mirror of
https://github.com/nsacyber/HIRS.git
synced 2024-12-19 21:17:59 +00:00
Merge remote-tracking branch 'origin/tls-1_1-removal' into issue-470
This commit is contained in:
iadgovuser26
commit
8f409e0e0b
@ -21,34 +21,34 @@ fi
|
||||
|
||||
# clear all policy settings
|
||||
setPolicyNone() {
|
||||
docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=0, enablePcAttributeValidation=0, enablePcValidation=0,
|
||||
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=0, enablePcAttributeValidation=0, enablePcValidation=0,
|
||||
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
|
||||
}
|
||||
|
||||
# Policy Settings for tests ...
|
||||
setPolicyEkOnly() {
|
||||
docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=0,
|
||||
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=0,
|
||||
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
|
||||
}
|
||||
|
||||
setPolicyEkPc_noAttCheck() {
|
||||
docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=1,
|
||||
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=1,
|
||||
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
|
||||
}
|
||||
|
||||
setPolicyEkPc() {
|
||||
docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
|
||||
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
|
||||
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
|
||||
}
|
||||
|
||||
setPolicyEkPcFw() {
|
||||
docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
|
||||
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
|
||||
enableUtcValidation=0, enableFirmwareValidation=1, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=1, enableIgnoretBoot=0;"
|
||||
}
|
||||
|
||||
# Clear all ACA DB items including policy
|
||||
clearAcaDb() {
|
||||
docker exec $aca_container mysql -u root -e "use hirs_db; set foreign_key_checks=0; truncate Alert;truncate AlertBaselineIds;truncate
|
||||
docker exec $aca_container mysql -u root -proot -e "use hirs_db; set foreign_key_checks=0; truncate Alert;truncate AlertBaselineIds;truncate
|
||||
AppraisalResult;truncate Certificate;truncate Certificate_Certificate;truncate CertificatesUsedToValidate;truncate
|
||||
ComponentInfo;truncate Device;truncate DeviceInfoReport;truncate IMADeviceState;truncate IMAMeasurementRecord;truncate
|
||||
ImaBlacklistRecord;truncate ImaIgnoreSetRecord;truncate IntegrityReport;truncate IntegrityReports_Reports_Join;truncate
|
||||
|
||||
@ -225,17 +225,8 @@ public class ReferenceManifestPageController
|
||||
});
|
||||
supportRims.stream().forEach((rim) -> {
|
||||
LOGGER.info(String.format("Storing event log %s", rim.getFileName()));
|
||||
storeManifest(messages, rim, false);
|
||||
});
|
||||
for (ReferenceManifest rim : baseRims) {
|
||||
// store first then update
|
||||
storeManifest(messages, rim, false);
|
||||
}
|
||||
|
||||
for (ReferenceManifest rim : supportRims) {
|
||||
// store the rimels
|
||||
storeManifest(messages, rim, true);
|
||||
}
|
||||
});
|
||||
|
||||
// Prep a map to associated the swidtag payload hash to the swidtag.
|
||||
// pass it in to update support rims that either were uploaded
|
||||
@ -657,33 +648,35 @@ public class ReferenceManifestPageController
|
||||
// So first we'll have to pull values based on support rim
|
||||
// get by support rim id NEXT
|
||||
|
||||
tpmEvents = referenceEventManager.getValuesByRimId(dbSupport);
|
||||
baseRim = findBaseRim(dbSupport);
|
||||
if (tpmEvents.isEmpty()) {
|
||||
ReferenceDigestValue rdv;
|
||||
try {
|
||||
logProcessor = new TCGEventLog(dbSupport.getRimBytes());
|
||||
for (TpmPcrEvent tpe : logProcessor.getEventList()) {
|
||||
rdv = new ReferenceDigestValue(baseRim.getId(),
|
||||
dbSupport.getId(), dbSupport.getPlatformManufacturer(),
|
||||
dbSupport.getPlatformModel(), tpe.getPcrIndex(),
|
||||
tpe.getEventDigestStr(), tpe.getEventTypeStr(),
|
||||
false, false, updated, tpe.getEventContent());
|
||||
if (dbSupport.getPlatformManufacturer() != null) {
|
||||
tpmEvents = referenceEventManager.getValuesByRimId(dbSupport);
|
||||
baseRim = findBaseRim(dbSupport);
|
||||
if (tpmEvents.isEmpty()) {
|
||||
ReferenceDigestValue rdv;
|
||||
try {
|
||||
logProcessor = new TCGEventLog(dbSupport.getRimBytes());
|
||||
for (TpmPcrEvent tpe : logProcessor.getEventList()) {
|
||||
rdv = new ReferenceDigestValue(baseRim.getId(),
|
||||
dbSupport.getId(), dbSupport.getPlatformManufacturer(),
|
||||
dbSupport.getPlatformModel(), tpe.getPcrIndex(),
|
||||
tpe.getEventDigestStr(), tpe.getEventTypeStr(),
|
||||
false, false, updated, tpe.getEventContent());
|
||||
|
||||
this.referenceEventManager.saveValue(rdv);
|
||||
this.referenceEventManager.saveValue(rdv);
|
||||
}
|
||||
} catch (CertificateException e) {
|
||||
e.printStackTrace();
|
||||
} catch (NoSuchAlgorithmException e) {
|
||||
e.printStackTrace();
|
||||
} catch (IOException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
} catch (CertificateException e) {
|
||||
e.printStackTrace();
|
||||
} catch (NoSuchAlgorithmException e) {
|
||||
e.printStackTrace();
|
||||
} catch (IOException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
} else {
|
||||
for (ReferenceDigestValue rdv : tpmEvents) {
|
||||
if (!rdv.isUpdated()) {
|
||||
rdv.updateInfo(dbSupport, baseRim.getId());
|
||||
this.referenceEventManager.updateEvent(rdv);
|
||||
} else {
|
||||
for (ReferenceDigestValue rdv : tpmEvents) {
|
||||
if (!rdv.isUpdated()) {
|
||||
rdv.updateInfo(dbSupport, baseRim.getId());
|
||||
this.referenceEventManager.updateEvent(rdv);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -68,7 +68,7 @@ public final class ProvisionerApplication {
|
||||
}
|
||||
|
||||
// enable TLS 1.1 and 1.2
|
||||
System.setProperty("https.protocols", "TLSv1.2,TLSv1.1");
|
||||
System.setProperty("https.protocols", "TLSv1.2");
|
||||
|
||||
// initialize the context
|
||||
new AnnotationConfigApplicationContext(ProvisionerConfiguration.class);
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
# Properties used to create JDBC connection
|
||||
# WARNING: DO NOT USE "disableSslHostnameVerification=true" FOR A REMOTE DATABASE
|
||||
persistence.db.url = jdbc:mariadb://localhost/hirs_db?autoReconnect=true&useSSL=true&requireSSL=true&enabledSslProtocolSuites=TLSv1&disableSslHostnameVerification=true
|
||||
persistence.db.url = jdbc:mariadb://localhost/hirs_db?autoReconnect=true&useSSL=true&requireSSL=true&enabledSslProtocolSuites=TLSv1.2&disableSslHostnameVerification=true
|
||||
persistence.db.username = hirs_db
|
||||
persistence.db.password = hirs_db
|
||||
persistence.db.driverClass = org.mariadb.jdbc.Driver
|
||||
|
||||
@ -37,4 +37,5 @@ else
|
||||
exit 1
|
||||
fi
|
||||
|
||||
mysql -u root < $DB_CREATE_SCRIPT
|
||||
mysql -fu root < $DB_CREATE_SCRIPT
|
||||
mysql -fu root < /opt/hirs/scripts/common/secure_mysql.sql
|
||||
|
||||
6
package/scripts/common/secure_mysql.sql
Normal file
6
package/scripts/common/secure_mysql.sql
Normal file
@ -0,0 +1,6 @@
|
||||
UPDATE mysql.user SET Password=PASSWORD('root') WHERE User='root';
|
||||
DELETE FROM mysql.user WHERE User='';
|
||||
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
|
||||
DROP DATABASE IF EXISTS test;
|
||||
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
|
||||
FLUSH PRIVILEGES
|
||||
@ -137,10 +137,10 @@ if [[ $1 = "server" ]]; then
|
||||
VERCMP_STATUS=$?
|
||||
if [[ $VERCMP_STATUS -eq 0 ]] || [[ $VERCMP_STATUS -eq 12 ]]; then
|
||||
# Tomcat v 6.0.38 or newer
|
||||
sed -i "s/.*<\/Service>/<Connector port=\"8443\" protocol=\"HTTP\/1.1\" compression=\"on\" compressionMinSize=\"2048\" compressableMimeType=\"text\/html, text\/xml\" SSLEnabled=\"true\" maxThreads=\"150\" scheme=\"https\" secure=\"true\" clientAuth=\"want\" sslProtocol=\"TLS\" sslEnabledProtocols=\"TLSv1.1,TLSv1.2\" ciphers=\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA\" keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\" keystorePass=\"$P12_PASSWORD\" truststoreFile=\"${CA_CERT_DIR_ESCAPED}\/TrustStore.jks\" truststorePass=\"password\" \/><\/Service>/" $CATALINA_HOME/conf/server.xml
|
||||
sed -i "s/.*<\/Service>/<Connector port=\"8443\" protocol=\"HTTP\/1.1\" compression=\"on\" compressionMinSize=\"2048\" compressableMimeType=\"text\/html, text\/xml\" SSLEnabled=\"true\" maxThreads=\"150\" scheme=\"https\" secure=\"true\" clientAuth=\"want\" sslProtocol=\"TLS\" sslEnabledProtocols=\"TLSv1.2\" ciphers=\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384\" keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\" keystorePass=\"$P12_PASSWORD\" truststoreFile=\"${CA_CERT_DIR_ESCAPED}\/TrustStore.jks\" truststorePass=\"password\" \/><\/Service>/" $CATALINA_HOME/conf/server.xml
|
||||
elif [[ $VERCMP_STATUS -eq 11 ]]; then
|
||||
# Older than Tomcat 6.0.38
|
||||
sed -i "s/.*<\/Service>/<Connector port=\"8443\" label=\"HIRS\" protocol=\"HTTP\/1.1\" compression=\"on\" compressionMinSize=\"2048\" compressableMimeType=\"text\/html, text\/xml\" SSLEnabled=\"true\" maxThreads=\"150\" scheme=\"https\" secure=\"true\" clientAuth=\"want\" sslProtocol=\"TLS\" protocols=\"TLSv1.1,TLSv1.2\" ciphers=\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA\" SSLDisableCompression=\"true\" keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\" keystorePass=\"$P12_PASSWORD\" truststoreFile=\"${CA_CERT_DIR_ESCAPED}\/TrustStore.jks\" truststorePass=\"password\" \/><\/Service>/" $CATALINA_HOME/conf/server.xml
|
||||
sed -i "s/.*<\/Service>/<Connector port=\"8443\" label=\"HIRS\" protocol=\"HTTP\/1.1\" compression=\"on\" compressionMinSize=\"2048\" compressableMimeType=\"text\/html, text\/xml\" SSLEnabled=\"true\" maxThreads=\"150\" scheme=\"https\" secure=\"true\" clientAuth=\"want\" sslProtocol=\"TLS\" protocols=\"TLSv1.2\" ciphers=\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384\" SSLDisableCompression=\"true\" keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\" keystorePass=\"$P12_PASSWORD\" truststoreFile=\"${CA_CERT_DIR_ESCAPED}\/TrustStore.jks\" truststorePass=\"password\" \/><\/Service>/" $CATALINA_HOME/conf/server.xml
|
||||
else
|
||||
echo "Unknown rpmdev-vercmp exit code: ${VERCMP_STATUS}"
|
||||
exit 1
|
||||
|
||||
Loading…
Reference in New Issue
Block a user