author | Stepan Broz <sbroz@redhat.com> | 2019-09-26 12:56:00 +0200 |
---|---|---|
committer | Bryn M. Reeves <bmr@redhat.com> | 2019-10-01 15:00:14 +0100 |
commit | 9f3f4fe616547a704ae64bc340d834dd93ed84c0 (patch) | |
tree | 45b4a41a66fa889d3eda5b74a12bcf6f7d98db8e | |
parent | 66ff2902dc934b4c6b69baaf917f46dc4bd0d534 (diff) | |
[libreswan] New plugin for "libreswan" IPsec
The "libreswan" package is replacing "openswan" in many distributions.
This plugin is replacing the original "openswan" plugin that it is
based on.
This plugin will now run for both "libreswan" and "openswan" packages,
or when the configuration file "/etc/ipsec.conf" is present.
Data collected now include configuration, current status, XFRM policy
and state, XFRM statistics, basic information about certificates and
the NSS database.
No private data (keys, certificates, secrets) are collected; authentication
and encryption keys are removed from the output of "ip xfrm state", and
also from "ipsec barf" when running with the "ipsec-barf" option set.
Resolves: #1733
Signed-off-by: Stepan Broz <sbroz@redhat.com>
Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
-rw-r--r-- | sos/plugins/libreswan.py (renamed from sos/plugins/openswan.py) | 37 |
1 files changed, 30 insertions, 7 deletions
diff --git a/sos/plugins/openswan.py b/sos/plugins/libreswan.py index ce558132..717329b8 100644 --- a/sos/plugins/openswan.py +++ b/sos/plugins/libreswan.py @@ -1,4 +1,5 @@ # Copyright (C) 2007 Sadique Puthen <sputhenp@redhat.com> +# Copyright (C) 2019 Red Hat Inc., Stepan Broz <sbroz@redhat.com> # This file is part of the sos project: https://github.com/sosreport/sos # @@ -11,29 +12,38 @@ from sos.plugins import Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin -class Openswan(Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin): - """Openswan IPsec +class Libreswan(Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin): + """Libreswan IPsec """ - plugin_name = 'openswan' - profiles = ('network', 'security') + plugin_name = 'libreswan' + profiles = ('network', 'security', 'openshift') option_list = [ ("ipsec-barf", "collect the output of the ipsec barf command", "slow", False) ] files = ('/etc/ipsec.conf',) - packages = ('openswan', 'libreswan') + packages = ('libreswan', 'openswan') def setup(self): self.add_copy_spec([ "/etc/ipsec.conf", - "/etc/ipsec.d" + "/etc/ipsec.d", + "/proc/net/xfrm_stat" ]) # although this is 'verification' it's normally a very quick # operation so is not conditional on --verify - self.add_cmd_output("ipsec verify") + self.add_cmd_output([ + 'ipsec verify', + 'ipsec whack --status', + 'ipsec whack --listall', + 'certutil -L -d sql:/etc/ipsec.d', + 'ip xfrm policy', + 'ip xfrm state' + ]) + if self.get_option("ipsec-barf"): self.add_cmd_output("ipsec barf") 
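Review bot: `ipsec whack --listall` in the new add_cmd_output list covers libreswan's PSK listing as well as the public-key, certificate and CRL listings; as far as I recall pluto prints only the secret's identities there and not the key value, but that should be confirmed for every supported libreswan/openswan version before this output lands in a shareable report, and recorded next to the call, e.g. `# --listall prints pubkeys/certs/CRLs and PSK *ids* only, never secret values`. If any version does print PSK values, enumerate the safe listings explicitly (`--listpubkeys --listcerts --listcacerts --listcrls`) instead of `--listall`. It is also worth a comment on the `'ip xfrm state'` entry that the output is collected with keys intact and depends on postproc() to scrub them, so nobody later drops that method thinking it is cosmetic. The setup() body continues past the end of this hunk.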
@@ -44,4 +54,17 @@ class Openswan(Plugin, RedHatPlugin, DebianPlugin, UbuntuPlugin): '/etc/ipsec.d/*.secrets' ]) + def postproc(self): + # Remove any sensitive data. + # "ip xfrm state" output contains encryption or authentication private + # keys: + xfrm_state_regexp = r'(aead|auth|auth-trunc|enc)' \ + r'(\s.*\s)(0x[0-9a-f]+)' + self.do_cmd_output_sub("state", xfrm_state_regexp, + r"\1\2********") + + if self.get_option("ipsec-barf"): + self.do_cmd_output_sub("barf", xfrm_state_regexp, + r"\1\2********") + # vim: set et ts=4 sw=4 : |
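Review bot: The context line `'/etc/ipsec.d/*.secrets' ])` at the top of the hunk looks like the tail of the forbidden-path list inherited from the openswan plugin, and because setup() now copies `/etc/ipsec.d` recursively, libreswan's NSS database password file `/etc/ipsec.d/nsspassword` and any legacy `/etc/ipsec.d/private/` key directory would be captured unless entries earlier in that list (outside this hunk) already exclude them; I would add `"/etc/ipsec.d/nsspassword"` and `"/etc/ipsec.d/private"` to it. In postproc(), `xfrm_state_regexp` only redacts lowercase `0x` hex following an `aead`/`auth`/`auth-trunc`/`enc` token, which matches what `ip xfrm state` prints, but `ipsec barf` emits far more than xfrm state, so the comment above the second do_cmd_output_sub should make the limit explicit, e.g. `# barf embeds "ip xfrm state"; only those keys are scrubbed, the rest of barf is collected as-is`. The `if self.get_option("ipsec-barf")` guard around that second substitution should be a no-op either way, since no "barf" command output exists when the option is off, so it can be dropped to keep postproc() flat.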