diff --git a/HIRS_AttestationCAPortal/build.gradle b/HIRS_AttestationCAPortal/build.gradle index be8edfcb..83656efd 100644 --- a/HIRS_AttestationCAPortal/build.gradle +++ b/HIRS_AttestationCAPortal/build.gradle @@ -132,7 +132,7 @@ ospackage { preUninstall 'bash /opt/hirs/aca/scripts/aca/aca_remove_setup.sh' preUninstall 'bash /opt/hirs/aca/scripts/systemd/aca_disable_service.sh' postUninstall 'if [ -d /etc/hirs ]; then rm -rf /etc/hirs; fi;' - + buildRpm { dependsOn ':HIRS_AttestationCAPortal:buildVersion' dependsOn ':HIRS_AttestationCAPortal:bootWar' diff --git a/package/linux/aca/aca_check_setup.sh b/package/linux/aca/aca_check_setup.sh index 74a52212..c7737196 100755 --- a/package/linux/aca/aca_check_setup.sh +++ b/package/linux/aca/aca_check_setup.sh @@ -92,13 +92,13 @@ echo "Checking HIRS ACA Setup on this device..." fi if [ $? -eq 0 ]; then echo "HIRS ACA was installed via an OS package on this device" - if [[ $(cat /etc/crontab | grep -c hirs/aca) > 0 ]]; then - echo " HIRS ACA is set to start on boot via crontab file" + systemctl is-active --quiet hirs-aca + if [[ $? -eq 0 ]]; then + echo " The hirs-aca service is active" else - echo " HIRS ACA is NOT set to start on boot via crontab file" + echo " Error: ACA package install but the hirs-aca service is dead" + ALL_CHECKS_PASSED=false fi - else - echo "HIRS ACA was NOT installed via an OS package on this device" fi check_systemd -p @@ -221,7 +221,7 @@ check_pki () { if [ $ALL_CERTS_PASSED == true ]; then echo " All RSA and ECC certificates under $CERT_PATH are valid" else - echo " There were error in the certificates under $CERT_PATH" + echo " Error: There were error in the certificates under $CERT_PATH" fi keytool -list -keystore /etc/hirs/certificates/HIRS/TrustStore.jks -storepass $hirs_pki_password | grep hirs | sed -e 's/^/ /' > /dev/null else #verbose @@ -244,15 +244,16 @@ check_db () { if [ "$RESULT" == "YES" ]; then echo " Mysql Server side TLS is enabled:" else - echo " Mysql Server side TLS is NOT enabled:" + echo " Error: Mysql Server side TLS is NOT enabled:" ALL_CHECKS_PASSED=false fi + RESULT=$(mysqlshow --user=hirs_db --password=$hirs_db_password hirs_db| grep -o hirs_db) if [ "$RESULT" == "hirs_db" ]; then echo " The hirs_db database is visable by the hirs_db user" else - echo " The hirs_db database is NOT visable by the hirs_db user" + echo " Error: The hirs_db database is NOT visable by the hirs_db user" ALL_CHECKS_PASSED=false fi if [ ! -z "${ARG_VERBOSE}" ]; then @@ -263,6 +264,8 @@ check_db () { --ssl-key=/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.key echo "Mysql TLS configuration" mysql -u root --password=$mysql_admin_password -e "SHOW VARIABLES LIKE '%ssl%'" + echo "TLS versions allowed on maraidb:" + mysql -u root --password=$mysql_admin_password -e "SHOW GLOBAL VARIABLES LIKE 'tls_version'"; echo "hirs_db user database access:" mysql -u hirs_db --password=$hirs_db_password -e "SHOW DATABASES;"; echo "Privileges for the hirs_db user:" @@ -289,7 +292,7 @@ check_selinux () { if [[ "$DB_SRV_CONTEXT" == *"mysqld_etc_t"* && "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then echo " Selinux status is $SELINUXSTATUS and both $DB_SRV_CONF and $DB_CLIENT_CONF contexts are correct" elif [[ "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then - echo " Selinux status is $SELINUXSTATUS and $DB_CLIENT_CONF context is incorrect: $DB_CLIENT_CONTEXT" + echo " Error: Selinux status is $SELINUXSTATUS and $DB_CLIENT_CONF context is incorrect: $DB_CLIENT_CONTEXT" ALL_CHECKS_PASSED=false else echo " Selinux status is $SELINUXSTATUS and $DB_SRV_CONF context is incorrect: $DB_SRV_CONTEXT" diff --git a/package/linux/aca/aca_setup.sh b/package/linux/aca/aca_setup.sh index 6765681f..a3e7f4dc 100755 --- a/package/linux/aca/aca_setup.sh +++ b/package/linux/aca/aca_setup.sh @@ -96,9 +96,12 @@ fi echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" >> "$LOG_FILE" # Create a version file for bootRun to use -if command -v git ; then - jarVersion=$(cat '../../../VERSION').$(date +%s).$(git rev-parse --short HEAD) +if command -v git &> /dev/null; then + git rev-parse --is-inside-work-tree &> /dev/null; + if [ $? -eq 0 ]; then + jarVersion=$(cat '../../../VERSION').$(date +%s).$(git rev-parse --short HEAD) echo $jarVersion > $ACA_VERSION_FILE + fi fi # Set HIRS PKI password diff --git a/package/linux/db/db_create.sh b/package/linux/db/db_create.sh index 97c1f21a..57a3cf36 100755 --- a/package/linux/db/db_create.sh +++ b/package/linux/db/db_create.sh @@ -111,6 +111,10 @@ set_mysql_server_tls () { echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF" echo "ssl_cert=$SSL_DB_SRV_CERT" >> "$DB_SRV_CONF" echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF" + echo "tls_version=TLSv1.2,TLSv1.3" >> "$DB_SRV_CONF" + echo "require_secure_transport=ON" >> "$DB_SRV_CONF" + + # Make sure mysql can access them chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY # Make selinux contexts for config files, if selinux is enabled diff --git a/package/linux/db/db_drop.sh b/package/linux/db/db_drop.sh index f82c454a..59a286bb 100755 --- a/package/linux/db/db_drop.sh +++ b/package/linux/db/db_drop.sh @@ -49,10 +49,14 @@ fi # Remove key , cert and truststore entries from client.cnf andf mariadb.cnf -echo "Removing hirs cert references from mariadb configuration files" +echo "Removing hirs tls references from mariadb configuration files" grep -v "hirs" $DB_SRV_CONF > tmpfile && mv tmpfile $DB_SRV_CONF +grep -v "tls_version" $DB_SRV_CONF > tmpfile && mv tmpfile $DB_SRV_CONF +grep -v "require_secure_transport" $DB_SRV_CONF > tmpfile && mv tmpfile $DB_SRV_CONF + grep -v "hirs" $DB_CLIENT_CONF > tmpfile && mv tmpfile $DB_CLIENT_CONF + echo "restarting mariadb" mysqld_reboot diff --git a/package/linux/pki/pki_setup.sh b/package/linux/pki/pki_setup.sh index 35456473..27277ff7 100755 --- a/package/linux/pki/pki_setup.sh +++ b/package/linux/pki/pki_setup.sh @@ -14,7 +14,9 @@ PKI_PASS=$2 UNATTENDED=$3 LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log LOG_DIR="/var/log/hirs/" +HIRS_DIR=/etc/hirs HIRS_CONF_DIR=/etc/hirs/aca +HIRS_CERT_DIR=/etc/hirs/certificates # Capture location of the script to allow from invocation from any location SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) @@ -65,9 +67,21 @@ if [ ! -d "/etc/hirs/certificates" ]; then $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE" popd &> /dev/null +echo "Setting MYSQL permissions for DB TLS Certs..." | tee -a "$LOG_FILE" + find $HIRS_CERT_DIR -type f -iname "*.pem" -exec chmod 600 {} \; + find $HIRS_CERT_DIR -type f -iname "*.jks" -exec chmod 600 {} \; + find $HIRS_CERT_DIR -type f -iname "*.key" -exec chmod 600 {} \; + chown root:mysql $HIRS_CERT_DIR $HIRS_CERT_DIR/HIRS $HIRS_CERT_DIR/HIRS/rsa_3k_sha384_certs $HIRS_CERT_DIR/HIRS/ecc_512_sha384_certs + chmod 750 $HIRS_CERT_DIR $HIRS_CERT_DIR/HIRS $HIRS_CERT_DIR/HIRS/rsa_3k_sha384_certs $HIRS_CERT_DIR/HIRS/ecc_512_sha384_certs + chmod 755 $HIRS_DIR + chmod 750 $HIRS_CONF_DIR + chmod 755 $HIRS_CERT_DIR/HIRS/ecc_512_sha384_certs/HIRS_ecc_512_sha384_Cert_Chain.pem + chmod 755 $HIRS_CERT_DIR/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem + echo "hirs_pki_password="$PKI_PASS >> $ACA_PROP echo "server.ssl.key-store-password="$PKI_PASS >> $SPRING_PROP_FILE echo "server.ssl.trust-store-password="$PKI_PASS >> $SPRING_PROP_FILE else echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE" fi +chmod 600 $ACA_PROP \ No newline at end of file