updated file permissions for Rocky 9

2024-12-19 21:17:59 +00:00 · 2024-03-28 15:26:21 -04:00 · 2024-03-28 15:26:21 -04:00 · 3c322d6b6a
commit 3c322d6b6a
parent 674564b79e
6 changed files with 41 additions and 13 deletions
--- a/package/linux/aca/aca_check_setup.sh
+++ b/package/linux/aca/aca_check_setup.sh
@ -92,13 +92,13 @@ echo "Checking HIRS ACA Setup on this device..."
  fi
  if [ $? -eq 0 ]; then
      echo "HIRS ACA was installed via an OS package on this device"
-      if [[ $(cat /etc/crontab | grep -c hirs/aca) > 0 ]]; then 
-           echo "  HIRS ACA is set to start on boot via crontab file"
+      systemctl is-active --quiet hirs-aca
+      if [[ $? -eq 0 ]]; then
+        echo "    The hirs-aca service is active"
        else
-           echo "  HIRS ACA is NOT set to start on boot via crontab file"
+        echo "    Error: ACA package install but the hirs-aca service is dead"
+        ALL_CHECKS_PASSED=false
      fi
-    else
-      echo "HIRS ACA was NOT installed via an OS package on this device" 
  fi

 check_systemd -p
@ -221,7 +221,7 @@ check_pki () {
    if [ $ALL_CERTS_PASSED == true ]; then
         echo "   All RSA and ECC certificates under $CERT_PATH are valid"
      else
-         echo "   There were error in the certificates under $CERT_PATH"
+         echo "   Error: There were error in the certificates under $CERT_PATH"
    fi
       keytool -list -keystore  /etc/hirs/certificates/HIRS/TrustStore.jks  -storepass $hirs_pki_password | grep hirs | sed -e 's/^/     /' > /dev/null
    else  #verbose
@ -244,15 +244,16 @@ check_db () {
  if [ "$RESULT" == "YES" ]; then
      echo "   Mysql Server side TLS is enabled:"
    else
-      echo "   Mysql Server side TLS is NOT enabled:"
+      echo "   Error: Mysql Server side TLS is NOT enabled:"
      ALL_CHECKS_PASSED=false
  fi
  
+  
  RESULT=$(mysqlshow --user=hirs_db --password=$hirs_db_password hirs_db|  grep -o hirs_db)
  if [ "$RESULT" == "hirs_db" ]; then
      echo "   The hirs_db database is visable by the hirs_db user"
    else
-      echo "   The hirs_db database is NOT visable by the hirs_db user"
+      echo "   Error: The hirs_db database is NOT visable by the hirs_db user"
      ALL_CHECKS_PASSED=false
  fi
   if [ ! -z "${ARG_VERBOSE}" ]; then
@ -263,6 +264,8 @@ check_db () {
    --ssl-key=/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.key
    echo "Mysql TLS configuration"
    mysql -u root --password=$mysql_admin_password -e "SHOW VARIABLES LIKE '%ssl%'"
+    echo "TLS versions allowed on maraidb:"
+    mysql -u root --password=$mysql_admin_password -e "SHOW GLOBAL VARIABLES LIKE 'tls_version'";
    echo "hirs_db user database access:"
    mysql -u hirs_db --password=$hirs_db_password -e "SHOW DATABASES;";
    echo "Privileges for the hirs_db user:"
@ -289,7 +292,7 @@ check_selinux () {
       if [[ "$DB_SRV_CONTEXT" == *"mysqld_etc_t"* &&  "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then
         echo "   Selinux status is $SELINUXSTATUS and both $DB_SRV_CONF and $DB_CLIENT_CONF contexts are correct"
       elif [[ "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then
-         echo "   Selinux status is $SELINUXSTATUS and $DB_CLIENT_CONF context is incorrect: $DB_CLIENT_CONTEXT"
+         echo "   Error: Selinux status is $SELINUXSTATUS and $DB_CLIENT_CONF context is incorrect: $DB_CLIENT_CONTEXT"
         ALL_CHECKS_PASSED=false
     else
        echo "   Selinux status is $SELINUXSTATUS and $DB_SRV_CONF context is incorrect: $DB_SRV_CONTEXT"
--- a/package/linux/aca/aca_setup.sh
+++ b/package/linux/aca/aca_setup.sh
@ -96,10 +96,13 @@ fi
 echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" >> "$LOG_FILE"

 # Create a version file for bootRun to use
-if  command -v git ; then 
+if command -v git &> /dev/null; then
+   git rev-parse --is-inside-work-tree  &> /dev/null;
+   if [ $? -eq 0 ]; then
     jarVersion=$(cat '../../../VERSION').$(date +%s).$(git rev-parse --short  HEAD)
   echo $jarVersion > $ACA_VERSION_FILE
   fi
+fi

 # Set HIRS PKI  password
 if [ -z $HIRS_PKI_PWD ]; then
--- a/package/linux/db/db_create.sh
+++ b/package/linux/db/db_create.sh
@ -111,6 +111,10 @@ set_mysql_server_tls () {
    echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF"
    echo "ssl_cert=$SSL_DB_SRV_CERT" >> "$DB_SRV_CONF"
    echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF"
+    echo "tls_version=TLSv1.2,TLSv1.3" >> "$DB_SRV_CONF"
+    echo "require_secure_transport=ON" >> "$DB_SRV_CONF"
+    
+    
    # Make sure mysql can access them
    chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
    # Make selinux contexts for config files, if selinux is enabled
--- a/package/linux/db/db_drop.sh
+++ b/package/linux/db/db_drop.sh
@ -49,10 +49,14 @@ fi

 # Remove key , cert and truststore entries from client.cnf andf mariadb.cnf

-echo "Removing hirs cert references from mariadb configuration files"
+echo "Removing hirs tls references from mariadb configuration files"
 grep -v "hirs" $DB_SRV_CONF > tmpfile && mv tmpfile $DB_SRV_CONF
+grep -v "tls_version" $DB_SRV_CONF > tmpfile && mv tmpfile $DB_SRV_CONF
+grep -v "require_secure_transport" $DB_SRV_CONF > tmpfile && mv tmpfile $DB_SRV_CONF
+
 grep -v "hirs" $DB_CLIENT_CONF > tmpfile && mv tmpfile $DB_CLIENT_CONF

+
 echo "restarting mariadb"

 mysqld_reboot
--- a/package/linux/pki/pki_setup.sh
+++ b/package/linux/pki/pki_setup.sh
@ -14,7 +14,9 @@ PKI_PASS=$2
 UNATTENDED=$3
 LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log
 LOG_DIR="/var/log/hirs/"
+HIRS_DIR=/etc/hirs
 HIRS_CONF_DIR=/etc/hirs/aca
+HIRS_CERT_DIR=/etc/hirs/certificates
 # Capture location of the script to allow from invocation from any location 
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )

@ -65,9 +67,21 @@ if [ ! -d "/etc/hirs/certificates" ]; then
    $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE"
  popd &> /dev/null

+echo "Setting MYSQL permissions for DB TLS Certs..." | tee -a "$LOG_FILE"
+  find $HIRS_CERT_DIR -type f -iname "*.pem" -exec chmod 600 {} \; 
+  find $HIRS_CERT_DIR -type f -iname "*.jks" -exec chmod 600 {} \; 
+  find $HIRS_CERT_DIR -type f -iname "*.key" -exec chmod 600 {} \;
+  chown root:mysql $HIRS_CERT_DIR $HIRS_CERT_DIR/HIRS $HIRS_CERT_DIR/HIRS/rsa_3k_sha384_certs $HIRS_CERT_DIR/HIRS/ecc_512_sha384_certs
+  chmod 750 $HIRS_CERT_DIR $HIRS_CERT_DIR/HIRS $HIRS_CERT_DIR/HIRS/rsa_3k_sha384_certs $HIRS_CERT_DIR/HIRS/ecc_512_sha384_certs
+  chmod 755 $HIRS_DIR
+  chmod 750 $HIRS_CONF_DIR
+  chmod 755 $HIRS_CERT_DIR/HIRS/ecc_512_sha384_certs/HIRS_ecc_512_sha384_Cert_Chain.pem
+  chmod 755 $HIRS_CERT_DIR/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem
+  
  echo "hirs_pki_password="$PKI_PASS >>  $ACA_PROP
  echo "server.ssl.key-store-password="$PKI_PASS >> $SPRING_PROP_FILE
  echo "server.ssl.trust-store-password="$PKI_PASS >> $SPRING_PROP_FILE
 else 
  echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE"
 fi
+chmod 600 $ACA_PROP