inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, and layer-2 isolation of problematic devices, PacketFence can be used to effectively secure networks, from small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

Creating security event with trigger "Switch Group" only fails silently #8056

Open chri2 opened 3 months ago

chri2 commented 3 months ago

Describe the bug

Creating a security event to trigger on any event fails.

To Reproduce

Steps to reproduce the behavior:

  1. In 'Compliance/Security Events' create a new event
  2. Create a new security event (mine has action "Email Administrator" only)
  3. Add an Event Trigger: Endpoint = "Switch Group" "existing Switchgroup"
  4. Save the Security Event

journalctl -f -t pfperl-api-docker-wrapper

Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]: pfperl-api(19) ERROR: [mac:[undef]] Invalid trigger switch_group::openwrt-o8b. Error was : Attribute (condition) is required at /usr/local/pf/lib_perl/lib/perl5/x86_64-linux-gnu-thread-multi/Moose/Object.pm line 24
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Moose::Object::new('pf::condition::switch_group', 'HASH(0x55fe00c1beb8)') called at /usr/local/pf/lib/pf/factory/condition/security_event.pm line 100
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         pf::factory::condition::security_event::instantiate('pf::factory::condition::security_event', 'switch_group::openwrt-o8b') called at /usr/local/pf/lib/pfconfig/namespaces/FilterEngine/SecurityEvent.pm line 51
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         eval {...} at /usr/local/pf/lib/pfconfig/namespaces/FilterEngine/SecurityEvent.pm line 51
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         pfconfig::namespaces::FilterEngine::SecurityEvent::build('pfconfig::namespaces::FilterEngine::SecurityEvent=HASH(0x55fdfd40fc18)') called at /usr/local/pf/lib/pfconfig/manager.pm line 65
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         pfconfig::manager::config_builder('pfconfig::manager=HASH(0x55fdfd328c28)', 'FilterEngine::SecurityEvent()') called at /usr/local/pf/lib/pfconfig/manager.pm line 337
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         pfconfig::manager::cache_resource('pfconfig::manager=HASH(0x55fdfd328c28)', 'FilterEngine::SecurityEvent()') called at /usr/local/pf/lib/pfconfig/manager.pm line 425
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         pfconfig::manager::expire('pfconfig::manager=HASH(0x55fdfd328c28)', 'FilterEngine::SecurityEvent', undef) called at /usr/local/pf/lib/pfconfig/manager.pm line 445
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         pfconfig::manager::expire('pfconfig::manager=HASH(0x55fdfd328c28)', 'config::SecurityEvents') called at /usr/local/pf/lib/pf/ConfigStore.pm line 681
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         pf::ConfigStore::commitPfconfig('pf::ConfigStore::SecurityEvents=HASH(0x55fdf7967348)') called at /usr/local/pf/lib/pf/ConfigStore.pm line 650
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         pf::ConfigStore::commit('pf::ConfigStore::SecurityEvents=HASH(0x55fdf7967348)') called at /usr/local/pf/lib/pf/ConfigStore/SecurityEvents.pm line 169
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         pf::ConfigStore::SecurityEvents::commit('pf::ConfigStore::SecurityEvents=HASH(0x55fdf7967348)') called at /usr/local/pf/lib/pf/UnifiedApi/Controller/Config.pm line 444
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         pf::UnifiedApi::Controller::Config::commit('pf::UnifiedApi::Controller::Config::SecurityEvents=HASH(0x55fe00f0ef10)', 'pf::ConfigStore::SecurityEvents=HASH(0x55fdf7967348)') called at /usr/local/pf/lib/pf/UnifiedApi/Controller/Config/SecurityEvents.pm line 57
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         pf::UnifiedApi::Controller::Config::SecurityEvents::commit('pf::UnifiedApi::Controller::Config::SecurityEvents=HASH(0x55fe00f0ef10)', 'pf::ConfigStore::SecurityEvents=HASH(0x55fdf7967348)') called at /usr/local/pf/lib/pf/UnifiedApi/Controller/Config.pm line 570
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         pf::UnifiedApi::Controller::Config::update('pf::UnifiedApi::Controller::Config::SecurityEvents=HASH(0x55fe00f0ef10)') called at /usr/local/pf/lib_perl/lib/perl5/Mojolicious.pm line 190
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojolicious::_action(undef, 'pf::UnifiedApi::Controller::Config::SecurityEvents=HASH(0x55fe00f0ef10)', 'CODE(0x55fde8b73fd0)', 1) called at /usr/local/pf/lib_perl/lib/perl5/Mojolicious/Plugins.pm line 15
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojolicious::Plugins::__ANON__ at /usr/local/pf/lib_perl/lib/perl5/Mojolicious/Plugins.pm line 18
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojolicious::Plugins::emit_chain('Mojolicious::Plugins=HASH(0x55fdf3e52708)', 'around_action', 'pf::UnifiedApi::Controller::Config::SecurityEvents=HASH(0x55fe00f0ef10)', 'CODE(0x55fde8b73fd0)', 1) called at /usr/local/pf/lib_perl/lib/perl5/Mojolicious/Routes.pm line 88
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojolicious::Routes::_action('pf::UnifiedApi::custom=HASH(0x55fde040c9f0)', 'pf::UnifiedApi::Controller::Config::SecurityEvents=HASH(0x55fe00f0ef10)', 'CODE(0x55fde8b73fd0)', 1) called at /usr/local/pf/lib_perl/lib/perl5/Mojolicious/Routes.pm line 161
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojolicious::Routes::_controller('Mojolicious::Routes=HASH(0x55fddf195898)', 'pf::UnifiedApi::Controller=HASH(0x55fdfd765530)', 'HASH(0x55fdfc9575a0)', 1) called at /usr/local/pf/lib_perl/lib/perl5/Mojolicious/Routes.pm line 44
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojolicious::Routes::continue('Mojolicious::Routes=HASH(0x55fddf195898)', 'pf::UnifiedApi::Controller=HASH(0x55fdfd765530)') called at /usr/local/pf/lib_perl/lib/perl5/Mojolicious/Routes.pm line 46
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojolicious::Routes::continue('Mojolicious::Routes=HASH(0x55fddf195898)', 'pf::UnifiedApi::Controller=HASH(0x55fdfd765530)') called at /usr/local/pf/lib_perl/lib/perl5/Mojolicious/Routes.pm line 52
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojolicious::Routes::dispatch('Mojolicious::Routes=HASH(0x55fddf195898)', 'pf::UnifiedApi::Controller=HASH(0x55fdfd765530)') called at /usr/local/pf/lib_perl/lib/perl5/Mojolicious.pm line 125
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojolicious::dispatch('pf::UnifiedApi::custom=HASH(0x55fde040c9f0)', 'pf::UnifiedApi::Controller=HASH(0x55fdfd765530)') called at /usr/local/pf/lib_perl/lib/perl5/Mojolicious.pm line 134
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojolicious::__ANON__(undef, 'pf::UnifiedApi::Controller=HASH(0x55fdfd765530)') called at /usr/local/pf/lib_perl/lib/perl5/Mojolicious/Plugins.pm line 15
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojolicious::Plugins::__ANON__ at /usr/local/pf/lib_perl/lib/perl5/Mojolicious.pm line 200
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         eval {...} at /usr/local/pf/lib_perl/lib/perl5/Mojolicious.pm line 200
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojolicious::_exception('CODE(0x55fdfd6fdad8)', 'pf::UnifiedApi::Controller=HASH(0x55fdfd765530)') called at /usr/local/pf/lib_perl/lib/perl5/Mojolicious/Plugins.pm line 15
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojolicious::Plugins::__ANON__ at /usr/local/pf/lib_perl/lib/perl5/Mojolicious/Plugins.pm line 18
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojolicious::Plugins::emit_chain('Mojolicious::Plugins=HASH(0x55fdf3e52708)', 'around_dispatch', 'pf::UnifiedApi::Controller=HASH(0x55fdfd765530)') called at /usr/local/pf/lib_perl/lib/perl5/Mojolicious.pm line 139
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojolicious::handler('pf::UnifiedApi::custom=HASH(0x55fde040c9f0)', 'Mojo::Transaction::HTTP=HASH(0x55fdfd16ace8)') called at /usr/local/pf/lib_perl/lib/perl5/Mojo/Server.pm line 70
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojo::Server::__ANON__('Mojo::Server::Prefork=HASH(0x55fdf4234668)', 'Mojo::Transaction::HTTP=HASH(0x55fdfd16ace8)') called at /usr/local/pf/lib_perl/lib/perl5/Mojo/EventEmitter.pm line 15
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojo::EventEmitter::emit('Mojo::Server::Prefork=HASH(0x55fdf4234668)', 'request', 'Mojo::Transaction::HTTP=HASH(0x55fdfd16ace8)') called at /usr/local/pf/lib_perl/lib/perl5/Mojo/Server/Daemon.pm line 103
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojo::Server::Daemon::__ANON__('Mojo::Transaction::HTTP=HASH(0x55fdfd16ace8)') called at /usr/local/pf/lib_perl/lib/perl5/Mojo/EventEmitter.pm line 15
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojo::EventEmitter::emit('Mojo::Transaction::HTTP=HASH(0x55fdfd16ace8)', 'request') called at /usr/local/pf/lib_perl/lib/perl5/Mojo/Transaction/HTTP.pm line 60
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Mojo::Transaction::HTTP::server_read('Mojo::Transaction::HTTP=HASH(0x55fdfd16ace8)', '{"id":"3000008","isClone":false,"isNew":true,"access_duration":"12h","actions":["email_admin","email_recipient"],"auto_enable":null,"button_text":null,"delay_by":

The security event doesn't work, but is successfully saved.

Expected behavior

The condition presented on the web-interface reads:

( Endpoint = Switch Group( openwrt-o8b ) ) AND (All device types) AND (Any data usage) AND (Any event)

I'd expect that I'd get a security event (in this case an email) for Any event concerning a switch in Switch Group openwrt-o8b.

Additional context

For testing and debugging it would be nice to be able to use a security event that triggers on any event on a switch, switch group or even on any switch.
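
Added example (not part of the issue thread and not PacketFence code): since the save succeeds in the UI and the rejected trigger shows up only in the journal, this shell filter extracts the `Invalid trigger` errors from `journalctl -t pfperl-api-docker-wrapper` output so a non-functional security event can be caught right after a save. The sample lines are constructed from the log quoted above, and the function names `invalid_triggers` and `triggers_ok` are hypothetical.

```shell
#!/bin/sh
# Added example: find security-event triggers that pfperl-api rejected.
# Live use (syslog identifier taken from the report):
#   journalctl -t pfperl-api-docker-wrapper --since "10 minutes ago" | triggers_ok

# Constructed sample: the error line from the report (as if logged on two
# saves), one stack-frame line and one unrelated line.
SAMPLE_LOG=$(cat <<'EOF'
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]: pfperl-api(19) ERROR: [mac:[undef]] Invalid trigger switch_group::openwrt-o8b. Error was : Attribute (condition) is required at /usr/local/pf/lib_perl/lib/perl5/x86_64-linux-gnu-thread-multi/Moose/Object.pm line 24
Apr 03 10:27:20 paketzaun pfperl-api-docker-wrapper[1215]:         Moose::Object::new('pf::condition::switch_group', 'HASH(0x55fe00c1beb8)') called at /usr/local/pf/lib/pf/factory/condition/security_event.pm line 100
Apr 03 10:29:41 paketzaun pfperl-api-docker-wrapper[1215]: pfperl-api(19) ERROR: [mac:[undef]] Invalid trigger switch_group::openwrt-o8b. Error was : Attribute (condition) is required at /usr/local/pf/lib_perl/lib/perl5/x86_64-linux-gnu-thread-multi/Moose/Object.pm line 24
Apr 03 10:30:05 paketzaun pfperl-api-docker-wrapper[1215]: pfperl-api(19) INFO: [mac:[undef]] constructed unrelated message
EOF
)

TAB=$(printf '\t')

# Read journal lines on stdin; print "trigger<TAB>reason" once per rejected
# trigger. Stack-frame lines carry no "Invalid trigger" text and are skipped.
invalid_triggers() {
    sed -n "s|^.*ERROR: .*Invalid trigger \(.*\)\. Error was : \(.*\) at /.*\$|\1${TAB}\2|p" | sort -u
}

# Return 0 when no trigger was rejected, 1 otherwise (details go to stderr),
# so the check can gate a config-change script or a monitoring probe.
triggers_ok() {
    bad=$(invalid_triggers)
    if [ -z "$bad" ]; then
        return 0
    fi
    printf 'rejected trigger(s):\n%s\n' "$bad" >&2
    return 1
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | invalid_triggers
```
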

chri2 commented 3 months ago

Update: Works when using "Switch ". Empty triggers seem not to trigger.

mellalahmed commented 1 month ago

Hello, I need to integrate Suricata with PacketFence for security events. Can you help me?