netpass-devel Mailing List for NetPass (Page 8)
Brought to you by: jeffmurphy
From: jeff m. <jef...@us...> - 2005-08-03 02:46:16
Update of /cvsroot/netpass/NetPass/bin In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv19312/bin Added Files: update_nessus_plugins.sh Log Message: appstarter helper script, home page stats dialog component --- NEW FILE: update_nessus_plugins.sh --- #!/bin/sh /usr/local/bin/nessus-fetch --plugins /opt/netpass/bin/import_nessus_scans.pl exit 0 |
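Review bot: update_nessus_plugins.sh throws away the exit status of both commands. The trailing `exit 0` reports success to whatever invokes the script even when `nessus-fetch --plugins` or `import_nessus_scans.pl` failed, and the import runs regardless of whether the fetch succeeded. Add `set -e` (or test `$?` after nessus-fetch and skip the import on failure) and drop the unconditional `exit 0` so the caller can see a failure.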
From: jeff m. <jef...@us...> - 2005-08-03 02:46:16
Update of /cvsroot/netpass/NetPass/www/components/Admin In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv19312/www/components/Admin Added Files: DialogBulkMovePort Log Message: appstarter helper script, home page stats dialog component --- NEW FILE: DialogBulkMovePort --- <%doc> </%doc> <%perl> use Proc::ProcessTable; my $pt = new Proc::ProcessTable; my $running = 0; my @pl = (); foreach my $pte ( @{$pt->table} ){ if ($pte->cmndline =~ /^reset:\s(.*)/) { push @pl, $1; $running = 1; } } </%perl> <table border=0 width=550> <tr><th>Global Reset Status</th></tr> <tr><td class='gray' align='center'> % if (! $running) { Global Reset is not running. % } else { <input type='submit' name='stopGlobalReset' value='Stop Global Reset'> <PRE> % print join("\n", @pl); </PRE> % } <P><I>You may periodically hit Reload to update the status.</I> <P><I>If you are running in a Clustered (HA) Configuration, this page may be served by a server other than the one where the Global Reset is running. If that's the case, this status box will tell you that Global Reset is not running, even though it is running on the other NetPass server.</I> </td></tr> </table> |
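Review bot: DialogBulkMovePort shows the Stop Global Reset button with no privilege check and no handler for `stopGlobalReset`, declares no `<%args>` (so anything a caller passes in is ignored), and ships with an empty `<%doc>` block. Decide who may stop a global reset and gate the button on that, handle the submit, and HTML-escape `@pl` before `print join("\n", @pl)` inside the `<PRE>`, since those strings are taken verbatim from the process table. Note also that `/^reset:\s(.*)/` matches any process whose command line begins with `reset: `, not only the bulk move job.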
From: jeff m. <jef...@us...> - 2005-08-03 02:45:17
Update of /cvsroot/netpass/NetPass In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv19022 Modified Files: CHANGES MANIFEST install todo Log Message: some bug fixes, resetport.pl re-write, appstarter completion, install/initd tweaks Index: CHANGES =================================================================== RCS file: /cvsroot/netpass/NetPass/CHANGES,v retrieving revision 1.8 retrieving revision 1.9 diff -u -d -r1.8 -r1.9 --- CHANGES 31 Dec 2004 19:13:02 -0000 1.8 +++ CHANGES 3 Aug 2005 02:44:38 -0000 1.9 @@ -159,3 +159,22 @@ jcm added NetPass::Auth::LDAP, ..Auth::Unix and ..Auth::DB modules jcm moved NetPass::RADIUS to NetPass::Auth::Radius jcm moved doc/startup/* to install.d/init.d/* + +2005-08-01 + jcm admin UI over-haul. segment access by network/group + jcm client UI modifications. tie walk-thru messages to client's network + mtb snort integration + mtb netpass API + jcm moved config file into database + mtb migrated to mysql cluster + mtb service watcher (npsvc) + jcm macscan app + jcm appstarter app + jcm per-network/group policy settings + mtb basic incident tracking + jcm 'strikes' system + mtb lots of bugs created + jcm lots of bugs fixed + +2005-08-10 2.0 released + Index: todo =================================================================== RCS file: /cvsroot/netpass/NetPass/todo,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- todo 17 Mar 2005 17:38:37 -0000 1.2 +++ todo 3 Aug 2005 02:44:38 -0000 1.3 @@ -3,22 +3,11 @@ changes - when user comes back update sw/po and ip fields based on mac - stash sw/po in ssession so we dont have to re-search when - we re-validate - - Admin/Scan/index.mhtml - http:// - - tie QC into dhcp so that we can verify that the given IP is really currently associated with the corresponding MAC search by time range with calendar button on various forms - per-message/scantype quarantine/unquarantine? - - stats arp table iptables entries 
@@ -28,11 +17,6 @@ -nessusScans table -> convert timestamps to DATETIMEs - - - - tree search if no bsw, pick on at random @@ -43,16 +27,6 @@ if state is PQUAR we dont tear down the session. so if you set the reg to QUAR, instead of a login page, they get the "ready to rescan" page. -BUG - reg two hosts on the same port. set them both to quarantined - and they both get the multi_mac message and neither can rescan - to get out! - -BUG - OS field not recording in table.... - - - multi-root networsk (spauld/wilk/rich) Index: install =================================================================== RCS file: /cvsroot/netpass/NetPass/install,v retrieving revision 1.22 retrieving revision 1.23 diff -u -d -r1.22 -r1.23 --- install 17 May 2005 15:13:14 -0000 1.22 +++ install 3 Aug 2005 02:44:38 -0000 1.23 @@ -336,7 +336,7 @@ lprint "copy $base/$cfg to /etc/$cfg, using netblocks=$netblocks\n"; if (-f "/etc/$cfg") { - lprint "hmm. /etc/$cfg already exists. we wont over-write it. abort.\n"; + lprint "hmm. /etc/$cfg already exists. We wont over-write it. We're going to skip\nthis section of the install.\n"; return; } @@ -354,7 +354,7 @@ "); - my $npserv = ask("Enter the IP addresses of all of you'r NetPass servers (a netblock is OK). + my $npserv = ask("Enter the IP addresses of all of your NetPass servers (a netblock is OK). We'll use this to permit MySQL traffic between those servers. Without this, MySQL cluster will not function. Enter the addresses on a single line, separated by spaces: @@ -1042,9 +1042,9 @@ ldie "cant open $cf for writing: $!" unless defined ($fh); foreach my $line (@orig) { if ($line =~ /redirect 302:http/) { - print "\t\tredirect 302:http://$sn/?url=%u\n"; + print $fh "\t\tredirect 302:http://$sn/?url=%u\n"; } else { - print $line; + print $fh $line; } } $fh->close; 
@@ -1279,7 +1279,7 @@ for (my $i=0 ; $i < $#$c ; $i++) { if ($c->[$i] =~ /$k/) { - splice(@$c, $i+1, 0, $l); + splice(@$c, $i, 1, $l); $i++; } } Index: MANIFEST =================================================================== RCS file: /cvsroot/netpass/NetPass/MANIFEST,v retrieving revision 1.50 retrieving revision 1.51 diff -u -d -r1.50 -r1.51 --- MANIFEST 23 Jun 2005 20:19:54 -0000 1.50 +++ MANIFEST 3 Aug 2005 02:44:38 -0000 1.51 @@ -24,6 +24,7 @@ bin/proc_counter.pl bin/portmover.pl bin/npapid.pl +bin/npsvc.pl bin/resetport-restart.sh bin/ciconf.pl bin/rm_stale_cookies.pl @@ -34,6 +35,7 @@ bin/rogue-dhcp-detect.pl bin/npsubagent.pl bin/npurlfilter.pl +bin/update_nessus_plugins.sh doc/cron.monthly/mysql_binlog_rotate doc/logrotate.d/apache doc/logrotate.d/netpass @@ -70,6 +72,7 @@ doc/npinline-l3.txt etc/netpass-example.conf etc/oui.txt +etc/npsvc.conf install.d/logrotate.d/apache install.d/logrotate.d/netpass install.d/logrotate.d/snort @@ -153,6 +156,8 @@ www/components/Admin/FormNPNessus www/components/Admin/FormNPPolicy www/components/Admin/FormNPSnort +www/components/Admin/DisplaySideLinks +www/components/Admin/DialogBulkMovePort www/components/Client/BeginScan www/components/Client/GetInfo www/components/Client/Login @@ -198,6 +203,7 @@ www/htdocs/Admin/help.mhtml www/htdocs/Admin/chpwd.mhtml www/htdocs/Admin/auth.mhtml +www/htdocs/Admin/addsidelink.mhtml www/htdocs/Admin/cmd/lockcfg.mhtml www/htdocs/Admin/cmd/setresult.mhtml www/htdocs/Admin/cmd/getRadiusSecret.mhtml |
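Review bot: the CHANGES hunk adds `2005-08-10 2.0 released` to a commit dated 3 Aug 2005 (per the diff header), so the file announces a release that has not happened yet. Leave the release line out until the tag is actually cut, or mark it as planned.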
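Review bot: the `print $fh` fix in the install hunk at @@ -1042 is right (the old code sent the rewritten lines to stdout and left the file empty), but neither `print $fh` nor `$fh->close` has its return value checked, so a write failure silently truncates the config. Check both and `ldie` on failure, as the open already does.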
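Review bot: in the install hunk at @@ -1279, the loop condition `$i < $#$c` stops one element short of the end of `@$c`, so a match on the last line is never replaced; use `$i <= $#$c` (or `$i < @$c`). With the new `splice(@$c, $i, 1, $l)` the matching element is replaced rather than followed by `$l`, so the `$i++` that used to skip the inserted line now skips inspecting the next original line instead. `$k` is also interpolated into `/$k/` unescaped; use `\Q$k\E` if it is a literal key.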
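Review bot: MANIFEST gains bin/update_nessus_plugins.sh but not bin/update_snort_plugins.sh, which the appstarter.pl documentation in the same commit lists as `reload_snort_plugins /opt/netpass/bin/update_snort_plugins.sh`. Unless it appears in a part of MANIFEST outside this hunk, either add the script or drop it from the appstarter documentation so the install does not reference a file that is not shipped.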
From: jeff m. <jef...@us...> - 2005-08-03 02:44:49
Update of /cvsroot/netpass/NetPass/www/htdocs/OSSTemplate/css In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv19022/www/htdocs/OSSTemplate/css Modified Files: site.css Log Message: some bug fixes, resetport.pl re-write, appstarter completion, install/initd tweaks Index: site.css =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/OSSTemplate/css/site.css,v retrieving revision 1.10 retrieving revision 1.11 diff -u -d -r1.10 -r1.11 --- site.css 8 Jun 2005 16:35:42 -0000 1.10 +++ site.css 3 Aug 2005 02:44:40 -0000 1.11 @@ -79,12 +79,16 @@ color: #FFFFFF; } -.sbText { +.sbText { color: #FFFFFF; margin-left: 6px; margin-right: 6px; } +.sbText:link, .sbText:visited, .sbText:hover, .sbText:active, .sbText a { + color: #FFFFFF; +} + .sbLinks { color: #FFFFFF; margin-bottom: 6px; |
From: jeff m. <jef...@us...> - 2005-08-03 02:44:49
Update of /cvsroot/netpass/NetPass/www/htdocs/Admin/Scan In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv19022/www/htdocs/Admin/Scan Modified Files: index.mhtml Log Message: some bug fixes, resetport.pl re-write, appstarter completion, install/initd tweaks Index: index.mhtml =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/Admin/Scan/index.mhtml,v retrieving revision 1.5 retrieving revision 1.6 diff -u -d -r1.5 -r1.6 --- index.mhtml 4 May 2005 03:27:17 -0000 1.5 +++ index.mhtml 3 Aug 2005 02:44:40 -0000 1.6 @@ -372,7 +372,8 @@ if ($args->{"status:$id"} ne $args->{"statusOrig:$id"}) { $np->db->audit( - -user => $m->session->{'logged_in'}, + -user => $m->session->{'username'}, + -ip => $ENV{'REMOTE_ADDR'}, -msg => [ "ScanAdmin: $id status changed to", $status, "from", $args->{'statusOrig:'.$id} ]); } |
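Review bot: adding `-ip => $ENV{'REMOTE_ADDR'}` to the audit row is a good change, but in the clustered (HA) deployment the admin pages describe, requests that arrive through a proxy or load balancer will all carry the proxy's address; if that applies, record the forwarded client address as well and treat it as untrusted input. The switch from `$m->session->{'logged_in'}` to `$m->session->{'username'}` also means the rows written so far hold whatever `logged_in` contained rather than a user name; check the old rows before relying on them.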
From: jeff m. <jef...@us...> - 2005-08-03 02:44:49
Update of /cvsroot/netpass/NetPass/www/htdocs/Admin In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv19022/www/htdocs/Admin Modified Files: auth.mhtml autohandler gencfg.mhtml greset.mhtml index.mhtml switch.mhtml Log Message: some bug fixes, resetport.pl re-write, appstarter completion, install/initd tweaks Index: switch.mhtml =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/Admin/switch.mhtml,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- switch.mhtml 3 Jun 2005 16:59:55 -0000 1.4 +++ switch.mhtml 3 Aug 2005 02:44:39 -0000 1.5 @@ -45,6 +45,10 @@ } } +if ($switch && ($switch ne $WH) && !$submitButton) { + ($rocomm, $rwcomm) = $np->cfg->getCommunities($switch); +} + if ($#err > -1) { print "<P class='error'>The following errors occurred:</P> "; print "<OL><LI class='error'>", join("<LI class='error'>", @err), "</OL>"; Index: autohandler =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/Admin/autohandler,v retrieving revision 1.16 retrieving revision 1.17 diff -u -d -r1.16 -r1.17 --- autohandler 19 Jul 2005 14:45:52 -0000 1.16 +++ autohandler 3 Aug 2005 02:44:39 -0000 1.17 @@ -66,7 +66,7 @@ %$m->comp("/Admin/DisplaySideLinks"); </DIV> <P><P> -<BR><H6><I><%join('.', (split(/\./, hostname))[0,1])%></I></H6> +<BR><I style='color:white;border: solid 1px white; padding: 2px; text-align:center;'><%join('.', (split(/\./, hostname))[0,1])%></I> <%perl> } Index: auth.mhtml =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/Admin/auth.mhtml,v retrieving revision 1.6 retrieving revision 1.7 diff -u -d -r1.6 -r1.7 --- auth.mhtml 23 Jun 2005 20:21:09 -0000 1.6 +++ auth.mhtml 3 Aug 2005 02:44:39 -0000 1.7 
@@ -42,6 +42,11 @@ $m->comp('/Admin/LockConfig', 'enableWhenLocked' => [ 'submitButton' ], 'init' => 0); my $lstat = $np->db->isConfigLocked(); +Radius and LDAP servers are shared. If you select Radius for both Client and Admin +authentication, you will see two "Radius Server" configuration areas, but they +both refer to the same information. So if you add a Radius server to one, it will +appear in both. + if ($submitButton eq "Commit Changes") { _log("DEBUG", "$whoami is changing system auth settings\n"); Index: index.mhtml =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/Admin/index.mhtml,v retrieving revision 1.11 retrieving revision 1.12 diff -u -d -r1.11 -r1.12 --- index.mhtml 14 Jun 2005 21:12:07 -0000 1.11 +++ index.mhtml 3 Aug 2005 02:44:39 -0000 1.12 @@ -33,10 +33,12 @@ use SOAP::Lite; print $q->h2("System Status"); -print $q->start_form(-method=>"POST", -action => "index.mhtml"); +print $q->start_form(-method => "POST", -action => "index.mhtml"); snortStats($rw, \%ARGS); +$m->comp('/Admin/DialogBulkMovePort', 'isRoot' => $rw, %ARGS); + sub snortStats { my $rw = shift; my $args = shift; Index: greset.mhtml =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/Admin/greset.mhtml,v retrieving revision 1.3 retrieving revision 1.4 diff -u -d -r1.3 -r1.4 --- greset.mhtml 27 Apr 2005 03:54:07 -0000 1.3 +++ greset.mhtml 3 Aug 2005 02:44:39 -0000 1.4 
@@ -47,11 +47,14 @@ } if ($ARGS{'quarantineall'}) { - $np->db->reqAppAction('quarall', 'start', ''); - $np->db->audit( -user => $m->session->{'username'}, - -severity => "ALERT", - -msg => [ "Activated Quarantine All Global Reset" ]); - + if ($np->db->clearRegister()) { + $np->db->reqAppAction('quarall', 'start', ''); + $np->db->audit( -user => $m->session->{'username'}, + -severity => "ALERT", + -msg => [ "Activated Quarantine All Global Reset" ]); + } else { + print "<p class='error'>Failed to clear register table. Unquarantine all aborted.</P>"; + } } elsif ($ARGS{'unquarantineall'}) { $np->db->reqAppAction('unquarall', 'start', ''); $np->db->audit( -user => $m->session->{'username'}, 
@@ -60,11 +63,27 @@ } print $q->start_form(-name => 'form', -method => "POST"); -print "<h2>Global Reset</h2>"; -print "<FONT CLASS='error'>WARNING:</FONT>The following will cause a system wide reset.<BR>Make sure a global reset is exactly what you want to do.<P>"; -print "<TABLE CLASS='gray' CELLSPACING=2 CELLPADDING=2 BORDER=0 HEIGHT=200>"; -print "<TR><TH HEIGHT=25 WIDTH=200 COLSPAN=2>Global Reset</TH></TR><TR>"; -print "<TD ALIGN='center'>"; +</%perl> +<h2>Global Reset</h2> + +<FONT CLASS='error'>WARNING:</FONT>The following will cause <B>all managed ports</B> to be reset to the state you choose.<BR> +Make sure a global reset is exactly what you want to do. <P> + +If you choose to <B>quarantine</B> all ports then <B>all registration data will be deleted</B> thereby forcing +all users to go back through the registration process.<P> + +Once you've initiated the global reset, go to the +<a href="/Admin/index.mhtml">NetPass Admin Home</a> page to check its progress.<P> + +Also note that the status area on the Home page only shows the status of the <I>local</I> NetPass server. If you +are running in a Clustered (HA) Configuration, then the Global Reset process might be running on another server +and the home page <I>will not</I> show that it is running. Take note of the server you are attached to when +you start the global reset (the server name is in the lower left corner of this screen). + +<TABLE CLASS='gray' CELLSPACING=2 CELLPADDING=2 BORDER=0 HEIGHT=200> +<TR><TH HEIGHT=25 WIDTH=200 COLSPAN=2>Global Reset</TH></TR><TR> +<TD ALIGN='center'> +<%perl> print $q->button ( -name => 'quarall', -value => 'Quarantine All', Index: gencfg.mhtml =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/Admin/gencfg.mhtml,v retrieving revision 1.19 retrieving revision 1.20 diff -u -d -r1.19 -r1.20 --- gencfg.mhtml 14 Jun 2005 16:38:26 -0000 1.19 +++ gencfg.mhtml 3 Aug 2005 02:44:39 -0000 1.20 
@@ -88,9 +88,10 @@ } } - $np->db->reqAppAction('netpass', 'restart', '') if ($restartnetpass); - $np->db->reqAppAction('httpd', 'restart', '') if ($restarthttpd); - $np->db->reqAppAction('nessusd', 'restart', '') if ($restartnessus); + # the config is auto-reloaded. we dont need to do this anymore + #$np->db->reqAppAction('netpass', 'restart', '') if ($restartnetpass); + #$np->db->reqAppAction('httpd', 'restart', '') if ($restarthttpd); + #$np->db->reqAppAction('nessusd', 'restart', '') if ($restartnessus); $np->cfg->save(-user => $m->session->{'username'}); } |
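Review bot: in the switch.mhtml hunk, `($rocomm, $rwcomm) = $np->cfg->getCommunities($switch)` loads the read-write SNMP community into the page whenever a switch is selected without a submit, and nothing in the hunk checks that the requesting admin is entitled to see it. Gate it on the admin's rights, and make sure the value is not echoed into the HTML unescaped or carried in a GET URL.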
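Review bot: the auth.mhtml hunk inserts the prose `Radius and LDAP servers are shared. ...` between `my $lstat = $np->db->isConfigLocked();` and `if ($submitButton eq "Commit Changes") {`, both Perl statements, so as shown the text sits inside a `<%perl>` block and the page will not compile. Move it into the HTML part of the page, or close and reopen the perl block around it.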
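Review bot: in `$m->comp('/Admin/DialogBulkMovePort', 'isRoot' => $rw, %ARGS)`, `%ARGS` comes after `'isRoot' => $rw`, so a request parameter named `isRoot` overrides the server-side value. Put `%ARGS` first, or pass only the parameters the component needs.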
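Review bot: in the greset.mhtml hunk at @@ -47, the error printed when `clearRegister()` fails says `Unquarantine all aborted.` but this is the quarantine-all branch. The register table is also cleared before `reqAppAction('quarall', 'start', '')` is queued, so if the action is later refused (for example because one is already running) the registrations are already gone. Audit the failure path as well as the success path.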
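Review bot: commenting out the three `reqAppAction(..., 'restart', '')` calls in gencfg.mhtml leaves `$restartnetpass`, `$restarthttpd` and `$restartnessus` computed but unused; remove them rather than keeping dead code. The justification `the config is auto-reloaded` may hold for the NetPass daemons, but nessusd is a separate daemon; confirm it picks up the changed configuration without a restart before dropping that one.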
From: jeff m. <jef...@us...> - 2005-08-03 02:44:49
Update of /cvsroot/netpass/NetPass/www/htdocs/Admin/Editor In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv19022/www/htdocs/Admin/Editor Modified Files: index.mhtml Log Message: some bug fixes, resetport.pl re-write, appstarter completion, install/initd tweaks Index: index.mhtml =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/Admin/Editor/index.mhtml,v retrieving revision 1.6 retrieving revision 1.7 diff -u -d -r1.6 -r1.7 --- index.mhtml 8 Jun 2005 16:35:42 -0000 1.6 +++ index.mhtml 3 Aug 2005 02:44:40 -0000 1.7 @@ -106,6 +106,8 @@ ); +$del = pop(@$del) if (ref($del) eq "ARRAY"); + return if(!$submit && !$search && !$del); if ($submit) { @@ -120,7 +122,7 @@ if ($del ne '') { if ($del !~ /;/) { - print "<P class='error'>Delete parse error.</P>"; + #print "<P class='error'>Delete parse error. ($del)</P>"; } else { my ($dN, $dG) = split(/;/, $del); if ($isRoot || grep /^$dG$/, @$rwGroups) { |
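Review bot: in the Editor/index.mhtml hunk, `grep /^$dG$/, @$rwGroups` interpolates the request-supplied group name into a regex unescaped, so a value such as `.*` matches every group and satisfies the `$isRoot || grep ...` authorization check; compare with `eq` (`grep { $_ eq $dG } @$rwGroups`) or use `\Q$dG\E`. `$del = pop(@$del) if (ref($del) eq "ARRAY")` silently takes the last of several `del` values, and the parse-error message is commented out instead of the cause being fixed; reject multiple values and malformed input explicitly.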
From: jeff m. <jef...@us...> - 2005-08-03 02:44:48
Update of /cvsroot/netpass/NetPass/bin In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv19022/bin Modified Files: appstarter.pl macscan.pl portmover.pl proc_counter.pl resetport.pl Log Message: some bug fixes, resetport.pl re-write, appstarter completion, install/initd tweaks Index: appstarter.pl =================================================================== RCS file: /cvsroot/netpass/NetPass/bin/appstarter.pl,v retrieving revision 1.3 retrieving revision 1.4 diff -u -d -r1.3 -r1.4 --- appstarter.pl 12 Apr 2005 14:18:11 -0000 1.3 +++ appstarter.pl 3 Aug 2005 02:44:38 -0000 1.4 @@ -82,9 +82,10 @@ netpass /etc/init.d/netpass npcfgd /opt/netpass/bin/npcfgd.pl npstatusd /opt/netpass/bin/npstatusd.pl - npsnortd /opt/netpass/bin/npsnortd.pl - unquar-all /opt/netpass/bin/unquar-all.pl - quar-all /opt/netpass/bin/quar-all.pl + unquarall /opt/netpass/bin/bulk_moveport.pl -N 0.0.0.0/0 -a unquarantine + quarall /opt/netpass/bin/bulk_moveport.pl -N 0.0.0.0/0 -a quarantine + reload_nessus_plugins /opt/netpass/bin/update_nessus_plugins.sh + reload_snort_plugins /opt/netpass/bin/update_snort_plugins.sh Items in the /etc/init.d directory must accept the "stop" "start" "restart" and "status" command line parameter and must do the appropriate thing. @@ -125,27 +126,15 @@ use lib '/opt/netpass/lib'; use FileHandle; use Pod::Usage; +use Data::Dumper; + +use POSIX qw(:sys_wait_h setsid setuid setgid); use RUNONCE; use NetPass::LOG qw(_log _cont); my $myName = "appstarter"; -NetPass::LOG::init [ $myName, 'local0' ]; #*STDOUT; - -my $otherPid = RUNONCE::alreadyRunning($myName); - -if(defined($otherPid) && $otherPid) { - _log "ERROR", "i'm already running. pid=$otherPid\n"; - die "ERR: another copy of this script is already running pid=$otherPid"; -} - -require NetPass; -require NetPass::Config; - -$SIG{'ALRM'} = \&alarmHandler; - - my %opts; getopts('c:U:qnDh?', \%opts); pod2usage(2) if exists $opts{'h'} || exists $opts{'?'}; 
@@ -160,6 +149,32 @@ daemonize($myName, "/var/run/netpass"); } +if ($D) { + NetPass::LOG::init *STDOUT; +} else { + NetPass::LOG::init [ $myName, 'local0' ]; #*STDOUT; +} + +my $otherPid = RUNONCE::alreadyRunning($myName); + +if(defined($otherPid) && $otherPid) { + _log "ERROR", "i'm already running. pid=$otherPid\n"; + die "ERR: another copy of this script is already running pid=$otherPid"; +} + +require NetPass; +require NetPass::Config; + +sub REAPER { + my $child; + while (($child = waitpid(-1,WNOHANG)) > 0) { + } + $SIG{'CHLD'} = \&REAPER; +} + +$SIG{'ALRM'} = \&alarmHandler; +$SIG{'CHLD'} = \&REAPER; # just incase they fail to disassociate + print "new NP\n" if $D; my $np = new NetPass(-cstr => exists $opts{'c'} ? $opts{'c'} : undef, 
@@ -170,29 +185,124 @@ die "failed to connect to NetPass: $np" unless (ref($np) eq "NetPass"); while (1) { - _log "DEBUG", "wakeup: processing worklist\n" if $D; + _log ("DEBUG", "wakeup: processing worklist\n") if $D; RUNONCE::handleConnection(); - _log "DEBUG", "sleeping for 10 seconds.\n" if $D; - print scalar localtime(time()), " sleeping...\n" if $D; + my $x = $np->db->getAppAction(); + if (ref($x) ne "ARRAY") { + _log("ERROR", "getAppAction failed: $x\n"); + } else { + _log("DEBUG", "Worklist: ". Dumper($x). "\n"); - select(undef, undef, undef, 10.0); + foreach my $row (@$x) { + if ($row->[2] eq "start") { + if (isRunning($row->[1])) { + _log("WARNING", $row->[1]. " is already running, so wont start another copy.\n"); + # behavior is to ack the duplicate.XXX + } else { + start($row); + } + } + elsif ($row->[2] eq "stop") { + if (!isRunning($row->[1])) { + _log("WARNING", $row->[1]. " is not running, so cant stop.\n"); + } else { + stop($row) unless !isRunning($row->[1]); + } + } + } + } + + _log ("DEBUG", "sleeping for 10 seconds.\n") if $D; + sleep(10); +} + +sub isRunning { + my $cn = shift; + + _log("DEBUG", "isRunning $cn\n") if $D; + + my @pids = (); + if ($cn =~ /^([u]{0,1}[n]{0,1})quarall$/) { + use Proc::ProcessTable; + my $pt = new Proc::ProcessTable; + my $un = $1; + foreach my $pte (@{$pt->table}) { + push @pids, $pte->pid + if ($pte->cmndline =~ /^reset:\s${un}quarantine/); + } + _log("DEBUG", "isRunning looking for $cn found: ".join(',',@pids)."\n") if $D; + return @pids; + } + _log("DEBUG", "shouldnt be here\n"); } +sub start { + my $row = shift; + my ($rowid, $cmd, $junk, $as) = @$row; -exit 0; + if ($cmd eq "quarall") { + runAs("/opt/netpass/bin/bulk_moveport.pl -N 0.0.0.0/0 -a quarantine", $as); + } + elsif ($cmd eq "unquarall") { + runAs("/opt/netpass/bin/bulk_moveport.pl -N 0.0.0.0/0 -a unquarantine", $as); + } +} + +sub stop { + my $cmd = shift; + if ($cmd eq "quarall") { + # search for "reset: quarantine" + } + elsif ($cmd eq "unquarall") 
{ + # search for "reset: unquarantine" + } +} + +sub runAs { + my $cmd = shift; + my $as = shift; + $as ||= "netpass"; + my ($uid,$gid) = (getpwnam($as))[2,3]; + if (!defined($uid)) { + _log("ERROR", "no such user $as\n"); + return; + } + unless ($cmd) { + _log("ERROR", "cmd empty\n"); + return; + } + + _log("DEBUG", qq{exec'ing as $as cmd "$cmd"\n}) if $D; + my $child = fork; + return if ($child); # parent + + open STDIN, '/dev/null'; + open STDOUT, '>/dev/null'; + setsid; + if (setgid($gid)) { + _log("ERROR", "child $$ failed to setgid($gid) $!\n"); + exit 0; + } + if (setuid($uid)) { + _log("ERROR", "child $$ failed to setuid($uid) $!\n"); + exit 0; + } + exec($cmd); + _log("ERROR", "child $$ failed to exec($cmd) $!\n"); + exit 0; +} +exit 0; # borrowed from mailgraph.pl sub daemonize { - use POSIX 'setsid'; - my ($myname, $pidDir) = (shift, shift); chdir $pidDir or die "$myname: can't chdir to $pidDir: $!"; -w $pidDir or die "$myname: can't write to $pidDir\n"; Index: macscan.pl =================================================================== RCS file: /cvsroot/netpass/NetPass/bin/macscan.pl,v retrieving revision 1.10 retrieving revision 1.11 diff -u -d -r1.10 -r1.11 --- macscan.pl 27 Apr 2005 03:54:06 -0000 1.10 +++ macscan.pl 3 Aug 2005 02:44:38 -0000 1.11 
@@ -243,12 +243,14 @@ -network => $nw); if ($macscan == 0) { - _log("INFO", "macscan is disabled for this port: $switch/$p ($nw)\n"); + # too verbose + #_log("INFO", "macscan is disabled for this port: $switch/$p ($nw)\n"); next; } if ($multi_mac ne "ALL_OK") { - _log("INFO", "multi_mac is $multi_mac for this port: $switch/$p ($nw)\n"); + # too verbose + #_log("INFO", "multi_mac is $multi_mac for this port: $switch/$p ($nw)\n"); next; } Index: proc_counter.pl =================================================================== RCS file: /cvsroot/netpass/NetPass/bin/proc_counter.pl,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- proc_counter.pl 12 Apr 2005 15:24:08 -0000 1.4 +++ proc_counter.pl 3 Aug 2005 02:44:38 -0000 1.5 @@ -69,7 +69,7 @@ my $insert = "INSERT INTO stats_procs (serverid, dt, proc, count) VALUES (?,NOW(),?,?)"; $np->db->{'dbh'}->do($delete); -my $sth = $np->dbh->{'dbh'}->prepare($insert); +my $sth = $np->db->{'dbh'}->prepare($insert); my $t = new Proc::ProcessTable; Index: resetport.pl =================================================================== RCS file: /cvsroot/netpass/NetPass/bin/resetport.pl,v retrieving revision 1.14 retrieving revision 1.15 diff -u -d -r1.14 -r1.15 --- resetport.pl 2 Jun 2005 19:59:08 -0000 1.14 +++ resetport.pl 3 Aug 2005 02:44:38 -0000 1.15 @@ -14,11 +14,12 @@ =head1 SYNOPSIS - resetport.pl [-c cstr] [-U user/pass] [-nqDh?] <traplog> + resetport.pl [-c cstr] [-U user/pass] [-t thread-queue-size] [-nqDh?] <traplog> -n "not really" -q be quiet. exit status only. -D enable debugging -c db connect string + -t thread queue size -U user/pass db user[/pass] =head1 OPTIONS 
@@ -54,6 +55,16 @@ C<OPTIONS="-Lf /opt/netpass/log/snmptraps.log -p /var/run/snmptrapd.pid -F '%#04.4y-%#02.2m-%02.2l %#02.2h:%#02.2j:%#02.2k TRAP %N;%w;%q;%A;%v\n' "> +=item B<-t thead-queue-size> + +A number denoting how many switches to delegate to each thread for monitoring. +The default is 20. If you have 100 switches in your NetPass configuration, +5 threads will be spawned. Each thread will handle incoming link up/down +processing. + +Each thread requires a connection to the database, so don't set this number +too low or you'll needless use DB resources. + =back =head1 DESCRIPTION @@ -90,9 +101,15 @@ use File::Tail; use threads; use threads::shared; +use Data::Dumper; use RUNONCE; +BEGIN { + use Config; + $Config{useithreads} or die "Recompile Perl with threads to run this program."; +} + my $otherPid = RUNONCE::alreadyRunning('resetport'); require NetPass; @@ -105,7 +122,7 @@ my %opts; -getopts('vnqDc:U:h?', \%opts); +getopts('vnqDt:c:U:h?', \%opts); pod2usage(1) if $#ARGV != 0; pod2usage(2) if exists $opts{'h'} || exists $opts{'?'}; 
@@ -154,53 +171,408 @@ # a mac on the port. my $unq = {}; +my $quar = {}; my $threads = {}; -my $myself = threads->self; +my $me = threads->self; + +my $ps = exists $opts{'t'} ? $opts{'t'} : 20; +my $threadPool = {}; +my $swThrAffin = {}; + +_log("DEBUG", "creating $ps threads\n"); + +for (my $i = 0 ; $i < $ps ; $i++) { + my %thrq : shared; + $thrq{'q'} = &share({}); + $thrq{'u'} = &share({}); + $thrq{'workLoad'} = 0; + share($thrq{'workLoad'}); + my $thr = new threads(\&thread_entry, \%thrq); + my $tid = $thr->tid; + $threadPool->{$tid} = {}; + $threadPool->{$tid}->{thro} = $thr; + $threadPool->{$tid}->{thrq} = \%thrq; +} + +_log("DEBUG", "parent entering endless loop\n"); while (1) { + _log("DEBUG", $me->tid." parent awake. checking log file.\n"); my @lines = (); while ($fh->predict == 0) { push @lines, $fh->read; } RUNONCE::handleConnection(); - processLines($np, $unq, \@lines); + processLines($np, $unq, $quar, \@lines); - foreach my $switch (keys %$unq) { - if (!defined($threads->{$switch}) || - !$myself->object($threads->{$switch}->tid)) { - # a thread doesnt exist for this switch - $threads->{$switch} = threads->create(\&procUQ, $switch); - _log("INFO", "spawning thread to handle $switch\n"); + my $alreadyDidThisSwitch = {}; + + foreach my $switch (keys %$unq, keys %$quar) { + next if (exists $alreadyDidThisSwitch->{$switch}); + $alreadyDidThisSwitch->{$switch} = 1; + + _log("DEBUG", $me->tid." processing work read from log file\n"); + my $tid; + + # if this switch isnt being handled by an existing + # thread, find a thread to handle it + + if (! exists($swThrAffin->{$switch}) ) { + # find a thread to assign it to + $tid = findThread($threadPool); + _log("DEBUG", $me->tid." findThread says to assign $switch to ".$tid."\n"); + $swThrAffin->{$switch} = $tid; + } else { + $tid = $swThrAffin->{$switch}; + _log("DEBUG", $me->tid." assigning work for $switch to $tid\n"); + } + + # add the work to the thread's queue + + _log("DEBUG", $me->tid." 
adding work (".join(',',@{$unq->{$switch}}).") to ".$tid."'s U queue\n") + if exists($unq->{$switch}); + _log("DEBUG", $me->tid." adding work (".join(',',@{$quar->{$switch}}).") to ".$tid."'s Q queue\n") + if exists($quar->{$switch}); + + { + lock(%{$threadPool->{$tid}->{'thrq'}}); + if (! exists $threadPool->{$tid}->{'thrq'}->{'u'}->{$switch}) { + $threadPool->{$tid}->{'thrq'}->{'u'}->{$switch} = &share([]); + } + if (! exists $threadPool->{$tid}->{'thrq'}->{'q'}->{$switch}) { + $threadPool->{$tid}->{'thrq'}->{'q'}->{$switch} = &share([]); + } + if ( exists $unq->{$switch} ) { + push @{$threadPool->{$tid}->{'thrq'}->{'u'}->{$switch}}, @{$unq->{$switch}} + if ($#{$unq->{$switch}} > -1); + delete $unq->{$switch}; + } + if ( exists $quar->{$switch} ) { + push @{$threadPool->{$tid}->{'thrq'}->{'q'}->{$switch}}, @{$quar->{$switch}} + if ($#{$quar->{$switch}} > -1); + delete $quar->{$switch}; + } } } - $myself->yield; - sleep(10); + $me->yield; + _log("DEBUG", $me->tid." parent done assigning work. sleeping.\n"); + sleep(11); } exit 0; =head1 PROGRAMMERS DOC +=head2 Overview + +This application is split into N threads. The main thread watches the +snmptrap.log file and parses new lines that appear in that file. If the +log entry indicates a link down trap, the main thread handles logging +the quarantine request to the database. + +If the log entry indicates a link up trap, the main thread will pass +that information (the switch and port) to a worker thread. It's the +job of the worker thread to watch the switch port for the appearance +of a MAC address, evaluate it and possibly unquarantine the port based +upon what the results of the MAC evaluation are. + +=head2 findThread( ) + +Search through the available threads and select one to handle the (new) +switch. Right now, this is fairly simple, just add it to the thread that +has the least switches. In the future, we might want to track switch +time and avoid threads that are bogged down with slow switches. 
+ +=cut + +sub findThread { + my $tp = shift; + + my %qLens; + my $firstSeen; + + foreach my $tid (keys %$tp) { + lock($tp->{$tid}->{thrq}); + $qLens{$tid} = $tp->{$tid}->{'thrq'}->{'workLoad'}; + $firstSeen = $tid unless $firstSeen; + } + + my $assignToMe = ''; + my $min = ''; + + foreach my $tid (keys %qLens) { + if ( ($min eq '') || ($qLens{$tid} < $min ) ) { + $assignToMe = $tid; + $min = $qLens{$tid}; + } + } + + return $assignToMe || $firstSeen; +} + +=head2 removeFromQCheck($privQ, $privQT, $publicU, $switch) + +Given the public unquarantine (linkup) queue and the private +quarantine (linkdown) queue, private quarantine (linkdown) time +list and a switch: + +if a port on the pub queue is also on the priv queue, remove +it from the priv queue and remove it from the priv queue time. + +=cut + +sub removeFromQCheck { + my $priv = shift; + my $privT = shift; + my $pub = shift; + my $sw = shift; + + return unless ( (ref($priv) eq "HASH") && + (ref($pub) eq "HASH") && + (ref($privT) eq "ARRAY") && + (exists $priv->{$sw}) && + (exists $pub->{$sw}) ); + + # strip the ports from the priv queue + + foreach my $port (@{$pub->{$sw}}) { + @{$priv->{$sw}} = grep !/^$port$/, @{$priv->{$sw}}; + } + + # remove any times that no longer have associated ports + + for (my $port = 1 ; $port <= $#{$privT->{$sw}} ; $port++) { + $privT->{$sw}->[$port] = undef + if (! grep /^$port$/, @{$priv->{$sw}}); + } +} + +=head2 removeFromUCheck($privU, $publicQ, $switch) + +Given the public quarantine (linkdown) queue and the private +unquarantine (linkup) queue and a switch: + +if a port on the pub queue is also on the priv queue, remove +it from the priv queue. 
+ +=cut + +sub removeFromUCheck { + my $priv = shift; + my $pub = shift; + my $sw = shift; + + return unless ( (ref($priv) eq "HASH") && + (ref($pub) eq "HASH") && + (exists $priv->{$sw}) && + (exists $pub->{$sw}) ); + + # strip the ports from the priv queue + + foreach my $port (@{$pub->{$sw}}) { + @{$priv->{$sw}} = grep !/^$port$/, @{$priv->{$sw}}; + } +} + +=head2 thread_entry( ) + +This is the entry point for the worker threads. This routine sits +in an endless loop watching for new work to be placed on the +queue. When it sees new work, it moves it from the queue to a +private queue. It then periodically calls procUQ() to process +the work. procUQ() will remove the work from the private queue +when it is finished, or leave it on the private queue if it +was not able to process the work. + +=cut + +sub thread_entry { + my $self = threads->self; + my $thrq = shift; + + my $pq = { + 'q' => {} , + 'u' => {} , + 'qt' => {} + }; + + print $self->tid(), " connecting to DB\n" if $opts{'D'}; + + my ($dbuser, $dbpass) = exists $opts{'U'} ? split('/', $opts{'U'}) : (undef, undef); + + my $np = new NetPass(-cstr => exists $opts{'c'} ? $opts{'c'} : undef, + -dbuser => $dbuser, -dbpass => $dbpass, + -debug => exists $opts{'D'} ? 0 : 0, #XXX + -quiet => exists $opts{'q'} ? 1 : 0); + + + if (ref($np) ne "NetPass") { + _log("ERROR", "failed to connect to NetPass: $np\n"); + return; + } + + + while(1) { + my $didWork = 0; + { + lock($thrq); + + my $wl = workLoad($pq); + $thrq->{'workLoad'} = $wl; + + #print $self->tid, " wakeup wl=$wl\n"; + + # move work to the private queues, deleting it from + # the public queue. if the port is not already on + # the linkdown queue, record the current time (and associate + # it with the port) so we can implement the linkflap + # tolerance feature. + + # the ports coming are guaranteed (by 'processLines') to be + # unique. iow, you wont see the same port on both the + # linkup and linkdown queues. so... 
+ + # if the port is on the private linkup queue, and we see + # it on the public (newly detected) linkdown queue, then + # remove it from the private linkup queue as link is now + # down and we dont want to continue to process it as + # if link is up. a port may persist on the linkup queue + # for a while if unquar-on-linkup is enabled and no mac + # has appeared on the port. + + # also, if the port is on the private linkdown queue, and + # we see it on the public (newly detected) linkup queue then + # remove it from the private linkdown queue. because link + # is now up and we no longer want to process it for the + # linkdown event. ports may persist on the linkdown queue + # for a while if linkflap tolerance is enabled. + + my $alreadyDidThisSwitch = {}; + + foreach my $sw (keys %{$thrq->{'q'}}, keys %{$thrq->{'u'}}) { + next if (exists $alreadyDidThisSwitch->{$sw}); + $alreadyDidThisSwitch->{$sw} = 1; + + if (! exists $pq->{'q'}->{$sw}) { + $pq->{'q'}->{$sw} = &share([]); + $pq->{'qt'}->{$sw} = &share([]); + $pq->{'u'}->{$sw} = &share([]); + } + + #print $self->tid, " sw=$sw moving u..\n"; + + # run thru the new unquarantine ports (linkup ports) + # and see if any of them are on the private + # linkdown queue. if they are, remove them from the + # priv linkdown queue (quar 'q' queue) + + removeFromQCheck($pq->{'q'}, $pq->{'qt'}, + $thrq->{'u'}, $sw); + + # run thru the new quarantine ports (linkdown ports) + # and see if any of them are on the private + # linkup queue. if they are, remove them from the + # priv linkup queue (unquar 'u' queue) + + removeFromUCheck($pq->{'u'}, $thrq->{'q'}, $sw); + + # push the port onto the unquarantine work queue + # for this switch and then uniq that queue to remove + # duplicates. empty the public queue. + + push @{$pq->{'u'}->{$sw}}, @{$thrq->{'u'}->{$sw}}; + $pq->{'u'}->{$sw} = uniq($pq->{'u'}->{$sw}); + $thrq->{'u'}->{$sw} = &share([]); + + # push the port onto the quarantine work queue + # for this switch. 
if the port wasn't already on + # the queue, record the current time so we can + # to the linkflap tolerance feature. empty the + # public queue. + + #print $self->tid, " sw=$sw moving q..\n"; + + ($pq->{'q'}->{$sw}, + $pq->{'qt'}->{$sw}) + = linkflap_starttime_calculation($pq->{'q'}->{$sw}, + $pq->{'qt'}->{$sw}, + $thrq->{'q'}->{$sw}); + + $pq->{'q'}->{$sw} = uniq($pq->{'q'}->{$sw}); + $thrq->{'q'}->{$sw} = &share([]); + $pq = procUQ($pq, $np); + } + + } + sleep(10) unless $didWork; + } +} + +sub linkflap_starttime_calculation { + my $priv = shift; # private queue (arrayref) + my $ptl = shift; # port time list (arrayref) + my $pub = shift; # public queue (arrayref) + + return undef unless (ref($priv) eq "ARRAY"); + return undef unless (ref($ptl) eq "ARRAY"); + return undef unless (ref($pub) eq "ARRAY"); + + foreach my $port (@{$pub}) { + if (grep (/^$port$/, @{$priv})) { + # port is already on the list + } else { + # record the time at which we added + # this port to the queue + $ptl->[$port] = time(); + push @{$priv}, $port; + } + } + + return ($priv, $ptl); +} + + +sub uniq { + my $ar = shift; + return unless (ref($ar) eq "ARRAY"); + my %h = map { $_ => $_ } @{$ar}; + $ar = [ sort keys %h ]; + return $ar; +} + +sub workLoad { + my $pq = shift; + my $wl = 0; + if (ref($pq) eq "HASH") { + foreach my $sw (keys %{$pq->{'u'}}) { + $wl += @{$pq->{'u'}->{$sw}}; + } + foreach my $sw (keys %{$pq->{'q'}}) { + $wl += @{$pq->{'q'}->{$sw}}; + } + } + return $wl; +} + =head2 processLines(\@lines) This routine will take an array ref containing lines read from the file -and will parse them. For lines that show linkdown, we will immediately -quarantine the port. For lines that show linkup, we'll stash the -switch/port into a work-list ($unq) if unquar-on-linkup is set. +and will parse them. For lines that show linkdown, we will place them +on the work queue to be delegated to a thread for handling. 
+ +For lines that show linkup, we'll place them on the work queue +if unquar-on-linkup is set. Periodically, that list will be processed by another routine. =cut sub processLines { - my ($np, $unq) = (shift, shift); + my ($np, $unq, $quar) = (shift, shift, shift); my $lines = shift; - # reload this value to be sure we have the current one - my $unq_on_linkup = $np->cfg->policy(-key => 'UNQUAR_ON_LINKUP') || "0"; - while (defined(my $l = shift @{$lines})) { chomp $l; 
@@ -234,66 +606,33 @@ next; } - _log("DEBUG", "checking if resetport is enabled...\n") if exists $opts{'D'}; + _log("DEBUG", "$switch/$port checking if resetport is enabled...\n") if exists $opts{'D'}; if (resetPortEnabled($np, $switch, $port) == 0) { - _log("DEBUG", "reset port is disabled for $switch $port. skipping.\n"); + _log("DEBUG", "$switch/$port reset port is disabled for $switch $port. skipping.\n"); next; } - _log("DEBUG", "yes it is...\n") if exists $opts{'D'}; - - _log("DEBUG", "ttype=$ttype sw=$switch port=$port\n") if exists $opts{'D'}; - - if ($ttype == 2) { # LINKDOWN - _log("INFO", "LINKDOWN quarantine $switch / $port\n"); + _log("DEBUG", "$switch/$port yes, reserport is enabled and ttype=$ttype\n") if exists $opts{'D'}; - # if the link is down, and this port is on our linkup worklist, - # remove it. + if ($ttype == 2) { # LINKDOWN + _log("INFO", "$switch/$port LINKDOWN\n"); - if (exists $unq->{$switch}) { - { - my @pl; - lock($unq->{$switch}); - while (my $p = shift @{$unq->{$switch}}) { - next if ($p =~ /^$port$/); - push @pl, $p; - } - push @{$unq->{$switch}}, @pl; - } - } + # if the port is already on the linkup queue, remove it from that + # queue (because this event - linkdown - occurred at a later time) - if (exists $opts{'n'}) { - _log("DEBUG", " not really!\n") if exists $opts{'D'}; - _log("INFO", "-n flag given. 
not really doing it.\n"); - } else { - $np->db->requestMovePort(-switch => $switch, -port => $port, - -vlan => 'quarantine', - -by => 'resetport.pl') || - _log("ERROR", $np->db->error()); - _log ("DEBUG", " backfrom dbh->requestMovePort\n") - if exists $opts{'D'}; - } + @{$unq->{$switch}} = grep !/^$port$/, @{$unq->{$switch}} if (exists ($unq->{$switch})); + $quar->{$switch} = [] if (!exists($quar->{$switch})); + push @{$quar->{$switch}}, $port; } - elsif (($ttype == 3) && ($unq_on_linkup ne "0")) { # LINKUP - _log("INFO", "LINKUP (maybe) unquarantine $switch / $port\n"); + elsif ($ttype == 3) { # LINKUP + _log("INFO", "$switch/$port LINKUP\n"); - # just record the switch, port. we process quar-on-linkup in a separate - # routine + # if the port is already on the linkdown queue, remove it from that + # queue (because this event - linkdown - occurred at a later time - if (exists($unq->{$switch})) { - { - lock($unq->{$switch}); - if (!grep {/^$port/} @{$unq->{$switch}}) { - push @{$unq->{$switch}}, $port; - } - } - } else { - $unq->{$switch} = &share([]); - { - lock($unq->{$switch}); - push @{$unq->{$switch}}, $port; - } - } + @{$quar->{$switch}} = grep !/^$port$/, @{$quar->{$switch}} if (exists ($quar->{$switch})); + $unq->{$switch} = [] if (!exists($unq->{$switch})); + push @{$unq->{$switch}}, $port; } } } 
@@ -309,169 +648,265 @@ show any attached macs) will be left on the list and reviewed again the next time we are called. -=cut - -sub procUQ { - my $switch = shift; +A port will be reviewed for a maximum of 1 hour. If we don't see a MAC +appear in that time, we stop looking. +=cut - print "thread connecting to DB\n" if $opts{'D'}; +# - my ($dbuser, $dbpass) = exists $opts{'U'} ? split('/', $opts{'U'}) : (undef, undef); +sub procUQ { + my $pq = shift; + my $np = shift; - my $np = new NetPass(-cstr => exists $opts{'c'} ? $opts{'c'} : undef, - -dbuser => $dbuser, -dbpass => $dbpass, - -debug => exists $opts{'D'} ? 1 : 0, - -quiet => exists $opts{'q'} ? 1 : 0); - - # reload this value to be sure we have the current one - my $unq_on_linkup = $np->cfg->policy(-key => 'UNQUAR_ON_LINKUP') || "0"; + my $self = threads->self; - if (ref($np) ne "NetPass") { - _log("ERROR", "failed to connect to NetPass: $np\n"); - threads->join; - return 1; - } + # process unquarantine (linkup) events - my $cn = ($np->cfg->getCommunities($switch))[1]; + my $switches = uniq [ keys %{$pq->{'u'}}, keys %{$pq->{'q'}} ]; - while (1) { - my @failed = (); + foreach my $switch (@$switches) { + my $cn = ($np->cfg->getCommunities($switch))[1]; - { # start lock - lock($unq->{$switch}); + my $failed = {}; - goto endlock if ($#{$unq->{$switch}} < 0); + next if (!exists($pq->{'u'}->{$switch}) && !exists($pq->{'q'}->{$switch})); + next if (($#{$pq->{'u'}->{$switch}} == -1) && ($#{$pq->{'q'}->{$switch}} == -1)); my $snmp = new SNMP::Device('hostname' => $switch, 'snmp_community' => $cn); my ($mp, $pm) = $snmp->get_mac_port_table(); - foreach my $port (@{$unq->{$switch}}) { - # figure out what macs are on this port - - _log("DEBUG", "link up $switch $port and unq_lu is $unq_on_linkup\n"); - - print "fetch maclist ($unq_on_linkup)\n" if exists $opts{'D'}; - my $macList = $pm->{$port}; - if (!defined($macList)) { - _log ("ERROR", "we want to unquar on linkup, but $switch doesnt have mac information available 
for port $port yet!\n"); - push @failed, $port; - next; - } - - print "macList=".join(',', @$macList)."\n" if exists $opts{'D'}; - - if ($unq_on_linkup eq "1") { - print "unq=ON findRegMac\n" if exists $opts{'D'}; + if (exists ($pq->{'u'}->{$switch})) { + foreach my $port (@{$pq->{'u'}->{$switch}}) { + + # if the port is on the 'q' queue, remove it from that queue since + # link is now, apparently, up. + + if (exists ($pq->{'q'}->{$switch})) { + _log("DEBUG", $self->tid(). " $switch $port possibly removing from 'q'\n"); + @{$pq->{'q'}->{$switch}} = grep !/^$port$/, @{$pq->{'q'}->{$switch}}; + if (exists ($pq->{'qt'}->{$switch})) { + $pq->{'qt'}->{$switch}->[$port] = undef; + } + } + + my $unq_on_linkup = $np->cfg->policy(-key => 'UNQUAR_ON_LINKUP') || "0"; + my $rppt = $np->cfg->policy(-key => 'RESETPORT_PORT_POLL_TIME') || 0; - # in order to move the port to unquarantine - # we just need to call validateMac on the first - # registered mac address we found. + # if possible, we'll resolve the switch/port to a specific network and the + # look to see if the above policy settings are over-ridden at the network or + # netgroup level. - my ($regMac, $regMacStatus) = findRegMac($np, $macList); - if (!defined($regMac)) { - _log ("WARNING", "no macs registered on $switch $port. leaving in quarantine.\n"); - } else { - _log("DEBUG", "regMac $regMac $regMacStatus\n") if exists $opts{'D'}; + my $curNw = $np->cfg->getMatchingNetwork(-switch => $switch, -port => $port); + if ($curNw =~ /^\d/) { + _log("DEBUG", $self->tid(). " sw=$switch po=$port nw=$curNw\n"); + $unq_on_linkup = $np->cfg->policy(-key => 'UNQUAR_ON_LINKUP', -network => $curNw); + $rppt = $np->cfg->policy(-key => 'RESETPORT_PORT_POLL_TIME', -network => $curNw); + } + + # figure out what macs are on this port + + _log("DEBUG", $self->tid. " link up $switch $port and unq_lu=$unq_on_linkup rppt=$rppt\n"); + + print $self->tid. 
" fetch maclist\n" if exists $opts{'D'}; + + if (!exists ($failed->{$switch})) { + $failed->{$switch} = []; + $failed->{$switch."PT"} = []; + } + + my $macList = $pm->{$port}; + if (!defined($macList)) { + _log ("ERROR", $self->tid(). + " we want to unquar on linkup, but $switch doesnt have mac information available for port $port yet!\n"); + push @{$failed->{$switch}}, $port; + $failed->{$switch."PT"}->[$port] = time(); #XXX + next; + } + + print "macList=".join(',', @$macList)."\n" if exists $opts{'D'}; + + if ($unq_on_linkup eq "1") { + print $self->tid(), " unq=ON findRegMac\n" if exists $opts{'D'}; - _log ("DEBUG", "found a registered mac ($regMac) on $switch $port\n"); - # if we are alone on this port, and are UNQUAR - # then unquarantine us + # in order to move the port to unquarantine + # we just need to call validateMac on the first + # registered mac address we found. - if ($#{$macList} == 0) { - _log ("DEBUG", "$regMac is alone on $switch $port. status is $regMacStatus\n"); - if ($regMacStatus =~ /UNQUAR$/) { - _log ("DEBUG", "$regMac unquarantine $switch $port\n"); - if(exists $opts{'n'}) { - _log("DEBUG", "not really!\n"); - } else { - $np->db->requestMovePort(-switch => $switch, -port => $port, - -vlan => 'unquarantine', -by => 'resetport.pl') || - push @failed, $port; - } - } else { - _log ("DEBUG", "$regMac leave quar $switch $port\n"); - } + my ($regMac, $regMacStatus) = findRegMac($np, $macList); + if (!defined($regMac)) { + _log ("WARNING", $self->tid(). " no macs registered on $switch $port. leaving in quarantine.\n"); } else { - # if we are not alone, then enforceMultiMacPolicy - # and do whatever it says to do (quar or unquar) + _log("DEBUG", $self->tid(). " regMac $regMac $regMacStatus\n") if exists $opts{'D'}; - _log ("DEBUG", "$switch $port has more than one mac on it. enforceMultiMacPolicy\n"); + _log ("DEBUG", $self->tid(). 
" found a registered mac ($regMac) on $switch $port\n"); + # if we are alone on this port, and are UNQUAR + # then unquarantine us - my ($_rv, $_sw, $_po) = $np->enforceMultiMacPolicy($regMac, '', $regMacStatus, - $switch, $port, - undef, {$port => $macList}); - if ($_rv =~ /UNQUAR$/) { - _log ("DEBUG", "$switch $port multiMac said to unquarantine the port.\n"); - if (exists $opts{'n'}) { - _log("DEBUG", "not really!\n"); + if ($#{$macList} == 0) { + _log ("DEBUG", $self->tid(). " $regMac is alone on $switch $port. status is $regMacStatus\n"); + if ($regMacStatus =~ /UNQUAR$/) { + _log ("DEBUG", $self->tid(). " $regMac unquarantine $switch $port\n"); + if(exists $opts{'n'}) { + _log("DEBUG", $self->tid(). " not really!\n"); + } else { + $np->db->requestMovePort(-switch => $switch, -port => $port, + -vlan => 'unquarantine', -by => 'resetport.pl') || + push @{$failed->{$switch}}, $port; + } } else { - $np->db->requestMovePort(-switch => $switch, -port => $port, - -vlan => 'unquarantine', -by => 'resetport.pl') || - push @failed, $port; + _log ("DEBUG", $self->tid(). " $regMac leave quar $switch $port\n"); } } else { - _log ("DEBUG", "$switch $port multiMac said to quarantine the port.\n"); + # if we are not alone, then enforceMultiMacPolicy + # and do whatever it says to do (quar or unquar) + + _log ("DEBUG", $self->tid(). " $switch $port has more than one mac on it. enforceMultiMacPolicy\n"); + + my ($_rv, $_sw, $_po) = $np->enforceMultiMacPolicy($regMac, '', $regMacStatus, + $switch, $port, + undef, {$port => $macList}); + if ($_rv =~ /UNQUAR$/) { + _log ("DEBUG", $self->tid(). " $switch $port multiMac said to unquarantine the port.\n"); + if (exists $opts{'n'}) { + _log("DEBUG", "not really!\n"); + } else { + $np->db->requestMovePort(-switch => $switch, -port => $port, + -vlan => 'unquarantine', -by => 'resetport.pl') || + push @{$failed->{$switch}}, $port; + } + } else { + _log ("DEBUG", $self->tid()." 
$switch $port multiMac said to quarantine the port.\n"); + } + } } + } + elsif($unq_on_linkup =~ /^ITDEPENDS$/) { + # "ITDEPENDS" means that in order to unquarantine this port + # the following must be true: + # + # if MULTI_MAC is ALL_OK then + # all of the clients on this port must be tagged as uqlinkup="yes" + # AND they all must be registered and P/UNQUAR. UQLinkUp_itDepends() + # does this in a single query. + # else + # XXX we're not going to implement the other MULTI_MAC cases yet + # endif + my $numOK = $np->db->UQLinkUp_itDependsCheck($macList); + my $mmpol = $np->cfg->policy(-key => 'MULTI_MAC'); + + if ( ($numOK == ($#$macList+1)) && ($mmpol eq "ALL_OK") ) { + _log ("DEBUG", $self->tid()." $switch $port 'itdepends' set. everything looks good. unquar port. ", + "numOK=$numOK numMacs=".($#$macList+1)." mmpol=$mmpol\n"); + if (exists $opts{'n'}) { + _log("DEBUG", $self->tid(). " not really!\n"); + } else { + $np->db->requestMovePort(-switch => $switch, + -port => $port, + -vlan => 'unquarantine', + -by => 'resetport.pl') || + push @{$failed->{$switch}}, $port; + } + } else { + _log ("DEBUG", $self->tid()." $switch $port 'itdepends' set. somethings not right. quar port. ", + "numOK=$numOK numMacs=".($#$macList+1)." mmpol=$mmpol maclist=(", + join(',', @$macList), + ")\n"); + } } - } - elsif($unq_on_linkup =~ /^ITDEPENDS$/) { - # "ITDEPENDS" means that in order to unquarantine this port - # the following must be true: - # - # if MULTI_MAC is ALL_OK then - # all of the clients on this port must be tagged as uqlinkup="yes" - # AND they all must be registered and P/UNQUAR. UQLinkUp_itDepends() - # does this in a single query. 
- # else - # XXX we're not going to implement the other MULTI_MAC cases yet - # endif - - my $numOK = $np->db->UQLinkUp_itDependsCheck($macList); - my $mmpol = $np->cfg->policy(-key => 'MULTI_MAC'); + } + + if (exists $pq->{'q'}->{$switch}) { + foreach my $port (@{$pq->{'q'}->{$switch}}) { + my $unq_on_linkup = $np->cfg->policy(-key => 'UNQUAR_ON_LINKUP') || "0"; + my $rppt = $np->cfg->policy(-key => 'RESETPORT_PORT_POLL_TIME') || 0; + my $lftol = $np->cfg->policy(-key => 'LINKFLAP_TOLERANCE') || 0; + + # if possible, we'll resolve the switch/port to a specific network and the + # look to see if the above policy settings are over-ridden at the network or + # netgroup level. + + my $curNw = $np->cfg->getMatchingNetwork(-switch => $switch, -port => $port); + if ($curNw =~ /^\d/) { + _log("DEBUG", $self->tid(). " sw=$switch po=$port nw=$curNw\n"); + $unq_on_linkup = $np->cfg->policy(-key => 'UNQUAR_ON_LINKUP', -network => $curNw); + $rppt = $np->cfg->policy(-key => 'RESETPORT_PORT_POLL_TIME', -network => $curNw); + $lftol = $np->cfg->policy(-key => 'LINKFLAP_TOLERANCE', -network => $curNw) || 0; + } - if ( ($numOK == ($#$macList+1)) && ($mmpol eq "ALL_OK") ) { - _log ("DEBUG", "$switch $port 'itdepends' set. everything looks good. unquar port. ", - "numOK=$numOK numMacs=".($#$macList+1)." mmpol=$mmpol\n"); - if (exists $opts{'n'}) { - _log("DEBUG", "not really!\n"); + _log("DEBUG", $self->tid. " link down $switch $port and unq_lu=$unq_on_linkup rppt=$rppt\n"); + + # if we have a link flap tolerance time set, dont do anything until the time has + # expired. if link comes back up on the port before the time expires, the port + # will be removed from the 'q' queue by the linkup code above. if the timer + # expires, quarantine the port. + + if ($rppt) { + if ($pq->{'qt'}->{$switch}->[$port]) { + # if we are on the 'u' list then link is up and we'll be + # removed from the 'u' list by the linkup code above. 
+ + # if the timer has expired, tho, we should quarantine this port. + # otherwise leave the port on the 'q' list + + if ( time() - $pq->{'qt'}->{$switch}->[$port] > $lftol ) { + + $np->db->requestMovePort(-switch => $switch, -port => $port, + -vlan => 'quarantine', + -by => 'resetport.pl') || + _log("ERROR", $np->db->error()); + _log ("DEBUG", $self->tid()." quarantined $switch $port because rppt expired\n") + if exists $opts{'D'}; + + # remove the port from the linkdown queue since we've processed it + + @{$pq->{'q'}->{$switch}} = grep /!$port$/, @{$pq->{'q'}->{$switch}}; + $pq->{'qt'}->{$switch}->[$port] = undef; + } else { + _log ("DEBUG", $self->tid(). + " $switch $port has linkdown, but is recent, we'll wait a while: ". + (time() - $pq->{'qt'}->{$switch}->[$port])." secs old (of $lftol max)\n"); + } + } else { + _log ("DEBUG", $self->tid()." $switch $port has no first-seen time, but should.\n"); + $pq->{'qt'}->{$switch}->[$port] = time(); + } } else { - $np->db->requestMovePort(-switch => $switch, - -port => $port, - -vlan => 'unquarantine', + # rppt is not set (or set to zero) so immediate quarantine the port + + $np->db->requestMovePort(-switch => $switch, -port => $port, + -vlan => 'quarantine', -by => 'resetport.pl') || - push @failed, $port; - } - } else { - _log ("DEBUG", "$switch $port 'itdepends' set. somethings not right. quar port. ", - "numOK=$numOK numMacs=".($#$macList+1)." mmpol=$mmpol maclist=(", - join(',', @$macList), - ")\n"); + _log("ERROR", $np->db->error()); + _log ("DEBUG", $self->tid()." immediately quarantined $switch $port because rppt=0\n") + if exists $opts{'D'}; + + # remove the port from the linkdown queue since we've processed it + + @{$pq->{'q'}->{$switch}} = grep /!$port$/, @{$pq->{'q'}->{$switch}}; + $pq->{'qt'}->{$switch}->[$port] = undef; + } } } - } - # shift off all the ports we have worked on - while (shift @{$unq->{$switch}}) {} - # push on the ones that have failed so we can take care of - # them next time around. 
- push @{$unq->{$switch}}, @failed; - -endlock: - } # end lock - threads->yield; - sleep(5); - } # end while + # save the ports that have failed so we can take care of + # them next time around. since this is our private queue, + # no need to share it. + + if (exists $failed->{$switch}) { + @{$pq->{'u'}->{$switch}} = @{$failed->{$switch}}; + } else { + $pq->{'u'}->{$switch} = []; + } + } - # we shouldn't be leaving the while loop but if we are - # make sure we join up with the parent thread + } # end foreach - threads->join; - return 1; + return $pq; } Index: portmover.pl =================================================================== RCS file: /cvsroot/netpass/NetPass/bin/portmover.pl,v retrieving revision 1.5 retrieving revision 1.6 diff -u -d -r1.5 -r1.6 --- portmover.pl 27 Apr 2005 03:54:06 -0000 1.5 +++ portmover.pl 3 Aug 2005 02:44:38 -0000 1.6 @@ -16,6 +16,7 @@ moveport.pl [-c cstr] [-U user/pass] [-n] [-q] [-D] -c cstr db connect string -U user/pass db user[/pass] + -t thread queue size -n "not really" -q be quiet. exit status only. -D enable debugging @@ -47,6 +48,18 @@ Enable debugging output. This flag causes this script to run in the foreground. Otherwise, this script will detach and run in the background. +=item B<-t thead-queue-size> + +A number denoting how many switches to delegate to each thread for processing. +The default is 20. If you have 100 switches in your NetPass configuration, +5 threads will be spawned. Each thread will deal with moving ports back +and forth on the switches that are assigned to it. + +Each thread requires a connection to the database, so don't set this number +too low or you'll needless use DB resources. If you make the number too +high, then a slow switch or a large number of ports to be moved could +slow things down for many people. + =back =head1 DESCRIPTION |
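Review bot: In thread_entry, the `foreach my $sw (keys %{$thrq->{'q'}}, keys %{$thrq->{'u'}})` loop walks the union of both public queues but then dereferences `$thrq->{'u'}->{$sw}` and `$thrq->{'q'}->{$sw}` unconditionally, while processLines (in the @@ -234 hunk) only creates the queue for the event type it actually saw, so a switch whose first event is a linkdown has no 'u' entry and vice versa. `push @{$pq->{'u'}->{$sw}}, @{$thrq->{'u'}->{$sw}}` then dereferences undef (fatal under strict refs), and on the other side linkflap_starttime_calculation fails its `ref($pub) eq "ARRAY"` test and returns a bare `undef`, which the list assignment turns into `$pq->{'q'}->{$sw} = undef; $pq->{'qt'}->{$sw} = undef`, discarding every pending linkdown port and first-seen time for that switch. Create the missing side before the moves (`$thrq->{'q'}->{$sw} = &share([]) unless exists $thrq->{'q'}->{$sw};`, likewise for 'u') and have linkflap_starttime_calculation return `($priv, $ptl)` untouched on a bad `$pub`. Two more things in this hunk: removeFromQCheck tests `ref($privT) eq "ARRAY"`, but the caller passes `$pq->{'qt'}`, a hash keyed by switch that the body itself indexes as `$privT->{$sw}`, so the guard always fails and the routine silently does nothing (make it `"HASH"` and add `exists $privT->{$sw}` to the other exists checks); and `$pq = procUQ($pq, $np);` sits inside the per-switch foreach and inside `lock($thrq)`, so with N switches procUQ, which scans every switch in `$pq` on each call, runs N times per wakeup with the shared queue locked throughout the SNMP polls. Move it after the foreach and outside the lock block, and set `$didWork = 1` when work was moved, since `sleep(10) unless $didWork` currently always sleeps.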
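Review bot: In the @@ -234 hunk processLines no longer takes `lock($unq->{$switch})` before rewriting the queues, and it creates new ones with a plain `[]` where the old code used `&share([])`. thread_entry takes `lock($thrq)` before reading these hashes, so the producer side now writes them unlocked, and if `$unq` and `$quar` are the shared `$thrq->{'u'}` / `$thrq->{'q'}` hashes handed to the threads, storing an unshared `[]` into them fails with threads::shared's "Invalid value for shared scalar". Wrap each grep/push pair in a `lock($unq)` / `lock($quar)` block and keep `&share([])`. Smaller points in the same hunk: the LINKUP comment reads "because this event - linkdown - occurred at a later time" (it should say linkup) and is missing its closing parenthesis, the new DEBUG line says "reserport" for "resetport", and `"$switch/$port reset port is disabled for $switch $port"` names the switch and port twice.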
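Review bot: In the linkdown loop of procUQ, both occurrences of `@{$pq->{'q'}->{$switch}} = grep /!$port$/, @{$pq->{'q'}->{$switch}};` use a pattern that matches a literal "!" followed by the port rather than negating the match, so nothing on the queue matches and, as soon as one port is quarantined, every other pending linkdown port for that switch is silently dropped with it. It should be `grep !/^$port$/`, as the linkup loop above already writes it. Even with that fixed, the assignment replaces the array that the enclosing `foreach my $port (@{$pq->{'q'}->{$switch}})` is iterating over, which Perl leaves undefined; collect the processed ports in a list and strip them once after the loop. The flap-tolerance gate is also inconsistent: it tests `if ($rppt)` but compares the age against `$lftol` and logs "because rppt expired", so with RESETPORT_PORT_POLL_TIME unset LINKFLAP_TOLERANCE is never honoured, and with it set but LINKFLAP_TOLERANCE at 0 the port is quarantined on the next pass regardless; gate on `$lftol`, the value actually compared. Finally, the new POD says a port is reviewed for at most 1 hour, and the linkup loop records `$failed->{$switch."PT"}->[$port] = time(); #XXX`, but neither that timestamp nor `$rppt` is read anywhere in the linkup path, so a port with no MAC information stays on the 'u' queue and is re-polled indefinitely; the `#XXX` should become the actual expiry check before this merges.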
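Review bot: The new `=item B<-t thead-queue-size>` heading in portmover.pl misspells "thread", and "don't set this number too low or you'll needless use DB resources" should read "needlessly use"; the synopsis that the @@ -16 hunk extends still names the script `moveport.pl` while the file is portmover.pl, so fix that line while you are in the block. The description should also say what happens when the switch count is not a multiple of the queue size (with 101 switches and the default of 20, is a sixth thread spawned for a single switch?), since that is what an operator tuning -t needs to know.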
From: jeff m. <jef...@us...> - 2005-08-03 02:44:47
Update of /cvsroot/netpass/NetPass/lib/NetPass In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv19022/lib/NetPass Modified Files: API.pm DB.pm Log Message: some bug fixes, resetport.pl re-write, appstarter completion, install/initd tweaks Index: DB.pm =================================================================== RCS file: /cvsroot/netpass/NetPass/lib/NetPass/DB.pm,v retrieving revision 1.48 retrieving revision 1.49 diff -u -d -r1.48 -r1.49 --- DB.pm 19 Jul 2005 14:47:50 -0000 1.48 +++ DB.pm 3 Aug 2005 02:44:39 -0000 1.49 @@ -1563,7 +1563,7 @@ } _log ("INFO", qq{$whoami added user $u groups "$groups"}); $self->audit(-ip => $myip, -user => $whoami, -severity => 'ALERT', - "user added: $u groups: $groups"); + -msg => ["user added: $u groups: $groups"]); } else { @@ -1579,8 +1579,8 @@ return "db failure ".$self->{'dbh'}->errstr; } _log ("INFO", qq{$whoami modified user $u groups "$groups_orig" to "$groups"}); - $self->audit(-ip => $myip, -user => $whoami, -severity => 'ALERT', - "groups for $u changed from: $groups_orig to: $groups"); + $self->audit(-ip => $myip, -user => $whoami, -severity => 'ALERT', -msg => + ["groups for $u changed from: $groups_orig to: $groups"]); } } } @@ -1617,7 +1617,7 @@ return "invalid params (no groups given)"; } - $self->reconnect() || return "db failure"; + $self->reconnect() || return "db failure: disconnected"; my $gs = join(';', @groups); my $sql = qq{INSERT INTO users VALUES ('$user', '$gs')}; 
@@ -1629,18 +1629,52 @@ return 0; } -=head2 getAppAction () +=head2 getAppAction( ) -Fetch the current list of pending tasks for appStarter to perform. Returns a -reference to an array of array references. +Fetch the current list of pending tasks for appStarter to perform. - [ [ $application, $action, $actionAs] , [ $application, ... ] , ... ] +RETURNS + + a reference to an array of array references on success + + [ [ rowid, application, action, actionAs] , [ rowid, application, ... ] , ... ] + + "db failure" on failure =cut sub getAppAction { my $self = shift; + $self->reconnect() || return "db failure: disconnected"; + + my $aref = $self->{'dbh'}->selectall_arrayref(qq{SELECT rowid, application, action, actionAs FROM appStarter WHERE status = 'pending'}); + if (!defined($aref)) { + return "db failure: ".$self->{'dbh'}->errstr; + } + return $aref; +} + +=head2 ackAppAction(rowid) + +Change the status of rowid to 'completed' + +RETURNS + 1 on success + "db failure" on failure + +=cut + +sub ackAppAction { + my $self = shift; + my $rowid = shift; + + my $sql = "UPDATE appStarter SET status = 'completed' WHERE rowid = ".$self->{'dbh'}->quote($rowid); + my $rv = $self->{'dbh'}->do($sql); + if (!defined($rv)) { + return "db failure: ". $self->{'dbh'}->errstr; + } + return 1; } =head2 reqAppAction ($proc, $action, $actionas) 
@@ -2744,6 +2778,30 @@ return $self->{'dbh'}->commit; } +=head2 clearRegister( ) + +Delete all data from the register data. + +RETURNS + + 1 on success + "db failure" on database failure + +=cut + +sub clearRegister { + my $self = shift; + $self->reconnect() || return "db failure: not connected"; + + my $rv = $self->{'dbh'}->do('DELETE FROM register'); + if (!defined($rv)) { + _log("ERROR", "db failure ".$self->{'dbh'}->errstr); + return "db failure ".$self->{'dbh'}->errstr; + } + return 1; +} + + =head2 updateRegister(-mac => '', -status => [QUAR|PQUAR|UNQUAR|PUNQUAR]) Update the register table for the given MAC address. Index: API.pm =================================================================== RCS file: /cvsroot/netpass/NetPass/lib/NetPass/API.pm,v retrieving revision 1.24 retrieving revision 1.25 diff -u -d -r1.24 -r1.25 --- API.pm 26 Jul 2005 15:09:37 -0000 1.24 +++ API.pm 3 Aug 2005 02:44:39 -0000 1.25 @@ -70,7 +70,7 @@ eval { require NetPass::API::Local; }; if ($@) { - _log("DEBUG", "NetPass::API::Local does not exist or has an error in it ".$@); + #_log("DEBUG", "NetPass::API::Local does not exist or has an error in it ".$@); return 0; } |
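Review bot: The @@ -1617 hunk only rewords the reconnect failure, but the context line directly below it, `my $sql = qq{INSERT INTO users VALUES ('$user', '$gs')};`, still builds the statement by interpolating `$user` and the joined group string, and the only validation visible above it is the "invalid params (no groups given)" check. The new ackAppAction in the next hunk already shows the intended pattern with `$self->{'dbh'}->quote($rowid)`; placeholders are cleaner still: `$self->{'dbh'}->do('INSERT INTO users VALUES (?, ?)', undef, $user, $gs)`. Worth fixing in the same commit since it is one line.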
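Review bot: ackAppAction runs its UPDATE without the `$self->reconnect() || return "db failure: disconnected";` guard that getAppAction and clearRegister both start with, so after a dropped connection it fails on `do` instead of reconnecting; add the guard. It also treats any defined `$rv` as success, but DBI's `do` returns "0E0" (true, numerically zero) when no row matched, so acking an unknown rowid, or a row that is no longer pending, returns 1. Add `AND status = 'pending'` to the WHERE clause and return a distinct error when `$rv == 0`, so appstarter can tell "already done" from "done by me". The getAppAction POD should also tell callers to check `ref($result) eq 'ARRAY'` before iterating, since the failure case returns a string in the same slot.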
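Review bot: clearRegister executes `DELETE FROM register` without writing an audit record, whereas the user-management routines in the @@ -1563 and @@ -1579 hunks call `$self->audit(-ip => ..., -user => ..., -severity => 'ALERT', -msg => [...])` for far smaller changes; wiping the whole register table (every MAC's quarantine status) is the most consequential write in this diff and should be audited with who requested it, which means the routine needs the caller's ip and user as parameters. Also, the POD line "Delete all data from the register data" should read "register table", and the reconnect message here is "db failure: not connected" while the rest of the file now uses "db failure: disconnected"; pick one string so callers that match on it behave the same.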
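Review bot: Commenting out the DEBUG line in the `require NetPass::API::Local` eval removes the only signal that distinguishes "this site has no Local module" from "the Local module exists but failed to compile"; both cases now return 0 silently, so a broken site override looks exactly like an absent one. Keep the log but make it conditional on the error: when `$@` does not match `/^Can't locate NetPass\/API\/Local\.pm/`, log it at ERROR rather than DEBUG, and stay quiet only for the genuinely-missing case.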
From: jeff m. <jef...@us...> - 2005-08-03 02:44:47
Update of /cvsroot/netpass/NetPass/install.d/init.d In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv19022/install.d/init.d Modified Files: mysqld ndbmgmd netpass netpassha Log Message: some bug fixes, resetport.pl re-write, appstarter completion, install/initd tweaks Index: mysqld =================================================================== RCS file: /cvsroot/netpass/NetPass/install.d/init.d/mysqld,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- mysqld 27 Apr 2005 20:36:48 -0000 1.2 +++ mysqld 3 Aug 2005 02:44:38 -0000 1.3 @@ -73,7 +73,11 @@ [ $ret -eq 0 ] && rm -f /var/lock/subsys/mysqld [ $ret -eq 0 ] && rm -f $datadir/mysql.sock + sleep 10 + killproc mysqld -KILL + killproc mysqld_safe -KILL killproc ndbd + echo return $ret } Index: netpassha =================================================================== RCS file: /cvsroot/netpass/NetPass/install.d/init.d/netpassha,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- netpassha 20 Apr 2005 13:17:02 -0000 1.2 +++ netpassha 3 Aug 2005 02:44:38 -0000 1.3 @@ -13,7 +13,13 @@ # Source networking configuration. . /etc/sysconfig/network -HASCRIPT="hascript.sh" +# specify one of your NetPass servers. currently this script +# isnt smart enough to accept mulitple and try each in turn +# also, specify which redirector this machine is. either +# "1" or "2" + +NPSERVER="npw2.cit.buffalo.edu" +MYTYPE="-r 1" # or "-r 2" [ -f /etc/sysconfig/netpass ] && . /etc/sysconfig/netpass @@ -28,9 +34,10 @@ start() { # Start daemons. - if [ -f ${B}/bin/${HASCRIPT} ] ; then + if [ -f ${B}/bin/interfacecfg.pl ] ; then echo -n $"Starting netpass-ha: " - daemon ${B}/bin/${HASCRIPT} + ${B}/bin/interfacecfg.pl -c "dbi:mysql:database=netpass;host=${NPSERVER}" ${MYTYPE} | /bin/sh 2>&1 >& /dev/null + success echo #[ $RETVAL -eq 0 ] && exit $RETVAL fi 
@@ -41,6 +48,8 @@ stop() { # at this time, there's no way to shutdown HA + action $"Stopping $prog: " /bin/true + return 0 } Index: ndbmgmd =================================================================== RCS file: /cvsroot/netpass/NetPass/install.d/init.d/ndbmgmd,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- ndbmgmd 30 Apr 2005 18:08:04 -0000 1.2 +++ ndbmgmd 3 Aug 2005 02:44:38 -0000 1.3 @@ -3,6 +3,10 @@ # ndb_mgmd Start/Stop the ndb_mgmd. # # chkconfig: 2345 40 60 +# description: MySQL NDB Management Daemon +# +# processname: ndb_mgmd +# pidfile: # # Source function library. . /etc/rc.d/init.d/functions Index: netpass =================================================================== RCS file: /cvsroot/netpass/NetPass/install.d/init.d/netpass,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- netpass 16 May 2005 16:10:43 -0000 1.4 +++ netpass 3 Aug 2005 02:44:38 -0000 1.5 @@ -67,6 +67,11 @@ echo #[ $RETVAL -eq 0 ] && exit $RETVAL + echo -n $"Starting appstarter: " + daemon ${B}/bin/appstarter.pl + echo + #[ $RETVAL -eq 0 ] && exit $RETVAL + return 0 } |
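Review bot: The stop() hunk in mysqld sleeps 10 seconds and then sends SIGKILL to mysqld and mysqld_safe unconditionally, even when the graceful stop above it returned 0 and the server is still flushing or has already exited, and it removes the lock file and socket before that happens. Killing a mysqld that is still writing is how tables get corrupted; poll for the process for up to the timeout and escalate to `killproc mysqld -KILL` only if it is still alive, then remove the lock and socket once the process is confirmed gone.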
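Review bot: The @@ -13 hunk in netpassha hard-codes a site-specific host, `NPSERVER="npw2.cit.buffalo.edu"`, and the node role `MYTYPE="-r 1"` into an init script shipped in the tree, and does so before `/etc/sysconfig/netpass` is sourced, so every deployment has to edit the script and the values are overwritten on upgrade. Make them defaults that the sysconfig file overrides (assign them only if still empty after the `.`) and drop the real hostname from the committed copy. The comment has "mulitple" for "multiple".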
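Review bot: In the @@ -28 hunk of netpassha, the output of `${B}/bin/interfacecfg.pl -c "dbi:mysql:database=netpass;host=${NPSERVER}" ${MYTYPE}` is piped straight into `/bin/sh` and executed as root, so whatever shapes that script's output, including the contents of the netpass database on the remote host named in the DSN, runs as commands on the HA node with no chance to inspect it; have interfacecfg.pl write the commands to a file (or apply them itself) and check its exit status before acting. `success` is then printed unconditionally, so a failed run still reports OK, and the `2>&1 >& /dev/null` redirection is a bash-ism in which the `2>&1` is redundant; `>/dev/null 2>&1` is the portable form. The `[ $RETVAL -eq 0 ]` check below remains commented out, so nothing ever produces a failure status.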
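Review bot: stop() in netpassha now runs `action $"Stopping $prog: " /bin/true` and returns 0 while the comment above it says there is no way to shut HA down, so `service netpassha stop` reports success without stopping anything. Either keep an honest no-op message, or, if interfacecfg.pl can undo what it configured for the role given by `MYTYPE`, invoke that here.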
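Review bot: The chkconfig header added to ndbmgmd leaves `# pidfile:` empty; tools that read the header get an empty path, so either fill in the ndb_mgmd pid file location or remove the line rather than leaving a blank field.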
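Review bot: The @@ -67 hunk in netpass starts appstarter.pl in start() but this diff does not touch stop(), so `service netpass stop` will leave appstarter running unless something else kills it; add the matching `killproc` in the same commit. As with the block above it, the `[ $RETVAL -eq 0 ]` check is commented out, so a failed `daemon` call still reports success.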
From: jeff m. <jef...@us...> - 2005-08-03 02:44:47
Update of /cvsroot/netpass/NetPass/www/components/Admin In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv19022/www/components/Admin Modified Files: FormNPPolicy FormNPSnort TableEditPolicy Log Message: some bug fixes, resetport.pl re-write, appstarter completion, install/initd tweaks Index: TableEditPolicy =================================================================== RCS file: /cvsroot/netpass/NetPass/www/components/Admin/TableEditPolicy,v retrieving revision 1.6 retrieving revision 1.7 diff -u -d -r1.6 -r1.7 --- TableEditPolicy 19 May 2005 20:15:05 -0000 1.6 +++ TableEditPolicy 3 Aug 2005 02:44:39 -0000 1.7 @@ -327,6 +327,21 @@ % } </TR> <TR> +<TD CLASS='left'>ResetPort Max Port Poll Time</TD> +<TD CLASS='right'> +<%$q->textfield ( + -name => 'policy:resetport_port_poll_time', + -default => $np->cfg->policy(-key => 'resetport_port_poll_time', -network => $network), + -size => 5 + )%> seconds +</TD> +% if ($showDefault) { +<td class='center'><input type='checkbox' <%!$np->cfg->policyLocation(-key => 'resetport_port_poll_time', -network => $network, -location => $formatFor)?"":"checked"%> name="override:resetport_port_poll_time"></td> +<td class='right'><%$np->cfg->policy(-key => 'resetport_port_poll_time')%> secs</td><td class='left'> +(<%join(',', @{$np->cfg->policyLocation(-key => 'resetport_port_poll_time', -network => $network)})%>)</td> +% } +</TR> +<TR> <TD CLASS='left'>ResetPort Link Flap Tolerance</TD> <TD CLASS='right'> <%$q->textfield ( Index: FormNPPolicy =================================================================== RCS file: /cvsroot/netpass/NetPass/www/components/Admin/FormNPPolicy,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- FormNPPolicy 14 Jun 2005 20:34:17 -0000 1.2 +++ FormNPPolicy 3 Aug 2005 02:44:39 -0000 1.3 
@@ -196,6 +196,15 @@ )%> </TD></TR> <TR> +<TD CLASS='left'>ResetPort Max Port Poll Time</TD> +<TD CLASS='right'> +<%$q->textfield ( + -name => 'policy:resetport_port_poll_time', + -default => $np->cfg->policy(-key => 'resetport_port_poll_time'), + -size => 5 + )%> seconds +</TD></TR> +<TR> <TD CLASS='left'>ResetPort Link Flap Tolerance</TD> <TD CLASS='right'> <%$q->textfield ( Index: FormNPSnort =================================================================== RCS file: /cvsroot/netpass/NetPass/www/components/Admin/FormNPSnort,v retrieving revision 1.6 retrieving revision 1.7 diff -u -d -r1.6 -r1.7 --- FormNPSnort 14 Jun 2005 21:41:08 -0000 1.6 +++ FormNPSnort 3 Aug 2005 02:44:39 -0000 1.7 @@ -47,6 +47,7 @@ <%perl> my $h = $np->cfg->snort(-key => 'servers', -network => $network); + if ($h && (ref($h) eq "HASH")) { foreach my $s (keys %$h) { my($server, $port) = split(/:/, $s); print "<TR>"; @@ -66,6 +67,7 @@ ); print "</TD></TR>"; } + } print "<TR>"; print "<TD CLASS=\"gray\" ALIGN=center>"; print $q->textfield ( @@ -113,6 +115,7 @@ </TR> <%perl> + if ($h && (ref($h) eq "HASH")) { foreach my $s (keys %$h) { my($server, $port) = split(/:/, $s); print "<TR>"; @@ -121,6 +124,7 @@ print "<TD CLASS=\"gray\" ALIGN=center>".$np->cfg->snort(-key => $s, -sval => 'servers'); print "</TD></TR>"; } + } print "</TABLE></TD>"; |
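Review bot: The ResetPort Max Port Poll Time field added in TableEditPolicy (and its twin in the FormNPPolicy @@ -196 hunk) stores whatever text is typed; nothing in these hunks constrains it to a non-negative integer, while resetport.pl's procUQ (earlier on this page) uses the value in `if ($rppt)` and in arithmetic, so an entry such as "5s" is true as a string and zero as a number. Validate on save (or at least `int()` it) and say in the label that 0 means the port is quarantined immediately, since that is what the consumer does with it.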
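Review bot: The `if ($h && (ref($h) eq "HASH"))` guards in FormNPSnort stop the crash when `snort(-key => 'servers')` returns nothing, but the @@ -113 hunk reuses `$h` from the block at @@ -47 and both tables now render silently empty when that call returns an error string instead of a hash. Print a "no Snort servers configured" row in the else branch, and if `snort()` can return an error string, log it, so a misconfigured network is visible rather than indistinguishable from an empty one.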
From: jeff m. <jef...@us...> - 2005-08-03 02:44:47
|
Update of /cvsroot/netpass/NetPass/install.d In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv19022/install.d Modified Files: install-ipvs.sh Log Message: some bug fixes, resetport.pl re-write, appstarter completion, install/initd tweaks Index: install-ipvs.sh =================================================================== RCS file: /cvsroot/netpass/NetPass/install.d/install-ipvs.sh,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- install-ipvs.sh 17 May 2005 02:57:36 -0000 1.2 +++ install-ipvs.sh 3 Aug 2005 02:44:38 -0000 1.3 @@ -22,7 +22,8 @@ mkdir -p /var/cache/cpan/build /var/cache/cpan/sources unset DISPLAY up2date --nox -i glib-devel openssl-devel libnet perl-CPAN -cp Config.pm /usr/lib/perl5/5.8.0/CPAN/Config.pm +# 5.8.5 = RH4 +cp Config.pm /usr/lib/perl5/5.8.5/CPAN/Config.pm cat <<EOF Using CPAN to install some perl modules. If CPAN asks whether @@ -31,8 +32,11 @@ EOF sleep 5 -echo "install Bundle::CPAN" | perl -MCPAN -e shell -echo "install Mail::IMAPClient" | perl -MCPAN -e shell +for i in Bundle::CPAN Mail::IMAPClient ExtUtils::AutoInstall Convert::ASN1 Authen::SASL \ +Digest::MD5 URI::ldap IO::Socket::SSL XML::SAX::Base MIME::Base64 ; do + echo "install " $i | perl -MCPAN -e shell +done + echo "force install Net::SSLeay" | perl -MCPAN -e shell echo "install Net::LDAP" | perl -MCPAN -e shell |
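Review bot: hard-coding `/usr/lib/perl5/5.8.5/CPAN/Config.pm` ties the installer to one perl build (the `# 5.8.5 = RH4` comment acknowledges this) and on any other release the copy lands in a directory CPAN never reads, so the interactive prompts the following `cat <<EOF` warns about return; derive the directory at run time, e.g. `cp Config.pm "$(perl -MConfig -e 'print $Config{privlib}')/CPAN/Config.pm"`, or fail loudly when the target directory does not exist. The new `for i in ...` loop is fine, though one `perl -MCPAN -e shell` invocation per module is slow; a single `perl -MCPAN -e 'install($_) for @ARGV' Bundle::CPAN Mail::IMAPClient ...` does the same work in one process.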
From: Jeff M. <jcm...@os...> - 2005-08-03 02:29:45
|
> --
> * We're still having issues with Netgroups in the Message Editor
> section. At this point all we see is the default group despite the
> fact we have a number of otherwise working Netgroups.

I haven't been able to reproduce this.

> * When attempting to view the current permissions of a user in the User
> Editor, I select a user then select their group to see their access
> rights. The problem is that even if they have multiple access types,
> the interface only displays one of them. In the database itself
> things look ok. It would be useful to see their real privileges.

fixed

> * The scanning progress bar has changed since the NP1 and the feedback
> we've been getting has not been positive. Essentially the bar now
> appears to the progress in across the entire width of the webpage
> in two passes though there's still a 100% marker in the middle of the
> page. I can provide a screenshot if necessary. This happens in all
> browsers that draw the progress bar (IE, Mozilla).

fixed

> * When running the byos.mhtml report we receive the following error.
> It references a missing .png file, but I suspect I'm missing the perl
> module that generates the image, perhaps perl-GD. Can you confirm?

fixed |
From: jeff m. <jef...@us...> - 2005-08-03 01:37:18
|
Update of /cvsroot/netpass/NetPass/www/htdocs/OSSTemplate/js In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv9056 Modified Files: common.js userform.js Log Message: bug fix for userform not showing all the acls the user is privileged for Index: userform.js =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/OSSTemplate/js/userform.js,v retrieving revision 1.10 retrieving revision 1.11 diff -u -d -r1.10 -r1.11 --- userform.js 4 May 2005 20:22:18 -0000 1.10 +++ userform.js 3 Aug 2005 01:37:08 -0000 1.11 @@ -322,7 +322,7 @@ for(var acl in userhash[su][o.value]) { userform_disableModAll(); dbg(1, RN + ": acl/"+su+"/"+o.value+"="+acl); - highLightList("AccessControlList", acl); + highLightList("AccessControlList", acl, 1); } } } Index: common.js =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/OSSTemplate/js/common.js,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- common.js 23 Jun 2005 20:21:10 -0000 1.4 +++ common.js 3 Aug 2005 01:37:08 -0000 1.5 @@ -102,12 +102,12 @@ } -function highLightList(oname, item) { +function highLightList(oname, item, dontclear) { var RN = "highLightList"; dbg(1, RN + "(" + oname + ", " + item + ")" ); var acl = document.getElementById(oname); if (acl) { - acl.selectedIndex = -1; + if (dontclear != 1) acl.selectedIndex = -1; for(var i = 1 ; i < acl.options.length ; i++) { if (item) { if (acl.options[i].value == item) |
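Review bot: in the userform.js hunk, passing the new third argument on every iteration means nothing in this loop clears the AccessControlList selection before the current user's ACLs are highlighted, so options highlighted for a previously selected user stay selected unless `userform_disableModAll()` or an earlier call resets the list; clear once before the `for(var acl in ...)` loop (`highLightList("AccessControlList", null)` does that with the visible code, since `item` is falsy) and then append with the third argument set.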
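Review bot: in the common.js hunk the new parameter is tested with `dontclear != 1`, so only the number 1 (or the string "1") suppresses clearing and a caller passing `true` still has its list wiped; `if (!dontclear)` is the usual idiom and tolerates both. The `dbg(1, RN + "(" + oname + ", " + item + ")")` call directly below was not updated to include `dontclear`, which makes the new behaviour invisible in the debug trace.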
From: jeff m. <jef...@us...> - 2005-08-03 01:26:23
|
Update of /cvsroot/netpass/NetPass/www/components/Client In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv7023 Modified Files: BeginScan Log Message: removed padding to make pbar look ok in mozilla as well as IE Index: BeginScan =================================================================== RCS file: /cvsroot/netpass/NetPass/www/components/Client/BeginScan,v retrieving revision 1.9 retrieving revision 1.10 diff -u -d -r1.9 -r1.10 --- BeginScan 3 Aug 2005 01:17:07 -0000 1.9 +++ BeginScan 3 Aug 2005 01:26:12 -0000 1.10 @@ -58,7 +58,7 @@ my $percent_done = int(100*(eval($cbm->[2]))); - print qq{<image style='margin: 0px 1px 0px 1px; padding: 1px 1px 1px 1px;' src="$progress_image" border="0" width="$progress_step_pixel_width" height="10" alt="$percent_done percent">}; + print qq{<image style='margin: 0px 1px 0px 1px; ' src="$progress_image" border="0" width="$progress_step_pixel_width" height="10" alt="$percent_done percent">}; $m->flush_buffer(); }; |
From: jeff m. <jef...@us...> - 2005-08-03 01:17:32
|
Update of /cvsroot/netpass/NetPass/www/components/Client In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv4130 Modified Files: BeginScan Log Message: progress bar bug fix Index: BeginScan =================================================================== RCS file: /cvsroot/netpass/NetPass/www/components/Client/BeginScan,v retrieving revision 1.8 retrieving revision 1.9 diff -u -d -r1.8 -r1.9 --- BeginScan 8 May 2005 02:35:46 -0000 1.8 +++ BeginScan 3 Aug 2005 01:17:07 -0000 1.9 @@ -46,18 +46,19 @@ my $plugin_total = $parms->{'pitot'}; return if ($plugin_total < 1); - my $progress_bar_width = "500"; #px - my $progress_step_pixel_width = int(($progress_bar_width/$plugin_total)+1); + my $max_iteration = (split('/', $cbm->[2]))[1]; + $max_iteration ||= $plugin_total; + + my $progress_bar_width = "500"; #px same as table width + my $progress_step_pixel_width = int($progress_bar_width/$max_iteration)-2; my $progress_image = '/resources/images/progress.gif'; - $progress_bar_width = $progress_step_pixel_width*$plugin_total; # this evens out the progress bar - $progress_step_pixel_width -= 4; # nessus passes in an array. the 3rd element is basically # "pluginnum/totplugin" so we eval it to get percent done my $percent_done = int(100*(eval($cbm->[2]))); - print qq{<image src="$progress_image" border="0" width="$progress_step_pixel_width" height="10" alt="$percent_done percent">}; + print qq{<image style='margin: 0px 1px 0px 1px; padding: 1px 1px 1px 1px;' src="$progress_image" border="0" width="$progress_step_pixel_width" height="10" alt="$percent_done percent">}; $m->flush_buffer(); }; @@ -112,6 +113,7 @@ goto scan_finished; } + print "\n<!-- PIDS: ", join(',',@$pids), "-->\n"; $nessus->plugin_set(join(';', @$pids)); $nessus->attack($ip); |
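Review bot: in the first hunk `int($progress_bar_width/$max_iteration)-2` reaches 0 at 250 iterations and goes negative beyond that, emitting `width="0"` or `width="-1"` images, so clamp the step to at least 1 px. The added `(split('/', $cbm->[2]))[1]` already parses the "pluginnum/totplugin" string, so the `eval($cbm->[2])` two lines below, which executes scanner-supplied text as Perl, can be replaced by arithmetic on the two split parts; and `<image>` should be `<img>`, which browsers only tolerate by aliasing.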
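Review bot: the second hunk's `print "\n<!-- PIDS: ", join(',',@$pids), "-->\n";` writes the full list of Nessus plugin IDs selected for this scan into the HTML delivered to the client being scanned, telling the end user exactly which checks are run against their host; it reads as debugging output, so gate it on a debug setting or send it to the server log via `_log` instead of the page.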
From: jeff m. <jef...@us...> - 2005-08-03 00:43:08
|
Update of /cvsroot/netpass/NetPass/lib/SNMP/Device In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv30544 Modified Files: Cisco.pm Log Message: removed ref to netpass.conf Index: Cisco.pm =================================================================== RCS file: /cvsroot/netpass/NetPass/lib/SNMP/Device/Cisco.pm,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- Cisco.pm 3 Aug 2005 00:32:50 -0000 1.2 +++ Cisco.pm 3 Aug 2005 00:42:58 -0000 1.3 @@ -1,7 +1,7 @@ package SNMP::Device::Cisco; use SNMP::Device; -use NetPass::Config; +use NetPass; use Net::SNMP; use NetPass::LOG qw (_log _cont); @@ -280,7 +280,7 @@ # through all the vlans on the switch. my $np = new NetPass(-cstr => undef, - -dbuser => '', -dbpass => '', + -dbuser => undef, -dbpass => undef, -debug => 0, -quiet => 0); |
From: jeff m. <jef...@us...> - 2005-08-03 00:33:10
|
Update of /cvsroot/netpass/NetPass/lib/SNMP/Device In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv28508 Modified Files: Cisco.pm Log Message: removed ref to netpass.conf Index: Cisco.pm =================================================================== RCS file: /cvsroot/netpass/NetPass/lib/SNMP/Device/Cisco.pm,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- Cisco.pm 15 Oct 2004 15:49:35 -0000 1.1 +++ Cisco.pm 3 Aug 2005 00:32:50 -0000 1.2 
@@ -188,73 +188,73 @@ my $p2ifoid = ".1.3.6.1.2.1.17.1.4.1.2"; # Check to see what mac's are for the switch -my %selfhash = (); -my $reslcl = $snmp->snmp->get_table(-baseoid=>$lcloid); -foreach my $selfoid (keys(%{$reslcl})){ - if ($reslcl->{$selfoid} == 4){ - my @selfoidtmp = split(/\./,$selfoid); - $selfoidtmp[11] = "2"; - my $selfoid = join('.',@selfoidtmp); - $selfhash{$selfoid} = 1; - } -} + my %selfhash = (); + my $reslcl = $snmp->snmp->get_table(-baseoid=>$lcloid); + foreach my $selfoid (keys(%{$reslcl})){ + if ($reslcl->{$selfoid} == 4){ + my @selfoidtmp = split(/\./,$selfoid); + $selfoidtmp[11] = "2"; + my $selfoid = join('.',@selfoidtmp); + $selfhash{$selfoid} = 1; + } + } # Create hash of vlans that are on ports if (!defined($res = $snmp->snmp->get_table($vlanoid))) { $snmp->err($snmp->snmp->error); return undef; - } -my %vlanhash; + } + my %vlanhash; foreach my $void (keys(%{$res})) { - my $vlan = $res->{$void}; - $vlanhash{$vlan} = 1; - } + my $vlan = $res->{$void}; + $vlanhash{$vlan} = 1; + } my $orig_cn = $snmp->snmp_community; foreach my $vlan (keys(%vlanhash)) { - $snmp->snmp_community("$orig_cn\@$vlan"); - my $snmp2 = $snmp->_create_snmp(); - -# create bidge port to ifindex mapping hash - - if (!defined($resp = $snmp2->get_table($p2ifoid))) { - $snmp->err($snmp2->error); - return undef; - } - my %p2ihash = (); - foreach my $p2ioid (keys(%{$resp})) { - my $bport = substr($p2ioid,rindex($p2ioid,".")+1); - $p2ihash{$bport} = $resp->{$p2ioid}; + $snmp->snmp_community("$orig_cn\@$vlan"); + my $snmp2 = $snmp->_create_snmp(); + +# create bridge port to ifindex mapping hash + + if (!defined($resp = $snmp2->get_table($p2ifoid))) { + $snmp->err($snmp2->error); + return undef; } - if (!defined($res = $snmp2->get_table($oid))) { - $snmp->err($snmp2->error); - $snmp->snmp_community($orig_cn); - #return undef; - } - - - MAC: foreach my $key (keys %{$res}) { - if (exists($selfhash{$key})){ - next; + my %p2ihash = (); + foreach my $p2ioid (keys(%{$resp})) { + my 
$bport = substr($p2ioid,rindex($p2ioid,".")+1); + $p2ihash{$bport} = $resp->{$p2ioid}; } - my ($m1, $m2, $m3, $m4, $m5, $m6) = ($key =~ /^.*?\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/); # MAC pieces, base 10. - my $mac = sprintf("%2.2x", $m1) . - sprintf("%2.2x", $m2) . - sprintf("%2.2x", $m3) . - sprintf("%2.2x", $m4) . - sprintf("%2.2x", $m5) . - sprintf("%2.2x", $m6); - - my $ifIndex = $p2ihash{$res->{$key}}; - if (defined ($ifIndex)) { - $m2p->{$mac} = [] if !exists $m2p->{$mac}; - $p2m->{$ifIndex} = [] if !exists $p2m->{$ifIndex}; - push @{$m2p->{$mac}} , $ifIndex; - push @{$p2m->{$ifIndex}} , $mac; + if (!defined($res = $snmp2->get_table($oid))) { + $snmp->err($snmp2->error); + $snmp->snmp_community($orig_cn); + #return undef; } - } # vlan foreach + + + MAC: foreach my $key (keys %{$res}) { + if (exists($selfhash{$key})){ + next; + } + my ($m1, $m2, $m3, $m4, $m5, $m6) = ($key =~ /^.*?\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/); # MAC pieces, base 10. + my $mac = sprintf("%2.2x", $m1) . + sprintf("%2.2x", $m2) . + sprintf("%2.2x", $m3) . + sprintf("%2.2x", $m4) . + sprintf("%2.2x", $m5) . + sprintf("%2.2x", $m6); + + my $ifIndex = $p2ihash{$res->{$key}}; + if (defined ($ifIndex)) { + $m2p->{$mac} = [] if !exists $m2p->{$mac}; + $p2m->{$ifIndex} = [] if !exists $p2m->{$ifIndex}; + push @{$m2p->{$mac}} , $ifIndex; + push @{$p2m->{$ifIndex}} , $mac; + } + } # vlan foreach } # mac foreach $snmp->snmp_community($orig_cn); - + return ($m2p, $p2m); } 
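Review bot: this hunk is almost entirely a re-indent, which buries the only wording change (`bidge` to `bridge`); keep whitespace-only reformatting in its own commit so behavioural diffs stay reviewable. Three points in the re-emitted body deserve attention: the `return undef` after a failed `get_table($p2ifoid)` leaves `snmp_community` set to `"$orig_cn\@$vlan"` because `$snmp->snmp_community($orig_cn)` is only restored on the other paths; the commented-out `#return undef;` after a failed `get_table($oid)` means that vlan is skipped silently with `$snmp->err` set but nothing logged, so a `_log` and `next` would make the gap visible; and the closing comments `} # vlan foreach` and `} # mac foreach` are swapped relative to the loops they close.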
@@ -279,39 +279,41 @@ # Need to get unquar and quar vlans for network, otherwise would need to go # through all the vlans on the switch. - my $cfg = new NetPass::Config('/opt/netpass/etc/netpass.conf'); - my @taglist = $cfg->availableVlans(-network=>$myNW); - my $orig_cn = $self->snmp_community; - foreach my $vlan (@taglist) { - $self->snmp_community("$orig_cn\@$vlan"); - my $snmp2 = $self->_create_snmp(); - -# create bidge port to ifindex mapping hash + my $np = new NetPass(-cstr => undef, + -dbuser => '', -dbpass => '', + -debug => 0, + -quiet => 0); - if (!defined($resp = $snmp2->get_table($p2ifoid))) { - $self->err($snmp2->error); - return undef; - } - my %p2ihash = (); - foreach my $p2ioid (keys(%{$resp})) { - my $bport = substr($p2ioid,rindex($p2ioid,".")+1); - $p2ihash{$bport} = $resp->{$p2ioid}; - } - if (!defined($res1 = $snmp2->get_request("$oid.$decmac"))) { - next; - } - if ($res1->{"$oid.$decmac"} =~ /\d+/){ - $self->snmp_community($orig_cn); - return $p2ihash{$res1->{"$oid.$decmac"}}; - } - else { - next; - } - } - $self->snmp_community($orig_cn); - return undef; + my @taglist = $np->cfg->availableVlans(-network=>$myNW); + my $orig_cn = $self->snmp_community; + foreach my $vlan (@taglist) { + $self->snmp_community("$orig_cn\@$vlan"); + my $snmp2 = $self->_create_snmp(); + # create bridge port to ifindex mapping hash + if (!defined($resp = $snmp2->get_table($p2ifoid))) { + $self->err($snmp2->error); + return undef; + } + my %p2ihash = (); + foreach my $p2ioid (keys(%{$resp})) { + my $bport = substr($p2ioid,rindex($p2ioid,".")+1); + $p2ihash{$bport} = $resp->{$p2ioid}; + } + if (!defined($res1 = $snmp2->get_request("$oid.$decmac"))) { + next; + } + if ($res1->{"$oid.$decmac"} =~ /\d+/){ + $self->snmp_community($orig_cn); + return $p2ihash{$res1->{"$oid.$decmac"}}; + } + else { + next; + } + } + $self->snmp_community($orig_cn); + return undef; } 
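Review bot: `new NetPass(-cstr => undef, -dbuser => '', -dbpass => '', ...)` is built inside the lookup method, so every call constructs a NetPass object (and whatever database connection that implies) just to read `availableVlans`; pass the caller's `$np` or the vlan list in, or cache it. Empty strings are passed where the follow-up revision 1.3 in this same thread switches to `undef`, so this intermediate state should not be relied on. As in the previous hunk, the `return undef` after a failed `get_table($p2ifoid)` exits with `snmp_community` still set to `"$orig_cn\@$vlan"`; restore `$orig_cn` before returning.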
@@ -345,11 +347,11 @@ } foreach my $key (keys %{$response}) { - my $hexip = $response->{$key}; - push(my @ip,hex(substr($hexip,2,2))); - push(@ip,hex(substr($hexip,4,2))); - push(@ip,hex(substr($hexip,6,2))); - push(@ip,hex(substr($hexip,8,2))); + my $hexip = $response->{$key}; + push(my @ip,hex(substr($hexip,2,2))); + push(@ip,hex(substr($hexip,4,2))); + push(@ip,hex(substr($hexip,6,2))); + push(@ip,hex(substr($hexip,8,2))); return join(".",@ip); } return ""; |
From: Matt <mt...@us...> - 2005-07-29 01:14:25
|
Update of /cvsroot/netpass/NetPass/www/htdocs/Admin/reports In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv16855 Modified Files: byos.mhtml Log Message: Index: byos.mhtml =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/Admin/reports/byos.mhtml,v retrieving revision 1.7 retrieving revision 1.8 diff -u -d -r1.7 -r1.8 --- byos.mhtml 29 Jul 2005 00:53:50 -0000 1.7 +++ byos.mhtml 29 Jul 2005 01:14:16 -0000 1.8 @@ -15,7 +15,7 @@ use FileHandle; use File::stat; -my $NPBASE = $np->cfg()->{'cfg'}->obj('policy')->value('base_dir'); +my $NPBASE = $np->cfg->policy(-key => 'base_dir'); my $REPORTSDIR = $NPBASE."/www/htdocs/Admin/reports"; my $GRAPHIMG = "byospiechart.png"; |
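Review bot: `$np->cfg->policy(-key => 'base_dir')` can return undef when the key is absent, in which case `$REPORTSDIR` silently becomes `/www/htdocs/Admin/reports` and the `FileHandle` open further down dies with the same unhelpful "Unable to open byospiechart.png" seen in the report earlier in this thread; check the value and die naming the missing policy key, and include `$!` in the open failure message.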
From: Matt <mt...@us...> - 2005-07-29 00:54:15
|
Update of /cvsroot/netpass/NetPass/www/htdocs/Admin/reports In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv13623 Modified Files: byos.mhtml Log Message: Index: byos.mhtml =================================================================== RCS file: /cvsroot/netpass/NetPass/www/htdocs/Admin/reports/byos.mhtml,v retrieving revision 1.6 retrieving revision 1.7 diff -u -d -r1.6 -r1.7 --- byos.mhtml 27 Oct 2004 15:17:02 -0000 1.6 +++ byos.mhtml 29 Jul 2005 00:53:50 -0000 1.7 @@ -15,7 +15,7 @@ use FileHandle; use File::stat; -my $NPBASE = $np->cfg()->{'cfg'}->obj('policy')->value('BASE_DIR'); +my $NPBASE = $np->cfg()->{'cfg'}->obj('policy')->value('base_dir'); my $REPORTSDIR = $NPBASE."/www/htdocs/Admin/reports"; my $GRAPHIMG = "byospiechart.png"; |
From: Robert V. <re...@no...> - 2005-07-28 22:47:33
|
Greetings,

We've run into a few issues with the NP2 during our trials with administrative departments. I've itemized them below in order of importance. Note that I tend to run CVS updates after I see updates come through on the mailing list, so I believe we are running the latest version available via CVS. If I'm unclear or if you would find additional details helpful, just let me know.

Thanks!
Bob

--
* We're still having issues with Netgroups in the Message Editor section. At this point all we see is the default group despite the fact we have a number of otherwise working Netgroups.

* When attempting to view the current permissions of a user in the User Editor, I select a user then select their group to see their access rights. The problem is that even if they have multiple access types, the interface only displays one of them. In the database itself things look ok. It would be useful to see their real privileges.

* The scanning progress bar has changed since the NP1 and the feedback we've been getting has not been positive. Essentially the bar now appears to the progress in across the entire width of the webpage in two passes though there's still a 100% marker in the middle of the page. I can provide a screenshot if necessary. This happens in all browsers that draw the progress bar (IE, Mozilla).

* When running the byos.mhtml report we receive the following error. It references a missing .png file, but I suspect I'm missing the perl module that generates the image, perhaps perl-GD. Can you confirm?

System error
error: Unable to open byospiechart.png at /opt/netpass/www/htdocs/Admin/reports/byos.mhtml line 75, <GEN314> line 14.
context:
...
71: );
72:
73: $graph->set_value_font(GD::Font->Large);
74:
75: my $fh = new FileHandle("> $REPORTSDIR/$GRAPHIMG") || die "Unable to open $GRAPHIMG";
76: binmode $fh;
77: print $fh $graph->plot($data)->png;
78: $fh->close;
79: }
...
code stack:
/opt/netpass/www/htdocs/Admin/reports/byos.mhtml:75
/opt/netpass/www/htdocs/Admin/reports/byos.mhtml:35
/opt/netpass/www/htdocs/Admin/autohandler:82
/opt/netpass/www/htdocs/autohandler:33
raw error |
From: Matt <mt...@us...> - 2005-07-26 15:10:35
|
Update of /cvsroot/netpass/NetPass/lib/NetPass/API
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv19202

Added Files:
	Local.pm
Log Message:

--- NEW FILE: Local.pm ---
package NetPass::API::Local;

use strict;
use Carp;
my $VERSION = '0.01';

use lib qw(/opt/netpass/lib);
use NetPass::LOG qw(_log _cont);
use NetPass::Config;
use Class::ParmList qw(simple_parms parse_parms);

my $nph = $::np;

=head1 NAME

NetPass::API::Local - NetPass User Defined API functions

=head1 SYNOPSIS

use NetPass::API::Local;

=head1 DESCRIPTION

There currently are hooks in the NetPass::API module that will call
functions in this module to execute user defined functionality. For
example, if the API function quarantineByIp is called, NetPass::API will
check this module for a quarantineByIp function; if such a function
exists, it will be executed with the same arguments that were passed to
the original call to NetPass::API::quarantineByIp. If a function defined
in this module returns a value less than 0, the corresponding
NetPass::API function called will return C<undef> and not execute.

The NetPass object is also available to this module through the global
variable $::np.

=head1 METHODS

=cut

sub getSnortPCAPFilter {
	return 1;
}

sub getSnortRules {
	return 1;
}

sub snortEnabled {
	return 1;
}

sub snortEnabledNetworks {
	return 1;
}

sub getRegisterInfo {
	return 1;
}

sub addSnortRuleEntry {
	return 1;
}

sub quarantineByIP {
	return 1;
}

1;
|
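As an added illustration of the hook contract described in the POD above (example code, not NetPass's own Local.pm or dispatcher), here is a site hook that vetoes quarantineByIP for infrastructure addresses, together with a dispatcher that honours the "return less than 0 to abort" rule but refuses the call when the hook itself is missing-in-error or dies. The package names My::API::Local and My::API, the protected-address list and the sample calls are all constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not NetPass code.  My::API::Local stands in for
# NetPass::API::Local; My::API::hook_allows stands in for the dispatcher
# in NetPass::API.  All addresses below are constructed sample values.
use strict;
use warnings;

package My::API::Local;

# Infrastructure addresses that must never be quarantined automatically.
# Returning a value < 0 tells the dispatcher to abort the API call.
my %PROTECTED = map { $_ => 1 } qw(10.0.0.1 10.0.0.2);

sub quarantineByIP {
    my %args = @_;                      # same -key => value args as the API call
    my @ips = ref($args{-ip}) eq 'ARRAY' ? @{ $args{-ip} } : ($args{-ip});
    for my $ip (@ips) {
        return -1 if defined $ip && $PROTECTED{$ip};
    }
    return 1;
}

# snortEnabled is deliberately not defined here, so the dispatcher's
# "is there a hook at all?" check is exercised below.

package My::API;

# Consult the site hook for $function.  Returns 1 if the API call may
# proceed and 0 if it must be refused.
sub hook_allows {
    my ($function, @args) = @_;
    my $name = "My::API::Local::$function";

    # No hook defined: nothing to consult, and no error logged per call.
    return 1 unless defined &{$name};

    # \&{"name"} is the one symbolic reference 'strict refs' permits.
    my $rv = eval { my $code = \&{$name}; $code->(@args) };

    # A hook that dies or returns something non-numeric fails CLOSED here.
    # Mapping such errors to 0 would let the call through, since 0 < 0 is false.
    return 0 if $@ || !defined($rv) || $rv !~ /^-?\d+$/;

    return $rv < 0 ? 0 : 1;
}

package main;

my @cases = (
    [ 'quarantineByIP', -ip => '10.0.0.1' ],                   # vetoed
    [ 'quarantineByIP', -ip => [ '192.0.2.10', '10.0.0.2' ] ], # vetoed
    [ 'quarantineByIP', -ip => '192.0.2.10' ],                 # proceeds
    [ 'snortEnabled',   -network => '192.0.2.0/24' ],          # no hook, proceeds
);

for my $c (@cases) {
    my ($fn, @args) = @$c;
    my $shown = join ' ', map { ref($_) ? '[' . join(',', @$_) . ']' : $_ } @args;
    printf "%-15s %-28s %s\n", $fn, $shown,
        My::API::hook_allows($fn, @args) ? 'proceed' : 'blocked';
}
```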
From: Matt <mt...@us...> - 2005-07-26 15:09:59
|
Update of /cvsroot/netpass/NetPass/lib/NetPass/API In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv18990/API Log Message: Directory /cvsroot/netpass/NetPass/lib/NetPass/API added to the repository |
From: Matt <mt...@us...> - 2005-07-26 15:09:46
|
Update of /cvsroot/netpass/NetPass/lib/NetPass In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv18884 Modified Files: API.pm Log Message: Index: API.pm =================================================================== RCS file: /cvsroot/netpass/NetPass/lib/NetPass/API.pm,v retrieving revision 1.23 retrieving revision 1.24 diff -u -d -r1.23 -r1.24 --- API.pm 14 Jul 2005 15:46:25 -0000 1.23 +++ API.pm 26 Jul 2005 15:09:37 -0000 1.24 @@ -62,6 +62,29 @@ return ($secret, \@args); }; +my $execute_user_defined_function = sub { + my $self = shift; + my $function = shift; + my @args = @_; + + eval { require NetPass::API::Local; }; + + if ($@) { + _log("DEBUG", "NetPass::API::Local does not exist or has an error in it ".$@); + return 0; + } + + my $e = \&{"NetPass::API::Local::$function"}; + my $rv = eval { &$e(@args); }; + + if ($@) { + _log("DEBUG", "$e does not exist or has an error in it ".$@); + return 0; + } + + return $rv; +}; + =head2 $rule = getSnortPCAPFilter(-secret => $secret, -sensor => $hostname -ignorequar => [1|0]) Get the necessary pcap rules for the particular sensor. Argument @@ -90,6 +113,7 @@ my ($secret, $sensor, $ignorequar) = $parms->get('-secret', '-sensor', '-ignorequar'); return undef unless ($self->$check_soap_auth($secret)); + return undef if $self->$execute_user_defined_function("getSnortPCAPFilter", @_) < 0; if ($sensor !~ /^\w*\.*\w*\.*\w+\.\w+:\d+$/) { _log("ERROR", "Incorrect sensor format $sensor"); @@ -150,6 +174,7 @@ return undef unless ($self->$check_soap_auth($secret)); return undef unless ($type =~ /^(enabled|disabled|all)$/); + return undef if $self->$execute_user_defined_function("getSnortRules", @_) < 0; _log("DEBUG", "retrieving snort rules"); @@ -177,6 +202,7 @@ return undef unless ($self->$check_soap_auth($secret)); return undef unless defined $nw; + return undef if $self->$execute_user_defined_function("snortEnabled", @_) < 0; return $np->cfg->snortEnabled($nw); } 
@@ -201,6 +227,7 @@ my @snortnws; return undef unless ($self->$check_soap_auth($secret)); + return undef if $self->$execute_user_defined_function("snortEnabledNetworks", @_) < 0; $nws = $np->cfg->getNetworks(); if (!defined($nws) || ref($nws) ne 'ARRAY') { @@ -238,6 +265,7 @@ my($secret, $args) = $self->$get_secret_from_args(@_); return undef if $secret eq ""; return undef unless ($self->$check_soap_auth($secret)); + return undef if $self->$execute_user_defined_function("getRegisterInfo", @_) < 0; return $np->db->getRegisterInfo(@$args); } @@ -256,6 +284,7 @@ my($secret, $args) = $self->$get_secret_from_args(@_); return undef if $secret eq ""; return undef unless ($self->$check_soap_auth($secret)); + return undef if $self->$execute_user_defined_function("addSnortRuleEntry", @_) < 0; return $np->db->addSnortRuleEntry(@$args); } @@ -294,6 +323,7 @@ my ($secret, $type, $id, $ip, $time) = $parms->get('-secret', '-type', '-id', '-ip', '-time'); return undef unless ($self->$check_soap_auth($secret)); + return undef if $self->$execute_user_defined_function("quarantineByIP", @_) < 0; if (ref($type) eq 'ARRAY' && ref($id) eq 'ARRAY' && ref($time) eq 'ARRAY') { $arrays = 1; |
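Review bot: `$execute_user_defined_function` fails open. When `require NetPass::API::Local` fails, when the named sub does not exist (`\&{"NetPass::API::Local::$function"}` happily returns a reference to an undefined sub and the call dies inside the eval), or when the hook returns undef, the wrapper yields 0 or undef, `... < 0` is false, and every caller proceeds as if the hook had approved; a site that installs a quarantineByIP veto therefore loses it silently on a syntax error, with only a DEBUG log line. Test `defined &{"NetPass::API::Local::$function"}` before calling, so that a missing hook is not reported as an error on every API request, and decide explicitly whether a hook that dies should block the call (return -1) rather than allow it. The second log message also interpolates `$e`, a CODE reference, where `$function` was meant.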
From: Matt <mt...@us...> - 2005-07-26 15:08:11
|
Update of /cvsroot/netpass/NetPass/etc In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv18572 Modified Files: npsvc.conf Log Message: Index: npsvc.conf =================================================================== RCS file: /cvsroot/netpass/NetPass/etc/npsvc.conf,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- npsvc.conf 21 Jul 2005 15:45:24 -0000 1.1 +++ npsvc.conf 26 Jul 2005 15:08:01 -0000 1.2 @@ -1,2 +1,2 @@ # service email action <restart|norestart> command with args -# npapid ad...@do... restart /opt/netpass/bin/npapid.pl +# npapi ad...@do... restart /opt/netpass/bin/npapid.pl |