UTM plc -- Proxy Logging Checker

This is a brief little script that logs in to your UTM via SSH using passwords that it prompts you for, and then proceeds to loop over every Web Filter and proxy profile looking for any action that does not have both logging options enabled. At the end of the run, it prints a list of suggested corrections to turn logging back on on all actions. It is intended for users of advanced configurations where there are many filter assignments and filter actions in a complex configuration. This tool will loop over all of the filter actions that are in use and will list the ones that do not have logging enabled.

Prerequisites

You will need Ruby to run this script as it is a RubyGem. You will also need to have Shell Access enabled your UTM, you must be in the list of Allowed Networks, and you must know what the passwords are for the root and loginuser accounts, which you can set under the Shell Access tab under Management -> System Settings.

Installation

To install:

gem install utm-plc

From there, as long as the path to your gems bin directory is in your $PATH, you should be able to run it:

plc

How It Works

Here is a general overview of how it works.

    1) SSH into the appliance as loginuser
    2) Become root
    3) Run 'cc get http' to get a dump of the Web Filter configuration
    4) For each profile listed, 
        -) Look up the profile with `cc get_oject REF_...`
        -) For every 'cff_profiles' (aka Filter Assignment), 
            -) Look up that cff_profile `cc get_object REF_...`
            -) Look up the 'action' with `cc get_object REF_...`
            -) If the action doesn't log both accessed and logged pages, add to the list of results
    5) Print results.

Does it have to have root?

Sadly yes. One would hope that you could have read-only access to cc as loginuser but trying this simply results in a "Permission denied" error and cc fails to open. As an interface with WebAdmin is not yet available, root access is required to access the information from the back-end.

What does it look like?

Here, let me show you. In this configuration, the main web filter (under Web Protection -> Web Filter) is configured to log accessed pages and to not log blocked pages. FilterAction One is configured to log blocked pages, but not accessed pages. FilterAction Two is configured to log accessed pages but not blocked pages. The Default content filter block action is configured to log accessed but not blocked pages. FilterAction Three is configured to not log either accessed or blocked pages, but isn't in use by any Filter Profile. Here we go:

jeff@dev> bin/plc
What port?: 22
Which host?: 192.168.0.1
Logging in as loginuser...
What is the password for loginuser?:
Using su to become root...
What is the password for root?:
Am now root.
Checking profile: Default Proxy
Got the assignment for that profile...
Got the action for that assignment...
Found an action that isn't logging everything: Default content filter action
Checking profile: Profile One
Got the assignment for that profile...
Got the action for that assignment...
Found an action that isn't logging everything: FilterAction Two
Checking profile: Profile Two
Got the assignment for that profile...
Got the action for that assignment...
Found an action that isn't logging everything: FilterAction One
Checking exception: Microsoft Windows Update
Checking exception: Apple Update
Checking exception: Adobe Software Update
Checking exception: iphone/iPad youtube
Checking exception: Nokia Ovi Suite/Store
Checking exception: Sophos LiveConnect
Checking exception: Trendmicro Update
Checking exception: Sophos Services


Printing results:
Please activate the 'Log Blocked Pages' option for the Web Filter Action named: Default content filter action
Please activate the 'Log Blocked Pages' option for the Web Filter Action named: FilterAction Two
Please activate the 'Log Accessed Pages' option for the Web Filter Action named: FilterAction One
Please deactivate the option to skip logging of accessed pages for the Exception named: Sophos Services
Please deactivate the option to skip logging of blocked pages for the Exception named: Sophos Services
Done

Note that FilterAction Three doesn't make an appearance. This is because it isn't being used by any of the current Web Filter or Proxy Profiles, so no traffic is hitting it, so the tool doesn't [see or] report it.

It doesn't work

Check the output of echo $PATH, and compare it against which bin/plc. Is the directory that plc is in, in your path? If not, this will be your problem. To resolve this, append that directory to your path.
How exactly to do this is left as an exercise for the reader.

If you're absolutely positively pinkey-swearsey sure that your $PATH contains the right directory, and it still isn't doing what you think it should be doing, file a bug.

Author

Jeff Welling jeff.welling@gmail.com

License

This software is published under GPLv3. For an alternative license arrangement feel free to email me, but I make no guarantees.

Contributing

Contributions are welcome by submitting a pull request, or by emailing your patch to the above email address.