#!/bin/sh # openconnect will call this script with the follow command-line # arguments, which are needed to populate the contents of the # HIP report: # # --cookie: a URL-encoded string, as output by openconnect # --authenticate --protocol=gp, which includes parameters # from the /ssl-vpn/login.esp response # # --client-ip{,v6}: IPv4/6 addresses allocated by the GlobalProtect # VPN for this client (included in # /ssl-vpn/getconfig.esp response) # # --md5: The md5 digest to encode into this HIP report. I'm not sure # exactly what this is the md5 digest *of*, but all that # really matters is that the value in the HIP report # submission should match the value in the HIP report check. # # This hipreport.sh does not work as-is on Android. The large here-doc # (cat <&2 exit 1; fi # Extract username and domain and computer from cookie USER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)user=([^&]+)(&.+|$)/\2/p') DOMAIN=$(echo "$COOKIE" | sed -rn 's/(.+&|^)domain=([^&]+)(&.+|$)/\2/p') COMPUTER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)computer=([^&]+)(&.+|$)/\2/p') # Timestamp in the format expected by GlobalProtect server NOW=$(date +'%m/%d/%Y %H:%M:%S') DAY=$(date +'%d') MONTH=$(date +'%m') YEAR=$(date +'%Y') # This value may need to be extracted from the official HIP report, if a made-up value is not accepted. HOSTID="deadbeef-dead-beef-dead-beefdeadbeef" cat < $MD5 $USER $USER $COMPUTER $HOSTID $IP $IPV6 $NOW 5.1.0-101 Linux 4.19.0-6-amd64 Linux domain.com spes d6f838cc-2b6f-11b2-a85c-d7bcda6b231e pan1 42:4e:62:fe:ef:87 $MD5 $USER $USER $COMPUTER $HOSTID $IP $IPV6 $NOW 4 5.1.0-101 Linux 4.19.0-6-amd64 Linux domain.com spes d6f838cc-2b6f-11b2-a85c-d7bcda6b231e pan1 42:4e:62:fe:ef:87 EOF