mirror of
https://github.com/nsacyber/HIRS.git
synced 2025-01-18 02:39:56 +00:00
commit
a0f3441445
@ -21,34 +21,34 @@ fi
|
|||||||
|
|
||||||
# clear all policy settings
|
# clear all policy settings
|
||||||
setPolicyNone() {
|
setPolicyNone() {
|
||||||
docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=0, enablePcAttributeValidation=0, enablePcValidation=0,
|
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=0, enablePcAttributeValidation=0, enablePcValidation=0,
|
||||||
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
|
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Policy Settings for tests ...
|
# Policy Settings for tests ...
|
||||||
setPolicyEkOnly() {
|
setPolicyEkOnly() {
|
||||||
docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=0,
|
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=0,
|
||||||
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
|
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
|
||||||
}
|
}
|
||||||
|
|
||||||
setPolicyEkPc_noAttCheck() {
|
setPolicyEkPc_noAttCheck() {
|
||||||
docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=1,
|
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=1,
|
||||||
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
|
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
|
||||||
}
|
}
|
||||||
|
|
||||||
setPolicyEkPc() {
|
setPolicyEkPc() {
|
||||||
docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
|
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
|
||||||
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
|
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
|
||||||
}
|
}
|
||||||
|
|
||||||
setPolicyEkPcFw() {
|
setPolicyEkPcFw() {
|
||||||
docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
|
docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
|
||||||
enableUtcValidation=0, enableFirmwareValidation=1, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=1, enableIgnoretBoot=0;"
|
enableUtcValidation=0, enableFirmwareValidation=1, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=1, enableIgnoretBoot=0;"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Clear all ACA DB items including policy
|
# Clear all ACA DB items including policy
|
||||||
clearAcaDb() {
|
clearAcaDb() {
|
||||||
docker exec $aca_container mysql -u root -e "use hirs_db; set foreign_key_checks=0; truncate Alert;truncate AlertBaselineIds;truncate
|
docker exec $aca_container mysql -u root -proot -e "use hirs_db; set foreign_key_checks=0; truncate Alert;truncate AlertBaselineIds;truncate
|
||||||
AppraisalResult;truncate Certificate;truncate Certificate_Certificate;truncate CertificatesUsedToValidate;truncate
|
AppraisalResult;truncate Certificate;truncate Certificate_Certificate;truncate CertificatesUsedToValidate;truncate
|
||||||
ComponentInfo;truncate Device;truncate DeviceInfoReport;truncate IMADeviceState;truncate IMAMeasurementRecord;truncate
|
ComponentInfo;truncate Device;truncate DeviceInfoReport;truncate IMADeviceState;truncate IMAMeasurementRecord;truncate
|
||||||
ImaBlacklistRecord;truncate ImaIgnoreSetRecord;truncate IntegrityReport;truncate IntegrityReports_Reports_Join;truncate
|
ImaBlacklistRecord;truncate ImaIgnoreSetRecord;truncate IntegrityReport;truncate IntegrityReports_Reports_Join;truncate
|
||||||
|
@ -68,7 +68,7 @@ public final class ProvisionerApplication {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// enable TLS 1.1 and 1.2
|
// enable TLS 1.1 and 1.2
|
||||||
System.setProperty("https.protocols", "TLSv1.2,TLSv1.1");
|
System.setProperty("https.protocols", "TLSv1.2");
|
||||||
|
|
||||||
// initialize the context
|
// initialize the context
|
||||||
new AnnotationConfigApplicationContext(ProvisionerConfiguration.class);
|
new AnnotationConfigApplicationContext(ProvisionerConfiguration.class);
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# Properties used to create JDBC connection
|
# Properties used to create JDBC connection
|
||||||
# WARNING: DO NOT USE "disableSslHostnameVerification=true" FOR A REMOTE DATABASE
|
# WARNING: DO NOT USE "disableSslHostnameVerification=true" FOR A REMOTE DATABASE
|
||||||
persistence.db.url = jdbc:mariadb://localhost/hirs_db?autoReconnect=true&useSSL=true&requireSSL=true&enabledSslProtocolSuites=TLSv1&disableSslHostnameVerification=true
|
persistence.db.url = jdbc:mariadb://localhost/hirs_db?autoReconnect=true&useSSL=true&requireSSL=true&enabledSslProtocolSuites=TLSv1.2&disableSslHostnameVerification=true
|
||||||
persistence.db.username = hirs_db
|
persistence.db.username = hirs_db
|
||||||
persistence.db.password = hirs_db
|
persistence.db.password = hirs_db
|
||||||
persistence.db.driverClass = org.mariadb.jdbc.Driver
|
persistence.db.driverClass = org.mariadb.jdbc.Driver
|
||||||
|
@ -37,4 +37,5 @@ else
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
mysql -u root < $DB_CREATE_SCRIPT
|
mysql -fu root < $DB_CREATE_SCRIPT
|
||||||
|
mysql -fu root < /opt/hirs/scripts/common/secure_mysql.sql
|
||||||
|
6
package/scripts/common/secure_mysql.sql
Normal file
6
package/scripts/common/secure_mysql.sql
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
UPDATE mysql.user SET Password=PASSWORD('root') WHERE User='root';
|
||||||
|
DELETE FROM mysql.user WHERE User='';
|
||||||
|
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
|
||||||
|
DROP DATABASE IF EXISTS test;
|
||||||
|
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
|
||||||
|
FLUSH PRIVILEGES
|
@ -137,10 +137,10 @@ if [[ $1 = "server" ]]; then
|
|||||||
VERCMP_STATUS=$?
|
VERCMP_STATUS=$?
|
||||||
if [[ $VERCMP_STATUS -eq 0 ]] || [[ $VERCMP_STATUS -eq 12 ]]; then
|
if [[ $VERCMP_STATUS -eq 0 ]] || [[ $VERCMP_STATUS -eq 12 ]]; then
|
||||||
# Tomcat v 6.0.38 or newer
|
# Tomcat v 6.0.38 or newer
|
||||||
sed -i "s/.*<\/Service>/<Connector port=\"8443\" protocol=\"HTTP\/1.1\" compression=\"on\" compressionMinSize=\"2048\" compressableMimeType=\"text\/html, text\/xml\" SSLEnabled=\"true\" maxThreads=\"150\" scheme=\"https\" secure=\"true\" clientAuth=\"want\" sslProtocol=\"TLS\" sslEnabledProtocols=\"TLSv1.1,TLSv1.2\" ciphers=\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA\" keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\" keystorePass=\"$P12_PASSWORD\" truststoreFile=\"${CA_CERT_DIR_ESCAPED}\/TrustStore.jks\" truststorePass=\"password\" \/><\/Service>/" $CATALINA_HOME/conf/server.xml
|
sed -i "s/.*<\/Service>/<Connector port=\"8443\" protocol=\"HTTP\/1.1\" compression=\"on\" compressionMinSize=\"2048\" compressableMimeType=\"text\/html, text\/xml\" SSLEnabled=\"true\" maxThreads=\"150\" scheme=\"https\" secure=\"true\" clientAuth=\"want\" sslProtocol=\"TLS\" sslEnabledProtocols=\"TLSv1.2\" ciphers=\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384\" keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\" keystorePass=\"$P12_PASSWORD\" truststoreFile=\"${CA_CERT_DIR_ESCAPED}\/TrustStore.jks\" truststorePass=\"password\" \/><\/Service>/" $CATALINA_HOME/conf/server.xml
|
||||||
elif [[ $VERCMP_STATUS -eq 11 ]]; then
|
elif [[ $VERCMP_STATUS -eq 11 ]]; then
|
||||||
# Older than Tomcat 6.0.38
|
# Older than Tomcat 6.0.38
|
||||||
sed -i "s/.*<\/Service>/<Connector port=\"8443\" label=\"HIRS\" protocol=\"HTTP\/1.1\" compression=\"on\" compressionMinSize=\"2048\" compressableMimeType=\"text\/html, text\/xml\" SSLEnabled=\"true\" maxThreads=\"150\" scheme=\"https\" secure=\"true\" clientAuth=\"want\" sslProtocol=\"TLS\" protocols=\"TLSv1.1,TLSv1.2\" ciphers=\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA\" SSLDisableCompression=\"true\" keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\" keystorePass=\"$P12_PASSWORD\" truststoreFile=\"${CA_CERT_DIR_ESCAPED}\/TrustStore.jks\" truststorePass=\"password\" \/><\/Service>/" $CATALINA_HOME/conf/server.xml
|
sed -i "s/.*<\/Service>/<Connector port=\"8443\" label=\"HIRS\" protocol=\"HTTP\/1.1\" compression=\"on\" compressionMinSize=\"2048\" compressableMimeType=\"text\/html, text\/xml\" SSLEnabled=\"true\" maxThreads=\"150\" scheme=\"https\" secure=\"true\" clientAuth=\"want\" sslProtocol=\"TLS\" protocols=\"TLSv1.2\" ciphers=\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384\" SSLDisableCompression=\"true\" keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\" keystorePass=\"$P12_PASSWORD\" truststoreFile=\"${CA_CERT_DIR_ESCAPED}\/TrustStore.jks\" truststorePass=\"password\" \/><\/Service>/" $CATALINA_HOME/conf/server.xml
|
||||||
else
|
else
|
||||||
echo "Unknown rpmdev-vercmp exit code: ${VERCMP_STATUS}"
|
echo "Unknown rpmdev-vercmp exit code: ${VERCMP_STATUS}"
|
||||||
exit 1
|
exit 1
|
||||||
|
Loading…
Reference in New Issue
Block a user