From 56adda043ed5f4e04c12aec2d6ebbca2372332b8 Mon Sep 17 00:00:00 2001 
From: root Date: Sun, 5 Nov 2017 06:08:37 +0100 Subject: Initial commit --- modules-available/usblockoff/api.inc.php | 59 ++++++ modules-available/usblockoff/config.json | 4 + .../usblockoff/inc/default-configs/rules.conf | 0 .../inc/default-configs/usbguard-daemon.conf | 160 ++++++++++++++ modules-available/usblockoff/install.inc.php | 31 +++ modules-available/usblockoff/lang/de/module.json | 4 + modules-available/usblockoff/lang/de/rule.json | 19 ++ .../usblockoff/lang/de/template-tags.json | 14 ++ modules-available/usblockoff/lang/en/module.json | 4 + modules-available/usblockoff/lang/en/rule.json | 19 ++ .../usblockoff/lang/en/template-tags.json | 14 ++ modules-available/usblockoff/page.inc.php | 234 +++++++++++++++++++++ .../usblockoff/templates/server-prop-bool.html | 16 ++ .../usblockoff/templates/server-prop-dropdown.html | 19 ++ .../usblockoff/templates/server-prop-generic.html | 16 ++ .../usblockoff/templates/usb-choose-config.html | 118 +++++++++++ .../usblockoff/templates/usb-configuration.html | 91 ++++++++ .../usblockoff/templates/usb-device-list.html | 170 +++++++++++++++ 18 files changed, 992 insertions(+) create mode 100644 modules-available/usblockoff/api.inc.php create mode 100644 modules-available/usblockoff/config.json create mode 100644 modules-available/usblockoff/inc/default-configs/rules.conf create mode 100644 modules-available/usblockoff/inc/default-configs/usbguard-daemon.conf create mode 100644 modules-available/usblockoff/install.inc.php create mode 100644 modules-available/usblockoff/lang/de/module.json create mode 100644 modules-available/usblockoff/lang/de/rule.json create mode 100644 modules-available/usblockoff/lang/de/template-tags.json create mode 100644 modules-available/usblockoff/lang/en/module.json create mode 100644 modules-available/usblockoff/lang/en/rule.json create mode 100644 modules-available/usblockoff/lang/en/template-tags.json create mode 100644 modules-available/usblockoff/page.inc.php create mode 100644 
modules-available/usblockoff/templates/server-prop-bool.html create mode 100644 modules-available/usblockoff/templates/server-prop-dropdown.html create mode 100644 modules-available/usblockoff/templates/server-prop-generic.html create mode 100644 modules-available/usblockoff/templates/usb-choose-config.html create mode 100644 modules-available/usblockoff/templates/usb-configuration.html create mode 100644 modules-available/usblockoff/templates/usb-device-list.html (limited to 'modules-available/usblockoff')
diff --git a/modules-available/usblockoff/api.inc.php b/modules-available/usblockoff/api.inc.php
new file mode 100644
index 00000000..9029819d
--- /dev/null
+++ b/modules-available/usblockoff/api.inc.php
@@ -0,0 +1,59 @@
+ $ip));
+ $client = Database::queryFirst("SELECT m.machineuuid AS 'muid', m.currentuser AS 'user' FROM machine AS m WHERE m.clientip=:ip", array('ip' => $ip));
+
+ // TODO: Same device when ID/Serial/Name are the same? Maybe hash value but the hash value can be different on multiple unix.
+ $dbresult = Database::queryFirst("SELECT uid FROM `usb_devices` WHERE id=:id AND serial=:serialnr AND name=:name", array(
+ 'id' => $id, 'serialnr' => $serial, 'name' => $name));
+ if (empty($dbresult)) {
+ $dbquery = Database::exec("INSERT INTO `usb_devices` (id, serial, name, machineuuid, time, user, ruleInformation) VALUES (:id, :serialnr,
+ :name, :machineuuid, :now, :user, :ruleInformation)", array('id' => $id, 'serialnr' => $serial, 'name' => $name, 'machineuuid' => $client['muid'], 'now' => $NOW,
+ 'user' => $client['user'], 'ruleInformation' => json_encode($ruleInformation)));
+ echo "Successfully added";
+ } else {
+ $dbquery = Database::exec("UPDATE `usb_devices` SET machineuuid=:machineuuid, time=:now, user=:user, ruleInformation=:ruleInformation WHERE id=:id AND serial=:serialnr AND name=:name",
+ array('id' => $id, 'serialnr' => $serial, 'name' => $name, 'machineuuid' => $client['muid'], 'now' => $NOW, 'user' => $client['user'], 'ruleInformation' => json_encode($ruleInformation)));
+ echo "Successfully updated";
+ }
+
+}
+
+/**
+ * Deletes a device from the db given a serial number.
+ *
+ * @param string $serial USB-Device serial number.
+ */
+function deleteDevice($serial) {
+ $dbquery = Database::exec("DELETE FROM `usb_devices` WHERE serial=:serial", array('serial' => $serial));
+}
diff --git a/modules-available/usblockoff/config.json b/modules-available/usblockoff/config.json
new file mode 100644
index 00000000..59b54a80
--- /dev/null
+++ b/modules-available/usblockoff/config.json
@@ -0,0 +1,4 @@
+{
+ "category":"main.beta",
+ "dependencies": ["bootstrap_switch", "bootstrap_dialog"]
+}
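Review bot: `deleteDevice()` removes rows by `serial` alone, while the insert/update just above it keys a device on the triple `id`, `serial`, `name`; a call with an empty serial (many USB devices report none) would delete every serial-less row, and a serial shared across a product line deletes all of them. The delete should use the same key as the upsert, e.g. `DELETE FROM usb_devices WHERE id=:id AND serial=:serial AND name=:name` with the caller supplying all three, or at minimum refuse an empty `$serial` before touching the table. Separately, `$client` is the result of a lookup by `m.clientip=:ip` and can be `false` when no machine row matches, after which `$client['muid']` and `$client['user']` are silently stored as null; an `if ($client === false) { return; }` guard before the upsert is cheap. The head of this file — how `$ip`, `$id`, `$serial`, `$name` and `$ruleInformation` are obtained, and whether the caller is authenticated beyond its source address — is not visible in the hunk, so I cannot judge how much trust those inputs deserve.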
diff --git a/modules-available/usblockoff/inc/default-configs/rules.conf b/modules-available/usblockoff/inc/default-configs/rules.conf
new file mode 100644
index 00000000..e69de29b
diff --git a/modules-available/usblockoff/inc/default-configs/usbguard-daemon.conf b/modules-available/usblockoff/inc/default-configs/usbguard-daemon.conf
new file mode 100644
index 00000000..44f2d66c
--- /dev/null
+++ b/modules-available/usblockoff/inc/default-configs/usbguard-daemon.conf
@@ -0,0 +1,160 @@
+#
+# Rule set file path.
+#
+# The USBGuard daemon will use this file to load the policy
+# rule set from it and to write new rules received via the
+# IPC interface.
+#
+# RuleFile=/path/to/rules.conf
+#
+RuleFile=/usr/local/etc/usbguard/rules.conf
+
+#
+# Implicit policy target.
+#
+# How to treat devices that don't match any rule in the
+# policy. One of:
+#
+# * allow - authorize the device
+# * block - block the device
+# * reject - remove the device
+#
+ImplicitPolicyTarget=allow
+
+#
+# Present device policy.
+#
+# How to treat devices that are already connected when the
+# daemon starts. One of:
+#
+# * allow - authorize every present device
+# * block - deauthorize every present device
+# * reject - remove every present device
+# * keep - just sync the internal state and leave it
+# * apply-policy - evaluate the ruleset for every present
+# device
+#
+PresentDevicePolicy=apply-policy
+
+#
+# Present controller policy.
+#
+# How to treat USB controllers that are already connected
+# when the daemon starts. One of:
+#
+# * allow - authorize every present device
+# * block - deauthorize every present device
+# * reject - remove every present device
+# * keep - just sync the internal state and leave it
+# * apply-policy - evaluate the ruleset for every present
+# device
+#
+PresentControllerPolicy=keep
+
+#
+# Inserted device policy.
+#
+# How to treat USB devices that are already connected
+# *after* the daemon starts. One of:
+#
+# * block - deauthorize every present device
+# * reject - remove every present device
+# * apply-policy - evaluate the ruleset for every present
+# device
+#
+InsertedDevicePolicy=apply-policy
+
+#
+# Restore controller device state.
+#
+# The USBGuard daemon modifies some attributes of controller
+# devices like the default authorization state of new child device
+# instances.
Using this setting, you can controll whether the
+# daemon will try to restore the attribute values to the state
+# before modificaton on shutdown.
+#
+# SECURITY CONSIDERATIONS: If set to true, the USB authorization
+# policy could be bypassed by performing some sort of attack on the
+# daemon (via a local exploit or via a USB device) to make it shutdown
+# and restore to the operating-system default state (known to be permissive).
+#
+RestoreControllerDeviceState=false
+
+#
+# Device manager backend
+#
+# Which device manager backend implementation to use. One of:
+#
+# * uevent - Netlink based implementation which uses sysfs to scan for present
+# devices and an uevent netlink socket for receiving USB device
+# related events.
+# * dummy - A dummy device manager which simulates several devices and device
+# events. Useful for testing.
+#
+DeviceManagerBackend=uevent
+
+#!!! WARNING: It's good practice to set at least one of the !!!
+#!!! two options bellow. If none of them are set, !!!
+#!!! the daemon will accept IPC connections from !!!
+#!!! anyone, thus allowing anyone to modify the !!!
+#!!! rule set and (de)authorize USB devices. !!!
+
+#
+# Users allowed to use the IPC interface.
+#
+# A space delimited list of usernames that the daemon will
+# accept IPC connections from.
+#
+# IPCAllowedUsers=username1 username2 ...
+#
+IPCAllowedUsers=root
+
+#
+# Groups allowed to use the IPC interface.
+#
+# A space delimited list of groupnames that the daemon will
+# accept IPC connections from.
+#
+# IPCAllowedGroups=groupname1 groupname2 ...
+#
+IPCAllowedGroups=
+
+#
+# IPC access control definition files path.
+#
+# The files at this location will be interpreted by the daemon
+# as access control definition files. The (base)name of a file
+# should be in the form:
+#
+# [user][:]
+#
+# and should contain lines in the form:
+#
+#
=[privilege] ...
+#
+# This way each file defines who is able to connect to the IPC
+# bus and what privileges he has.
+#
+IPCAccessControlFiles=/usr/local/etc/usbguard/IPCAccessControl.d/
+
+#
+# Generate device specific rules including the "via-port"
+# attribute.
+#
+# This option modifies the behavior of the allowDevice
+# action. When instructed to generate a permanent rule,
+# the action can generate a port specific rule. Because
+# some systems have unstable port numbering, the generated
+# rule might not match the device after rebooting the system.
+#
+# If set to false, the generated rule will still contain
+# the "parent-hash" attribute which also defines an association
+# to the parent device. See usbguard-rules.conf(5) for more
+# details.
+#
+DeviceRulesWithPort=false
+
+#
+# USBGuard audit events log file path.
+#
+AuditFilePath=/usr/local/var/log/usbguard/usbguard-audit.log
diff --git a/modules-available/usblockoff/install.inc.php b/modules-available/usblockoff/install.inc.php
new file mode 100644
index 00000000..690f45d4
--- /dev/null
+++ b/modules-available/usblockoff/install.inc.php
@@ -0,0 +1,31 @@
+",
+ "lang_deleteConfigMessage": "Sind sie sicher, dass sie die Konfiguration Löschen wollen?"
+}
diff --git a/modules-available/usblockoff/lang/en/module.json b/modules-available/usblockoff/lang/en/module.json
new file mode 100644
index 00000000..bfde75fe
--- /dev/null
+++ b/modules-available/usblockoff/lang/en/module.json
@@ -0,0 +1,4 @@
+{
+ "module_name": "USB Lock-Off",
+ "page_title": "USB Lock-Off"
+}
diff --git a/modules-available/usblockoff/lang/en/rule.json b/modules-available/usblockoff/lang/en/rule.json
new file mode 100644
index 00000000..d2e7b8ca
--- /dev/null
+++ b/modules-available/usblockoff/lang/en/rule.json
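Review bot: The shipped default sets `ImplicitPolicyTarget=allow`, and the default `rules.conf` added in the same commit is empty (0 lines in the diffstat), so a client started with this configuration authorizes every USB device that is plugged in — the opposite of what a lock-off module exists for. The file's own comment lists `block` as an alternative; shipping `ImplicitPolicyTarget=block` as the default (leaving `PresentDevicePolicy=apply-policy` as is) makes the empty rule set fail closed, and an administrator who wants allow-by-default can still select it in the UI. If allow-by-default is deliberate for the beta so that nothing breaks during rollout, that decision deserves a comment directly above the directive, e.g. `# NOTE: allow-by-default during beta rollout; switch to block once rule sets are deployed`. Whether the daemon on the client actually honours this file depends on how the configuration is delivered, which is outside this commit.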
@@ -0,0 +1,19 @@
+{
+ "abr_helptext": "allow: authorize the device.\u000Dblock: block the device.\u000DReject: remove the device from the system.",
+ "id": "ID",
+ "id_helptext": "ID of the USB-device.",
+ "serial": "Serialnumber",
+ "serial_helptext": "Serialnumber of the USB-device.",
+ "name": "Name",
+ "name_helptext": "Name of the USB-device.",
+ "hash": "Hash value",
+ "hash_helptext": "Hash value of the USB-device. Calculated via USBGuard through sodium or gcrypt.",
+ "parent-hash": "Parent-hash value",
+ "parent-hash_helptext": "Hash value of the Client the USB-device was connected.",
+ "via-port": "Via port",
+ "via-port_helptext": "Accepted USB-port(s) for the USB-device.",
+ "with-interface": "Interfaces",
+ "with-interface_helptext": "Interfaces of the USB-device.",
+ "interface-policy": "interface-policy",
+ "interface-policy_helptext": "Per-interface authorisation."
+}
diff --git a/modules-available/usblockoff/lang/en/template-tags.json b/modules-available/usblockoff/lang/en/template-tags.json
new file mode 100644
index 00000000..20529d4a
--- /dev/null
+++ b/modules-available/usblockoff/lang/en/template-tags.json
@@ -0,0 +1,14 @@
+{
+ "lang_howToRuleLang": "Usage of the Rule Language.",
+ "lang_device": "usb device",
+ "lang_devices": "usb devices",
+ "lang_general": "General",
+ "lang_config": "Configuration",
+ "lang_config_helptext": "Create a new configuration or choose one to load and edit it",
+ "lang_configName": "Configuration name",
+ "lang_configName_helptext": "The name of the configuration",
+ "lang_deleteConfig": "Delete configuration",
+ "lang_deleteConfig_helptext": "Delets the configuration",
+ "lang_createNewConfig": "",
+ "lang_deleteConfigMessage": "Are you sure you want to delete the configuration?"
+}
diff --git a/modules-available/usblockoff/page.inc.php b/modules-available/usblockoff/page.inc.php
new file mode 100644
index 00000000..e2effad4
--- /dev/null
+++ b/modules-available/usblockoff/page.inc.php
@@ -0,0 +1,234 @@
+action = Request::post('action');
+ error_log($this->action);
+
+ if ($this->action === 'updateConfig') {
+ $this->updateConfig();
+ } elseif ($this->action === 'deleteConfig') {
+ $this->deleteConfig();
+ }
+ // elseif ($this->action === 'addDevices') {
+ // $this->addDevices();
+ //}
+ }
+
+ /**
+ * Menu etc. has already been generated, now it's time to generate page content.
+ */
+ protected function doRender() {
+ $this->loadConfigChooser();
+ }
+
+
+ protected function loadConfigChooser() {
+ $dbquery = Database::simpleQuery("SELECT configid, configname FROM `usb_configs`");
+ $configs = array();
+ while ($dbentry = $dbquery->fetch(PDO::FETCH_ASSOC)) {
+ $config['config_id'] = $dbentry['configid'];
+ $config['config_name'] = $dbentry['configname'];
+ $configs[] = $config;
+ }
+
+ Render::addTemplate('usb-choose-config', array( 'config_list' => array_values($configs)));
+ }
+
+ protected function deleteConfig() {
+ $configID = Request::post('id', 0, 'int');
+
+ if ($configID != 0) {
+ Database::exec("DELETE FROM `usb_configs` WHERE configid=:configid", array('configid' => $configID));
+ }
+
+ Util::redirect('?do=usblockoff');
+ }
+
+ protected function updateConfig() {
+ // Add new settings in usbguard-daemon.conf here:
+ $result['RuleFile'] = Request::post('RuleFile', '', 'string');
+ $result['ImplicitPolicyTarget'] = Request::post('ImplicitPolicyTarget', '', 'string');
+ $result['PresentDevicePolicy'] = Request::post('PresentDevicePolicy', '', 'string');
+ $result['PresentControllerPolicy'] = Request::post('PresentControllerPolicy', '', 'string');
+ $result['InsertedDevicePolicy'] = Request::post('InsertedDevicePolicy', '', 'string');
+ $result['RestoreControllerDeviceState'] = Request::post('RestoreControllerDeviceState', '', 'string');
+ $result['DeviceManagerBackend'] = Request::post('DeviceManagerBackend', '', 'string');
+ $result['IPCAllowedUsers'] = Request::post('IPCAllowedUsers', '', 'string');
+ $result['IPCAllowedGroups'] = 
Request::post('IPCAllowedGroups', '', 'string');
+ $result['IPCAccessControlFiles'] = Request::post('IPCAccessControlFiles', '', 'string');
+ $result['DeviceRulesWithPort'] = Request::post('DeviceRulesWithPort', '', 'string');
+ $result['AuditFilePath'] = Request::post('AuditFilePath', '', 'string');
+ $result['rules'] = Request::post('rules', '', 'string');
+
+ $id = Request::post('id', 0, 'int');
+ $configname = Request::post('configName', '', 'string');
+ $dbquery = Database::queryFirst("SELECT * FROM `usb_configs` WHERE configid=:id", array('id' => $id));
+
+ // Load daemon.conf from db else load default
+ if ($dbquery !== false) {
+ $daemonConf = explode("\r\n", $dbquery['daemonconfig']);
+ } else {
+ $currentdir = getcwd();
+ $file = $currentdir . '/modules/usblockoff/inc/default-configs/usbguard-daemon.conf';
+ $daemonConf = file($file);
+ }
+ $newDaemonConf = array();
+
+ foreach ($daemonConf as $line) {
+ $t_line = trim($line, "\r\n");
+ if ($t_line == '' || $t_line[0] == '#') {
+ $newDaemonConf[] = $line . 
"\r\n";
+ continue;
+ } else {
+ $splitstr = explode('=', $line);
+
+ $splitstr[1] = $result[$splitstr[0]];
+ $newDaemonConf[] = implode('=', $splitstr)."\r\n";
+ }
+ }
+
+ // INSERT IN DB
+ if ($id == '0') {
+ $dbquery = Database::exec("INSERT INTO `usb_configs` (configname, rulesconfig, daemonconfig) VALUES (:configname, :rulesconfig, :daemonconfig)",
+ array('configname' => $configname, 'rulesconfig' => $result['rules'], 'daemonconfig' => implode($newDaemonConf)));
+ } else {
+ $dbquery = Database::exec("UPDATE `usb_configs` SET configname=:configname, rulesconfig=:rulesconfig, daemonconfig=:daemonconfig WHERE configid=:configid",
+ array('configid' => $id,'configname' => $configname, 'rulesconfig' => $result['rules'], 'daemonconfig' => implode($newDaemonConf)));
+ }
+ }
+
+ /**
+ * AJAX
+ */
+ protected function doAjax()
+ {
+ User::load();
+ if (!User::isLoggedIn()) {
+ die('Unauthorized');
+ }
+ $action = Request::any('action');
+ if ($action === 'deviceList') {
+ $this->ajaxDeviceList();
+ } elseif ($action === 'loadConfig') {
+ $id = Request::any('id', 0, 'int');
+ $this->ajaxConfig($id);
+ }
+ }
+
+ private function ajaxConfig($id) {
+
+ $form = array();
+ $rulesConf;
+
+ if($id == 0) {
+ $currentdir = getcwd();
+
+ $rulesConf = file_get_contents($currentdir . '/modules/usblockoff/inc/default-configs/rules.conf');
+ $daemonConf = file($currentdir . '/modules/usblockoff/inc/default-configs/usbguard-daemon.conf');
+ } else {
+ $dbquery = Database::queryFirst("SELECT * FROM `usb_configs` WHERE configid=:id", array('id' => $id));
+ $daemonConf = explode("\r\n", $dbquery['daemonconfig']);
+ $rulesConf = $dbquery['rulesconfig'];
+ }
+
+ $element = array();
+ $hlptxt = '';
+
+ foreach ($daemonConf as $line) {
+ $t_line = trim($line, "\r\n");
+ if ($t_line == '#' || $t_line == '' || strpos($t_line, '#!!!') !== false) {
+ continue;
+ } elseif ($t_line[0] == '#') {
+ $ttxt = trim($line, "#");
+ $hlptxt .= $ttxt . '
';
+ } else {
+ $splitstr = explode('=', $t_line);
+ $element['name'] = $splitstr[0];
+ $element['value'] = $splitstr[1];
+ $element['helptext'] = $hlptxt;
+
+ $form[] = $element;
+ $hlptxt = '';
+ }
+ }
+
+ echo Render::parse('usb-configuration', array(
+ 'list' => array_values($form),
+ 'rules' => $rulesConf,
+ ));
+ }
+
+ private function ajaxDeviceList() {
+
+ $usbdevices = array();
+
+ $dbquery = Database::simpleQuery("SELECT * FROM `usb_devices`");
+ while ($entry = $dbquery->fetch(PDO::FETCH_ASSOC)) {
+ $locationquery = Database::queryFirst("SELECT l.locationname AS 'name', m.clientip AS 'ip' FROM machine AS m JOIN location AS l ON l.locationid=m.locationid
+ WHERE m.machineuuid=:machineuuid", array( 'machineuuid' => $entry['machineuuid']));
+
+ $device['uid'] = $entry['uid'];
+ $device['id'] = $entry['id'];
+ $device['name'] = $entry['name'];
+ $device['serial'] = $entry['serial'];
+ $device['machineuuid'] = $entry['machineuuid'];
+ $device['user'] = $entry['user'];
+ $device['clientip'] = $locationquery['ip'];
+ $device['date'] = date('d.m.Y', $entry['time']);
+ $device['time'] = date('G:i', $entry['time']);
+ $device['location'] = $locationquery['name'];
+ $ruleInformation = json_decode($entry['ruleInformation'], true);
+ $device['hash'] = $ruleInformation['hash'];
+ $device['parent-hash'] = $ruleInformation['parent-hash'];
+ $device['via-port'] = $ruleInformation['via-port'];
+ $device['with-interface'] = $ruleInformation['with-interface'];
+ $usbdevices[] = $device;
+ }
+
+ $settings = array();
+ $setting = array();
+ $setting['title'] = "Action";
+ $setting['select_list'] = array(array(
+ 'option' => 'allow',
+ 'active' => true,
+ ), array(
+ 'option' => 'block',
+ 'active' => false,
+ ), array(
+ 'option' => 'reject',
+ 'active' => false,
+ ));
+ $setting['helptext'] = array('helptext' => Dictionary::translateFile('rule', 'abr_helptext'));
+ $setting['property'] = 'action';
+ $setting['settingHtml'] = Render::parse('server-prop-dropdown', 
(array)$setting);
+ $settings[] = $setting;
+
+ $ruleValues = array('id' => true, 'serial' => true, 'name' => true, 'hash' => false, 'parent-hash' => false, 'via-port' => false, 'with-interface' => false, 'interface-policy' => false);
+ foreach ($ruleValues as $key => $value) {
+ $settings[] = array(
+ 'settingHtml' => Render::parse('server-prop-bool', array('title' => Dictionary::translateFile('rule', $key),
+ 'helptext' => array('helptext' => Dictionary::translateFile('rule', $key . "_helptext")),
+ 'property' => $key, 'currentvalue' => $value)),
+ );
+ }
+
+ echo Render::parse('usb-device-list', array(
+ 'list' => array_values($usbdevices),
+ 'settings' => array_values($settings)
+ ));
+ }
+}
diff --git a/modules-available/usblockoff/templates/server-prop-bool.html b/modules-available/usblockoff/templates/server-prop-bool.html
new file mode 100644
index 00000000..f430d02c
--- /dev/null
+++ b/modules-available/usblockoff/templates/server-prop-bool.html
@@ -0,0 +1,16 @@
+
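Review bot: `updateConfig()` copies every POSTed value straight into the generated `usbguard-daemon.conf` through `$splitstr[1] = $result[$splitstr[0]]` without validating it, so a value containing a CR or LF appends arbitrary extra directives to the file (for instance re-adding `ImplicitPolicyTarget=allow` after a `block`), and an out-of-range value for an enumerated directive yields a config the daemon may refuse to load. `explode('=', $line)` also splits on every `=`, so a stored value that itself contains `=` loses everything after the first one, a directive present in the stored config but absent from `$result` raises a notice and is written out empty, and comment lines read via `file()` keep their own `\n` ahead of the appended `\r\n`. I would whitelist the enumerated directives against the values the default config documents, reject CR/LF in every single-line value, and split on the first `=` only, as sketched below; the module's usual way of reporting a rejected form is not visible in this hunk, so the sketch only redirects. The class header and the start of `doPreprocess()` lie outside the hunk, so I cannot tell whether these POST handlers sit behind the same login check that `doAjax()` performs.
```php
// … unchanged: reading the POSTed values into $result …
// Values the daemon accepts for its enumerated directives (see the default usbguard-daemon.conf).
$allowed = array(
    'ImplicitPolicyTarget' => array('allow', 'block', 'reject'),
    'PresentDevicePolicy' => array('allow', 'block', 'reject', 'keep', 'apply-policy'),
    'PresentControllerPolicy' => array('allow', 'block', 'reject', 'keep', 'apply-policy'),
    'InsertedDevicePolicy' => array('block', 'reject', 'apply-policy'),
    'RestoreControllerDeviceState' => array('true', 'false'),
    'DeviceManagerBackend' => array('uevent', 'dummy'),
    'DeviceRulesWithPort' => array('true', 'false'),
);
foreach ($result as $key => $value) {
    // A CR or LF inside a single-line directive would add further directives to the generated file.
    if ($key !== 'rules' && preg_match('/[\r\n]/', $value)) {
        Util::redirect('?do=usblockoff'); // TODO: report the rejected value to the user
    }
    if (isset($allowed[$key]) && !in_array($value, $allowed[$key], true)) {
        Util::redirect('?do=usblockoff'); // TODO: report the rejected value to the user
    }
}
// … unchanged: load the stored daemon config or the default file …
foreach ($daemonConf as $line) {
    $t_line = trim($line, "\r\n");
    if ($t_line == '' || $t_line[0] == '#') {
        $newDaemonConf[] = $t_line . "\r\n";
        continue;
    }
    // Split on the first '=' only; paths and lists may themselves contain '='.
    list($key) = explode('=', $t_line, 2);
    $newDaemonConf[] = $key . '=' . (isset($result[$key]) ? $result[$key] : '') . "\r\n";
}
// … unchanged: INSERT / UPDATE of usb_configs …
```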
+
+
+
+ +
+
+ {{#helptext}} + + + + {{/helptext}} +
+
+
\ No newline at end of file
diff --git a/modules-available/usblockoff/templates/server-prop-dropdown.html b/modules-available/usblockoff/templates/server-prop-dropdown.html
new file mode 100644
index 00000000..80667766
--- /dev/null
+++ b/modules-available/usblockoff/templates/server-prop-dropdown.html
@@ -0,0 +1,19 @@
+
+
+
+
+ +
+
+ {{#helptext}} + + + + {{/helptext}} +
+
+
\ No newline at end of file
diff --git a/modules-available/usblockoff/templates/server-prop-generic.html b/modules-available/usblockoff/templates/server-prop-generic.html
new file mode 100644
index 00000000..9e94c23d
--- /dev/null
+++ b/modules-available/usblockoff/templates/server-prop-generic.html
@@ -0,0 +1,16 @@
+
+
+
+
+ +
+
+ {{#helptext}} + + + + {{/helptext}} +
+
+
\ No newline at end of file
diff --git a/modules-available/usblockoff/templates/usb-choose-config.html b/modules-available/usblockoff/templates/usb-choose-config.html
new file mode 100644
index 00000000..d446e4cf
--- /dev/null
+++ b/modules-available/usblockoff/templates/usb-choose-config.html
@@ -0,0 +1,118 @@
+
+ + + + +
+
{{lang_general}}
+
+
+ +
+
+
+ +
+
+
+ + +
+
+
+ + + +
+
+
+ +
+
+
+ +
+
+
+ +
+
+
+ + + +
+
+
+ +
+
+
+ +
+
+
+ + +
+
+
+ + + +
+
+
+ +
+
+
+
+
diff --git a/modules-available/usblockoff/templates/usb-configuration.html b/modules-available/usblockoff/templates/usb-configuration.html
new file mode 100644
index 00000000..939dffcd
--- /dev/null
+++ b/modules-available/usblockoff/templates/usb-configuration.html
@@ -0,0 +1,91 @@
+
+
usbugard-daemon.conf
+
+
+ + {{#list}} +
+
+
+ +
+
+
+ +
+
+
+ + + +
+
+
+ {{/list}} + +
+
+
+ +
+
rules.conf
+
+
+ +
+ +
+ + + +
+
+
+ +
+ + + +
+
+
+
+
+
diff --git a/modules-available/usblockoff/templates/usb-device-list.html b/modules-available/usblockoff/templates/usb-device-list.html
new file mode 100644
index 00000000..a7ecf989
--- /dev/null
+++ b/modules-available/usblockoff/templates/usb-device-list.html
@@ -0,0 +1,170 @@
+
+
+ + + + + +
+ + + + + + + + + + + {{#list}} + + + + + + + + + + + + + + + + + + {{/list}} +
NameTimeUser InfoUSB InfoRule Info
{{time}}
{{date}}
User: {{user}}
Location: {{location}}
Client: {{clientip}}
id: {{id}}
Serial: {{serial}}
via-port: {{via-port}}
hash: {{hash}}
parent-hash: {{parent-hash}}
with-interface: {{with-interface}}
+
+ +
+
Rule Options
+
+
+ + {{#settings}} + {{{settingHtml}}} + {{/settings}} + +
+
+
+ +
+
+ + + + -- cgit v1.2.3-55-g7522