added OS specific checks for mariadb

This commit is contained in:
iadgovuser26 2023-10-05 20:05:21 +00:00
parent 11b7ffd3ff
commit 80dc42dae5
7 changed files with 50 additions and 26 deletions


@ -37,7 +37,15 @@ DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf" DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
ALL_CHECKS_PASSED=true ALL_CHECKS_PASSED=true
ALL_CERTS_PASSED=true ALL_CERTS_PASSED=true
source $SCRIPT_DIR/../db/mysql_util.sh source $SCRIPT_DIR/../db/mysql_util.sh
source /etc/os-release
# Setup distro specifc paths and variables
if [ $ID = "ubuntu" ]; then
DB_SRV_CONF="/etc/mysql/mariadb.conf.d/50-server.cnf"
DB_CLIENT_CONF="/etc/mysql/mariadb.conf.d/50-client.cnf"
fi
# Check for Admin privileges # Check for Admin privileges
if [ "$EUID" -ne 0 ]; then if [ "$EUID" -ne 0 ]; then
@ -69,16 +77,24 @@ done
echo "Checking HIRS ACA Setup on this device..." echo "Checking HIRS ACA Setup on this device..."
# Check if aca setup was performed # Check if aca setup was performed
# Check is RPM was installed via RPM package # Check is RPM was installed via RPM package
if [ $ID = "rhel" ]; then
echo "RHEL distro detected"
rpm -q --quiet HIRS_AttestationCA rpm -q --quiet HIRS_AttestationCA
elif [ $ID = 'ubuntu' ]; then
echo "Ubuntu distro detected"
dpkg -l "HIRS_AttestationCA" > /dev/null
else
echo "Unsupported OS Distro encountered"
fi
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
echo "HIRS ACA was installed via rpm package on this device" echo "HIRS ACA was installed via an OS package on this device"
if [[ $(cat /etc/crontab | grep -c hirs/aca) > 0 ]]; then if [[ $(cat /etc/crontab | grep -c hirs/aca) > 0 ]]; then
echo " HIRS ACA is set to start on boot via crontab file" echo " HIRS ACA is set to start on boot via crontab file"
else else
echo " HIRS ACA is NOT set to start on boot via crontab file" echo " HIRS ACA is NOT set to start on boot via crontab file"
fi fi
else else
echo "HIRS ACA was NOT installed via rpm package on this device" echo "HIRS ACA was NOT installed via an OS package on this device"
fi fi
# Check install setup pki files # Check install setup pki files
@ -92,7 +108,6 @@ echo "Checking HIRS ACA Setup on this device..."
source /etc/hirs/aca/aca.properties; source /etc/hirs/aca/aca.properties;
check_pwds () { check_pwds () {
PRESENT=true PRESENT=true
@ -121,13 +136,13 @@ check_mysql_setup () {
# make sure mysql is running and restart if its not... # make sure mysql is running and restart if its not...
check_mysql check_mysql
# Check DB server/client TLS setup. # Check DB server/client TLS setup.
if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then if [[ $(cat "$DB_SRV_CONF" | grep -c "HIRS") < 1 ]]; then
echo " Mysql server ($DB_SRV_CONF) is NOT configured for Server Side TLS" echo " Mysql server ($DB_SRV_CONF) is NOT configured for Server Side TLS"
ALL_CHECKS_PASSED=false ALL_CHECKS_PASSED=false
else else
echo " Mysql server ($DB_SRV_CONF) is configured for Server Side TLS" echo " Mysql server ($DB_SRV_CONF) is configured for Server Side TLS"
fi fi
if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then if [[ $(cat "$DB_CLIENT_CONF" | grep -c "HIRS") < 1 ]]; then
echo " Mysql client ($DB_CLIENT_CONF)is NOT configured for command line use of TLS without provding key/cert ino the commandline" echo " Mysql client ($DB_CLIENT_CONF)is NOT configured for command line use of TLS without provding key/cert ino the commandline"
ALL_CHECKS_PASSED=false ALL_CHECKS_PASSED=false
else else
@ -240,12 +255,18 @@ check_db () {
mysql -u hirs_db --password=$hirs_db_password -e "SHOW DATABASES;"; mysql -u hirs_db --password=$hirs_db_password -e "SHOW DATABASES;";
echo "Privileges for the hirs_db user:" echo "Privileges for the hirs_db user:"
mysql -u hirs_db --password=$hirs_db_password -e "SHOW GRANTS FOR 'hirs_db'@'localhost'" mysql -u hirs_db --password=$hirs_db_password -e "SHOW GRANTS FOR 'hirs_db'@'localhost'"
echo "MYSQL Log:"
mysql -u root --password=$mysql_admin_password -e "SHOW GLOBAL VARIABLES LIKE 'log_error'"
fi fi
} }
# Check selinux status and files that require specific contexts # Check selinux status and files that require specific contexts
check_selinux () { check_selinux () {
if [ $ID = "ubuntu" ]; then
echo "Skipping selinux check on ubuntu"
return
fi
SELINUXSTATUS=$(getenforce) SELINUXSTATUS=$(getenforce)
DB_SRV_CONTEXT=$(ls -Z $DB_SRV_CONF) DB_SRV_CONTEXT=$(ls -Z $DB_SRV_CONF)
DB_CLIENT_CONTEXT=$(ls -Z $DB_CLIENT_CONF) DB_CLIENT_CONTEXT=$(ls -Z $DB_CLIENT_CONF)
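Review bot: In the package-detection hunk (`@ -69,16 +77,24 @@`), the `if [ $? -eq 0 ]` that follows the distro branch tests the exit status of `echo "Unsupported OS Distro encountered"` when neither branch matched, so an unsupported distro is reported as having HIRS ACA installed via an OS package; record the package query's status in a variable inside each branch, defaulted to failure, and test that instead (rewrite below). `$ID` from /etc/os-release is expanded unquoted in every new `[ $ID = ... ]` test here and in check_selinux, so an empty or missing ID yields a test syntax error rather than the unsupported-distro path; `[ "$ID" = "ubuntu" ]` avoids that. dpkg package names are lowercase, so `dpkg -l "HIRS_AttestationCA"` may never match the installed .deb — worth confirming against the packaging. The new `SHOW GLOBAL VARIABLES` call in check_db also places the mysql root password on the command line where other local users can read it via `ps`, as the surrounding context lines already do; a `--defaults-extra-file` credential file would keep it out of the process list. check_db and check_selinux both continue outside their hunks.
```shell
pkg_installed=1   # non-zero until a distro-specific package query succeeds
if [ "$ID" = "rhel" ]; then
  echo "RHEL distro detected"
  rpm -q --quiet HIRS_AttestationCA
  pkg_installed=$?
elif [ "$ID" = "ubuntu" ]; then
  echo "Ubuntu distro detected"
  dpkg -l "HIRS_AttestationCA" > /dev/null
  pkg_installed=$?
else
  echo "Unsupported OS Distro encountered"
fi
if [ "$pkg_installed" -eq 0 ]; then
# … unchanged: crontab check and install/not-installed messages …
```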


@ -22,7 +22,7 @@ check_mysql_root
# remove the hrs-db and hirs_db user # remove the hrs-db and hirs_db user
pushd $SCRIPT_DIR/../db/ &>/dev/null pushd $SCRIPT_DIR/../db/ &>/dev/null
sh db_drop.sh $DB_ADMIN_PWD ./db_drop.sh $DB_ADMIN_PWD
popd &>/dev/null popd &>/dev/null
# remove pki files and config files if not installed by rpm # remove pki files and config files if not installed by rpm
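Review bot: `./db_drop.sh $DB_ADMIN_PWD` now depends on the execute bit being set on db_drop.sh, which the previous `sh db_drop.sh` did not, and the same switch is made for pki_setup.sh, db_create.sh and pki_chain_gen.sh in the later sections of this commit; if the scripts are installed without mode 755 the call fails, and nothing here checks its status before `popd`. `$DB_ADMIN_PWD` is also unquoted, so a password containing whitespace or glob characters is split before it reaches the script; `./db_drop.sh "$DB_ADMIN_PWD"` (and likewise `"$PKI_PASS"` at the other call sites) fixes that. The enclosing script is only partly visible in this hunk.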


@ -25,7 +25,7 @@ help () {
echo " -u | --unattended Run unattended" echo " -u | --unattended Run unattended"
echo " -h | --help Print this Help." echo " -h | --help Print this Help."
echo " -sp | --skip-pki run the setup without pki setup." echo " -sp | --skip-pki run the setup without pki setup."
echo " -sb | --skip-db run the setup without database setup." echo " -sd | --skip-db run the setup without database setup."
echo echo
} }
@ -97,7 +97,7 @@ if [ -z $HIRS_PKI_PWD ]; then
fi fi
if [ -z "${ARG_SKIP_PKI}" ]; then if [ -z "${ARG_SKIP_PKI}" ]; then
sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND ../pki/pki_setup.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
echo "ACA PKI setup complete" | tee -a "$LOG_FILE" echo "ACA PKI setup complete" | tee -a "$LOG_FILE"
else else
@ -109,7 +109,7 @@ if [ -z "${ARG_SKIP_PKI}" ]; then
fi fi
if [ -z "${ARG_SKIP_DB}" ]; then if [ -z "${ARG_SKIP_DB}" ]; then
sh ../db/db_create.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND ../db/db_create.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
echo "ACA database setup complete" | tee -a "$LOG_FILE" echo "ACA database setup complete" | tee -a "$LOG_FILE"
else else


@ -17,7 +17,7 @@ SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
SPRING_PROP_FILE="/etc/hirs/aca/application.properties" SPRING_PROP_FILE="/etc/hirs/aca/application.properties"
ACA_PROP_FILE="/etc/hirs/aca/aca.properties" ACA_PROP_FILE="/etc/hirs/aca/aca.properties"
DB_ADMIN_PWD="" DB_ADMIN_PWD=""
# Db Configuration files # Db Configuration fileis, use RHELpaths as default
DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf" DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf" DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
# Default Server Side Certificates # Default Server Side Certificates
@ -39,6 +39,14 @@ mkdir -p /var/log/hirs/
source $SCRIPT_DIR/mysql_util.sh source $SCRIPT_DIR/mysql_util.sh
source $ACA_PROP_FILE source $ACA_PROP_FILE
source /etc/os-release
# Setup distro specifc paths and variables
if [ $ID = "ubuntu" ]; then
DB_SRV_CONF="/etc/mysql/mariadb.conf.d/50-server.cnf"
DB_CLIENT_CONF="/etc/mysql/mariadb.conf.d/50-client.cnf"
echo log_error=/var/log/mysql/mariadb.log >> $DB_SRV_CONF
fi
check_mysql_root_pwd () { check_mysql_root_pwd () {
# Check if DB root password needs to be obtained # Check if DB root password needs to be obtained
@ -79,8 +87,8 @@ check_mysql_root_pwd () {
} }
set_mysql_server_tls () { set_mysql_server_tls () {
# Check DB server setup. If ssl params dont exist then we need to add them. # Check DB server setup. If HIRS ssl params dont exist then we need to add them.
if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then if [[ $(cat "$DB_SRV_CONF" | grep -c "HIRS") < 1 ]]; then
# Add TLS files to my.cnf # Add TLS files to my.cnf
echo "Updating $DB_SRV_CONF with ssl parameters..." | tee -a "$LOG_FILE" echo "Updating $DB_SRV_CONF with ssl parameters..." | tee -a "$LOG_FILE"
echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF" echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF"
@ -101,7 +109,7 @@ set_mysql_server_tls () {
set_mysql_client_tls () { set_mysql_client_tls () {
# Update ACA property file with client cert info, if not there already # Update ACA property file with client cert info, if not there already
if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then if [[ $(cat "$DB_CLIENT_CONF" | grep -c "HIRS") < 1 ]]; then
echo "Updating $DB_CLIENT_CONF with ssl parameters..." | tee -a "$LOG_FILE" echo "Updating $DB_CLIENT_CONF with ssl parameters..." | tee -a "$LOG_FILE"
echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $DB_CLIENT_CONF echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $DB_CLIENT_CONF
echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF
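Review bot: `echo log_error=/var/log/mysql/mariadb.log >> $DB_SRV_CONF` in the `@ -39,6 +39,14 @@` hunk runs at top level every time the script executes on Ubuntu, so each run appends another `log_error` line to the server config; guard it with `grep -q '^log_error=' "$DB_SRV_CONF" || echo log_error=/var/log/mysql/mariadb.log >> "$DB_SRV_CONF"`. Appending to the end of the file also places the directive in whichever section is last, which may not be the server section — worth confirming against the 50-server.cnf layout. The switch from `grep -c "ssl"` to `grep -c "HIRS"` in set_mysql_server_tls and set_mysql_client_tls makes the already-configured decision depend on the string HIRS appearing anywhere in the file (presumably through the certificate paths written below), so an unrelated comment or entry mentioning HIRS would skip writing the ssl parameters; a comment stating what guarantees that HIRS appears only in the lines this script writes would help, and the same change is made in check_mysql_setup in the first file of this commit. `[ $ID = "ubuntu" ]` should quote `$ID` as in the other file. set_mysql_server_tls and set_mysql_client_tls both continue outside their hunks.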


@ -33,8 +33,8 @@ if [ -z "$2" ]; then
fi fi
# Check for sudo or root user # Check for sudo or root user
if [ "$EUID" -ne 0 ] if [ "$EUID" -ne 0 ]; then
then echo "This script requires root. Please run as root" | tee -a "$LOG_FILE" echo "This script requires root. Please run as root" | tee -a "$LOG_FILE"
exit 1 exit 1
fi fi
@ -52,8 +52,8 @@ if [ ! -d "/etc/hirs/certificates" ]; then
pushd /etc/hirs/certificates/ &> /dev/null pushd /etc/hirs/certificates/ &> /dev/null
cp $PKI_SETUP_DIR/ca.conf . cp $PKI_SETUP_DIR/ca.conf .
sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS" "$LOG_FILE" $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS" "$LOG_FILE"
sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE" $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE"
popd &> /dev/null popd &> /dev/null
echo "hirs_pki_password="$PKI_PASS >> $ACA_PROP echo "hirs_pki_password="$PKI_PASS >> $ACA_PROP


@ -1,5 +0,0 @@
echo "
# *** ACA Directories ***
aca.directories.root = /etc/hirs/
aca.prop.file=aca.directories.root/aca.properties
aca.directories.certificates = root/certificates"