UTM plc -- Proxy Logging Checker
This is a brief little script that logs in to your UTM via SSH using passwords that it prompts you for, and then proceeds to loop over every Web Filter and proxy profile looking for any action that does not have both logging options enabled. At the end of the run, it prints a list of suggested corrections to turn logging back on for all actions. It is intended for users of advanced configurations where there are many filter assignments and filter actions in a complex configuration. This tool will loop over all of the filter actions that are in use and will list the ones that do not have logging enabled.
You will need Ruby to run this script as it is a RubyGem. You will also need to have Shell Access enabled on your UTM, you must be in the list of Allowed Networks, and you must know what the passwords are for the root and loginuser accounts, which you can set under the Shell Access tab under Management -> System Settings.
gem install utm-plc
From there, as long as the path to your gems bin directory is in your $PATH, you should be able to run it:
How It Works
Here is a general overview of how it works.
1) SSH into the appliance as loginuser
2) Become root
3) Run 'cc get http' to get a dump of the Web Filter configuration
4) For each profile listed,
   -) Look up the profile with `cc get_object REF_...`
   -) For every 'cff_profiles' (aka Filter Assignment),
      -) Look up that cff_profile `cc get_object REF_...`
      -) Look up the 'action' with `cc get_object REF_...`
      -) If the action doesn't log both accessed and blocked pages, add to the list of results
5) Print results.
Does it have to have root?
Sadly yes. One would hope that you could have read-only access to
loginuser but trying
this simply results in a "Permission denied" error and
cc fails to open. As an interface with
WebAdmin is not yet available, root access is required to access the information from the
What does it look like?
Here, let me show you. In this configuration, the main web filter (under Web Protection -> Web Filter) is configured to log accessed pages and to not log blocked pages. FilterAction One is configured to log blocked pages, but not accessed pages. FilterAction Two is configured to log accessed pages but not blocked pages. The Default content filter block action is configured to log accessed but not blocked pages. FilterAction Three is configured to not log either accessed or blocked pages, but isn't in use by any Filter Profile. Here we go:
    jeff@dev> bin/plc
    What port?: 22
    Which host?: 192.168.0.1
    Logging in as loginuser...
    What is the password for loginuser?:
    Using su to become root...
    What is the password for root?:
    Am now root.
    Checking profile: Default Proxy
    Got the assignment for that profile...
    Got the action for that assignment...
    Found an action that isn't logging everything: Default content filter action
    Checking profile: Profile One
    Got the assignment for that profile...
    Got the action for that assignment...
    Found an action that isn't logging everything: FilterAction Two
    Checking profile: Profile Two
    Got the assignment for that profile...
    Got the action for that assignment...
    Found an action that isn't logging everything: FilterAction One
    Checking exception: Microsoft Windows Update
    Checking exception: Apple Update
    Checking exception: Adobe Software Update
    Checking exception: iphone/iPad youtube
    Checking exception: Nokia Ovi Suite/Store
    Checking exception: Sophos LiveConnect
    Checking exception: Trendmicro Update
    Checking exception: Sophos Services
    Printing results:
    Please activate the 'Log Blocked Pages' option for the Web Filter Action named: Default content filter action
    Please activate the 'Log Blocked Pages' option for the Web Filter Action named: FilterAction Two
    Please activate the 'Log Accessed Pages' option for the Web Filter Action named: FilterAction One
    Please deactivate the option to skip logging of accessed pages for the Exception named: Sophos Services
    Please deactivate the option to skip logging of blocked pages for the Exception named: Sophos Services
    Done
Note that FilterAction Three doesn't make an appearance. This is because it isn't being used by any of the current Web Filter or Proxy Profiles, so no traffic is hitting it, so the tool doesn't [see or] report it.
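The walk from How It Works, run against the configuration described above, as an added Ruby example that is not taken from utm-plc's source. The hash stands in for what `cc get_object REF_...` returns; only 'cff_profiles' and 'action' come from this page, while the `name`, `log_access` and `log_blocked` keys and all REF_ names are hypothetical.

```ruby
# Constructed stand-in for the objects `cc get_object REF_...` returns.
# Only 'cff_profiles' and 'action' are named on the page; every other key
# and all REF_ identifiers are hypothetical.
OBJECTS = {
  'REF_ProfDefault' => { 'name' => 'Default Proxy', 'cff_profiles' => ['REF_AsgDefault'] },
  'REF_ProfOne'     => { 'name' => 'Profile One',   'cff_profiles' => ['REF_AsgOne'] },
  'REF_ProfTwo'     => { 'name' => 'Profile Two',   'cff_profiles' => ['REF_AsgTwo'] },
  'REF_AsgDefault'  => { 'action' => 'REF_ActDefault' },
  'REF_AsgOne'      => { 'action' => 'REF_ActTwo' },
  'REF_AsgTwo'      => { 'action' => 'REF_ActOne' },
  'REF_ActDefault'  => { 'name' => 'Default content filter action',
                         'log_access' => true, 'log_blocked' => false },
  'REF_ActOne'      => { 'name' => 'FilterAction One',   'log_access' => false, 'log_blocked' => true },
  'REF_ActTwo'      => { 'name' => 'FilterAction Two',   'log_access' => true,  'log_blocked' => false },
  # Defined but referenced by no assignment, so the walk never reaches it.
  'REF_ActThree'    => { 'name' => 'FilterAction Three', 'log_access' => false, 'log_blocked' => false }
}.freeze

# Stand-in for the profile list found in the `cc get http` dump.
PROFILE_REFS = %w[REF_ProfDefault REF_ProfOne REF_ProfTwo].freeze

OPTIONS = { 'log_access' => 'Log Accessed Pages', 'log_blocked' => 'Log Blocked Pages' }.freeze

# Follow profile -> cff_profiles -> action and return the actions that are
# actually reachable, each once. Hash#fetch raises KeyError on a dangling
# reference instead of silently skipping it.
def actions_in_use(profile_refs, objects)
  profile_refs.flat_map { |ref| objects.fetch(ref).fetch('cff_profiles') }
              .map { |ref| objects.fetch(ref).fetch('action') }
              .uniq
              .map { |ref| objects.fetch(ref) }
end

# One suggestion per disabled logging option on each in-use action.
def logging_gaps(profile_refs, objects)
  actions_in_use(profile_refs, objects).flat_map do |action|
    OPTIONS.reject { |key, _| action[key] }.map do |_, label|
      "Please activate the '#{label}' option for the Web Filter Action named: #{action['name']}"
    end
  end
end

puts logging_gaps(PROFILE_REFS, OBJECTS)
```

Because the walk starts from the profiles, an action with logging fully disabled stays invisible until something references it, which is worth remembering when an unused action is later assigned to a profile.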
It doesn't work
Check the output of `echo $PATH`, and compare it against `which bin/plc`. Is the directory that plc is in, in your path? If not, this will be your problem. To resolve this, append that directory to your path.
How exactly to do this is left as an exercise for the reader.
If you're absolutely positively pinkey-swearsey sure that your $PATH contains the right directory, and it still isn't doing what you think it should be doing, file a bug.
Jeff Welling firstname.lastname@example.org
This software is published under GPLv3. For an alternative license arrangement feel free to email me, but I make no guarantees.
Contributions are welcome by submitting a pull request, or by emailing your patch to the above email address.