addeded OS sepcific checks for mariadb

This commit is contained in:
iadgovuser26 2023-10-05 20:05:21 +00:00
parent 11b7ffd3ff
commit 80dc42dae5
7 changed files with 50 additions and 26 deletions

View File

@ -37,7 +37,15 @@ DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
ALL_CHECKS_PASSED=true
ALL_CERTS_PASSED=true
source $SCRIPT_DIR/../db/mysql_util.sh
source /etc/os-release
# Setup distro specifc paths and variables
if [ $ID = "ubuntu" ]; then
DB_SRV_CONF="/etc/mysql/mariadb.conf.d/50-server.cnf"
DB_CLIENT_CONF="/etc/mysql/mariadb.conf.d/50-client.cnf"
fi
# Check for Admin privileges
if [ "$EUID" -ne 0 ]; then
@ -69,16 +77,24 @@ done
echo "Checking HIRS ACA Setup on this device..."
# Check if aca setup was performed
# Check is RPM was installed via RPM package
if [ $ID = "rhel" ]; then
echo "RHEL distro detected"
rpm -q --quiet HIRS_AttestationCA
elif [ $ID = 'ubuntu' ]; then
echo "Ubuntu distro detected"
dpkg -l "HIRS_AttestationCA" > /dev/null
else
echo "Unsupported OS Distro encountered"
fi
if [ $? -eq 0 ]; then
echo "HIRS ACA was installed via rpm package on this device"
echo "HIRS ACA was installed via an OS package on this device"
if [[ $(cat /etc/crontab | grep -c hirs/aca) > 0 ]]; then
echo " HIRS ACA is set to start on boot via crontab file"
else
echo " HIRS ACA is NOT set to start on boot via crontab file"
fi
else
echo "HIRS ACA was NOT installed via rpm package on this device"
echo "HIRS ACA was NOT installed via an OS package on this device"
fi
# Check install setup pki files
@ -92,7 +108,6 @@ echo "Checking HIRS ACA Setup on this device..."
source /etc/hirs/aca/aca.properties;
check_pwds () {
PRESENT=true
@ -121,13 +136,13 @@ check_mysql_setup () {
# make sure mysql is running and restart if its not...
check_mysql
# Check DB server/client TLS setup.
if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then
if [[ $(cat "$DB_SRV_CONF" | grep -c "HIRS") < 1 ]]; then
echo " Mysql server ($DB_SRV_CONF) is NOT configured for Server Side TLS"
ALL_CHECKS_PASSED=false
else
echo " Mysql server ($DB_SRV_CONF) is configured for Server Side TLS"
fi
if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then
if [[ $(cat "$DB_CLIENT_CONF" | grep -c "HIRS") < 1 ]]; then
echo " Mysql client ($DB_CLIENT_CONF)is NOT configured for command line use of TLS without provding key/cert ino the commandline"
ALL_CHECKS_PASSED=false
else
@ -240,12 +255,18 @@ check_db () {
mysql -u hirs_db --password=$hirs_db_password -e "SHOW DATABASES;";
echo "Privileges for the hirs_db user:"
mysql -u hirs_db --password=$hirs_db_password -e "SHOW GRANTS FOR 'hirs_db'@'localhost'"
echo "MYSQL Log:"
mysql -u root --password=$mysql_admin_password -e "SHOW GLOBAL VARIABLES LIKE 'log_error'"
fi
}
# Check selinux status and files that require specific contexts
check_selinux () {
if [ $ID = "ubuntu" ]; then
echo "Skipping selinux check on ubuntu"
return
fi
SELINUXSTATUS=$(getenforce)
DB_SRV_CONTEXT=$(ls -Z $DB_SRV_CONF)
DB_CLIENT_CONTEXT=$(ls -Z $DB_CLIENT_CONF)

View File

@ -22,7 +22,7 @@ check_mysql_root
# remove the hrs-db and hirs_db user
pushd $SCRIPT_DIR/../db/ &>/dev/null
sh db_drop.sh $DB_ADMIN_PWD
./db_drop.sh $DB_ADMIN_PWD
popd &>/dev/null
# remove pki files and config files if not installed by rpm

View File

@ -25,7 +25,7 @@ help () {
echo " -u | --unattended Run unattended"
echo " -h | --help Print this Help."
echo " -sp | --skip-pki run the setup without pki setup."
echo " -sb | --skip-db run the setup without database setup."
echo " -sd | --skip-db run the setup without database setup."
echo
}
@ -97,7 +97,7 @@ if [ -z $HIRS_PKI_PWD ]; then
fi
if [ -z "${ARG_SKIP_PKI}" ]; then
sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND
../pki/pki_setup.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND
if [ $? -eq 0 ]; then
echo "ACA PKI setup complete" | tee -a "$LOG_FILE"
else
@ -109,7 +109,7 @@ if [ -z "${ARG_SKIP_PKI}" ]; then
fi
if [ -z "${ARG_SKIP_DB}" ]; then
sh ../db/db_create.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND
../db/db_create.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND
if [ $? -eq 0 ]; then
echo "ACA database setup complete" | tee -a "$LOG_FILE"
else

View File

@ -17,7 +17,7 @@ SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
SPRING_PROP_FILE="/etc/hirs/aca/application.properties"
ACA_PROP_FILE="/etc/hirs/aca/aca.properties"
DB_ADMIN_PWD=""
# Db Configuration files
# Db Configuration fileis, use RHELpaths as default
DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
# Default Server Side Certificates
@ -39,6 +39,14 @@ mkdir -p /var/log/hirs/
source $SCRIPT_DIR/mysql_util.sh
source $ACA_PROP_FILE
source /etc/os-release
# Setup distro specifc paths and variables
if [ $ID = "ubuntu" ]; then
DB_SRV_CONF="/etc/mysql/mariadb.conf.d/50-server.cnf"
DB_CLIENT_CONF="/etc/mysql/mariadb.conf.d/50-client.cnf"
echo log_error=/var/log/mysql/mariadb.log >> $DB_SRV_CONF
fi
check_mysql_root_pwd () {
# Check if DB root password needs to be obtained
@ -79,8 +87,8 @@ check_mysql_root_pwd () {
}
set_mysql_server_tls () {
# Check DB server setup. If ssl params dont exist then we need to add them.
if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then
# Check DB server setup. If HIRS ssl params dont exist then we need to add them.
if [[ $(cat "$DB_SRV_CONF" | grep -c "HIRS") < 1 ]]; then
# Add TLS files to my.cnf
echo "Updating $DB_SRV_CONF with ssl parameters..." | tee -a "$LOG_FILE"
echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF"
@ -101,7 +109,7 @@ set_mysql_server_tls () {
set_mysql_client_tls () {
# Update ACA property file with client cert info, if not there already
if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then
if [[ $(cat "$DB_CLIENT_CONF" | grep -c "HIRS") < 1 ]]; then
echo "Updating $DB_CLIENT_CONF with ssl parameters..." | tee -a "$LOG_FILE"
echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $DB_CLIENT_CONF
echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF

View File

@ -33,8 +33,8 @@ if [ -z "$2" ]; then
fi
# Check for sudo or root user
if [ "$EUID" -ne 0 ]
then echo "This script requires root. Please run as root" | tee -a "$LOG_FILE"
if [ "$EUID" -ne 0 ]; then
echo "This script requires root. Please run as root" | tee -a "$LOG_FILE"
exit 1
fi
@ -52,8 +52,8 @@ if [ ! -d "/etc/hirs/certificates" ]; then
pushd /etc/hirs/certificates/ &> /dev/null
cp $PKI_SETUP_DIR/ca.conf .
sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS" "$LOG_FILE"
sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE"
$PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS" "$LOG_FILE"
$PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE"
popd &> /dev/null
echo "hirs_pki_password="$PKI_PASS >> $ACA_PROP

View File

@ -1,5 +0,0 @@
echo "
# *** ACA Directories ***
aca.directories.root = /etc/hirs/
aca.prop.file=aca.directories.root/aca.properties
aca.directories.certificates = root/certificates"