#!/bin/sh # openconnect will call this script with the follow command-line # arguments, which are needed to populate the contents of the # HIP report: # # --cookie: a URL-encoded string, as output by openconnect # --authenticate --protocol=gp, which includes parameters # from the /ssl-vpn/login.esp response # # --client-ip{,v6}: IPv4/6 addresses allocated by the GlobalProtect # VPN for this client (included in # /ssl-vpn/getconfig.esp response) # # --md5: The md5 digest to encode into this HIP report. I'm not sure # exactly what this is the md5 digest *of*, but all that # really matters is that the value in the HIP report # submission should match the value in the HIP report check. # # --client-os: The platform name in GlobalProtect's format (known # values are 'Linux', 'Mac' or 'Windows' ). Defaults to # 'Windows'. # # Sending these parameters as --long-options was a mistake (see # comments on run_hip_script in gpst.c for more details). New # parameters should be sent as environment variables instead: # # APP_VERSION: client software version, labeled here in the HIP # report as '', but as 'app-version' or as # 'clientgpversion' elsewhere in the GlobalProtect wire protocol. # # This hipreport.sh does not work as-is on Android. The large here-doc # (cat <&2 exit 1; fi # Extract username and domain and computer from cookie USER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)user=([^&]+)(&.+|$)/\2/p') DOMAIN=$(echo "$COOKIE" | sed -rn 's/(.+&|^)domain=([^&]+)(&.+|$)/\2/p') COMPUTER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)computer=([^&]+)(&.+|$)/\2/p') case $CLIENTOS in Linux) OS="Linux Fedora 32" OS_VENDOR="Linux" NETWORK_INTERFACE_NAME="virbr0" NETWORK_INTERFACE_DESCRIPTION="virbr0" # Not currently used for Linux ENCDRIVE='/' ;; Mac) # set to desired default OS version if not actually running on MacOS OS_VERSION=$(sw_vers --productVersion 2> /dev/null || echo 10.16.0) OS="Apple Mac OS X ${OS_VERSION}" OS_VENDOR="Apple" NETWORK_INTERFACE_NAME="en0" NETWORK_INTERFACE_DESCRIPTION="en0" # Not currently used for MacOS ENCDRIVE='/' ;; *) OS="Microsoft Windows 10 Pro , 64-bit" OS_VENDOR="Microsoft" NETWORK_INTERFACE_NAME="{DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF}" NETWORK_INTERFACE_DESCRIPTION="PANGP Virtual Ethernet Adapter #2" # Many VPNs seem to require trailing backslash, others don't accept it ENCDRIVE='C:\\' ;; esac # If default/made-up values are not accepted, these values may need to be extracted from the # HIP report sent by an official GlobalProtect client. HOST_ID="deadbeef-dead-beef-dead-beefdeadbeef" if [ -z "$APP_VERSION" ]; then APP_VERSION=5.1.5-8; fi # Timestamp in the format expected by GlobalProtect server NOW=$(date +'%m/%d/%Y %H:%M:%S') DAY=$(date +'%d') MONTH=$(date +'%m') YEAR=$(date +'%Y') cat < $MD5 $USER $DOMAIN $COMPUTER $HOST_ID $IP $IPV6 $NOW 4 $APP_VERSION $OS $OS_VENDOR $DOMAIN.internal $COMPUTER $HOST_ID $NETWORK_INTERFACE_DESCRIPTION 01-02-03-00-00-01 EOF case $CLIENTOS in Linux) ;; Mac) ;; *) cat < yes $NOW no n/a EOF ;; esac case $CLIENTOS in Linux) cat < EOF ;; Mac) cat < yes n/a yes n/a EOF ;; *) cat < yes $NOW no n/a EOF ;; esac case $CLIENTOS in Linux) cat < EOF ;; Mac) cat < n/a EOF ;; *) cat < n/a EOF ;; esac case $CLIENTOS in Mac) cat < Macintosh HD encrypted Data encrypted All encrypted EOF ;; Linux) cat < / encrypted EOF ;; *) cat < $ENCDRIVE full EOF ;; esac case $CLIENTOS in Mac) cat < yes no EOF ;; Linux) cat < no n/a EOF ;; *) cat < yes EOF ;; esac case $CLIENTOS in Mac) cat < yes EOF ;; Linux) cat < yes EOF ;; *) cat < yes yes EOF ;; esac cat < EOF