1 + auto=route + authby=secret + type=transport + left=127.0.0.1 + right=127.0.0.1 + ike=3des-sha1 + phase2=esp + phase2alg=aes-sha1 + loopback=yes + labeled_ipsec=yes + policy_label=staff_u:lspp_test_r:lspp_harness_t:s15:c0.c1023 + rightprotoport=udp/4301 + +conn test3-2-2 + auto=add + authby=secret + type=transport + left=127.0.0.1 + right=127.0.0.1 + ike=3des-sha1 + phase2=esp + phase2alg=aes-sha1 + loopback=yes + labeled_ipsec=yes + policy_label=staff_u:lspp_test_r:lspp_harness_t:s15:c0.c1023 + rightprotoport=udp/4301 + +conn test4-1 + 
auto=route + authby=secret + type=transport + left=%LOCAL_IPV4% + right=%REMOTE_IPV4% + ike=3des-sha1 + phase2=ah + phase2alg=sha1 + labeled_ipsec=yes + policy_label=staff_u:lspp_test_r:lspp_harness_t:s0 + rightprotoport=udp/4300 + +conn test4-2 + auto=route + authby=secret + type=transport + left=%LOCAL_IPV4% + right=%REMOTE_IPV4% + ike=3des-sha1 + phase2=ah + phase2alg=sha1 + labeled_ipsec=yes + policy_label=staff_u:lspp_test_r:lspp_harness_t:s15:c0.c1023 + rightprotoport=udp/4301 -- 1.7.1 |
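Review bot: conn test3-2-2 (the auto=add half of the test3-2 pair) keeps rightprotoport=udp/4301, identical to test3-2-1, whereas the other loopback pairs move the port to the other side on the auto=add conn (test1-2 uses leftprotoport=tcp/4300 against test1-1's rightprotoport, test3-1-2 uses leftprotoport=udp/4300 against test3-1-1's rightprotoport). With left=right=127.0.0.1 that asymmetry is what distinguishes the two policies, so test3-2-2 most likely wants `leftprotoport=udp/4301`. Two smaller points: the diff header for this 129-line file is missing from the excerpt (the Makefile installs it as ipsec.conf.client, which is how it reads), and every conn uses ike=3des-sha1 while phase2alg is aes-sha1; unless 3DES is required to match the evaluated configuration, an AES IKE proposal would be the better default.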
From: <om...@re...> - 2011-09-29 12:53:34
From: Ondrej Moris <om...@re...> Signed-off-by: Ondrej Moris <om...@re...> --- audit/network/system/ipsec.conf.server.in_body | 38 ++++++++++++++++++++++ audit/network/system/ipsec.conf.server.in_header | 6 +++ audit/network/system/ipsec.secrets | 1 + 3 files changed, 45 insertions(+), 0 deletions(-) create mode 100644 audit/network/system/ipsec.conf.server.in_body create mode 100644 audit/network/system/ipsec.conf.server.in_header create mode 100644 audit/network/system/ipsec.secrets diff --git a/audit/network/system/ipsec.conf.server.in_body b/audit/network/system/ipsec.conf.server.in_body new file mode 100644 index 0000000..0c22c6c --- /dev/null +++ b/audit/network/system/ipsec.conf.server.in_body @@ -0,0 +1,38 @@ +conn test2-%REMOTE_IPV4% + auto=route + authby=secret + type=transport + left=%REMOTE_IPV4% + right=%LOCAL_IPV4% + ike=3des-sha1 + phase2=ah + phase2alg=sha1 + labeled_ipsec=yes + policy_label=staff_u:lspp_test_r:lspp_harness_t:s0 + rightprotoport=tcp/4300 + +conn test4-1-%REMOTE_IPV4% + auto=route + authby=secret + type=transport + left=%REMOTE_IPV4% + right=%LOCAL_IPV4% + ike=3des-sha1 + phase2=ah + phase2alg=sha1 + labeled_ipsec=yes + policy_label=staff_u:lspp_test_r:lspp_harness_t:s0 + rightprotoport=udp/4300 + +conn test4-2-%REMOTE_IPV4% + auto=route + authby=secret + type=transport + left=%REMOTE_IPV4% + right=%LOCAL_IPV4% + ike=3des-sha1 + phase2=ah + phase2alg=sha1 + labeled_ipsec=yes + policy_label=staff_u:lspp_test_r:lspp_harness_t:s15:c0.c1023 + rightprotoport=udp/4301 diff --git a/audit/network/system/ipsec.conf.server.in_header b/audit/network/system/ipsec.conf.server.in_header new file mode 100644 index 0000000..3b815dc --- /dev/null +++ b/audit/network/system/ipsec.conf.server.in_header @@ -0,0 +1,6 @@ +version 2.0 + +config setup + protostack=netkey + nat_traversal=yes + plutostderrlog=/var/log/pluto.log diff --git a/audit/network/system/ipsec.secrets b/audit/network/system/ipsec.secrets new file mode 100644 index 0000000..e08ca5b 
--- /dev/null +++ b/audit/network/system/ipsec.secrets @@ -0,0 +1 @@ +: PSK "secret" -- 1.7.1 |
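Review bot: the commit message is empty; it should say that ipsec.conf.server.in_header/in_body are the server-side templates expanded once per entry of client_list.txt by addr_loop.bash (conn names carry %REMOTE_IPV4% so each client gets its own test2/test4-1/test4-2 conn), and that ipsec.secrets replaces the per-identifier psk.txt with a single wildcard entry, `: PSK "secret"`, that matches any peer. A shared static PSK is acceptable for the LSPP harness, but since the same file is installed on both client and server (Makefile, mode 600) it is worth stating in the message and in README.netwrk_svr that the secret should be changed before the hosts are put on a shared network.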
From: <om...@re...> - 2011-09-29 12:53:38
From: Ondrej Moris <om...@re...> Signed-off-by: Ondrej Moris <om...@re...> --- audit/network/system/rc.local.client | 46 ++++++++++++++++++++++++ audit/network/system/rc.local.server.in_body | 4 ++ audit/network/system/rc.local.server.in_footer | 1 + audit/network/system/rc.local.server.in_header | 37 +++++++++++++++++++ 4 files changed, 88 insertions(+), 0 deletions(-) create mode 100644 audit/network/system/rc.local.client create mode 100644 audit/network/system/rc.local.server.in_body create mode 100644 audit/network/system/rc.local.server.in_footer create mode 100644 audit/network/system/rc.local.server.in_header diff --git a/audit/network/system/rc.local.client b/audit/network/system/rc.local.client new file mode 100644 index 0000000..606da99 --- /dev/null +++ b/audit/network/system/rc.local.client 
@@ -0,0 +1,46 @@ +#!/bin/sh +############################################################################### +# (c) Copyright Hewlett-Packard Development Company, L.P., 2007 +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of version 2 the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +############################################################################### +# +# This script will be executed *after* all the other init scripts. +# You can put your own initialization stuff in here if you don't +# want to do the full Sys V style init stuff. + +touch /var/lock/subsys/local + +# Source function library. +. 
/etc/init.d/functions + +###################################################################### +# LSPP Test Configuration +###################################################################### + +# Setup IPsec +echo -n "Starting ipsec for the LSPP tests: " +echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm +echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy +ip xfrm state flush && ip xfrm policy flush +service ipsec status && service ipsec stop +service ipsec start && \ + ip xfrm policy add dir out src 127.0.0.1 dst 127.0.0.1 proto udp dport 4300 ctx staff_u:lspp_test_r:lspp_harness_t:s0:c0-s15:c0.c1023 action block && \ + ip xfrm policy add dir in src 127.0.0.1 dst 127.0.0.1 proto udp sport 4300 ctx staff_u:lspp_test_r:lspp_harness_t:s0:c0-s15:c0.c1023 action block && \ + ip xfrm policy add dir out src 127.0.0.1 dst 127.0.0.1 proto udp dport 4301 ctx staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1022 action block && \ + ip xfrm policy add dir in src 127.0.0.1 dst 127.0.0.1 proto udp sport 4301 ctx staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1022 action block && \ + ip xfrm policy add dir out src %LOCAL_IPV4% dst %REMOTE_IPV4% proto udp dport 4300 ctx staff_u:lspp_test_r:lspp_harness_t:s0:c0-s15:c0.c1023 action block && \ + ip xfrm policy add dir in src %REMOTE_IPV4% dst %LOCAL_IPV4% proto udp sport 4300 ctx staff_u:lspp_test_r:lspp_harness_t:s0:c0-s15:c0.c1023 action block && \ + ip xfrm policy add dir out src %LOCAL_IPV4% dst %REMOTE_IPV4% proto udp dport 4301 ctx staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1022 action block && \ + ip xfrm policy add dir in src %REMOTE_IPV4% dst %LOCAL_IPV4% proto udp sport 4301 ctx staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1022 action block && \ + (success; echo) || (failure; echo) diff --git a/audit/network/system/rc.local.server.in_body b/audit/network/system/rc.local.server.in_body new file mode 100644 index 0000000..083aee1 --- /dev/null +++ b/audit/network/system/rc.local.server.in_body 
@@ -0,0 +1,4 @@ + ip xfrm policy add dir in src %LOCAL_IPV4% dst %REMOTE_IPV4% proto udp sport 4300 ctx staff_u:lspp_test_r:lspp_harness_t:s0:c0-s15:c0.c1023 action block && \ + ip xfrm policy add dir out src %REMOTE_IPV4% dst %REMOTE_IPV4% proto udp dport 4300 ctx staff_u:lspp_test_r:lspp_harness_t:s0:c0-s15:c0.c1023 action block && \ + ip xfrm policy add dir out src %REMOTE_IPV4% dst %REMOTE_IPV4% proto udp dport 4301 ctx staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1022 action block && \ + ip xfrm policy add dir in src %LOCAL_IPV4% dst %REMOTE_IPV4% proto udp sport 4301 ctx staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1022 action block && \ diff --git a/audit/network/system/rc.local.server.in_footer b/audit/network/system/rc.local.server.in_footer new file mode 100644 index 0000000..c6384a6 --- /dev/null +++ b/audit/network/system/rc.local.server.in_footer @@ -0,0 +1 @@ + (success; echo) || (failure; echo) diff --git a/audit/network/system/rc.local.server.in_header b/audit/network/system/rc.local.server.in_header new file mode 100644 index 0000000..dd10404 --- /dev/null +++ b/audit/network/system/rc.local.server.in_header 
@@ -0,0 +1,37 @@ +#!/bin/sh +############################################################################### +# (c) Copyright Hewlett-Packard Development Company, L.P., 2007 +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of version 2 the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +############################################################################### +# +# This script will be executed *after* all the other init scripts. +# You can put your own initialization stuff in here if you don't +# want to do the full Sys V style init stuff. + +touch /var/lock/subsys/local + +# Source function library. +. /etc/init.d/functions + +###################################################################### +# LSPP Test Configuration +###################################################################### + +# Setup IPsec +echo -n "Starting ipsec for the LSPP tests: " +echo 0 > /proc/sys/net/ipv4/conf/lo/disable_xfrm +echo 0 > /proc/sys/net/ipv4/conf/lo/disable_policy +ip xfrm state flush && ip xfrm policy flush +service ipsec status && service ipsec stop +service ipsec start && \ -- 1.7.1 |
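Review bot: in rc.local.server.in_body both `dir out` rules have `src %REMOTE_IPV4% dst %REMOTE_IPV4%`, i.e. identical source and destination, so after addr_loop.bash expands them they can never match a packet. Read against ipsec.conf.server.in_body (left=%REMOTE_IPV4%, right=%LOCAL_IPV4%, rightprotoport=tcp/4300, so %LOCAL_IPV4% is the server and %REMOTE_IPV4% the looped client address), the server rules should mirror the client's `dir out src %LOCAL_IPV4% dst %REMOTE_IPV4% ... dport 4300` / `dir in src %REMOTE_IPV4% dst %LOCAL_IPV4% ... sport 4300` pairs from rc.local.client, i.e. `dir in src %REMOTE_IPV4% dst %LOCAL_IPV4% proto udp dport 4300` and `dir out src %LOCAL_IPV4% dst %REMOTE_IPV4% proto udp sport 4300` (likewise for 4301). As written the `dir in` rules also put the server's own address in src and match sport where the server sees dport. Unless addr_loop.bash swaps the placeholders relative to the ipsec.conf template, the four rules need to be rewritten; a one-line comment in the template stating which placeholder is which would prevent this recurring.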
From: <om...@re...> - 2011-09-29 12:53:40
From: Ondrej Moris <om...@re...> Signed-off-by: Ondrej Moris <om...@re...> --- audit/network/system/Makefile | 36 +++++++++++++++++------------------- 1 files changed, 17 insertions(+), 19 deletions(-) diff --git a/audit/network/system/Makefile b/audit/network/system/Makefile index 56dc9f8..f1d9016 100644 --- a/audit/network/system/Makefile +++ b/audit/network/system/Makefile @@ -4,12 +4,12 @@ # This program is free software: you can redistribute it and/or modify # it under the terms of version 2 the GNU General Public License as # published by the Free Software Foundation. -# +# # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. -# +# # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. ############################################################################### @@ -34,6 +34,7 @@ getaddress: install_check @echo "Local IPv6 address -> %LOCAL_IPV6_RAW%" | ../addr_filter.bash install_client: install_setrans install_ipsec_client install_netlabel + cat rc.local.client | ../addr_filter.bash > rc.local install -o root -g root -m 755 rc.local /etc/rc.d if [[ ! -L /etc/rc3.d/S99local ]]; then \ (cd /etc/rc3.d; ln -s ../rc.local S99local); \ 
@@ -41,6 +42,13 @@ install_client: install_setrans install_ipsec_client install_netlabel restorecon /etc install_server: install_setrans install_ipsec_server install_netlabel + if [[ ! -f client_list.txt ]]; then \ + echo "error: file client_list.txt does not exist"; \ + exit 1; \ + fi + cat rc.local.server.in_header > rc.local + cat client_list.txt | ../addr_loop.bash -4 rc.local.server.in_body >> rc.local + cat rc.local.server.in_footer >> rc.local install -o root -g root -m 755 rc.local /etc/rc.d if [[ ! -L /etc/rc3.d/S99local ]]; then \ (cd /etc/rc3.d; ln -s ../rc.local S99local); \ 
@@ -73,26 +81,16 @@ install_netlabel: chkconfig netlabel on install_ipsec_client: install_check - cat setkey.conf.in | ../addr_filter.bash > setkey.conf - cat psk.txt.in | ../addr_filter.bash > psk.txt - install -o root -g root -m 600 racoon.conf /etc/racoon - install -o root -g root -m 600 psk.txt /etc/racoon - install -o root -g root -m 600 setkey.conf /etc/racoon + cat ipsec.conf.client | ../addr_filter.bash > ipsec.conf + install -o root -g root -m 600 ipsec.conf /etc/ipsec.conf + install -o root -g root -m 600 ipsec.secrets /etc/ipsec.secrets install_ipsec_server: install_check_server if [[ ! -f client_list.txt ]]; then \ echo "error: file client_list.txt does not exist"; \ exit 1; \ fi - cat setkey.conf.in_header > setkey.conf - cat client_list.txt | \ - ../addr_loop.bash -4 setkey.conf.in_ipv4 \ - -6 setkey.conf.in_ipv6 >> \ - setkey.conf - cat setkey.conf.in_footer >> setkey.conf - cat psk.txt.in_header > psk.txt - cat client_list.txt | ../addr_loop.bash -A psk.txt.in_body >> psk.txt - cat psk.txt.in_footer >> psk.txt - install -o root -g root -m 600 racoon.conf /etc/racoon - install -o root -g root -m 600 psk.txt /etc/racoon - install -o root -g root -m 600 setkey.conf /etc/racoon + cat ipsec.conf.server.in_header > ipsec.conf + cat client_list.txt | ../addr_loop.bash -4 ipsec.conf.server.in_body >> ipsec.conf + install -o root -g root -m 600 ipsec.conf /etc/ipsec.conf + install -o root -g root -m 600 ipsec.secrets /etc/ipsec.secrets -- 1.7.1 |
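Review bot: install_ipsec_client and install_ipsec_server now install /etc/ipsec.conf and /etc/ipsec.secrets but do nothing about a previously installed /etc/racoon/{racoon.conf,psk.txt,setkey.conf}, so a host configured with the old templates keeps a stale PSK file and setkey policy behind; either remove those files in these targets or document the cleanup in README.run. Smaller points: the `client_list.txt` existence check added to install_server duplicates the one already in its prerequisite install_ipsec_server (which runs first) and can go; rc.local and ipsec.conf are now generated files and belong in the clean target and .gitignore if there is one; and the first hunk (trailing space after `#` in the license header) is whitespace-only and unrelated to the change, better split into its own commit.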
From: <om...@re...> - 2011-09-29 12:53:43
From: Ondrej Moris <om...@re...> Signed-off-by: Ondrej Moris <om...@re...> --- audit/trustedprograms/tests/test_ipsec.bash | 225 +++++++++++++++++++++++++++ 1 files changed, 225 insertions(+), 0 deletions(-) create mode 100755 audit/trustedprograms/tests/test_ipsec.bash diff --git a/audit/trustedprograms/tests/test_ipsec.bash b/audit/trustedprograms/tests/test_ipsec.bash new file mode 100755 index 0000000..5ee9f3c --- /dev/null +++ b/audit/trustedprograms/tests/test_ipsec.bash 
@@ -0,0 +1,225 @@ +#!/bin/bash +# ============================================================================= +# (c) Copyright Hewlett-Packard Development Company, L.P., 2007 +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of version 2 the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# ============================================================================= +# +# It is important to note that prior to running the tests below the +# system must be configured using the configuration templates in the +# "network/system" directory as directed by the test plan. Failure to +# configure the system correctly will result in test failures. +# +## PROGRAM: ipsec +## PURPOSE: +## Verify that the ipsec daemon correctly negotiates IPsec SAs with remote +## hosts and that when these SAs are added to the kernel's SAD the correct +## audit records are generated. There is also a test case to verify that the +## SAs are removed correctly but this is a duplicate of the ip xfrm trusted +## program test. If either the SA is not created or the audit record is +## missing when ipsec negotiates a new SA the test fails. The test procedure +## is as follows: +## 1. Flush any existing SAs from the kernel's SAD +## 2. Attempt to establish a new SA using ipsec by talking to a remote +## test driver over a connection which is configured to require IPsec +## protection +## 3. Verify the SA was created and the audit trail is correct +## 4. Remove the SA from the kernel's SAD +## 5. 
Verify the SA was removed and an audit record was generated +## TESTCASE: negotiate a SA with ipsec +## TESTCASE: remove the SAs + +source testcase.bash || exit 2 + +###################################################################### +# global variables +###################################################################### + +unset log_mark +unset ip_src ip_dst + +###################################################################### +# helper functions +###################################################################### + +# +# get_ipv4_addr - Get the local system's glboal IPv4 address +# +# INPUT +# none +# +# OUTPUT +# Writes the first global IPv4 address on the local system to stdout +# +# DESCRIPTION +# This function queries the local system, through the "ip" command, for a list +# of global IPv4 addresses, it then selects the first address in the list and +# writes it to stdout. +# +function get_ipv4_addr { + ip -o -f inet addr show scope global | head -n 1 | \ + awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' +} + +###################################################################### +# functions +###################################################################### + +# +# ipsec_add - Attempt to negotiate a new IPsec SA using ipsec +# +# INPUT +# none +# +# OUTPUT +# none +# +# DESCRIPTION +# This function attempts to negotiate a IPsec SA with a remote node using the +# "ipsec" daemon. The function does this by using a test driver on the remote +# node which the function configures to listen on IPv4/TCP port 5300. Once the +# remote test driver is waiting for new connections the function tries to +# connect to the remote test driver which triggers a SPD rule in the IPsec +# subsystem which sends a SA "acquire" message to the "ipsec" daemon which +# then attempts to negotiate an IPsec SA with the remote host. If the "ipsec" +# deamon is unable to negotiate a SA with the remote host the connection will +# fail. 
If this function can not setup the remote test driver or initiate a +# connection to the remote test driver it will fail, calling exit_error() in +# the process. +# +function ipsec_add { + declare setup_str="recv:ipv4,tcp,4300,0;" + declare msg_str="Hi Mom!" + + # determine the netcat variant + if which nc6 >& /dev/null; then + cmd_nc="nc6 ----idle-timeout=1 -w 1 " + elif which nc >& /dev/null; then + cmd_nc="nc -w 30 -v " + else + die "error: netcat not installed" + fi + + # do the setup + runcon -t lspp_test_netlabel_t -l SystemLow -- \ + $cmd_nc $ip_dst 4001 <<< $setup_str & + + # configure the remote system (try twice to allow for IKE negotiation) + runcon -t lspp_harness_t -l SystemLow -- \ + $cmd_nc $ip_dst 4300 <<< $msg_str + [[ $? == 0 ]] && return + sleep 2 + runcon -t lspp_harness_t -l SystemLow -- \ + $cmd_nc $ip_dst 4300 <<< $msg_str + [[ $? != 0 ]] && exit_error "unable to establish a SA" +} + +# +# ipsec_remove - Remove all IPsec SAs on the system +# +# INPUT +# none +# +# OUTPUT +# none +# +# DESCRIPTION +# This function attempts to flush/remove all SAs from the kernel IPsec +# subsystem, including the SAs negotiated in the ipsec_add() function. If this +# function can not flush/remove all the SAs from the kernel it will call the +# exit_error() function to signify failure. +# +function ipsec_remove { + # remove the SA + ip xfrm state flush + [[ $? != 0 ]] && exit_error "unable to remove the SA" +} + +# +# ipsec_add_verify - Verify that ipsec did establish a new SA +# +# INPUT +# none +# +# OUTPUT +# none +# +# DESCRIPTION +# This function queries the kernel's SAD to see if the ipsec_add() function +# was successful in establishing a SA. In addition this function checks to see +# if an audit record was generated when the SA was established. If either the +# SA or the audit record is missing this function fails and calls the +# exit_fail() function. 
+# +function ipsec_add_verify { + # check the SA + ip xfrm state | grep -q "proto ah .* mode transport" || \ + exit_fail "failed to add the SA" + augrok --seek=$log_mark type==MAC_IPSEC_EVENT op=SAD-add \ + sec_alg=1 sec_doi=1 sec_obj=staff_u:lspp_test_r:lspp_harness_t:s0 \ + src=$ip_src dst=$ip_dst res=1 || \ + exit_fail "missing audit record" +} + +# +# ipsec_remove_verify - Verify that the SAs have been removed +# +# INPUT +# none +# +# OUTPUT +# none +# +# DESCRIPTION +# This function queries the kernel's SAD to make sure the SAs have been removed +# and that an audit record was generated for the SAs established by the +# ipsec_add() function. If either any SAs are found or the SA removal audit +# records are missing the function fails and the exit_fail() function is +# called. +# +function ipsec_remove_verify { + # check the SA + ip xfrm state | grep -q "proto esp .* mode transport" && \ + exit_fail "failed to remove the SA" + augrok --seek=$log_mark type==MAC_IPSEC_EVENT op=SAD-delete \ + sec_alg=1 sec_doi=1 sec_obj=staff_u:lspp_test_r:lspp_harness_t:s0 \ + src=$ip_src dst=$ip_dst res=1 || \ + exit_fail "missing audit record" +} + +###################################################################### +# main +###################################################################### + +set -x + +[[ -n $LBLNET_SVR_IPV4 ]] || exit_error +ip xfrm state flush || exit_error + +# setup the global variables +ip_src=$(get_ipv4_addr) +ip_dst=$LBLNET_SVR_IPV4 + +# mark the log for augrok later +log_mark=$(stat -c %s $audit_log) + +# attempt to negotiate a SA using ipsec and verify the results +ipsec_add +ipsec_add_verify + +# attempt to remove the SA and verify the results +ipsec_remove +ipsec_remove_verify + +# if we made it this far everything is okay +exit_pass -- 1.7.1 |
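Review bot: ipsec_remove_verify greps `ip xfrm state` for "proto esp .* mode transport" while ipsec_add_verify, and conn test2 that this test exercises (phase2=ah), check for "proto ah .* mode transport"; an AH SA left behind after the flush would therefore go unnoticed and the remove test passes vacuously, so use the same `proto ah` pattern in both checks. Smaller points in the same file: the ipsec_add comment says the remote driver listens on TCP port 5300 but setup_str uses 4300; the netcat fallback calls `die` whereas every other failure path uses exit_error (is `die` defined in testcase.bash?); the setup `$cmd_nc $ip_dst 4001 <<< $setup_str &` is backgrounded and never waited for or killed; `set -x` is left enabled in main; and "glboal" in the get_ipv4_addr comment.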
From: Ondrej M. <om...@re...> - 2011-09-29 13:13:39
Hi there, before applying these patches please note the following:

* test_ipsec.bash (former test_racoon.bash) and the related configuration contain the IPv4 part only. I will add IPv6 support in another patch; the test itself will not change, but the openswan & SPD configuration in network/system will (it will be slightly extended), and

* due to insufficient policy in the testsuite, one has to run /etc/rc.local (as mentioned in README.run and README.netwrk_svr) _without_ run_init, otherwise ipsec won't start. This problem _is not_ introduced by these patches; we will extend the policy to cover this. If you want to run the ipsec test, just execute rc.local by 'bash /etc/rc.local'.

As far as I know, some of you wanted the (trustedprograms) ipsec patches to be able to begin work on networking tests, so there they are.

On 09/29/2011 02:53 PM, om...@re... wrote: > From: Ondrej Moris<om...@re...> > > > Signed-off-by: Ondrej Moris<om...@re...> > --- > audit/trustedprograms/tests/test_ipsec.bash | 225 +++++++++++++++++++++++++++ > 1 files changed, 225 insertions(+), 0 deletions(-) > create mode 100755 audit/trustedprograms/tests/test_ipsec.bash > > diff --git a/audit/trustedprograms/tests/test_ipsec.bash b/audit/trustedprograms/tests/test_ipsec.bash > new file mode 100755 > index 0000000..5ee9f3c > --- /dev/null > +++ b/audit/trustedprograms/tests/test_ipsec.bash 
> @@ -0,0 +1,225 @@ > +#!/bin/bash > +# ============================================================================= > +# (c) Copyright Hewlett-Packard Development Company, L.P., 2007 > +# > +# This program is free software: you can redistribute it and/or modify > +# it under the terms of version 2 the GNU General Public License as > +# published by the Free Software Foundation. > +# > +# This program is distributed in the hope that it will be useful, > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +# GNU General Public License for more details. > +# > +# You should have received a copy of the GNU General Public License > +# along with this program. If not, see<http://www.gnu.org/licenses/>. > +# ============================================================================= > +# > +# It is important to note that prior to running the tests below the > +# system must be configured using the configuration templates in the > +# "network/system" directory as directed by the test plan. Failure to > +# configure the system correctly will result in test failures. > +# > +## PROGRAM: ipsec > +## PURPOSE: > +## Verify that the ipsec daemon correctly negotiates IPsec SAs with remote > +## hosts and that when these SAs are added to the kernel's SAD the correct > +## audit records are generated. There is also a test case to verify that the > +## SAs are removed correctly but this is a duplicate of the ip xfrm trusted > +## program test. If either the SA is not created or the audit record is > +## missing when ipsec negotiates a new SA the test fails. The test procedure > +## is as follows: > +## 1. Flush any existing SAs from the kernel's SAD > +## 2. Attempt to establish a new SA using ipsec by talking to a remote > +## test driver over a connection which is configured to require IPsec > +## protection > +## 3. Verify the SA was created and the audit trail is correct > +## 4. 
Remove the SA from the kernel's SAD > +## 5. Verify the SA was removed and an audit record was generated > +## TESTCASE: negotiate a SA with ipsec > +## TESTCASE: remove the SAs > + > +source testcase.bash || exit 2 > + > +###################################################################### > +# global variables > +###################################################################### > + > +unset log_mark > +unset ip_src ip_dst > + > +###################################################################### > +# helper functions > +###################################################################### > + > +# > +# get_ipv4_addr - Get the local system's glboal IPv4 address > +# > +# INPUT > +# none > +# > +# OUTPUT > +# Writes the first global IPv4 address on the local system to stdout > +# > +# DESCRIPTION > +# This function queries the local system, through the "ip" command, for a list > +# of global IPv4 addresses, it then selects the first address in the list and > +# writes it to stdout. > +# > +function get_ipv4_addr { > + ip -o -f inet addr show scope global | head -n 1 | \ > + awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' > +} > + > +###################################################################### > +# functions > +###################################################################### > + > +# > +# ipsec_add - Attempt to negotiate a new IPsec SA using ipsec > +# > +# INPUT > +# none > +# > +# OUTPUT > +# none > +# > +# DESCRIPTION > +# This function attempts to negotiate a IPsec SA with a remote node using the > +# "ipsec" daemon. The function does this by using a test driver on the remote > +# node which the function configures to listen on IPv4/TCP port 5300. 
Once the > +# remote test driver is waiting for new connections the function tries to > +# connect to the remote test driver which triggers a SPD rule in the IPsec > +# subsystem which sends a SA "acquire" message to the "ipsec" daemon which > +# then attempts to negotiate an IPsec SA with the remote host. If the "ipsec" > +# deamon is unable to negotiate a SA with the remote host the connection will > +# fail. If this function can not setup the remote test driver or initiate a > +# connection to the remote test driver it will fail, calling exit_error() in > +# the process. > +# > +function ipsec_add { > + declare setup_str="recv:ipv4,tcp,4300,0;" > + declare msg_str="Hi Mom!" > + > + # determine the netcat variant > + if which nc6>& /dev/null; then > + cmd_nc="nc6 ----idle-timeout=1 -w 1 " > + elif which nc>& /dev/null; then > + cmd_nc="nc -w 30 -v " > + else > + die "error: netcat not installed" > + fi > + > + # do the setup > + runcon -t lspp_test_netlabel_t -l SystemLow -- \ > + $cmd_nc $ip_dst 4001<<< $setup_str& > + > + # configure the remote system (try twice to allow for IKE negotiation) > + runcon -t lspp_harness_t -l SystemLow -- \ > + $cmd_nc $ip_dst 4300<<< $msg_str > + [[ $? == 0 ]]&& return > + sleep 2 > + runcon -t lspp_harness_t -l SystemLow -- \ > + $cmd_nc $ip_dst 4300<<< $msg_str > + [[ $? != 0 ]]&& exit_error "unable to establish a SA" > +} > + > +# > +# ipsec_remove - Remove all IPsec SAs on the system > +# > +# INPUT > +# none > +# > +# OUTPUT > +# none > +# > +# DESCRIPTION > +# This function attempts to flush/remove all SAs from the kernel IPsec > +# subsystem, including the SAs negotiated in the ipsec_add() function. If this > +# function can not flush/remove all the SAs from the kernel it will call the > +# exit_error() function to signify failure. > +# > +function ipsec_remove { > + # remove the SA > + ip xfrm state flush > + [[ $? 
!= 0 ]]&& exit_error "unable to remove the SA" > +} > + > +# > +# ipsec_add_verify - Verify that ipsec did establish a new SA > +# > +# INPUT > +# none > +# > +# OUTPUT > +# none > +# > +# DESCRIPTION > +# This function queries the kernel's SAD to see if the ipsec_add() function > +# was successful in establishing a SA. In addition this function checks to see > +# if an audit record was generated when the SA was established. If either the > +# SA or the audit record is missing this function fails and calls the > +# exit_fail() function. > +# > +function ipsec_add_verify { > + # check the SA > + ip xfrm state | grep -q "proto ah .* mode transport" || \ > + exit_fail "failed to add the SA" > + augrok --seek=$log_mark type==MAC_IPSEC_EVENT op=SAD-add \ > + sec_alg=1 sec_doi=1 sec_obj=staff_u:lspp_test_r:lspp_harness_t:s0 \ > + src=$ip_src dst=$ip_dst res=1 || \ > + exit_fail "missing audit record" > +} > + > +# > +# ipsec_remove_verify - Verify that the SAs have been removed > +# > +# INPUT > +# none > +# > +# OUTPUT > +# none > +# > +# DESCRIPTION > +# This function queries the kernel's SAD to make sure the SAs have been removed > +# and that an audit record was generated for the SAs established by the > +# ipsec_add() function. If either any SAs are found or the SA removal audit > +# records are missing the function fails and the exit_fail() function is > +# called. 
> +# > +function ipsec_remove_verify { > + # check the SA > + ip xfrm state | grep -q "proto esp .* mode transport"&& \ > + exit_fail "failed to remove the SA" > + augrok --seek=$log_mark type==MAC_IPSEC_EVENT op=SAD-delete \ > + sec_alg=1 sec_doi=1 sec_obj=staff_u:lspp_test_r:lspp_harness_t:s0 \ > + src=$ip_src dst=$ip_dst res=1 || \ > + exit_fail "missing audit record" > +} > + > +###################################################################### > +# main > +###################################################################### > + > +set -x > + > +[[ -n $LBLNET_SVR_IPV4 ]] || exit_error > +ip xfrm state flush || exit_error > + > +# setup the global variables > +ip_src=$(get_ipv4_addr) > +ip_dst=$LBLNET_SVR_IPV4 > + > +# mark the log for augrok later > +log_mark=$(stat -c %s $audit_log) > + > +# attempt to negotiate a SA using ipsec and verify the results > +ipsec_add > +ipsec_add_verify > + > +# attempt to remove the SA and verify the results > +ipsec_remove > +ipsec_remove_verify > + > +# if we made it this far everything is okay > +exit_pass -- Ondrej Moriš, RHCE Quality Assurance Engineer BaseOS QE - Security Email: om...@re... Web: www.cz.redhat.com IRC: omoris at #qa #urt #brno, #penguins Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic |
From: Linda K. <lin...@hp...> - 2011-09-29 17:18:57
Hi Ondrej,

Ondrej Moriš wrote:
> Hi there, before applying these patches please note the following:
>
> * test_ipsec.bash (former test_racoon.bash) and related configuration
> contain IPv4 part only. I will add IPv6 support in another patch - test
> itself will not change, but openswan & SPD configuration in
> network/system will do (it will be slightly extended), and
>
> * due to insufficient policy in the testsuite, one has to run
> /etc/rc.local (as mentioned in README.run and README.netwrk_svr)
> _without_ run_init, otherwise ipsec won't start, this problem _is not_
> introduced by these patches, we will extend policy to cover this. If you
> want to run the ipsec test, just execute rc.local by 'bash /etc/rc.local'

I think I was wrong when I said in our meeting today that if ipsec wouldn't start at boot time it might be a problem in the core policy rather than our lspp_test policy. After looking at the rc.local changes, it's most likely a problem with our lspp_test policy. We have policy in there for ipsec and it likely needs to be updated.

> As far as I know, some of you wanted (trustedprograms) ipsec patches to
> be able to begin his work on networking tests, so there they are.

Yes, thanks very much.

-- ljk

> > On 09/29/2011 02:53 PM, om...@re... wrote: >> From: Ondrej Moris<om...@re...> >> >> >> Signed-off-by: Ondrej Moris<om...@re...> >> --- >> audit/trustedprograms/tests/test_ipsec.bash | 225 +++++++++++++++++++++++++++ >> 1 files changed, 225 insertions(+), 0 deletions(-) >> create mode 100755 audit/trustedprograms/tests/test_ipsec.bash >> >> diff --git a/audit/trustedprograms/tests/test_ipsec.bash b/audit/trustedprograms/tests/test_ipsec.bash >> new file mode 100755 >> index 0000000..5ee9f3c >> --- /dev/null >> +++ b/audit/trustedprograms/tests/test_ipsec.bash 
>> @@ -0,0 +1,225 @@ >> +#!/bin/bash >> +# ============================================================================= >> +# (c) Copyright Hewlett-Packard Development Company, L.P., 2007 >> +# >> +# This program is free software: you can redistribute it and/or modify >> +# it under the terms of version 2 the GNU General Public License as >> +# published by the Free Software Foundation. >> +# >> +# This program is distributed in the hope that it will be useful, >> +# but WITHOUT ANY WARRANTY; without even the implied warranty of >> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >> +# GNU General Public License for more details. >> +# >> +# You should have received a copy of the GNU General Public License >> +# along with this program. If not, see<http://www.gnu.org/licenses/>. >> +# ============================================================================= >> +# >> +# It is important to note that prior to running the tests below the >> +# system must be configured using the configuration templates in the >> +# "network/system" directory as directed by the test plan. Failure to >> +# configure the system correctly will result in test failures. >> +# >> +## PROGRAM: ipsec >> +## PURPOSE: >> +## Verify that the ipsec daemon correctly negotiates IPsec SAs with remote >> +## hosts and that when these SAs are added to the kernel's SAD the correct >> +## audit records are generated. There is also a test case to verify that the >> +## SAs are removed correctly but this is a duplicate of the ip xfrm trusted >> +## program test. If either the SA is not created or the audit record is >> +## missing when ipsec negotiates a new SA the test fails. The test procedure >> +## is as follows: >> +## 1. Flush any existing SAs from the kernel's SAD >> +## 2. Attempt to establish a new SA using ipsec by talking to a remote >> +## test driver over a connection which is configured to require IPsec >> +## protection >> +## 3. 
Verify the SA was created and the audit trail is correct >> +## 4. Remove the SA from the kernel's SAD >> +## 5. Verify the SA was removed and an audit record was generated >> +## TESTCASE: negotiate a SA with ipsec >> +## TESTCASE: remove the SAs >> + >> +source testcase.bash || exit 2 >> + >> +###################################################################### >> +# global variables >> +###################################################################### >> + >> +unset log_mark >> +unset ip_src ip_dst >> + >> +###################################################################### >> +# helper functions >> +###################################################################### >> + >> +# >> +# get_ipv4_addr - Get the local system's glboal IPv4 address >> +# >> +# INPUT >> +# none >> +# >> +# OUTPUT >> +# Writes the first global IPv4 address on the local system to stdout >> +# >> +# DESCRIPTION >> +# This function queries the local system, through the "ip" command, for a list >> +# of global IPv4 addresses, it then selects the first address in the list and >> +# writes it to stdout. >> +# >> +function get_ipv4_addr { >> + ip -o -f inet addr show scope global | head -n 1 | \ >> + awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' >> +} >> + >> +###################################################################### >> +# functions >> +###################################################################### >> + >> +# >> +# ipsec_add - Attempt to negotiate a new IPsec SA using ipsec >> +# >> +# INPUT >> +# none >> +# >> +# OUTPUT >> +# none >> +# >> +# DESCRIPTION >> +# This function attempts to negotiate a IPsec SA with a remote node using the >> +# "ipsec" daemon. The function does this by using a test driver on the remote >> +# node which the function configures to listen on IPv4/TCP port 5300. 
Once the >> +# remote test driver is waiting for new connections the function tries to >> +# connect to the remote test driver which triggers a SPD rule in the IPsec >> +# subsystem which sends a SA "acquire" message to the "ipsec" daemon which >> +# then attempts to negotiate an IPsec SA with the remote host. If the "ipsec" >> +# deamon is unable to negotiate a SA with the remote host the connection will >> +# fail. If this function can not setup the remote test driver or initiate a >> +# connection to the remote test driver it will fail, calling exit_error() in >> +# the process. >> +# >> +function ipsec_add { >> + declare setup_str="recv:ipv4,tcp,4300,0;" >> + declare msg_str="Hi Mom!" >> + >> + # determine the netcat variant >> + if which nc6>& /dev/null; then >> + cmd_nc="nc6 ----idle-timeout=1 -w 1 " >> + elif which nc>& /dev/null; then >> + cmd_nc="nc -w 30 -v " >> + else >> + die "error: netcat not installed" >> + fi >> + >> + # do the setup >> + runcon -t lspp_test_netlabel_t -l SystemLow -- \ >> + $cmd_nc $ip_dst 4001<<< $setup_str& >> + >> + # configure the remote system (try twice to allow for IKE negotiation) >> + runcon -t lspp_harness_t -l SystemLow -- \ >> + $cmd_nc $ip_dst 4300<<< $msg_str >> + [[ $? == 0 ]]&& return >> + sleep 2 >> + runcon -t lspp_harness_t -l SystemLow -- \ >> + $cmd_nc $ip_dst 4300<<< $msg_str >> + [[ $? != 0 ]]&& exit_error "unable to establish a SA" >> +} >> + >> +# >> +# ipsec_remove - Remove all IPsec SAs on the system >> +# >> +# INPUT >> +# none >> +# >> +# OUTPUT >> +# none >> +# >> +# DESCRIPTION >> +# This function attempts to flush/remove all SAs from the kernel IPsec >> +# subsystem, including the SAs negotiated in the ipsec_add() function. If this >> +# function can not flush/remove all the SAs from the kernel it will call the >> +# exit_error() function to signify failure. >> +# >> +function ipsec_remove { >> + # remove the SA >> + ip xfrm state flush >> + [[ $? 
!= 0 ]]&& exit_error "unable to remove the SA" >> +} >> + >> +# >> +# ipsec_add_verify - Verify that ipsec did establish a new SA >> +# >> +# INPUT >> +# none >> +# >> +# OUTPUT >> +# none >> +# >> +# DESCRIPTION >> +# This function queries the kernel's SAD to see if the ipsec_add() function >> +# was successful in establishing a SA. In addition this function checks to see >> +# if an audit record was generated when the SA was established. If either the >> +# SA or the audit record is missing this function fails and calls the >> +# exit_fail() function. >> +# >> +function ipsec_add_verify { >> + # check the SA >> + ip xfrm state | grep -q "proto ah .* mode transport" || \ >> + exit_fail "failed to add the SA" >> + augrok --seek=$log_mark type==MAC_IPSEC_EVENT op=SAD-add \ >> + sec_alg=1 sec_doi=1 sec_obj=staff_u:lspp_test_r:lspp_harness_t:s0 \ >> + src=$ip_src dst=$ip_dst res=1 || \ >> + exit_fail "missing audit record" >> +} >> + >> +# >> +# ipsec_remove_verify - Verify that the SAs have been removed >> +# >> +# INPUT >> +# none >> +# >> +# OUTPUT >> +# none >> +# >> +# DESCRIPTION >> +# This function queries the kernel's SAD to make sure the SAs have been removed >> +# and that an audit record was generated for the SAs established by the >> +# ipsec_add() function. If either any SAs are found or the SA removal audit >> +# records are missing the function fails and the exit_fail() function is >> +# called. 
>> +# >> +function ipsec_remove_verify { >> + # check the SA >> + ip xfrm state | grep -q "proto esp .* mode transport"&& \ >> + exit_fail "failed to remove the SA" >> + augrok --seek=$log_mark type==MAC_IPSEC_EVENT op=SAD-delete \ >> + sec_alg=1 sec_doi=1 sec_obj=staff_u:lspp_test_r:lspp_harness_t:s0 \ >> + src=$ip_src dst=$ip_dst res=1 || \ >> + exit_fail "missing audit record" >> +} >> + >> +###################################################################### >> +# main >> +###################################################################### >> + >> +set -x >> + >> +[[ -n $LBLNET_SVR_IPV4 ]] || exit_error >> +ip xfrm state flush || exit_error >> + >> +# setup the global variables >> +ip_src=$(get_ipv4_addr) >> +ip_dst=$LBLNET_SVR_IPV4 >> + >> +# mark the log for augrok later >> +log_mark=$(stat -c %s $audit_log) >> + >> +# attempt to negotiate a SA using ipsec and verify the results >> +ipsec_add >> +ipsec_add_verify >> + >> +# attempt to remove the SA and verify the results >> +ipsec_remove >> +ipsec_remove_verify >> + >> +# if we made it this far everything is okay >> +exit_pass > > |
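Review bot: ipsec_add_verify greps the SAD for `proto ah .* mode transport` while ipsec_remove_verify greps for `proto esp .* mode transport`; whichever protocol the SPD in network/system actually negotiates, one of the two patterns describes a state that never exists, so either the add check can never pass (ESP negotiated) or the removal check can never fire on a leftover SA (AH negotiated). Use one pattern in both functions, taken from the SPD configuration the test plan prescribes. Three smaller points in ipsec_add: the header comment says the remote test driver listens on IPv4/TCP port 5300 while `setup_str="recv:ipv4,tcp,4300,0;"` and both connect attempts use 4300; `nc6 ----idle-timeout=1` carries two extra dashes; and `die "error: netcat not installed"` should be `exit_error` to match the failure path used everywhere else in the file.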
From: <om...@re...> - 2011-09-29 12:53:43
|
From: Ondrej Moris <om...@re...> Signed-off-by: Ondrej Moris <om...@re...> --- audit/trustedprograms/run.conf | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/audit/trustedprograms/run.conf b/audit/trustedprograms/run.conf index 7d86212..2b7f988 100644 --- a/audit/trustedprograms/run.conf +++ b/audit/trustedprograms/run.conf @@ -89,7 +89,7 @@ if [[ $PPROFILE == lspp ]]; then + lpq + netlabelctl + xinetd - + racoon + + ipsec + ip_xfrm + semodule + semodule_fail -- 1.7.1 |
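Review bot: the commit message is empty apart from the Signed-off-by; it should say that `racoon` is replaced by `ipsec` in the lspp profile list of audit/trustedprograms/run.conf because test_racoon.bash is removed by the first patch of this series and test_ipsec.bash is created by the second, and that this hunk must be applied after the patch creating audit/trustedprograms/tests/test_ipsec.bash, otherwise the lspp run list references a test that does not exist.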
From: Linda K. <lin...@hp...> - 2011-09-29 17:13:55
|
Thanks Ondrej, I've pulled in this patch series. -- ljk |