Merge pull request #753 from nsacyber/v3_issue_749-setup_check

[#749] ACA setup check
This commit is contained in:
iadgovuser26 2024-05-06 16:12:56 -04:00 committed by GitHub
commit a903b0e448
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 116 additions and 52 deletions


@ -11,6 +11,7 @@ plugins {
// Get version from main project gradle
def packVersion = properties.get("packageVersion");
def jarVersion = properties.get("jarVersion");
def projVersion = properties.get("projVersion");
//println "packageVersion is ${projVersion}"
java {
@ -96,17 +97,22 @@ task buildVersion() {
ospackage {
packageName = 'HIRS_AttestationCA'
description = 'HIRS Attestation CA. Use systemctl status hirs-aca'
os = LINUX
arch = NOARCH
version = "$packVersion"
release = '1'
release = '2'
user 'root'
fileMode = 0755
addParentDirs = true
createDirectoryEntry true
into ('/etc/hirs') {
from '../VERSION'
}
// copy json tables
into ('/etc/hirs/aca/default-properties') {
from '../HIRS_AttestationCA/src/main/resources/component-class.json'
@ -128,10 +134,14 @@ ospackage {
fileMode = 0755
}
// Install - check for existing setup
preInstall 'if [ -d /etc/hirs ]; then echo "Error: /etc/hirs/ exists, aborting install"; exit 1; fi;'
preInstall 'if [ -d /opt/hirs ]; then echo "Error: /opt/hirs/ exists, aborting install"; exit 1; fi;'
// Uninstall
preUninstall 'bash /opt/hirs/aca/scripts/aca/aca_remove_setup.sh'
preUninstall 'bash /opt/hirs/aca/scripts/aca/aca_remove_setup.sh $1'
preUninstall 'bash /opt/hirs/aca/scripts/systemd/aca_disable_service.sh'
postUninstall 'if [ -d /etc/hirs ]; then rm -rf /etc/hirs; fi;'
postUninstall 'if [ -d /opt/hirs ]; then rm -rf /opt/hirs; fi;'
buildRpm {
dependsOn ':HIRS_AttestationCAPortal:buildVersion'
@ -149,9 +159,6 @@ ospackage {
postTrans 'firewall-cmd --reload'
postTrans 'bash /opt/hirs/aca/scripts/aca/aca_setup.sh -u'
postTrans 'bash /opt/hirs/aca/scripts/systemd/aca_enable_service.sh'
// postTrans 'bash /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w &'
// add chrontab to run ACA at boot
//postTrans 'echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab'
postTrans 'chmod +x /opt/hirs/aca/scripts/aca/*'
postTrans 'if [ -f /opt/hirs/aca/VERSION ]; then rm /opt/hirs/aca/VERSION; fi;'
// Wait for ACA to start up before finishing the install
@ -168,9 +175,7 @@ ospackage {
requires('curl')
// Install after required packages
postInstall 'bash /opt/hirs/aca/scripts/aca/aca_setup.sh -u'
//postInstall '/opt/hirs/aca/scripts/aca/aca_bootRun.sh -w &'
postInstall 'bash /opt/hirs/aca/scripts/systemd/aca_enable_service.sh'
postInstall 'echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab'
postInstall 'chmod +x /opt/hirs/aca/scripts/aca/*'
postInstall 'if [ -f /opt/hirs/aca/VERSION ]; then rm /opt/hirs/aca/VERSION; fi;'
// Wait for ACA to start up before finishing the install
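Review bot: The new `postUninstall 'if [ -d /etc/hirs ]; then rm -rf /etc/hirs; fi;'` and its /opt/hirs twin run unconditionally, yet for an RPM the old package's postUninstall also runs during an upgrade, after the new package's files are already on disk, so they would wipe the freshly installed tree together with the PKI and password files under /etc/hirs. The preUninstall line already forwards `$1` so the script can tell upgrade (1) from removal (0); the postUninstall lines need the same guard, e.g. `postUninstall 'if [ "$1" -eq 0 ] && [ -d /etc/hirs ]; then rm -rf /etc/hirs; fi;'`. The new preInstall checks have the mirror problem: on an upgrade /etc/hirs and /opt/hirs exist by definition, so `exit 1` would abort every upgrade unless the test is limited to a fresh install (`[ "$1" -eq 1 ]`). If the same ospackage block also produces a .deb (the postInstall hunk suggests a second packaging path), the maintainer-script argument is a word such as `upgrade` rather than a number, so the guard would have to be written to cover both conventions.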


@ -51,6 +51,7 @@ def gitHash = { ->
return stdout.toString().trim()
}
project.ext["projVersion"] = "${projectVersion}"
project.ext["jarVersion"] = "${projectVersion}.${buildTime}.${gitHash}"
project.ext["packageVersion"] = "${projectVersion}.${buildTime}.${gitHash}.el8"


@ -75,6 +75,8 @@ while [[ $# -gt 0 ]]; do
esac
done
check_systemd -p
echo "Checking HIRS ACA Setup on this device..."
# Check if aca setup was performed
# Check is RPM was installed via RPM package
@ -91,17 +93,21 @@ echo "Checking HIRS ACA Setup on this device..."
echo "$ID OS distro encountered"
fi
if [ $? -eq 0 ]; then
echo "HIRS ACA was installed via an OS package on this device"
systemctl is-active --quiet hirs-aca
if [[ $? -eq 0 ]]; then
echo " The hirs-aca service is active"
else
echo " Error: ACA package install but the hirs-aca service is dead"
ALL_CHECKS_PASSED=false
fi
echo "HIRS ACA was installed via an OS package on this device."
if [ $SYSD_SERVICE = true ]; then
systemctl is-active --quiet hirs-aca
if [[ $? -eq 0 ]]; then
echo " The hirs-aca service is active"
else
echo " Error: ACA package install but the hirs-aca service is dead"
ALL_CHECKS_PASSED=false
fi
fi
else
echo "ACA not installed via a package."
fi
check_systemd -p
# Check install setup pki files
if [ ! -d $CERT_PATH ]; then
@ -130,7 +136,7 @@ echo "Checking if ACA passwords are present..."
echo "hirs db user password not set"
PRESENT=false
fi
if [ $PRESENT ]; then
if [ $PRESENT = true ]; then
echo " ACA passwords were found"
else
echo " ERROR finding ACA passwords"
@ -182,7 +188,7 @@ check_cert () {
ALL_CERTS_PASSED=false
fi
if [ ! -z "${ARG_VERBOSE}" ]; then
echo " "$RESULTACA_PROP_FILE
echo " "$RESULT
fi
}
@ -229,7 +235,7 @@ check_pki () {
echo " Keystore alias list:"
keytool -list -keystore /etc/hirs/certificates/HIRS/TrustStore.jks -storepass $hirs_pki_password | grep hirs | sed -e 's/^/ /'
fi
if [ $? -eq 0 ]; then
echo " JKS Trust Store File (/etc/hirs/certificates/HIRS/TrustStore.jks) is correct: HIRS pki password is correct"
else
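Review bot: The new `if [ $SYSD_SERVICE = true ]; then` leaves the variable unquoted, so if check_systemd (defined outside this file) ever leaves it unset the shell evaluates `[ = true ]` and the check errors instead of reporting the service as not applicable; the corrected `if [ $PRESENT = true ]; then` has the same exposure. Quote both: `if [ "$SYSD_SERVICE" = true ]; then` and `if [ "$PRESENT" = true ]; then`. The `if [ $? -eq 0 ]; then` that the moved block now sits under tests the status of the preceding `fi` (the OS-distro echo), not of the package query that presumably precedes it; that is pre-existing, but since the hunk builds on it, capturing the query's status in a variable before the distro message would make the "installed via an OS package" branch reliable.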


@ -7,8 +7,31 @@
#####################################################################################
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
OPTION_IN=$1; # per Fedora packing guidelines: $1 = 1 for an upgrade, 0 for a remove
if [ -z $1 ]; then OPTION_IN="2"; fi # Set if called by command line
case $OPTION_IN in
"0")
echo "Package removal requested"
OPTION="ACA_PKG_REMOVE"
;;
"1")
echo "Package upgrade requested"
OPTION="ACA_UPGRADE"
;;
"2")
echo "ACA Setup removal requested"
OPTION="ACA_SET_REMOVE"
;;
*)
echo "$1 is an unknown parameter for aca_remove_setup"
exit 1
break
;;
esac
LOG_FILE=/dev/null
LOG_DIR="/var/log/hirs/"
# Check for Admin privileges
if [ "$EUID" -ne 0 ]; then
echo "This script requires root. ACA setup not removed. Please run as root."
@ -22,7 +45,7 @@ fi
if [ ! -d "/opt/hirs" ]; then
echo "/opt/hirs does not exist, aborting removal."
exit 1
fi
fi
source $SCRIPT_DIR/../db/mysql_util.sh
@ -33,15 +56,17 @@ check_mariadb_install
check_mysql_root
# remove the hrs-db and hirs_db user
pushd $SCRIPT_DIR/../db/ &>/dev/null
./db_drop.sh $DB_ADMIN_PWD
popd &>/dev/null
if [ $OPTION = "ACA_SET_REMOVE" ] || [ $OPTION = "ACA_PKG_REMOVE" ]; then
pushd $SCRIPT_DIR/../db/ &>/dev/null
./db_drop.sh $DB_ADMIN_PWD
popd &>/dev/null
fi
# remove pki files and config files if not installed by rpm
echo "Removing certificates and config files..."
# Remove /opt/hirs only if not configured by a package based install:
if [ -f /opt/hirs/aca/VERSION ]; then
if [ $OPTION = "ACA_SET_REMOVE" ]; then
if [ -d "/etc/hirs" ]; then
rm -rf /etc/hirs >/dev/null 2>&1
fi
@ -54,9 +79,7 @@ if [ -d $LOG_DIR ]; then
rm -rf $LOG_DIR;
fi
# Remove crontab and current ACA process
echo "Removing the ACA crontab"
sed -i '/aca_bootRun.sh/d' /etc/crontab
# Remove current ACA process
echo "Shutting down the aca..."
ps axf | grep HIRS_AttestationCAPortal.war | grep -v grep | awk '{print "kill " $1}' | sh >/dev/null 2>&1
echo "ACA setup removal complete."
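Review bot: In the new `*)` branch the `break` after `exit 1` is unreachable and sits outside any loop; drop it so the case statement reads as intended. The preceding `if [ -z $1 ]; then` only behaves because a one-argument `[ -z ]` happens to evaluate true when `$1` expands to nothing; write it as `if [ -z "$1" ]; then OPTION_IN="2"; fi` so the intent is explicit. The db drop and the /etc/hirs removal are now gated on `$OPTION`, but the log-directory removal, crontab edit and process kill in the final hunk appear to run for `ACA_UPGRADE` as well; if the block enclosing that hunk (which starts outside it) does not guard them, an upgrade would silently discard the ACA logs, which is worth confirming.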


@ -63,6 +63,13 @@ while [[ $# -gt 0 ]]; do
esac
done
echo "Input is $1"
if [[ $1 -eq 1 ]] ; then
echo "Install detected $1"
else
echo "Upgrade detected $1"
fi
# Check for existing installation folders and exist if found
if [ -z $ARG_UNATTEND ]; then
if [ -d "/etc/hirs" ]; then
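Review bot: The added `if [[ $1 -eq 1 ]] ; then` reads `$1` after the `while [[ $# -gt 0 ]]` option loop, which — assuming its body shifts as such loops normally do (the body is outside the hunk) — has consumed every positional parameter, so `$1` is empty here, `[[ '' -eq 1 ]]` is false, and the script always prints "Upgrade detected". Save the package-manager argument before the loop, e.g. `PKG_ARG=$1` ahead of `while`, and test `if [[ "$PKG_ARG" -eq 1 ]] ; then`. The gradle scriptlets in this same commit invoke `aca_setup.sh -u` without forwarding `$1`, so the value would also need to be passed explicitly, and I believe rpm does not supply the install/upgrade count to %posttrans at all, so the RPM path may need a different signal than this argument.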


@ -114,10 +114,10 @@ set_mysql_server_tls () {
# The following arent avialble in Mariadb 10.3
#echo "tls_version=TLSv1.2,TLSv1.3" >> "$DB_SRV_CONF"
#echo "require_secure_transport=ON" >> "$DB_SRV_CONF"
# Make sure mysql can access them
chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
chmod 644 $DB_SRV_CONF $DB_CLIENT_CONF
# Make selinux contexts for config files, if selinux is enabled
if [[ $ID = "rhel" ]] || [[ $ID = "rocky" ]] ||[[ $ID = "fedora" ]]; then
command -v selinuxenabled > /dev/null
@ -158,13 +158,8 @@ fi
# Process HIRS DB USER
set_hirs_db_pwd () {
RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -e "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
if [ "$RESULT" = 1 ]; then
echo "hirs-db user exists"
HIRS_DB_PWD=$hirs_db_password
else
check_hirs_db
if [[ $HIRS_DB_USER_EXISTS != "1" ]]; then
# Check if Mysql HIRS DB password set by system variable or set to random number
if [ -z $HIRS_DB_PWD ]; then
HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
@ -182,20 +177,29 @@ set_hirs_db_pwd () {
if [[ $(grep -c "hibernate.connection.password" $SPRING_PROP_FILE) -eq 0 ]]; then
echo "hibernate.connection.password=$HIRS_DB_PWD" >> $SPRING_PROP_FILE
fi
fi
else
echo "hirs-db user already exists, skipping"
fi
}
# Create a hirs_db with client side TLS enabled
create_hirs_db_with_tls () {
# Check if hirs_db not created and create it if it wasn't
mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" >> $LOG_FILE 2>&1
if [ $? -eq 0 ]; then
echo "hirs_db exists, skipping hirs_db create"
else
mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql
mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql
mysql -u root --password=$DB_ADMIN_PWD -e "SET PASSWORD FOR 'hirs_db'@'localhost' = PASSWORD('"$HIRS_DB_PWD"'); FLUSH PRIVILEGES;";
fi
check_hirs_db_user
echo "Now HIRS_DB_USER_EXISTS is $HIRS_DB_USER_EXISTS"
if [[ $HIRS_DB_USER_EXISTS == "1" ]]; then
echo "hirs_db already exists, skipping"
else
# Check if hirs_db not created and create it if it wasn't
mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" >> $LOG_FILE 2>&1
if [ $? -eq 0 ]; then
echo "hirs_db exists, skipping hirs_db create"
else
mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql
mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql
mysql -u root --password=$DB_ADMIN_PWD -e "SET PASSWORD FOR 'hirs_db'@'localhost' = PASSWORD('"$HIRS_DB_PWD"'); FLUSH PRIVILEGES;";
echo "**** Setting hirs_db pwd to $HIRS_DB_PWD ***"
fi
fi
}
# Create a JDBC connector used by hibernate and place in Springs application.properties
@ -232,14 +236,12 @@ fi
# HIRS ACA Mysqld processing ...
check_systemd -p
check_mariadb_install
start_mysqlsd
check_mysql
check_mysql_root_pwd
clear_hirs_user
set_hirs_db_pwd
create_hirs_db_with_tls
set_mysql_server_tls
set_mysql_client_tls
create_hirs_db_with_tls
create_hibernate_url "RSA" "hirs_db"
mysqld_reboot
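Review bot: In set_hirs_db_pwd the new code calls `check_hirs_db` and then branches on `$HIRS_DB_USER_EXISTS`, but check_hirs_db (added to mysql_util.sh in this commit) sets `HIRS_DB_EXISTS`, while `HIRS_DB_USER_EXISTS` is only set by check_hirs_db_user, so the decision depends on whatever an earlier caller such as clear_hirs_user happened to leave in that variable. Since the skip message refers to the user, the call should be `check_hirs_db_user`; if the database was meant, the test should read `$HIRS_DB_EXISTS` instead. Separately, `echo "**** Setting hirs_db pwd to $HIRS_DB_PWD ***"` writes the generated database password to the installer's stdout, which package managers and terminal sessions routinely capture; the value is already persisted to `$SPRING_PROP_FILE` a few lines earlier, so the message should not carry it: `echo "**** hirs_db password set ***"`. The `echo "Now HIRS_DB_USER_EXISTS is ..."` line in create_hirs_db_with_tls reads like leftover debugging and could go as well.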


@ -154,6 +154,26 @@ $(mysql -u root -p$DB_ADMIN_PWD -e 'quit' &> /dev/null);
fi
}
check_hirs_db_user () {
PRINT_STATUS=$1
HIRS_DB_USER_EXISTS="$(mysql -uroot --password=$DB_ADMIN_PWD -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
if [[ $HIRS_DB_USER_EXISTS == "1" ]]; then
if [[ $PRINT_STATUS == "-p" ]];then echo " hirs_db user exists" | tee -a "$LOG_FILE"; fi;
else
if [[ $PRINT_STATUS == "-p" ]]; then echo " hirs_db user does not exist" | tee -a "$LOG_FILE"; fi;
fi
}
check_hirs_db () {
PRINT_STATUS=$1
HIRS_DB_EXISTS="$(mysql -uroot --password=$DB_ADMIN_PWD -e "SHOW DATABASES" | grep hirs_db)"
if [[ $HIRS_DB_EXISTS == "hirs_db" ]]; then
if [[ $PRINT_STATUS == "-p" ]];then echo " hirs_db database exists" | tee -a "$LOG_FILE"; fi;
else
if [[ $PRINT_STATUS == "-p" ]];then echo " hirs_db database does not exists" | tee -a "$LOG_FILE"; fi;
fi
}
check_db_cleared () {
$(mysql -u root -e 'quit' &> /dev/null);
if [ $? -eq 0 ]; then
@ -162,13 +182,13 @@ check_db_cleared () {
echo " Mysql Root password is not empty" | tee -a "$LOG_FILE";
fi
HIRS_DB_USER_EXISTS="$(mysql -uroot -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
if [[ $HIRS_DB_USER_EXISTS == 1 ]]; then
if [[ $HIRS_DB_USER_EXISTS == "1" ]]; then
echo " hirs_db user exists" | tee -a "$LOG_FILE";
else
echo " hirs_db user does not exist" | tee -a "$LOG_FILE";
fi
HIRS_DB_EXISTS=`mysql -uroot -e "SHOW DATABASES" | grep hirs_db`
if [[ $HIRS_DB_EXISTS == "hirs_db" ]]; then
if [[ $HIRS_DB_EXISTS == "1" ]]; then
echo " hirs_db databse exists" | tee -a "$LOG_FILE";
else
echo " hirs_db database does not exists" | tee -a "$LOG_FILE";
@ -179,7 +199,7 @@ clear_hirs_user () {
$(mysql -u root -e 'quit' &> /dev/null);
if [ $? -eq 0 ]; then
HIRS_DB_USER_EXISTS="$(mysql -uroot -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
if [[ $HIRS_DB_USER_EXISTS == 1 ]]; then
if [[ $HIRS_DB_USER_EXISTS == "1" ]]; then
mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost';"
echo "hirs_db user found and deleted"
fi
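Review bot: In check_db_cleared, `if [[ $HIRS_DB_EXISTS == "1" ]]; then` — if that is the new side, as the print order and the quoted-`"1"` pattern of the neighbouring hunks suggest — compares against `1`, yet the line above still fills HIRS_DB_EXISTS from `mysql -uroot -e "SHOW DATABASES" | grep hirs_db`, whose output is the database name and never `1`, so the function would always report that the database does not exist. Keep `if [[ $HIRS_DB_EXISTS == "hirs_db" ]]; then`, or better have check_db_cleared call the new check_hirs_db helper, which already compares against `"hirs_db"`, so the two checks cannot drift again. In the new helpers `PRINT_STATUS=$1` assigns a global; `local PRINT_STATUS=$1` keeps the flag from leaking between calls. The check_hirs_db message "hirs_db database does not exists" also carries a typo ("exist").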