updated file permissions for Rocky 9

This commit is contained in:
iadgovuser26 2024-03-28 15:26:21 -04:00 committed by Lawrence Reinert lareine
parent 674564b79e
commit 3c322d6b6a
6 changed files with 41 additions and 13 deletions

View File

@ -132,7 +132,7 @@ ospackage {
preUninstall 'bash /opt/hirs/aca/scripts/aca/aca_remove_setup.sh'
preUninstall 'bash /opt/hirs/aca/scripts/systemd/aca_disable_service.sh'
postUninstall 'if [ -d /etc/hirs ]; then rm -rf /etc/hirs; fi;'
buildRpm {
dependsOn ':HIRS_AttestationCAPortal:buildVersion'
dependsOn ':HIRS_AttestationCAPortal:bootWar'

View File

@ -92,13 +92,13 @@ echo "Checking HIRS ACA Setup on this device..."
fi
if [ $? -eq 0 ]; then
echo "HIRS ACA was installed via an OS package on this device"
if [[ $(cat /etc/crontab | grep -c hirs/aca) > 0 ]]; then
echo " HIRS ACA is set to start on boot via crontab file"
systemctl is-active --quiet hirs-aca
if [[ $? -eq 0 ]]; then
echo " The hirs-aca service is active"
else
echo " HIRS ACA is NOT set to start on boot via crontab file"
echo " Error: ACA package install but the hirs-aca service is dead"
ALL_CHECKS_PASSED=false
fi
else
echo "HIRS ACA was NOT installed via an OS package on this device"
fi
check_systemd -p
@ -221,7 +221,7 @@ check_pki () {
if [ $ALL_CERTS_PASSED == true ]; then
echo " All RSA and ECC certificates under $CERT_PATH are valid"
else
echo " There were error in the certificates under $CERT_PATH"
echo " Error: There were error in the certificates under $CERT_PATH"
fi
keytool -list -keystore /etc/hirs/certificates/HIRS/TrustStore.jks -storepass $hirs_pki_password | grep hirs | sed -e 's/^/ /' > /dev/null
else #verbose
@ -244,15 +244,16 @@ check_db () {
if [ "$RESULT" == "YES" ]; then
echo " Mysql Server side TLS is enabled:"
else
echo " Mysql Server side TLS is NOT enabled:"
echo " Error: Mysql Server side TLS is NOT enabled:"
ALL_CHECKS_PASSED=false
fi
RESULT=$(mysqlshow --user=hirs_db --password=$hirs_db_password hirs_db| grep -o hirs_db)
if [ "$RESULT" == "hirs_db" ]; then
echo " The hirs_db database is visable by the hirs_db user"
else
echo " The hirs_db database is NOT visable by the hirs_db user"
echo " Error: The hirs_db database is NOT visable by the hirs_db user"
ALL_CHECKS_PASSED=false
fi
if [ ! -z "${ARG_VERBOSE}" ]; then
@ -263,6 +264,8 @@ check_db () {
--ssl-key=/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.key
echo "Mysql TLS configuration"
mysql -u root --password=$mysql_admin_password -e "SHOW VARIABLES LIKE '%ssl%'"
echo "TLS versions allowed on maraidb:"
mysql -u root --password=$mysql_admin_password -e "SHOW GLOBAL VARIABLES LIKE 'tls_version'";
echo "hirs_db user database access:"
mysql -u hirs_db --password=$hirs_db_password -e "SHOW DATABASES;";
echo "Privileges for the hirs_db user:"
@ -289,7 +292,7 @@ check_selinux () {
if [[ "$DB_SRV_CONTEXT" == *"mysqld_etc_t"* && "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then
echo " Selinux status is $SELINUXSTATUS and both $DB_SRV_CONF and $DB_CLIENT_CONF contexts are correct"
elif [[ "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then
echo " Selinux status is $SELINUXSTATUS and $DB_CLIENT_CONF context is incorrect: $DB_CLIENT_CONTEXT"
echo " Error: Selinux status is $SELINUXSTATUS and $DB_CLIENT_CONF context is incorrect: $DB_CLIENT_CONTEXT"
ALL_CHECKS_PASSED=false
else
echo " Selinux status is $SELINUXSTATUS and $DB_SRV_CONF context is incorrect: $DB_SRV_CONTEXT"

View File

@ -96,9 +96,12 @@ fi
echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" >> "$LOG_FILE"
# Create a version file for bootRun to use
if command -v git ; then
jarVersion=$(cat '../../../VERSION').$(date +%s).$(git rev-parse --short HEAD)
if command -v git &> /dev/null; then
git rev-parse --is-inside-work-tree &> /dev/null;
if [ $? -eq 0 ]; then
jarVersion=$(cat '../../../VERSION').$(date +%s).$(git rev-parse --short HEAD)
echo $jarVersion > $ACA_VERSION_FILE
fi
fi
# Set HIRS PKI password

View File

@ -111,6 +111,10 @@ set_mysql_server_tls () {
echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF"
echo "ssl_cert=$SSL_DB_SRV_CERT" >> "$DB_SRV_CONF"
echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF"
echo "tls_version=TLSv1.2,TLSv1.3" >> "$DB_SRV_CONF"
echo "require_secure_transport=ON" >> "$DB_SRV_CONF"
# Make sure mysql can access them
chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
# Make selinux contexts for config files, if selinux is enabled

View File

@ -49,10 +49,14 @@ fi
# Remove key , cert and truststore entries from client.cnf andf mariadb.cnf
echo "Removing hirs cert references from mariadb configuration files"
echo "Removing hirs tls references from mariadb configuration files"
grep -v "hirs" $DB_SRV_CONF > tmpfile && mv tmpfile $DB_SRV_CONF
grep -v "tls_version" $DB_SRV_CONF > tmpfile && mv tmpfile $DB_SRV_CONF
grep -v "require_secure_transport" $DB_SRV_CONF > tmpfile && mv tmpfile $DB_SRV_CONF
grep -v "hirs" $DB_CLIENT_CONF > tmpfile && mv tmpfile $DB_CLIENT_CONF
echo "restarting mariadb"
mysqld_reboot

View File

@ -14,7 +14,9 @@ PKI_PASS=$2
UNATTENDED=$3
LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log
LOG_DIR="/var/log/hirs/"
HIRS_DIR=/etc/hirs
HIRS_CONF_DIR=/etc/hirs/aca
HIRS_CERT_DIR=/etc/hirs/certificates
# Capture location of the script to allow from invocation from any location
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
@ -65,9 +67,21 @@ if [ ! -d "/etc/hirs/certificates" ]; then
$PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE"
popd &> /dev/null
echo "Setting MYSQL permissions for DB TLS Certs..." | tee -a "$LOG_FILE"
find $HIRS_CERT_DIR -type f -iname "*.pem" -exec chmod 600 {} \;
find $HIRS_CERT_DIR -type f -iname "*.jks" -exec chmod 600 {} \;
find $HIRS_CERT_DIR -type f -iname "*.key" -exec chmod 600 {} \;
chown root:mysql $HIRS_CERT_DIR $HIRS_CERT_DIR/HIRS $HIRS_CERT_DIR/HIRS/rsa_3k_sha384_certs $HIRS_CERT_DIR/HIRS/ecc_512_sha384_certs
chmod 750 $HIRS_CERT_DIR $HIRS_CERT_DIR/HIRS $HIRS_CERT_DIR/HIRS/rsa_3k_sha384_certs $HIRS_CERT_DIR/HIRS/ecc_512_sha384_certs
chmod 755 $HIRS_DIR
chmod 750 $HIRS_CONF_DIR
chmod 755 $HIRS_CERT_DIR/HIRS/ecc_512_sha384_certs/HIRS_ecc_512_sha384_Cert_Chain.pem
chmod 755 $HIRS_CERT_DIR/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem
echo "hirs_pki_password="$PKI_PASS >> $ACA_PROP
echo "server.ssl.key-store-password="$PKI_PASS >> $SPRING_PROP_FILE
echo "server.ssl.trust-store-password="$PKI_PASS >> $SPRING_PROP_FILE
else
echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE"
fi
chmod 600 $ACA_PROP