A BASH script was developed to handle all Access Control List (ACL) administration activities by modifying the SQLite Database entries as needed. Only a system administrator who is privileged to modify the Database should be able to run this script; ordinary UNIX file permissions on the script and on the Database file are used to enforce this. Note that the permissions on the Database file matter as much as those on the script, since the script is only a convenience wrapper around the Database: anyone who can write the Database file directly can bypass the script's checks.
The BASH script code is presented in Appendix A, and Table 6 below lists a full description of the different functions this script offers for administering the VirtualBox Clients Database:
Table 6 ACL Administration Module Functions
# Name Description
1 Display Clients Database
Display all entries of the VirtualBox Clients Database, including all registered virtual machines and their UUIDs, along with the list of allowed client physical machines per VM and their corresponding TPM public endorsement keys (EKs).
2 Export Clients Database to CSV File
Export the VirtualBox Clients Database entries to a CSV file so that they can be manipulated more easily for reporting purposes.
It prompts the user for the full path and file name of the CSV file to export the Database entries to.
3 Add a new client
Add a new physical machine as an allowed client of one of the registered VirtualBox VMs.
It prompts the user to choose an existing virtual machine from the Database and verifies that the provided virtual machine name exists. It then prompts for the new physical machine client name and checks whether an entry for that client name already exists for the chosen virtual machine. Finally it prompts for the full path and file name of the copy of the client's TPM public endorsement key and checks that the file exists. Note that only the existence of the file is checked, not the validity of the key it contains, so the administrator is responsible for obtaining the EK copy from the client machine through a trusted channel.
It then truncates the TPM EK file by removing the unneeded lines, so that the EK field in the Database holds only the key itself and the field size is kept to a minimum.
Once all checks are completed, it inserts the new client entry, together with the truncated TPM EK, as a new row in the Database table for the selected VirtualBox virtual machine.
4 Modify an existing client name (All Entries)
Modify the name of a physical machine client across all of its entries in the Database.
It prompts the user for the client name that is to be changed and verifies that entries for this client name exist in the Database. It then prompts for the new name of the client machine, verifies that this new name does not already exist in the Database, and changes the name to the new one across all of the client's entries.
This function is required when a physical machine is renamed and the change needs to be reflected in the VirtualBox Clients Database, so that access to the VMs continues to work under the new client name.
5 Modify an existing client TPM EK (All Entries)
Modify the TPM EK entry of an existing physical machine client across all of its entries in the Database.
It prompts the user for the name of an existing client machine in the Database and verifies that it exists, then prompts for the full path and file name of the new TPM EK. It verifies that this TPM EK file exists, truncates it as in function 3, and uses the result to replace the existing TPM EK data in all entries for the selected client machine name.
This function is only required when the TPM EK that was added for a client machine was wrong and needs to be replaced with the correct one.
6 Delete an existing client (Single Entry)
Delete a single entry of a physical machine client for one virtual machine.
It prompts the user for a client name and verifies that it exists in the Database, then prompts the user to select the virtual machine from which the client entry is to be deleted and verifies that it also exists in the Database. It then deletes the entry of the selected client name for that virtual machine.
This function is required when a physical machine is no longer allowed to access a specific virtual machine and accordingly needs to be removed from that VM's allowed clients list.
7 Delete an existing client (All Entries)
Delete all Database entries of a physical machine client.
It prompts the user for a client name and verifies that it exists in the Database, then asks the user to confirm that all entries of the selected client name, for all virtual machines in the Database, will be deleted, and deletes them accordingly.
This function is required when a physical machine is no longer allowed to access any of the registered virtual machines in VirtualBox and accordingly all of its entries in the Database need to be deleted.
8 Clear all Database Entries
Delete all entries in the VirtualBox Clients Database. It asks for confirmation before performing the delete operation, and it also checks whether the Database is already empty and informs the user accordingly.
Once the Database has been cleared, the virtual machines' information can only be added again through the VirtualBox server upon creation of new VMs.
9 Quit
Exit the BASH script.
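Functions 3 to 6 of Table 6 as working code, added here as an example and not taken from the thesis or from its Appendix A BASH script: the same existence checks, EK truncation and all-entries updates re-implemented in Python against an in-memory SQLite Database. The two-table schema (vms and clients), the column names, the assumption that "truncating" the EK means dropping the PEM armour lines, and the sample VMs, client names and key text are all constructed for the example.

```python
"""Added example (not the thesis's Appendix A BASH script): the ACL
administration checks of Table 6, functions 3 to 6, re-implemented against an
in-memory SQLite Database with Python's standard sqlite3 module.
Schema, column names, sample data and the PEM-stripping rule are assumptions."""
import sqlite3

# Assumed schema: VMs are registered by the VirtualBox server; each allowed
# client is one row in `clients` holding that client's truncated TPM EK.
SCHEMA = """
CREATE TABLE vms (
    vm_name TEXT PRIMARY KEY,
    vm_uuid TEXT NOT NULL
);
CREATE TABLE clients (
    vm_name   TEXT NOT NULL REFERENCES vms(vm_name),
    client    TEXT NOT NULL,
    client_ek TEXT NOT NULL,
    UNIQUE (vm_name, client)
);
"""

# Constructed PEM text standing in for the copied TPM EK file (not a real key).
SAMPLE_EK_FILE = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructed
SecondLineOfBase64Body
-----END PUBLIC KEY-----
"""


def truncate_ek(pem_text: str) -> str:
    """The 'truncate' step of functions 3 and 5 (assumed meaning): keep only
    the base64 body, dropping BEGIN/END armour lines and blank lines."""
    return "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    # Constructed state: two VMs registered by the server, one client on both.
    db.executemany("INSERT INTO vms VALUES (?, ?)",
                   [("web01", "0d4c7b0e-0000-4000-8000-000000000001"),
                    ("db01", "0d4c7b0e-0000-4000-8000-000000000002")])
    db.executemany("INSERT INTO clients VALUES (?, ?, ?)",
                   [("web01", "host-a", "EKA"), ("db01", "host-a", "EKA")])
    return db


def _exists(db, sql, *params) -> bool:
    return db.execute(sql, params).fetchone() is not None


def add_client(db, vm_name: str, client: str, ek_text: str) -> None:
    """Function 3. Every user-supplied value is bound as a parameter; a shell
    script that splices prompted input into an sqlite3 command string must
    quote it with equal care or the prompt becomes an SQL injection point."""
    if not _exists(db, "SELECT 1 FROM vms WHERE vm_name = ?", vm_name):
        raise ValueError(f"unknown virtual machine {vm_name!r}")
    if _exists(db, "SELECT 1 FROM clients WHERE vm_name = ? AND client = ?",
               vm_name, client):
        raise ValueError(f"{client!r} is already allowed on {vm_name!r}")
    ek = truncate_ek(ek_text)          # the script reads this from the EK file
    if not ek:
        raise ValueError("EK file contains no key material")
    db.execute("INSERT INTO clients VALUES (?, ?, ?)", (vm_name, client, ek))


def rename_client(db, old: str, new: str) -> int:
    """Function 4: rename a client in all its entries; returns rows changed."""
    if not _exists(db, "SELECT 1 FROM clients WHERE client = ?", old):
        raise ValueError(f"no entries for client {old!r}")
    if _exists(db, "SELECT 1 FROM clients WHERE client = ?", new):
        raise ValueError(f"client name {new!r} already in use")
    return db.execute("UPDATE clients SET client = ? WHERE client = ?",
                      (new, old)).rowcount


def replace_client_ek(db, client: str, ek_text: str) -> int:
    """Function 5: replace a client's EK in all its entries; returns rows changed."""
    if not _exists(db, "SELECT 1 FROM clients WHERE client = ?", client):
        raise ValueError(f"no entries for client {client!r}")
    return db.execute("UPDATE clients SET client_ek = ? WHERE client = ?",
                      (truncate_ek(ek_text), client)).rowcount


def delete_client_entry(db, client: str, vm_name: str) -> int:
    """Function 6: remove one client from one VM's list; returns rows deleted."""
    if not _exists(db, "SELECT 1 FROM clients WHERE client = ?", client):
        raise ValueError(f"no entries for client {client!r}")
    if not _exists(db, "SELECT 1 FROM vms WHERE vm_name = ?", vm_name):
        raise ValueError(f"unknown virtual machine {vm_name!r}")
    return db.execute("DELETE FROM clients WHERE client = ? AND vm_name = ?",
                      (client, vm_name)).rowcount


def demo() -> dict:
    """Run functions 3 to 6 in sequence and return the observable results."""
    db = open_db()
    add_client(db, "web01", "host-b", SAMPLE_EK_FILE)
    try:                                # adding the same pair twice is rejected
        add_client(db, "web01", "host-b", SAMPLE_EK_FILE)
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    renamed = rename_client(db, "host-a", "host-a-new")
    ek_replaced = replace_client_ek(db, "host-a-new", SAMPLE_EK_FILE)
    deleted = delete_client_entry(db, "host-a-new", "db01")
    rows = db.execute("SELECT vm_name, client FROM clients "
                      "ORDER BY vm_name, client").fetchall()
    return {"duplicate_rejected": duplicate_rejected, "renamed": renamed,
            "ek_replaced": ek_replaced, "deleted": deleted, "rows": rows}


if __name__ == "__main__":
    print(demo())
```

The checks mirror the table's order for each function (VM exists, client entry does or does not already exist, EK text non-empty after truncation), and the all-entries operations of functions 4 and 5 return the number of rows touched so the administrator can see how many VMs were affected. The example keys the clients table on the VM name because that is what the script prompts for; a deployment that keys it on the VM UUID instead would survive a VM rename without an extra administration step.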