Merge pull request #753 from nsacyber/v3_issue_749-setup_check
[#749] ACA setup check
commit
a903b0e448
@ -11,6 +11,7 @@ plugins {
|
||||
// Get version from main project gradle
|
||||
def packVersion = properties.get("packageVersion");
|
||||
def jarVersion = properties.get("jarVersion");
|
||||
def projVersion = properties.get("projVersion");
|
||||
//println "packageVersion is ${projVersion}"
|
||||
|
||||
java {
|
||||
@ -96,17 +97,22 @@ task buildVersion() {
|
||||
|
||||
ospackage {
|
||||
packageName = 'HIRS_AttestationCA'
|
||||
description = 'HIRS Attestation CA. Use systemctl status hirs-aca'
|
||||
os = LINUX
|
||||
arch = NOARCH
|
||||
version = "$packVersion"
|
||||
release = '1'
|
||||
release = '2'
|
||||
|
||||
|
||||
user 'root'
|
||||
fileMode = 0755
|
||||
|
||||
addParentDirs = true
|
||||
createDirectoryEntry true
|
||||
|
||||
into ('/etc/hirs') {
|
||||
from '../VERSION'
|
||||
}
|
||||
// copy json tables
|
||||
into ('/etc/hirs/aca/default-properties') {
|
||||
from '../HIRS_AttestationCA/src/main/resources/component-class.json'
|
||||
@ -128,10 +134,14 @@ ospackage {
|
||||
fileMode = 0755
|
||||
}
|
||||
|
||||
// Install - check for existing setup
|
||||
preInstall 'if [ -d /etc/hirs ]; then echo "Error: /etc/hirs/ exists, aborting install"; exit 1; fi;'
|
||||
preInstall 'if [ -d /opt/hirs ]; then echo "Error: /opt/hirs/ exists, aborting install"; exit 1; fi;'
|
||||
// Uninstall
|
||||
preUninstall 'bash /opt/hirs/aca/scripts/aca/aca_remove_setup.sh'
|
||||
preUninstall 'bash /opt/hirs/aca/scripts/aca/aca_remove_setup.sh $1'
|
||||
preUninstall 'bash /opt/hirs/aca/scripts/systemd/aca_disable_service.sh'
|
||||
postUninstall 'if [ -d /etc/hirs ]; then rm -rf /etc/hirs; fi;'
|
||||
postUninstall 'if [ -d /opt/hirs ]; then rm -rf /opt/hirs; fi;'
|
||||
|
||||
buildRpm {
|
||||
dependsOn ':HIRS_AttestationCAPortal:buildVersion'
|
||||
@ -149,9 +159,6 @@ ospackage {
|
||||
postTrans 'firewall-cmd --reload'
|
||||
postTrans 'bash /opt/hirs/aca/scripts/aca/aca_setup.sh -u'
|
||||
postTrans 'bash /opt/hirs/aca/scripts/systemd/aca_enable_service.sh'
|
||||
// postTrans 'bash /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w &'
|
||||
// add chrontab to run ACA at boot
|
||||
//postTrans 'echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab'
|
||||
postTrans 'chmod +x /opt/hirs/aca/scripts/aca/*'
|
||||
postTrans 'if [ -f /opt/hirs/aca/VERSION ]; then rm /opt/hirs/aca/VERSION; fi;'
|
||||
// Wait for ACA to start up before finishing the install
|
||||
@ -168,9 +175,7 @@ ospackage {
|
||||
requires('curl')
|
||||
// Install after required packages
|
||||
postInstall 'bash /opt/hirs/aca/scripts/aca/aca_setup.sh -u'
|
||||
//postInstall '/opt/hirs/aca/scripts/aca/aca_bootRun.sh -w &'
|
||||
postInstall 'bash /opt/hirs/aca/scripts/systemd/aca_enable_service.sh'
|
||||
postInstall 'echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab'
|
||||
postInstall 'chmod +x /opt/hirs/aca/scripts/aca/*'
|
||||
postInstall 'if [ -f /opt/hirs/aca/VERSION ]; then rm /opt/hirs/aca/VERSION; fi;'
|
||||
// Wait for ACA to start up before finishing the install
|
||||
|
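Review bot: The two new preInstall guards in the `@ -128,10 +134,14 @@` hunk abort whenever /etc/hirs or /opt/hirs exists, and both directories are present on an rpm upgrade of a previous release, so `rpm -U` will fail with "aborting install" even though the same commit teaches aca_remove_setup.sh to distinguish the upgrade case via `$1`. RPM passes `$1` = 1 to %pre on a first install and 2 on an upgrade, so the check should be limited to the first-install case, e.g. `preInstall 'if [ "$1" -eq 1 ] && [ -d /etc/hirs ]; then echo "Error: /etc/hirs/ exists, aborting install"; exit 1; fi;'` and the same for /opt/hirs. The enclosing ospackage block starts and ends outside these hunks, and the postInstall/postTrans ordering around aca_setup.sh is only partly visible here, so whether an upgrade is meant to be supported at all should be confirmed with the issue.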
@ -51,6 +51,7 @@ def gitHash = { ->
|
||||
return stdout.toString().trim()
|
||||
}
|
||||
|
||||
project.ext["projVersion"] = "${projectVersion}"
|
||||
project.ext["jarVersion"] = "${projectVersion}.${buildTime}.${gitHash}"
|
||||
project.ext["packageVersion"] = "${projectVersion}.${buildTime}.${gitHash}.el8"
|
||||
|
||||
|
@ -75,6 +75,8 @@ while [[ $# -gt 0 ]]; do
|
||||
esac
|
||||
done
|
||||
|
||||
check_systemd -p
|
||||
|
||||
echo "Checking HIRS ACA Setup on this device..."
|
||||
# Check if aca setup was performed
|
||||
# Check is RPM was installed via RPM package
|
||||
@ -91,17 +93,21 @@ echo "Checking HIRS ACA Setup on this device..."
|
||||
echo "$ID OS distro encountered"
|
||||
fi
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "HIRS ACA was installed via an OS package on this device"
|
||||
systemctl is-active --quiet hirs-aca
|
||||
if [[ $? -eq 0 ]]; then
|
||||
echo " The hirs-aca service is active"
|
||||
else
|
||||
echo " Error: ACA package install but the hirs-aca service is dead"
|
||||
ALL_CHECKS_PASSED=false
|
||||
fi
|
||||
echo "HIRS ACA was installed via an OS package on this device."
|
||||
if [ $SYSD_SERVICE = true ]; then
|
||||
systemctl is-active --quiet hirs-aca
|
||||
if [[ $? -eq 0 ]]; then
|
||||
echo " The hirs-aca service is active"
|
||||
else
|
||||
echo " Error: ACA package install but the hirs-aca service is dead"
|
||||
ALL_CHECKS_PASSED=false
|
||||
fi
|
||||
fi
|
||||
else
|
||||
echo "ACA not installed via a package."
|
||||
fi
|
||||
|
||||
check_systemd -p
|
||||
|
||||
|
||||
# Check install setup pki files
|
||||
if [ ! -d $CERT_PATH ]; then
|
||||
@ -130,7 +136,7 @@ echo "Checking if ACA passwords are present..."
|
||||
echo "hirs db user password not set"
|
||||
PRESENT=false
|
||||
fi
|
||||
if [ $PRESENT ]; then
|
||||
if [ $PRESENT = true ]; then
|
||||
echo " ACA passwords were found"
|
||||
else
|
||||
echo " ERROR finding ACA passwords"
|
||||
@ -182,7 +188,7 @@ check_cert () {
|
||||
ALL_CERTS_PASSED=false
|
||||
fi
|
||||
if [ ! -z "${ARG_VERBOSE}" ]; then
|
||||
echo " "$RESULTACA_PROP_FILE
|
||||
echo " "$RESULT
|
||||
fi
|
||||
}
|
||||
|
||||
@ -229,7 +235,7 @@ check_pki () {
|
||||
echo " Keystore alias list:"
|
||||
keytool -list -keystore /etc/hirs/certificates/HIRS/TrustStore.jks -storepass $hirs_pki_password | grep hirs | sed -e 's/^/ /'
|
||||
fi
|
||||
|
||||
|
||||
if [ $? -eq 0 ]; then
|
||||
echo " JKS Trust Store File (/etc/hirs/certificates/HIRS/TrustStore.jks) is correct: HIRS pki password is correct"
|
||||
else
|
||||
|
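Review bot: The new `if [ $SYSD_SERVICE = true ]; then` in the `@ -91,17 +93,21 @@` hunk leaves the variable unquoted, so if check_systemd does not set SYSD_SERVICE on some path the test degrades to `[ = true ]`, which is a syntax error in test and silently skips the service check with only a stderr message; the same applies to the corrected `if [ $PRESENT = true ]; then` in the next hunk. Quoting both fixes this: `if [ "$SYSD_SERVICE" = true ]; then` and `if [ "$PRESENT" = true ]; then`. I am inferring that moving `check_systemd -p` ahead of the package check is what makes SYSD_SERVICE available here, since check_systemd is defined in another file; a one-line comment such as `# check_systemd -p must run first: it sets SYSD_SERVICE` above the call would make that dependency explicit. The `if [ $? -eq 0 ]` that opens this block tests the status of a command outside the hunk, so I could not verify which command's result it reads.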
@ -7,8 +7,31 @@
|
||||
#####################################################################################
|
||||
|
||||
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
|
||||
OPTION_IN=$1; # per Fedora packing guidelines: $1 = 1 for an upgrade, 0 for a remove
|
||||
if [ -z $1 ]; then OPTION_IN="2"; fi # Set if called by command line
|
||||
case $OPTION_IN in
|
||||
"0")
|
||||
echo "Package removal requested"
|
||||
OPTION="ACA_PKG_REMOVE"
|
||||
;;
|
||||
"1")
|
||||
echo "Package upgrade requested"
|
||||
OPTION="ACA_UPGRADE"
|
||||
;;
|
||||
"2")
|
||||
echo "ACA Setup removal requested"
|
||||
OPTION="ACA_SET_REMOVE"
|
||||
;;
|
||||
*)
|
||||
echo "$1 is an unknown parameter for aca_remove_setup"
|
||||
exit 1
|
||||
break
|
||||
;;
|
||||
esac
|
||||
|
||||
LOG_FILE=/dev/null
|
||||
LOG_DIR="/var/log/hirs/"
|
||||
|
||||
# Check for Admin privileges
|
||||
if [ "$EUID" -ne 0 ]; then
|
||||
echo "This script requires root. ACA setup not removed. Please run as root."
|
||||
@ -22,7 +45,7 @@ fi
|
||||
if [ ! -d "/opt/hirs" ]; then
|
||||
echo "/opt/hirs does not exist, aborting removal."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
source $SCRIPT_DIR/../db/mysql_util.sh
|
||||
@ -33,15 +56,17 @@ check_mariadb_install
|
||||
check_mysql_root
|
||||
|
||||
# remove the hrs-db and hirs_db user
|
||||
pushd $SCRIPT_DIR/../db/ &>/dev/null
|
||||
./db_drop.sh $DB_ADMIN_PWD
|
||||
popd &>/dev/null
|
||||
if [ $OPTION = "ACA_SET_REMOVE" ] || [ $OPTION = "ACA_PKG_REMOVE" ]; then
|
||||
pushd $SCRIPT_DIR/../db/ &>/dev/null
|
||||
./db_drop.sh $DB_ADMIN_PWD
|
||||
popd &>/dev/null
|
||||
fi
|
||||
|
||||
# remove pki files and config files if not installed by rpm
|
||||
echo "Removing certificates and config files..."
|
||||
|
||||
# Remove /opt/hirs only if not configured by a package based install:
|
||||
if [ -f /opt/hirs/aca/VERSION ]; then
|
||||
if [ $OPTION = "ACA_SET_REMOVE" ]; then
|
||||
if [ -d "/etc/hirs" ]; then
|
||||
rm -rf /etc/hirs >/dev/null 2>&1
|
||||
fi
|
||||
@ -54,9 +79,7 @@ if [ -d $LOG_DIR ]; then
|
||||
rm -rf $LOG_DIR;
|
||||
fi
|
||||
|
||||
# Remove crontab and current ACA process
|
||||
echo "Removing the ACA crontab"
|
||||
sed -i '/aca_bootRun.sh/d' /etc/crontab
|
||||
# Remove current ACA process
|
||||
echo "Shutting down the aca..."
|
||||
ps axf | grep HIRS_AttestationCAPortal.war | grep -v grep | awk '{print "kill " $1}' | sh >/dev/null 2>&1
|
||||
echo "ACA setup removal complete."
|
||||
|
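Review bot: The new argument handling at the top of aca_remove_setup.sh uses `if [ -z $1 ]`, which only works for the empty case because a one-argument `[ -z ]` happens to be true; any argument containing whitespace breaks the test, so it should read `if [ -z "$1" ]; then OPTION_IN="2"; fi`. In the same case statement the `break` after `exit 1` is unreachable and should be dropped. The comment on `OPTION_IN=$1` documents the rpm convention (1 = upgrade, 0 = remove), which matches the new `preUninstall ... $1` call in build.gradle; it would help a reader to also note on the `"2")` branch that it is the interactive default, e.g. `# "2" is never passed by rpm; it is the default when run from the command line`.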
@ -63,6 +63,13 @@ while [[ $# -gt 0 ]]; do
|
||||
esac
|
||||
done
|
||||
|
||||
echo "Input is $1"
|
||||
if [[ $1 -eq 1 ]] ; then
|
||||
echo "Install detected $1"
|
||||
else
|
||||
echo "Upgrade detected $1"
|
||||
fi
|
||||
|
||||
# Check for existing installation folders and exist if found
|
||||
if [ -z $ARG_UNATTEND ]; then
|
||||
if [ -d "/etc/hirs" ]; then
|
||||
|
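Review bot: The added install/upgrade detection reads `$1` after the `while [[ $# -gt 0 ]] ... done` option loop, whose start is outside the hunk; if that loop shifts every argument, `$1` is empty here, `[[ $1 -eq 1 ]]` evaluates the empty string as 0, and every run prints "Upgrade detected". Capture the rpm scriptlet argument before the loop, e.g. `PKG_ARG=$1` placed ahead of the `while`, and test `if [[ "$PKG_ARG" -eq 1 ]]; then` here. Because the script can also be run by hand with no argument, the else branch should probably not claim an upgrade in that case; a third branch or a comment stating that a missing argument is treated as an upgrade would make the intent clear.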
@ -114,10 +114,10 @@ set_mysql_server_tls () {
|
||||
# The following arent avialble in Mariadb 10.3
|
||||
#echo "tls_version=TLSv1.2,TLSv1.3" >> "$DB_SRV_CONF"
|
||||
#echo "require_secure_transport=ON" >> "$DB_SRV_CONF"
|
||||
|
||||
|
||||
|
||||
# Make sure mysql can access them
|
||||
chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
|
||||
chmod 644 $DB_SRV_CONF $DB_CLIENT_CONF
|
||||
# Make selinux contexts for config files, if selinux is enabled
|
||||
if [[ $ID = "rhel" ]] || [[ $ID = "rocky" ]] ||[[ $ID = "fedora" ]]; then
|
||||
command -v selinuxenabled > /dev/null
|
||||
@ -158,13 +158,8 @@ fi
|
||||
|
||||
# Process HIRS DB USER
|
||||
set_hirs_db_pwd () {
|
||||
|
||||
RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -e "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
|
||||
|
||||
if [ "$RESULT" = 1 ]; then
|
||||
echo "hirs-db user exists"
|
||||
HIRS_DB_PWD=$hirs_db_password
|
||||
else
|
||||
check_hirs_db
|
||||
if [[ $HIRS_DB_USER_EXISTS != "1" ]]; then
|
||||
# Check if Mysql HIRS DB password set by system variable or set to random number
|
||||
if [ -z $HIRS_DB_PWD ]; then
|
||||
HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
|
||||
@ -182,20 +177,29 @@ set_hirs_db_pwd () {
|
||||
if [[ $(grep -c "hibernate.connection.password" $SPRING_PROP_FILE) -eq 0 ]]; then
|
||||
echo "hibernate.connection.password=$HIRS_DB_PWD" >> $SPRING_PROP_FILE
|
||||
fi
|
||||
fi
|
||||
else
|
||||
echo "hirs-db user already exists, skipping"
|
||||
fi
|
||||
}
|
||||
|
||||
# Create a hirs_db with client side TLS enabled
|
||||
create_hirs_db_with_tls () {
|
||||
# Check if hirs_db not created and create it if it wasn't
|
||||
mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" >> $LOG_FILE 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "hirs_db exists, skipping hirs_db create"
|
||||
else
|
||||
mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql
|
||||
mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql
|
||||
mysql -u root --password=$DB_ADMIN_PWD -e "SET PASSWORD FOR 'hirs_db'@'localhost' = PASSWORD('"$HIRS_DB_PWD"'); FLUSH PRIVILEGES;";
|
||||
fi
|
||||
check_hirs_db_user
|
||||
echo "Now HIRS_DB_USER_EXISTS is $HIRS_DB_USER_EXISTS"
|
||||
if [[ $HIRS_DB_USER_EXISTS == "1" ]]; then
|
||||
echo "hirs_db already exists, skipping"
|
||||
else
|
||||
# Check if hirs_db not created and create it if it wasn't
|
||||
mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" >> $LOG_FILE 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "hirs_db exists, skipping hirs_db create"
|
||||
else
|
||||
mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql
|
||||
mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql
|
||||
mysql -u root --password=$DB_ADMIN_PWD -e "SET PASSWORD FOR 'hirs_db'@'localhost' = PASSWORD('"$HIRS_DB_PWD"'); FLUSH PRIVILEGES;";
|
||||
echo "**** Setting hirs_db pwd to $HIRS_DB_PWD ***"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# Create a JDBC connector used by hibernate and place in Springs application.properties
|
||||
@ -232,14 +236,12 @@ fi
|
||||
# HIRS ACA Mysqld processing ...
|
||||
check_systemd -p
|
||||
check_mariadb_install
|
||||
|
||||
start_mysqlsd
|
||||
check_mysql
|
||||
check_mysql_root_pwd
|
||||
clear_hirs_user
|
||||
set_hirs_db_pwd
|
||||
create_hirs_db_with_tls
|
||||
set_mysql_server_tls
|
||||
set_mysql_client_tls
|
||||
create_hirs_db_with_tls
|
||||
create_hibernate_url "RSA" "hirs_db"
|
||||
mysqld_reboot
|
||||
|
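Review bot: In set_hirs_db_pwd (function body continues past the first hunk) the new code calls `check_hirs_db` and then branches on `$HIRS_DB_USER_EXISTS`, but in this commit's mysql_util.sh check_hirs_db sets HIRS_DB_EXISTS while it is check_hirs_db_user that sets HIRS_DB_USER_EXISTS, so the test reads a variable that is unset or left over from clear_hirs_user; the call should be `check_hirs_db_user`. The same confusion appears in create_hirs_db_with_tls, where the message after `check_hirs_db_user` says "hirs_db already exists" although the user was tested. Separately, `echo "**** Setting hirs_db pwd to $HIRS_DB_PWD ***"` writes the freshly generated database password to stdout, which from an rpm scriptlet ends up in the installer's terminal and any captured log; print `echo "**** Setting hirs_db pwd ***"` without the value. The debugging line `echo "Now HIRS_DB_USER_EXISTS is $HIRS_DB_USER_EXISTS"` looks like leftover diagnostics and could go as well.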
@ -154,6 +154,26 @@ $(mysql -u root -p$DB_ADMIN_PWD -e 'quit' &> /dev/null);
|
||||
fi
|
||||
}
|
||||
|
||||
check_hirs_db_user () {
|
||||
PRINT_STATUS=$1
|
||||
HIRS_DB_USER_EXISTS="$(mysql -uroot --password=$DB_ADMIN_PWD -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
|
||||
if [[ $HIRS_DB_USER_EXISTS == "1" ]]; then
|
||||
if [[ $PRINT_STATUS == "-p" ]];then echo " hirs_db user exists" | tee -a "$LOG_FILE"; fi;
|
||||
else
|
||||
if [[ $PRINT_STATUS == "-p" ]]; then echo " hirs_db user does not exist" | tee -a "$LOG_FILE"; fi;
|
||||
fi
|
||||
}
|
||||
|
||||
check_hirs_db () {
|
||||
PRINT_STATUS=$1
|
||||
HIRS_DB_EXISTS="$(mysql -uroot --password=$DB_ADMIN_PWD -e "SHOW DATABASES" | grep hirs_db)"
|
||||
if [[ $HIRS_DB_EXISTS == "hirs_db" ]]; then
|
||||
if [[ $PRINT_STATUS == "-p" ]];then echo " hirs_db database exists" | tee -a "$LOG_FILE"; fi;
|
||||
else
|
||||
if [[ $PRINT_STATUS == "-p" ]];then echo " hirs_db database does not exists" | tee -a "$LOG_FILE"; fi;
|
||||
fi
|
||||
}
|
||||
|
||||
check_db_cleared () {
|
||||
$(mysql -u root -e 'quit' &> /dev/null);
|
||||
if [ $? -eq 0 ]; then
|
||||
@ -162,13 +182,13 @@ check_db_cleared () {
|
||||
echo " Mysql Root password is not empty" | tee -a "$LOG_FILE";
|
||||
fi
|
||||
HIRS_DB_USER_EXISTS="$(mysql -uroot -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
|
||||
if [[ $HIRS_DB_USER_EXISTS == 1 ]]; then
|
||||
if [[ $HIRS_DB_USER_EXISTS == "1" ]]; then
|
||||
echo " hirs_db user exists" | tee -a "$LOG_FILE";
|
||||
else
|
||||
echo " hirs_db user does not exist" | tee -a "$LOG_FILE";
|
||||
fi
|
||||
HIRS_DB_EXISTS=`mysql -uroot -e "SHOW DATABASES" | grep hirs_db`
|
||||
if [[ $HIRS_DB_EXISTS == "hirs_db" ]]; then
|
||||
if [[ $HIRS_DB_EXISTS == "1" ]]; then
|
||||
echo " hirs_db databse exists" | tee -a "$LOG_FILE";
|
||||
else
|
||||
echo " hirs_db database does not exists" | tee -a "$LOG_FILE";
|
||||
@ -179,7 +199,7 @@ clear_hirs_user () {
|
||||
$(mysql -u root -e 'quit' &> /dev/null);
|
||||
if [ $? -eq 0 ]; then
|
||||
HIRS_DB_USER_EXISTS="$(mysql -uroot -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
|
||||
if [[ $HIRS_DB_USER_EXISTS == 1 ]]; then
|
||||
if [[ $HIRS_DB_USER_EXISTS == "1" ]]; then
|
||||
mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost';"
|
||||
echo "hirs_db user found and deleted"
|
||||
fi
|
||||
|
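Review bot: In check_db_cleared, the line pair `if [[ $HIRS_DB_EXISTS == "hirs_db" ]]` / `if [[ $HIRS_DB_EXISTS == "1" ]]` follows `HIRS_DB_EXISTS=\`mysql -uroot -e "SHOW DATABASES" | grep hirs_db\``, which yields the matched text, not 1; if the `"1"` form is the new side, as the old-then-new order suggests, the check can never succeed and the function will always report "hirs_db database does not exists". The new check_hirs_db helper above compares against "hirs_db", which is the correct test, so this line should read `if [[ "$HIRS_DB_EXISTS" == "hirs_db" ]]; then`. In the new check_hirs_db_user and check_hirs_db helpers a failed mysql login (wrong DB_ADMIN_PWD) leaves the variable empty and is reported as "does not exist", so a comment such as `# an empty result also means the root login failed; callers cannot tell the two apart` above each would warn callers like set_hirs_db_pwd that rely on these variables.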