From b061168bdae759c88e9ef93f3620edae404e69fe Mon Sep 17 00:00:00 2001
|
|
From: Stepan Broz <sbroz@redhat.com>
|
|
Date: Thu, 26 Sep 2019 12:56:00 +0200
|
|
Subject: [PATCH] [libreswan] New plugin for "libreswan" IPsec
|
|
|
|
The "libreswan" package is replacing "openswan" in many distributions.
|
|
This plugin is replacing the original "openswan" plugin that it is
|
|
based on.
|
|
|
|
This plugin will now run for both "libreswan" and "openswan" packages,
|
|
or when the configuration file "/etc/ipsec.conf" is present.
|
|
|
|
Data collected now include configuration, current status, XFRM policy
|
|
and state, XFRM statistics, basic information about certificates and
|
|
the NSS database.
|
|
|
|
No private data (keys, certificates, secrets) are collected, authenti-
|
|
cation and encryption keys are removed from the output of
|
|
"ip xfrm state", and also from "ipsec barf" when running with the
|
|
"ipsec-barf" option set.
|
|
|
|
Signed-off-by: Stepan Broz <sbroz@redhat.com>
|
|
---
|
|
sos/plugins/{openswan.py => libreswan.py} | 37 ++++++++++++++++++-----
|
|
1 file changed, 30 insertions(+), 7 deletions(-)
|
|
rename sos/plugins/{openswan.py => libreswan.py} (50%)
|
|
|
|
diff --git a/sos/plugins/openswan.py b/sos/plugins/libreswan.py
|
|
similarity index 50%
|
|
rename from sos/plugins/openswan.py
|
|
rename to sos/plugins/libreswan.py
|
|
index ce5581320..717329b87 100644
|
|
--- a/sos/plugins/openswan.py
|
|
+++ b/sos/plugins/libreswan.py
|
|
@@ -1,4 +1,5 @@
|
|
# Copyright (C) 2007 Sadique Puthen <sputhenp@redhat.com>
|
|
+# Copyright (C) 2019 Red Hat Inc., Stepan Broz <sbroz@redhat.com>
|
|
|
|
# This file is part of the sos project: https://github.com/sosreport/sos
|
|
#
|
|
@@ -11,29 +12,38 @@
|
|
from sos.plugins import Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin
|
|
|
|
|
|
-class Openswan(Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin):
|
|
- """Openswan IPsec
|
|
+class Libreswan(Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin):
|
|
+ """Libreswan IPsec
|
|
"""
|
|
|
|
- plugin_name = 'openswan'
|
|
- profiles = ('network', 'security')
|
|
+ plugin_name = 'libreswan'
|
|
+ profiles = ('network', 'security', 'openshift')
|
|
option_list = [
|
|
("ipsec-barf", "collect the output of the ipsec barf command",
|
|
"slow", False)
|
|
]
|
|
|
|
files = ('/etc/ipsec.conf',)
|
|
- packages = ('openswan', 'libreswan')
|
|
+ packages = ('libreswan', 'openswan')
|
|
|
|
def setup(self):
|
|
self.add_copy_spec([
|
|
"/etc/ipsec.conf",
|
|
- "/etc/ipsec.d"
|
|
+ "/etc/ipsec.d",
|
|
+ "/proc/net/xfrm_stat"
|
|
])
|
|
|
|
# although this is 'verification' it's normally a very quick
|
|
# operation so is not conditional on --verify
|
|
- self.add_cmd_output("ipsec verify")
|
|
+ self.add_cmd_output([
|
|
+ 'ipsec verify',
|
|
+ 'ipsec whack --status',
|
|
+ 'ipsec whack --listall',
|
|
+ 'certutil -L -d sql:/etc/ipsec.d',
|
|
+ 'ip xfrm policy',
|
|
+ 'ip xfrm state'
|
|
+ ])
|
|
+
|
|
if self.get_option("ipsec-barf"):
|
|
self.add_cmd_output("ipsec barf")
|
|
|
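Review bot: The `add_copy_spec` call at the top of setup() copies `/etc/ipsec.d` recursively, and the new `certutil -L -d sql:/etc/ipsec.d` command confirms that directory holds the NSS database, whose key database file (`key4.db`, or `key3.db` in the legacy format) is where NSS keeps private keys, while the commit message states that no keys are collected. The forbidden-path list that excludes `*.secrets` begins above the third hunk, so I cannot see whether it also excludes those database files; if it does not, adding `'/etc/ipsec.d/*.db'` to that list would make the code match the stated intent. The added `ipsec whack --listall` and `whack --status` commands print public keys, certificates and connection state only, so the command list itself looks fine. setup() continues past the end of this hunk.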
|
@@ -44,4 +54,17 @@ def setup(self):
|
|
'/etc/ipsec.d/*.secrets'
|
|
])
|
|
|
|
+ def postproc(self):
|
|
+ # Remove any sensitive data.
|
|
+ # "ip xfrm state" output contains encryption or authentication private
|
|
+ # keys:
|
|
+ xfrm_state_regexp = r'(aead|auth|auth-trunc|enc)' \
|
|
+ r'(\s.*\s)(0x[0-9a-f]+)'
|
|
+ self.do_cmd_output_sub("state", xfrm_state_regexp,
|
|
+ r"\1\2********")
|
|
+
|
|
+ if self.get_option("ipsec-barf"):
|
|
+ self.do_cmd_output_sub("barf", xfrm_state_regexp,
|
|
+ r"\1\2********")
|
|
+
|
|
# vim: set et ts=4 sw=4 :
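Review bot: The key-scrubbing pattern in postproc() only matches lowercase hex (`0x[0-9a-f]+`), which is what `ip xfrm state` prints, but the same pattern is reused on the `ipsec barf` dump, whose format the plugin does not control; a case-insensitive class, `r'(\s.*\s)(0x[0-9a-fA-F]+)'`, costs nothing and avoids a silent miss. The `if self.get_option("ipsec-barf")` guard around the second substitution is redundant if `do_cmd_output_sub` is a no-op when no matching output was collected (I cannot confirm that from here), but it is harmless as an explicit marker of intent. As a point of style, the backslash line continuation building `xfrm_state_regexp` could be implicit concatenation inside parentheses, the form PEP 8 prefers.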
|