diff --git a/10 b/.ci/docker/Dockerfile.ubuntu22ci similarity index 100% rename from 10 rename to .ci/docker/Dockerfile.ubuntu22ci diff --git a/package/scripts/aca/aca_check_setup.sh b/package/scripts/aca/aca_check_setup.sh index 3ca9c8e9..bf4ed0d5 100755 --- a/package/scripts/aca/aca_check_setup.sh +++ b/package/scripts/aca/aca_check_setup.sh @@ -37,7 +37,15 @@ DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf" DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf" ALL_CHECKS_PASSED=true ALL_CERTS_PASSED=true + source $SCRIPT_DIR/../db/mysql_util.sh +source /etc/os-release + +# Setup distro specifc paths and variables +if [ $ID = "ubuntu" ]; then + DB_SRV_CONF="/etc/mysql/mariadb.conf.d/50-server.cnf" + DB_CLIENT_CONF="/etc/mysql/mariadb.conf.d/50-client.cnf" +fi # Check for Admin privileges if [ "$EUID" -ne 0 ]; then @@ -69,16 +77,24 @@ done echo "Checking HIRS ACA Setup on this device..." # Check if aca setup was performed # Check is RPM was installed via RPM package - rpm -q --quiet HIRS_AttestationCA + if [ $ID = "rhel" ]; then + echo "RHEL distro detected" + rpm -q --quiet HIRS_AttestationCA + elif [ $ID = 'ubuntu' ]; then + echo "Ubuntu distro detected" + dpkg -l "HIRS_AttestationCA" > /dev/null + else + echo "Unsupported OS Distro encountered" + fi if [ $? -eq 0 ]; then - echo "HIRS ACA was installed via rpm package on this device" + echo "HIRS ACA was installed via an OS package on this device" if [[ $(cat /etc/crontab | grep -c hirs/aca) > 0 ]]; then echo " HIRS ACA is set to start on boot via crontab file" else echo " HIRS ACA is NOT set to start on boot via crontab file" fi else - echo "HIRS ACA was NOT installed via rpm package on this device" + echo "HIRS ACA was NOT installed via an OS package on this device" fi # Check install setup pki files @@ -92,7 +108,6 @@ echo "Checking HIRS ACA Setup on this device..." source /etc/hirs/aca/aca.properties; - check_pwds () { PRESENT=true 
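Review bot: The new distro test `if [ $ID = "ubuntu" ]; then` leaves `$ID` unquoted, so when /etc/os-release is absent or has no `ID=` line the test degenerates to `[ = "ubuntu" ]` and fails with "unary operator expected" instead of falling back to the RHEL defaults; the same form is used in the rpm/dpkg dispatch below, in check_selinux, and in db_create.sh. Write it as `if [ "${ID:-}" = "ubuntu" ]; then` (and likewise for `"rhel"`). Sourcing /etc/os-release also imports every variable that file defines (NAME, VERSION, PRETTY_NAME, …) into the script's namespace; none of the script's own names visible here collide, but a comment such as `# sourced only for $ID (distro identifier)` would record that intent. The comment typo `specifc` → `specific` appears here and again in db_create.sh.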
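Review bot: In the distro dispatch the `else` branch only echoes "Unsupported OS Distro encountered", so the `if [ $? -eq 0 ]` that follows tests the exit status of that echo (always 0) and reports "HIRS ACA was installed via an OS package" on every unsupported distro. The smallest fix is to end that branch with a failing status, `echo "Unsupported OS Distro encountered"; false`, though capturing the query result in a variable and testing that would be clearer than relying on `$?` across the `fi`. On the Ubuntu branch, `dpkg -l "HIRS_AttestationCA"` exits 0 for a package that dpkg knows but has removed (state `un`/`rc`), so `dpkg -s HIRS_AttestationCA >/dev/null 2>&1` is the more reliable "is installed" test. Debian package names are also required to be lowercase without underscores, so this lookup can only succeed if the .deb is really built under the name `HIRS_AttestationCA` — worth confirming against the packaging, which is not in this diff.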
@@ -121,13 +136,13 @@ check_mysql_setup () { # make sure mysql is running and restart if its not... check_mysql # Check DB server/client TLS setup. - if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then + if [[ $(cat "$DB_SRV_CONF" | grep -c "HIRS") < 1 ]]; then echo " Mysql server ($DB_SRV_CONF) is NOT configured for Server Side TLS" ALL_CHECKS_PASSED=false else echo " Mysql server ($DB_SRV_CONF) is configured for Server Side TLS" fi - if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then + if [[ $(cat "$DB_CLIENT_CONF" | grep -c "HIRS") < 1 ]]; then echo " Mysql client ($DB_CLIENT_CONF)is NOT configured for command line use of TLS without provding key/cert ino the commandline" ALL_CHECKS_PASSED=false else @@ -240,12 +255,18 @@ check_db () { mysql -u hirs_db --password=$hirs_db_password -e "SHOW DATABASES;"; echo "Privileges for the hirs_db user:" mysql -u hirs_db --password=$hirs_db_password -e "SHOW GRANTS FOR 'hirs_db'@'localhost'" + echo "MYSQL Log:" + mysql -u root --password=$mysql_admin_password -e "SHOW GLOBAL VARIABLES LIKE 'log_error'" fi } # Check selinux status and files that require specific contexts check_selinux () { + if [ $ID = "ubuntu" ]; then + echo "Skipping selinux check on ubuntu" + return + fi SELINUXSTATUS=$(getenforce) DB_SRV_CONTEXT=$(ls -Z $DB_SRV_CONF) DB_CLIENT_CONTEXT=$(ls -Z $DB_CLIENT_CONF) @@ -283,4 +304,4 @@ if [ $ALL_CHECKS_PASSED = true ]; then echo "ACA setup checks passed!" else echo "ACA setup checks failed." -fi \ No newline at end of file +fi diff --git a/package/scripts/aca/aca_remove_setup.sh b/package/scripts/aca/aca_remove_setup.sh index 6cb473e5..01f38cfb 100755 --- a/package/scripts/aca/aca_remove_setup.sh +++ b/package/scripts/aca/aca_remove_setup.sh @@ -22,7 +22,7 @@ check_mysql_root # remove the hrs-db and hirs_db user pushd $SCRIPT_DIR/../db/ &>/dev/null -sh db_drop.sh $DB_ADMIN_PWD +./db_drop.sh $DB_ADMIN_PWD popd &>/dev/null # remove pki files and config files if not installed by rpm 
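Review bot: Replacing `grep -c "ssl"` with `grep -c "HIRS"` makes check_mysql_setup test for the literal string "HIRS" anywhere in the MariaDB config rather than for TLS directives, so a comment or unrelated path containing HIRS satisfies the "configured for Server Side TLS" check while a config that keeps its certificates under another directory fails it; set_mysql_server_tls and set_mysql_client_tls in db_create.sh make the same substitution. If the motivation is that Ubuntu's 50-server.cnf presumably ships commented-out `#ssl-…` examples that matched the old pattern, match active directives instead: `if [[ $(grep -Ec '^[[:space:]]*ssl[_-](ca|cert|key)[[:space:]]*=' "$DB_SRV_CONF") -lt 1 ]]; then` and the same for `"$DB_CLIENT_CONF"`. That form also drops the `cat |` and uses a numeric comparison — inside `[[ ]]`, `<` compares strings. check_mysql_setup continues past the end of the hunk.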
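Review bot: The label `echo "MYSQL Log:"` is misleading: `SHOW GLOBAL VARIABLES LIKE 'log_error'` prints the configured path of the error log, not its contents, so whoever reads the check output will look for log lines that are not there; `echo "MYSQL error log location:"` says what is actually printed. The new line also passes `$mysql_admin_password` (presumably loaded from aca.properties earlier; not visible here) unquoted on the mysql command line, where it is readable by every local user via `ps` while the query runs; the neighbouring hirs_db lines share the pattern, but a new line is the place to stop extending it — `mysql --defaults-extra-file=<0600 option file>` keeps the credential off argv. In check_selinux below, the Ubuntu early return uses the same unquoted `[ $ID = "ubuntu" ]` test noted on aca_check_setup.sh's first hunk.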
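Review bot: `./db_drop.sh $DB_ADMIN_PWD` still hands the database admin password to the child as a positional argument, unquoted, so it is exposed in the process list for as long as db_drop.sh runs and is word-split if it contains whitespace; the direct-exec rewrites in aca_setup.sh (calls to pki_setup.sh and db_create.sh) and pki_setup.sh (calls to pki_chain_gen.sh) do the same with `$PKI_PASS`. At minimum quote it, `./db_drop.sh "$DB_ADMIN_PWD"`; delivering the secret over stdin or a 0600 file would keep it out of `ps` entirely. Running the script directly instead of through `sh` also depends on its executable bit surviving packaging — the scripts shown in this diff are mode 100755 in the repository, but db_drop.sh itself is not part of the diff, so that should be confirmed.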
@@ -36,4 +36,4 @@ echo "Removing the ACA crontab" sed -i '/aca_bootRun.sh/d' /etc/crontab echo "Shutting down the aca..." ps axf | grep HIRS_AttestationCAPortal.war | grep -v grep | awk '{print "kill " $1}' | sh >/dev/null 2>&1 -echo "ACA setup removal complete." \ No newline at end of file +echo "ACA setup removal complete." diff --git a/package/scripts/aca/aca_setup.sh b/package/scripts/aca/aca_setup.sh index d3561c32..42f5d7ea 100755 --- a/package/scripts/aca/aca_setup.sh +++ b/package/scripts/aca/aca_setup.sh @@ -25,7 +25,7 @@ help () { echo " -u | --unattended Run unattended" echo " -h | --help Print this Help." echo " -sp | --skip-pki run the setup without pki setup." - echo " -sb | --skip-db run the setup without database setup." + echo " -sd | --skip-db run the setup without database setup." echo } @@ -97,7 +97,7 @@ if [ -z $HIRS_PKI_PWD ]; then fi if [ -z "${ARG_SKIP_PKI}" ]; then - sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND + ../pki/pki_setup.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND if [ $? -eq 0 ]; then echo "ACA PKI setup complete" | tee -a "$LOG_FILE" else @@ -109,7 +109,7 @@ if [ -z "${ARG_SKIP_PKI}" ]; then fi if [ -z "${ARG_SKIP_DB}" ]; then - sh ../db/db_create.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND + ../db/db_create.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND if [ $? -eq 0 ]; then echo "ACA database setup complete" | tee -a "$LOG_FILE" else @@ -122,4 +122,4 @@ fi echo "ACA setup complete" | tee -a "$LOG_FILE" -popd &>/dev/null \ No newline at end of file +popd &>/dev/null diff --git a/package/scripts/db/db_create.sh b/package/scripts/db/db_create.sh index e723ec9f..99c17f24 100755 --- a/package/scripts/db/db_create.sh +++ b/package/scripts/db/db_create.sh 
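Review bot: The rewritten calls `../pki/pki_setup.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND` and `../db/db_create.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND` leave the log path and the PKI password unquoted, so a password containing whitespace or glob characters is split into several arguments and the callee receives the wrong `$2` (and a shifted `$3`, which it presumably reads as the unattended flag). Quote the two values that must stay single arguments, `../pki/pki_setup.sh "$LOG_FILE" "$PKI_PASS" $ARG_UNATTEND`, leaving `$ARG_UNATTEND` unquoted only if an empty value is meant to drop the argument rather than pass an empty string. Dropping the `sh` prefix is the right direction if these scripts use bash syntax, since `sh` resolves to dash on Ubuntu. The help-text correction `-sd | --skip-db` should be checked against the option parser, which lies outside this hunk.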
@@ -17,7 +17,7 @@ SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) SPRING_PROP_FILE="/etc/hirs/aca/application.properties" ACA_PROP_FILE="/etc/hirs/aca/aca.properties" DB_ADMIN_PWD="" -# Db Configuration files +# Db Configuration fileis, use RHELpaths as default DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf" DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf" # Default Server Side Certificates @@ -39,6 +39,14 @@ mkdir -p /var/log/hirs/ source $SCRIPT_DIR/mysql_util.sh source $ACA_PROP_FILE +source /etc/os-release + +# Setup distro specifc paths and variables +if [ $ID = "ubuntu" ]; then + DB_SRV_CONF="/etc/mysql/mariadb.conf.d/50-server.cnf" + DB_CLIENT_CONF="/etc/mysql/mariadb.conf.d/50-client.cnf" + echo log_error=/var/log/mysql/mariadb.log >> $DB_SRV_CONF +fi check_mysql_root_pwd () { # Check if DB root password needs to be obtained @@ -79,8 +87,8 @@ check_mysql_root_pwd () { } set_mysql_server_tls () { - # Check DB server setup. If ssl params dont exist then we need to add them. - if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then + # Check DB server setup. If HIRS ssl params dont exist then we need to add them. + if [[ $(cat "$DB_SRV_CONF" | grep -c "HIRS") < 1 ]]; then # Add TLS files to my.cnf echo "Updating $DB_SRV_CONF with ssl parameters..." | tee -a "$LOG_FILE" echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF" @@ -101,7 +109,7 @@ set_mysql_server_tls () { set_mysql_client_tls () { # Update ACA property file with client cert info, if not there already -if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then +if [[ $(cat "$DB_CLIENT_CONF" | grep -c "HIRS") < 1 ]]; then echo "Updating $DB_CLIENT_CONF with ssl parameters..." | tee -a "$LOG_FILE" echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $DB_CLIENT_CONF echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF diff --git a/package/scripts/pki/pki_setup.sh b/package/scripts/pki/pki_setup.sh index 5a28142b..763e40f5 100755 --- a/package/scripts/pki/pki_setup.sh +++ b/package/scripts/pki/pki_setup.sh 
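Review bot: The Ubuntu branch appends `log_error=/var/log/mysql/mariadb.log` to `$DB_SRV_CONF` unconditionally at script load, before the root-password and TLS steps run, so every invocation of db_create.sh adds another copy of the line and the config grows without bound (the setting lands in whichever section closes the file, presumably `[mysqld]` — worth confirming). Guard it the way the ssl directives are guarded: `grep -q '^log_error=' "$DB_SRV_CONF" || echo 'log_error=/var/log/mysql/mariadb.log' >> "$DB_SRV_CONF"`. The new comment in the first hunk carries two typos, `fileis` → `files` and `RHELpaths` → `RHEL paths`, and the `$ID` test is unquoted as noted on aca_check_setup.sh.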
@@ -33,8 +33,8 @@ if [ -z "$2" ]; then fi # Check for sudo or root user -if [ "$EUID" -ne 0 ] - then echo "This script requires root. Please run as root" | tee -a "$LOG_FILE" +if [ "$EUID" -ne 0 ]; then + echo "This script requires root. Please run as root" | tee -a "$LOG_FILE" exit 1 fi @@ -52,8 +52,8 @@ if [ ! -d "/etc/hirs/certificates" ]; then pushd /etc/hirs/certificates/ &> /dev/null cp $PKI_SETUP_DIR/ca.conf . - sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS" "$LOG_FILE" - sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE" + $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS" "$LOG_FILE" + $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE" popd &> /dev/null echo "hirs_pki_password="$PKI_PASS >> $ACA_PROP diff --git a/test.sh b/test.sh deleted file mode 100644 index 6eeb60f5..00000000 --- a/test.sh +++ /dev/null @@ -1,5 +0,0 @@ -echo " -# *** ACA Directories *** -aca.directories.root = /etc/hirs/ -aca.prop.file=aca.directories.root/aca.properties -aca.directories.certificates = root/certificates"
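Review bot: The two `$PKI_SETUP_DIR/pki_chain_gen.sh …` invocations leave `$PKI_SETUP_DIR` unquoted while every other argument on those lines is quoted, so a setup directory path with a space breaks the command; write `"$PKI_SETUP_DIR/pki_chain_gen.sh" "HIRS" "rsa" "3072" "sha384" "$PKI_PASS" "$LOG_FILE"` for both lines. Invoking the script directly instead of via `sh` means its own shebang and executable bit now decide how it runs — the right direction if it uses bash syntax, since `sh` is dash on Ubuntu, but pki_chain_gen.sh is not in this diff, so both should be confirmed.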