From 6b99c8d9cff7b3e8ae8f3204b99e7ea40f791349 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Sun, 25 Aug 2013 15:37:26 +0200 Subject: Imported Upstream version 5.1.0 --- .../tests/tnc/tnccs-11-radius-pts/description.txt | 14 + testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat | 19 + .../hosts/alice/etc/freeradius/eap.conf | 25 + .../hosts/alice/etc/freeradius/proxy.conf | 5 + .../alice/etc/freeradius/sites-available/default | 43 + .../etc/freeradius/sites-available/inner-tunnel | 32 + .../freeradius/sites-available/inner-tunnel-second | 36 + .../hosts/alice/etc/freeradius/users | 2 + .../hosts/alice/etc/pts/data.sql | 873 +++++++++++++++++++++ .../hosts/alice/etc/strongswan.conf | 13 + .../hosts/alice/etc/tnc/log4cxx.properties | 15 + .../tnccs-11-radius-pts/hosts/alice/etc/tnc_config | 4 + .../tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf | 23 + .../hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 14 + .../tnccs-11-radius-pts/hosts/carol/etc/tnc_config | 4 + .../tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf | 23 + .../hosts/dave/etc/ipsec.secrets | 3 + .../hosts/dave/etc/strongswan.conf | 17 + .../tnccs-11-radius-pts/hosts/dave/etc/tnc_config | 4 + .../tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf | 33 + .../hosts/moon/etc/ipsec.secrets | 3 + .../hosts/moon/etc/iptables.rules | 32 + .../hosts/moon/etc/strongswan.conf | 13 + testing/tests/tnc/tnccs-11-radius-pts/posttest.dat | 10 + testing/tests/tnc/tnccs-11-radius-pts/pretest.dat | 21 + testing/tests/tnc/tnccs-11-radius-pts/test.conf | 26 + 27 files changed, 1310 insertions(+) create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/description.txt create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/posttest.dat create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/pretest.dat create mode 100644 testing/tests/tnc/tnccs-11-radius-pts/test.conf (limited to 'testing/tests/tnc/tnccs-11-radius-pts') diff --git a/testing/tests/tnc/tnccs-11-radius-pts/description.txt b/testing/tests/tnc/tnccs-11-radius-pts/description.txt new file mode 100644 index 000000000..f71837b6d --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/description.txt @@ -0,0 +1,14 @@ +The roadwarriors carol and dave set up a connection each to gateway moon. +At the outset the gateway authenticates itself to the clients by sending an IKEv2 +RSA signature accompanied by a certificate. +carol and dave then set up an EAP-TTLS tunnel each via moon to the + +TNC@FHH-enhanced FreeRADIUS server alice authenticated by an X.509 AAA certificate. +The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of carol and dave via the IF-TNCCS 1.1 client-server interface. +The communication between the OS and Attestation IMC and the Attestation IMV is based on the + IF-M protocol defined by RFC 5792 PA-TNC. +

+carol passes the health test and dave fails. Based on these measurements the clients +are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, respectively. diff --git a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat new file mode 100644 index 000000000..e22b767f7 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat @@ -0,0 +1,19 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES +dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES +moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO +dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO + diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..31556361e --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,25 @@ +eap { + md5 { + } + default_eap_type = ttls + tls { + private_key_file = /etc/raddb/certs/aaaKey.pem + certificate_file = /etc/raddb/certs/aaaCert.pem + CA_file = /etc/raddb/certs/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = /etc/raddb/certs/dh + random_file = /etc/raddb/certs/random + } + ttls { + default_eap_type = md5 + use_tunneled_reply = yes + virtual_server = "inner-tunnel" + tnc_virtual_server = "inner-tunnel-second" + } +} + +eap eap_tnc { + default_eap_type = tnc + tnc { + } +} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..dd0825858 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,43 @@ +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel new file mode 100644 index 000000000..e088fae14 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel @@ -0,0 +1,32 @@ +server inner-tunnel { + +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second new file mode 100644 index 000000000..c5bde6a9e --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second @@ -0,0 +1,36 @@ +server inner-tunnel-second { + +authorize { + eap_tnc { + ok = return + } +} + +authenticate { + eap_tnc +} + +session { + radutmp +} + +post-auth { + if (control:TNC-Status == "Access") { + update reply { + Tunnel-Type := ESP + Filter-Id := "allow" + } + } + elsif (control:TNC-Status == "Isolate") { + update reply { + Tunnel-Type := ESP + Filter-Id := "isolate" + } + } + + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +} # inner-tunnel-second block diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql new file mode 100644 index 000000000..090eb47ff --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql @@ -0,0 +1,873 @@ +/* Products */ + +INSERT INTO products ( /* 1 */ + name +) VALUES ( + 'Debian 6.0 i686' +); + +INSERT INTO products ( /* 2 */ + name +) VALUES ( + 'Debian 6.0 x86_64' +); + +INSERT INTO products ( /* 3 */ + name +) VALUES ( + 'Debian 7.0 i686' +); + +INSERT INTO products ( /* 4 */ + name +) VALUES ( + 'Debian 7.0 x86_64' +); + +INSERT INTO products ( /* 5 */ + name +) VALUES ( + 'Debian 8.0 i686' +); + +INSERT INTO products ( /* 6 */ + name +) VALUES ( + 'Debian 8.0 x86_64' +); + +INSERT INTO products ( /* 7 */ + name +) VALUES ( + 'Ubuntu 10.04 i686' +); + +INSERT INTO products ( /* 8 */ + name +) VALUES ( + 'Ubuntu 10.04 x86_64' +); + +INSERT INTO products ( /* 9 */ + name +) VALUES ( + 'Ubuntu 10.10 i686' +); + +INSERT INTO products ( /* 10 */ + name +) VALUES ( + 'Ubuntu 10.10 x86_64' +); + +INSERT INTO products ( /* 11 */ + name +) VALUES ( + 'Ubuntu 11.04 i686' +); + +INSERT INTO products ( /* 12 */ + name +) VALUES ( + 'Ubuntu 11.04 x86_64' +); + +INSERT INTO products ( /* 13 */ + name +) VALUES ( + 'Ubuntu 11.10 i686' +); + +INSERT INTO products ( /* 14 */ + name +) VALUES ( + 'Ubuntu 11.10 x86_64' +); + +INSERT INTO products ( /* 15 */ + name +) VALUES ( + 'Ubuntu 12.04 i686' +); + +INSERT INTO products ( /* 16 */ + name +) VALUES ( + 'Ubuntu 12.04 x86_64' +); + +INSERT INTO products ( /* 17 */ + name +) VALUES ( + 'Ubuntu 12.10 i686' +); + +INSERT INTO products ( /* 18 */ + name +) VALUES ( + 'Ubuntu 12.10 x86_64' +); + +INSERT INTO products ( /* 19 */ + name +) VALUES ( + 'Ubuntu 13.04 i686' +); + +INSERT INTO products ( /* 20 */ + name +) VALUES ( + 'Ubuntu 13.04 x86_64' +); + +INSERT INTO products ( /* 21 */ + name +) VALUES ( + 'Android 4.1.1' +); + +INSERT INTO products ( /* 22 */ + name +) VALUES ( + 'Android 4.2.1' +); + +/* Directories */ + +INSERT INTO directories ( /* 1 */ + path +) VALUES ( + '/bin' +); + +INSERT INTO directories ( /* 2 */ + path +) VALUES ( + '/etc' +); + +INSERT INTO directories ( /* 3 */ + path +) VALUES ( + '/lib' +); + +INSERT INTO directories ( /* 4 */ + path +) VALUES ( + '/lib/i386-linux-gnu' +); + +INSERT INTO directories ( /* 5 */ + path +) VALUES ( + '/lib/x86_64-linux-gnu' +); + +INSERT INTO directories ( /* 6 */ + path +) VALUES ( + '/lib/xtables' +); + +INSERT INTO directories ( /* 7 */ + path +) VALUES ( + '/sbin' +); + +INSERT INTO directories ( /* 8 */ + path +) VALUES ( + '/usr/bin' +); + +INSERT INTO directories ( /* 9 */ + path +) VALUES ( + '/usr/lib' +); + +INSERT INTO directories ( /* 10 */ + path +) VALUES ( + '/usr/lib/i386-linux-gnu' +); + +INSERT INTO directories ( /* 11 */ + path +) VALUES ( + '/usr/lib/x86_64-linux-gnu' +); + +INSERT INTO directories ( /* 12 */ + path +) VALUES ( + '/usr/sbin' +); + +INSERT INTO directories ( /* 13 */ + path +) VALUES ( + '/system/bin' +); + +INSERT INTO directories ( /* 14 */ + path +) VALUES ( + '/system/lib' +); + +/* Files */ + +INSERT INTO files ( /* 1 */ + name, dir +) VALUES ( + 'libcrypto.so.1.0.0', 5 +); + +INSERT INTO files ( /* 2 */ + name, dir +) VALUES ( + 'libcrypto.so.1.0.0', 11 +); + +INSERT INTO files ( /* 3 */ + name, dir +) VALUES ( + 'libssl.so.1.0.0', 5 +); + +INSERT INTO files ( /* 4 */ + name, dir +) VALUES ( + 'libssl.so.1.0.0', 11 +); + +INSERT INTO files ( /* 5 */ + name, dir +) VALUES ( + 'openssl', 8 +); + +INSERT INTO files ( /* 6 */ + name, dir +) VALUES ( + 'tnc_config', 2 +); + +/* Algorithms */ + +INSERT INTO algorithms ( + id, name +) VALUES ( + 65536, 'SHA1-IMA' +); + +INSERT INTO algorithms ( + id, name +) VALUES ( + 32768, 'SHA1' +); + +INSERT INTO algorithms ( + id, name +) VALUES ( + 16384, 'SHA256' +); + +INSERT INTO algorithms ( + id, name +) VALUES ( + 8192, 'SHA384' +); + +/* File Hashes */ + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' +); + +/* Packages */ + +INSERT INTO packages ( /* 1 */ + name +) VALUES ( + 'libssl-dev' +); + +INSERT INTO packages ( /* 2 */ + name +) VALUES ( + 'libssl1.0.0' +); + +INSERT INTO packages ( /* 3 */ + name +) VALUES ( + 'libssl1.0.0-dbg' +); + +INSERT INTO packages ( /* 4 */ + name +) VALUES ( + 'openssl' +); + +/* Versions */ + +INSERT INTO versions ( + package, product, release, time +) VALUES ( + 1, 4, '1.0.1e-2', 1366531494 +); + +INSERT INTO versions ( + package, product, release, time +) VALUES ( + 2, 4, '1.0.1e-2', 1366531494 +); + +INSERT INTO versions ( + package, product, release, time +) VALUES ( + 3, 4, '1.0.1e-2', 1366531494 +); + +INSERT INTO versions ( + package, product, release, time +) VALUES ( + 4, 4, '1.0.1e-2', 1366531494 +); + +/* Components */ + +INSERT INTO components ( + vendor_id, name, qualifier +) VALUES ( + 36906, 1, 33 /* ITA TGRUB */ +); + +INSERT INTO components ( + vendor_id, name, qualifier +) VALUES ( + 36906, 2, 33 /* ITA TBOOT */ +); + +INSERT INTO components ( + vendor_id, name, qualifier +) VALUES ( + 36906, 3, 33 /* ITA IMA - Trusted Platform */ +); + +INSERT INTO components ( + vendor_id, name, qualifier +) VALUES ( + 36906, 3, 34 /* ITA IMA - Operating System */ +); + +/* Groups */ + +INSERT INTO groups ( /* 1 */ + name +) VALUES ( + 'Default' +); + +INSERT INTO groups ( /* 2 */ + name, parent +) VALUES ( + 'Linux', 1 +); + +INSERT INTO groups ( /* 3 */ + name, parent +) VALUES ( + 'Android', 1 +); + +INSERT INTO groups ( /* 4 */ + name, parent +) VALUES ( + 'Debian i686', 2 +); + +INSERT INTO groups ( /* 5 */ + name, parent +) VALUES ( + 'Debian x86_64', 2 +); + +INSERT INTO groups ( /* 6 */ + name, parent +) VALUES ( + 'Ubuntu i686', 2 +); + +INSERT INTO groups ( /* 7 */ + name, parent +) VALUES ( + 'Ubuntu x86_64', 2 +); + +INSERT INTO groups ( /* 8 */ + name +) VALUES ( + 'Reference' +); + +INSERT INTO groups ( /* 9 */ + name, parent +) VALUES ( + 'Ref. Android', 8 +); + +INSERT INTO groups ( /* 10 */ + name, parent +) VALUES ( + 'Ref. Linux', 8 +); + +/* Default Product Groups */ + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 1 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 3 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 5 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 2 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 4 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 6 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 6, 7 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 6, 9 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 6, 11 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 6, 13 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 6, 15 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 6, 17 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 6, 19 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 7, 8 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 7, 10 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 7, 12 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 7, 14 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 7, 16 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 7, 18 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 7, 20 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 3, 21 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 3, 22 +); + +/* Devices */ + +INSERT INTO devices ( /* 1 */ + value, product, created +) VALUES ( + 'aabbccddeeff11223344556677889900', 4, 1372330615 +); + +/* Groups Members */ + +INSERT INTO groups_members ( + group_id, device_id +) VALUES ( + 10, 1 +); + +/* Policies */ + +INSERT INTO policies ( /* 1 */ + type, name, rec_fail, rec_noresult +) VALUES ( + 1, 'Installed Packages', 2, 2 +); + +INSERT INTO policies ( /* 2 */ + type, name, rec_fail, rec_noresult +) VALUES ( + 2, 'Unknown Source', 2, 2 +); + +INSERT INTO policies ( /* 3 */ + type, name, rec_fail, rec_noresult +) VALUES ( + 3, 'IP Forwarding Enabled', 1, 1 +); + +INSERT INTO policies ( /* 4 */ + type, name, rec_fail, rec_noresult +) VALUES ( + 4, 'Default Factory Password Enabled', 1, 1 +); + +INSERT INTO policies ( /* 5 */ + type, name, file, rec_fail, rec_noresult +) VALUES ( + 6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2 +); + +INSERT INTO policies ( /* 6 */ + type, name, file, rec_fail, rec_noresult +) VALUES ( + 6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2 +); + +INSERT INTO policies ( /* 7 */ + type, name, file, rec_fail, rec_noresult +) VALUES ( + 6, 'Measure /usr/bin/openssl', 5, 2, 2 +); + +INSERT INTO policies ( /* 8 */ + type, name, rec_fail, rec_noresult +) VALUES ( + 11, 'No Open TCP Ports', 1, 1 +); + +INSERT INTO policies ( /* 9 */ + type, name, argument, rec_fail, rec_noresult +) VALUES ( + 13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1 +); + +INSERT INTO policies ( /* 10 */ + type, name, file, rec_fail, rec_noresult +) VALUES ( + 7, 'Metadata of /etc/tnc_config', 6, 0, 0 +); + +INSERT INTO policies ( /* 11 */ + type, name, dir, rec_fail, rec_noresult +) VALUES ( + 8, 'Get /bin', 1, 0, 0 +); + +INSERT INTO policies ( /* 12 */ + type, name, file, rec_fail, rec_noresult +) VALUES ( + 6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2 +); + +INSERT INTO policies ( /* 13 */ + type, name, file, rec_fail, rec_noresult +) VALUES ( + 6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2 +); + +INSERT INTO policies ( /* 14 */ + type, name, dir, rec_fail, rec_noresult +) VALUES ( + 8, 'Get /system/bin', 13, 0, 0 +); + +INSERT INTO policies ( /* 15 */ + type, name, dir, rec_fail, rec_noresult +) VALUES ( + 8, 'Get /system/lib', 14, 0, 0 +); + +INSERT INTO policies ( /* 16 */ + type, name, dir, rec_fail, rec_noresult +) VALUES ( + 9, 'Measure /bin', 1, 2, 2 +); + +/* Enforcements */ + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 2, 3, 0 +); + +INSERT INTO enforcements ( + policy, group_id, max_age, rec_fail, rec_noresult +) VALUES ( + 3, 2, 0, 2, 2 +); + +INSERT INTO enforcements ( + policy, group_id, max_age, rec_fail, rec_noresult +) VALUES ( + 3, 10, 0, 2, 2 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 5, 7, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 6, 7, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 7, 2, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 8, 1, 60 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 9, 1, 60 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 10, 2, 60 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 11, 10, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 12, 5, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 13, 5, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 14, 9, 0 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 15, 9, 0 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 16, 2, 0 +); diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..23f840f69 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +libimcv { + load = random nonce openssl pubkey sqlite + debug_level = 3 + database = sqlite:///etc/pts/config.db + policy_script = ipsec imv_policy_manager + assessment_result = no +} + +attest { + database = sqlite:///etc/pts/config.db +} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties new file mode 100644 index 000000000..2bdc6e4de --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties @@ -0,0 +1,15 @@ +# Set root logger level to DEBUG and its appenders to A1 and A2. +log4j.rootLogger=DEBUG, A1, A2 + +# A1 is set to be a ConsoleAppender. +log4j.appender.A1=org.apache.log4j.ConsoleAppender +log4j.appender.A1.layout=org.apache.log4j.PatternLayout +log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n + +# A2 is set to be a SyslogAppender +log4j.appender.A2=org.apache.log4j.net.SyslogAppender +log4j.appender.A2.Facility=DAEMON +log4j.appender.A2.SyslogHost=localhost +log4j.appender.A2.Threshold=DEBUG +log4j.appender.A2.layout=org.apache.log4j.PatternLayout +log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config new file mode 100644 index 000000000..b5ac8c178 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config @@ -0,0 +1,4 @@ +#IMV configuration file for strongSwan client + +IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so +IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..e9152e0d8 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..56c6b9f57 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no +} + +libimcv { + plugins { + imc-test { + command = allow + } + } +} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..15dc93a0a --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..25589bcf1 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..145ad9d2d --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf @@ -0,0 +1,17 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no +} + +libimcv { + plugins { + imc-test { + command = allow + } + imc-scanner { + push_info = no + } + } +} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..15dc93a0a --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..294964fe7 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=pubkey + leftfirewall=yes + rightauth=eap-radius + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..390c42ccf --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown + multiple_authentication=no + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + filter_id = yes + } + } +} diff --git a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat new file mode 100644 index 000000000..dc8507d26 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::killall radiusd +alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second +alice::rm /etc/pts/config.db +carol::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat new file mode 100644 index 000000000..5f94f8dbb --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat @@ -0,0 +1,21 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +carol::echo 0 > /proc/sys/net/ipv4/ip_forward +dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id +alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second +alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second +alice::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db +alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd +alice::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +moon::ipsec start +dave::ipsec start +carol::ipsec start +dave::sleep 1 +dave::ipsec up home +carol::ipsec up home +carol::sleep 1 +alice::ipsec attest --sessions +alice::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-11-radius-pts/test.conf b/testing/tests/tnc/tnccs-11-radius-pts/test.conf new file mode 100644 index 000000000..f23a19329 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + -- cgit v1.2.3