From 3e5dabaa2c9e3aff5bd9e87de8a0fb0da6383604 Mon Sep 17 00:00:00 2001 From: iadgovuser26 Date: Thu, 4 Apr 2024 16:27:02 -0400 Subject: [PATCH 1/3] added directory check before install --- HIRS_AttestationCAPortal/build.gradle | 3 +++ 1 file changed, 3 insertions(+) diff --git a/HIRS_AttestationCAPortal/build.gradle b/HIRS_AttestationCAPortal/build.gradle index 83656efd..d5d73a56 100644 --- a/HIRS_AttestationCAPortal/build.gradle +++ b/HIRS_AttestationCAPortal/build.gradle @@ -128,6 +128,9 @@ ospackage { fileMode = 0755 } + // Install - check for existing setup + //preInstall 'if [ -d /etc/hirs ]; then echo "Error: /etc/hirs/ exists, aborting install"; exit 1; fi;' + preInstall 'if [ -d /opt/hirs ]; then echo "Error: /opt/hirs/ exists, aborting install"; exit 1; fi;' // Uninstall preUninstall 'bash /opt/hirs/aca/scripts/aca/aca_remove_setup.sh' preUninstall 'bash /opt/hirs/aca/scripts/systemd/aca_disable_service.sh' From c60ea2121c8235f611de553becabcaf51b263c24 Mon Sep 17 00:00:00 2001 From: iadgovuser26 Date: Wed, 24 Apr 2024 15:40:46 -0400 Subject: [PATCH 2/3] Added additional checks during package install --- HIRS_AttestationCAPortal/build.gradle | 18 +++++++----- build.gradle | 1 + package/linux/aca/aca_check_setup.sh | 30 +++++++++++-------- package/linux/aca/aca_remove_setup.sh | 39 ++++++++++++++++++++----- package/linux/aca/aca_setup.sh | 7 +++++ package/linux/db/db_create.sh | 42 ++++++++++++++------------- package/linux/db/mysql_util.sh | 26 +++++++++++++++-- 7 files changed, 112 insertions(+), 51 deletions(-) diff --git a/HIRS_AttestationCAPortal/build.gradle b/HIRS_AttestationCAPortal/build.gradle index d5d73a56..3a6ad9c0 100644 --- a/HIRS_AttestationCAPortal/build.gradle +++ b/HIRS_AttestationCAPortal/build.gradle 
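Review bot: The new `preInstall` guard aborts upgrades as well as fresh installs, because `/opt/hirs` always exists on a host that already has the package and the scriptlet never looks at `$1` (rpm passes 1 for a first install and 2 for an upgrade to %pre); as written, `rpm -U` of an existing ACA can never succeed. Gate the check on a first install: `preInstall 'if [ "$1" -eq 1 ] && [ -d /opt/hirs ]; then echo "Error: /opt/hirs/ exists, aborting install"; exit 1; fi;'`. The enclosing `ospackage` block begins before this hunk and continues after it.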
@@ -11,6 +11,7 @@ plugins { // Get version from main project gradle def packVersion = properties.get("packageVersion"); def jarVersion = properties.get("jarVersion"); +def projVersion = properties.get("projVersion"); //println "packageVersion is ${projVersion}" java { @@ -96,17 +97,22 @@ task buildVersion() { ospackage { packageName = 'HIRS_AttestationCA' + description = 'HIRS Attestation CA. Use systemctl status hirs-aca' os = LINUX arch = NOARCH version = "$packVersion" - release = '1' + release = '2' + user 'root' fileMode = 0755 addParentDirs = true createDirectoryEntry true + into ('/etc/hirs') { + from '../VERSION' + } // copy json tables into ('/etc/hirs/aca/default-properties') { from '../HIRS_AttestationCA/src/main/resources/component-class.json' @@ -129,12 +135,13 @@ ospackage { } // Install - check for existing setup - //preInstall 'if [ -d /etc/hirs ]; then echo "Error: /etc/hirs/ exists, aborting install"; exit 1; fi;' + preInstall 'if [ -d /etc/hirs ]; then echo "Error: /etc/hirs/ exists, aborting install"; exit 1; fi;' preInstall 'if [ -d /opt/hirs ]; then echo "Error: /opt/hirs/ exists, aborting install"; exit 1; fi;' // Uninstall - preUninstall 'bash /opt/hirs/aca/scripts/aca/aca_remove_setup.sh' + preUninstall 'bash /opt/hirs/aca/scripts/aca/aca_remove_setup.sh $1' preUninstall 'bash /opt/hirs/aca/scripts/systemd/aca_disable_service.sh' postUninstall 'if [ -d /etc/hirs ]; then rm -rf /etc/hirs; fi;' + postUninstall 'if [ -d /opt/hirs ]; then rm -rf /opt/hirs; fi;' buildRpm { dependsOn ':HIRS_AttestationCAPortal:buildVersion' 
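Review bot: The two `postUninstall` lines run unconditionally, but on an upgrade the old package's %postun runs with `$1` = 1 after the new package's files are already on disk, so `rm -rf /opt/hirs` and `rm -rf /etc/hirs` would delete the freshly installed scripts, certificates and DB credentials; the `preUninstall ... $1` line right above already passes the argument through, so the same convention should gate these. The re-enabled `/etc/hirs` `preInstall` check will likewise reject every upgrade, since this package now ships `/etc/hirs/VERSION` itself. Suggested: `postUninstall 'if [ "$1" -eq 0 ] && [ -d /etc/hirs ]; then rm -rf /etc/hirs; fi;'`, `postUninstall 'if [ "$1" -eq 0 ] && [ -d /opt/hirs ]; then rm -rf /opt/hirs; fi;'`, and `preInstall 'if [ "$1" -eq 1 ] && [ -d /etc/hirs ]; then echo "Error: /etc/hirs/ exists, aborting install"; exit 1; fi;'`. The `ospackage` block starts before this hunk and continues after it.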
@@ -152,9 +159,6 @@ ospackage { postTrans 'firewall-cmd --reload' postTrans 'bash /opt/hirs/aca/scripts/aca/aca_setup.sh -u' postTrans 'bash /opt/hirs/aca/scripts/systemd/aca_enable_service.sh' - // postTrans 'bash /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w &' - // add chrontab to run ACA at boot - //postTrans 'echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab' postTrans 'chmod +x /opt/hirs/aca/scripts/aca/*' postTrans 'if [ -f /opt/hirs/aca/VERSION ]; then rm /opt/hirs/aca/VERSION; fi;' // Wait for ACA to start up before finishing the install @@ -171,9 +175,7 @@ ospackage { requires('curl') // Install after required packages postInstall 'bash /opt/hirs/aca/scripts/aca/aca_setup.sh -u' - //postInstall '/opt/hirs/aca/scripts/aca/aca_bootRun.sh -w &' postInstall 'bash /opt/hirs/aca/scripts/systemd/aca_enable_service.sh' - postInstall 'echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab' postInstall 'chmod +x /opt/hirs/aca/scripts/aca/*' postInstall 'if [ -f /opt/hirs/aca/VERSION ]; then rm /opt/hirs/aca/VERSION; fi;' // Wait for ACA to start up before finishing the install diff --git a/build.gradle b/build.gradle index 801c4909..5cb5860f 100644 --- a/build.gradle +++ b/build.gradle @@ -51,6 +51,7 @@ def gitHash = { -> return stdout.toString().trim() } +project.ext["projVersion"] = "${projectVersion}" project.ext["jarVersion"] = "${projectVersion}.${buildTime}.${gitHash}" project.ext["packageVersion"] = "${projectVersion}.${buildTime}.${gitHash}.el8" diff --git a/package/linux/aca/aca_check_setup.sh b/package/linux/aca/aca_check_setup.sh index c7737196..8b168500 100755 --- a/package/linux/aca/aca_check_setup.sh +++ b/package/linux/aca/aca_check_setup.sh @@ -75,6 +75,8 @@ while [[ $# -gt 0 ]]; do esac done +check_systemd -p + echo "Checking HIRS ACA Setup on this device..." # Check if aca setup was performed # Check is RPM was installed via RPM package 
@@ -91,17 +93,21 @@ echo "Checking HIRS ACA Setup on this device..." echo "$ID OS distro encountered" fi if [ $? -eq 0 ]; then - echo "HIRS ACA was installed via an OS package on this device" - systemctl is-active --quiet hirs-aca - if [[ $? -eq 0 ]]; then - echo " The hirs-aca service is active" - else - echo " Error: ACA package install but the hirs-aca service is dead" - ALL_CHECKS_PASSED=false - fi + echo "HIRS ACA was installed via an OS package on this device." + if [ $SYSD_SERVICE = true ]; then + systemctl is-active --quiet hirs-aca + if [[ $? -eq 0 ]]; then + echo " The hirs-aca service is active" + else + echo " Error: ACA package install but the hirs-aca service is dead" + ALL_CHECKS_PASSED=false + fi + fi + else + echo "ACA not installed via a package." fi -check_systemd -p + # Check install setup pki files if [ ! -d $CERT_PATH ]; then @@ -130,7 +136,7 @@ echo "Checking if ACA passwords are present..." echo "hirs db user password not set" PRESENT=false fi - if [ $PRESENT ]; then + if [ $PRESENT = true ]; then echo " ACA passwords were found" else echo " ERROR finding ACA passwords" @@ -182,7 +188,7 @@ check_cert () { ALL_CERTS_PASSED=false fi if [ ! -z "${ARG_VERBOSE}" ]; then - echo " "$RESULTACA_PROP_FILE + echo " "$RESULT fi } @@ -229,7 +235,7 @@ check_pki () { echo " Keystore alias list:" keytool -list -keystore /etc/hirs/certificates/HIRS/TrustStore.jks -storepass $hirs_pki_password | grep hirs | sed -e 's/^/ /' fi - + if [ $? -eq 0 ]; then echo " JKS Trust Store File (/etc/hirs/certificates/HIRS/TrustStore.jks) is correct: HIRS pki password is correct" else diff --git a/package/linux/aca/aca_remove_setup.sh b/package/linux/aca/aca_remove_setup.sh index ce701792..fa7db8be 100755 --- a/package/linux/aca/aca_remove_setup.sh +++ b/package/linux/aca/aca_remove_setup.sh 
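Review bot: `if [ $SYSD_SERVICE = true ]` is an unquoted single-bracket test; if `check_systemd -p` leaves the variable empty the test degrades to `[ = true ]`, which fails with "unary operator expected" and silently skips the service check instead of reporting it. Quote it: `if [ "$SYSD_SERVICE" = true ]; then`. Separately, the context line `if [ $? -eq 0 ]; then` directly after the distro `if ... fi` block appears to test the status of that block's last `echo` rather than of the package query, so the "installed via an OS package" branch may be taken regardless — worth confirming, as that logic sits outside the changed lines.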
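Review bot: `if [ $PRESENT = true ]` fixes the old always-true `[ $PRESENT ]`, but is still unquoted, so an empty `PRESENT` produces a test error rather than the "ERROR finding ACA passwords" branch. Write `if [ "$PRESENT" = true ]; then` so the check is robust however `PRESENT` was initialised above this hunk.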
@@ -7,8 +7,31 @@ ##################################################################################### SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) +OPTION_IN=$1; # per Fedora packing guidelines: $1 = 1 for an upgrade, 0 for a remove +if [ -z $1 ]; then OPTION_IN="2"; fi # Set if called by command line +case $OPTION_IN in + "0") + echo "Package removal requested" + OPTION="ACA_PKG_REMOVE" + ;; + "1") + echo "Package upgrade requested" + OPTION="ACA_UPGRADE" + ;; + "2") + echo "ACA Setup removal requested" + OPTION="ACA_SET_REMOVE" + ;; + *) + echo "$1 is an unknown parameter for aca_remove_setup" + exit 1 + break + ;; +esac + LOG_FILE=/dev/null LOG_DIR="/var/log/hirs/" + # Check for Admin privileges if [ "$EUID" -ne 0 ]; then echo "This script requires root. ACA setup not removed. Please run as root." @@ -22,7 +45,7 @@ fi if [ ! -d "/opt/hirs" ]; then echo "/opt/hirs does not exist, aborting removal." exit 1 -fi +fi source $SCRIPT_DIR/../db/mysql_util.sh @@ -33,15 +56,17 @@ check_mariadb_install check_mysql_root # remove the hrs-db and hirs_db user -pushd $SCRIPT_DIR/../db/ &>/dev/null -./db_drop.sh $DB_ADMIN_PWD -popd &>/dev/null +if [ $OPTION = "ACA_SET_REMOVE" ] || [ $OPTION = "ACA_PKG_REMOVE" ]; then + pushd $SCRIPT_DIR/../db/ &>/dev/null + ./db_drop.sh $DB_ADMIN_PWD + popd &>/dev/null +fi # remove pki files and config files if not installed by rpm echo "Removing certificates and config files..." # Remove /opt/hirs only if not configured by a package based install: -if [ -f /opt/hirs/aca/VERSION ]; then +if [ $OPTION = "ACA_SET_REMOVE" ]; then if [ -d "/etc/hirs" ]; then rm -rf /etc/hirs >/dev/null 2>&1 fi 
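Review bot: The `*)` arm does `exit 1`, and since this script is now invoked from the rpm %preun scriptlet with `$1`, any unexpected argument value aborts the package operation outright; the `break` after `exit 1` is unreachable and `[ -z $1 ]` should be `[ -z "$1" ]`. Consider whether an unrecognised value should fall back to the command-line removal path (`OPTION="ACA_SET_REMOVE"`) with a warning instead of failing the transaction. The script continues after this hunk.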
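Review bot: Only the `db_drop.sh` call and the `/etc/hirs` removal are gated on `$OPTION`; on the ACA_UPGRADE path the script still runs `check_mysql_root` (which needs the DB root password) and then falls through to the `/var/log/hirs` removal and the ACA process kill in the next hunk, so an upgrade discards logs and may stop the service that the new package's %post just enabled. An early `if [ $OPTION = "ACA_UPGRADE" ]; then echo "Upgrade: leaving ACA setup in place"; exit 0; fi` after argument parsing — or gating those later steps the same way — would limit upgrade side effects to what the new package actually replaces. Note that `$DB_ADMIN_PWD` is still handed to `db_drop.sh` as a command-line argument, where it is visible in the process list (pre-existing).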
@@ -54,9 +79,7 @@ if [ -d $LOG_DIR ]; then rm -rf $LOG_DIR; fi -# Remove crontab and current ACA process -echo "Removing the ACA crontab" -sed -i '/aca_bootRun.sh/d' /etc/crontab +# Remove current ACA process echo "Shutting down the aca..." ps axf | grep HIRS_AttestationCAPortal.war | grep -v grep | awk '{print "kill " $1}' | sh >/dev/null 2>&1 echo "ACA setup removal complete." diff --git a/package/linux/aca/aca_setup.sh b/package/linux/aca/aca_setup.sh index a3e7f4dc..b36c3fa4 100755 --- a/package/linux/aca/aca_setup.sh +++ b/package/linux/aca/aca_setup.sh @@ -63,6 +63,13 @@ while [[ $# -gt 0 ]]; do esac done +echo "Input is $1" +if [[ $1 -eq 1 ]] ; then + echo "Install detected $1" + else + echo "Upgrade detected $1" +fi + # Check for existing installation folders and exist if found if [ -z $ARG_UNATTEND ]; then if [ -d "/etc/hirs" ]; then diff --git a/package/linux/db/db_create.sh b/package/linux/db/db_create.sh index b993bda2..aa3324e1 100755 --- a/package/linux/db/db_create.sh +++ b/package/linux/db/db_create.sh @@ -158,13 +158,8 @@ fi # Process HIRS DB USER set_hirs_db_pwd () { - - RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -e "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")" - - if [ "$RESULT" = 1 ]; then - echo "hirs-db user exists" - HIRS_DB_PWD=$hirs_db_password - else +check_hirs_db + if [[ $HIRS_DB_USER_EXISTS != "1" ]]; then # Check if Mysql HIRS DB password set by system variable or set to random number if [ -z $HIRS_DB_PWD ]; then HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9') 
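Review bot: Removing `sed -i '/aca_bootRun.sh/d' /etc/crontab` leaves hosts upgraded from a release that appended the `@reboot root .../aca_bootRun.sh -w` entry with that line still in `/etc/crontab`, since the package lays the new scripts down at the same path before the old %preun runs; the stale entry would start a second ACA instance at boot alongside the systemd unit. Keep the removal as a one-time migration, e.g. `if grep -q aca_bootRun.sh /etc/crontab; then sed -i '/aca_bootRun.sh/d' /etc/crontab; fi`. The script body continues outside this hunk.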
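Review bot: `if [[ $1 -eq 1 ]]` cannot observe the rpm scriptlet argument: the package scriptlets call `aca_setup.sh -u` without `$1`, and the option loop just above this hunk has likely consumed the arguments anyway; if `$1` is `-u`, bash evaluates it arithmetically as an unset `u` (0), so "Upgrade detected" is printed on every run including fresh installs. Either pass the argument through (`aca_setup.sh -u $1`, as `aca_remove_setup.sh` now receives it) and capture it before option parsing, or drop these debug lines. The enclosing script continues after this hunk.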
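Review bot: `set_hirs_db_pwd` now calls `check_hirs_db`, which sets `HIRS_DB_EXISTS`, but the next line tests `HIRS_DB_USER_EXISTS`, which that helper never sets; unless a caller set it earlier the condition is always true, so a fresh random password is generated even when the `hirs_db` user already exists and the properties file can drift from the actual account. Call the matching helper: `check_hirs_db_user`. The function continues past the end of this hunk.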
@@ -182,20 +177,29 @@ set_hirs_db_pwd () { if [[ $(grep -c "hibernate.connection.password" $SPRING_PROP_FILE) -eq 0 ]]; then echo "hibernate.connection.password=$HIRS_DB_PWD" >> $SPRING_PROP_FILE fi - fi + else + echo "hirs-db user already exists, skipping" + fi } # Create a hirs_db with client side TLS enabled create_hirs_db_with_tls () { - # Check if hirs_db not created and create it if it wasn't - mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" >> $LOG_FILE 2>&1 - if [ $? -eq 0 ]; then - echo "hirs_db exists, skipping hirs_db create" - else - mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql - mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql - mysql -u root --password=$DB_ADMIN_PWD -e "SET PASSWORD FOR 'hirs_db'@'localhost' = PASSWORD('"$HIRS_DB_PWD"'); FLUSH PRIVILEGES;"; - fi + check_hirs_db_user + echo "Now HIRS_DB_USER_EXISTS is $HIRS_DB_USER_EXISTS" + if [[ $HIRS_DB_USER_EXISTS == "1" ]]; then + echo "hirs_db already exists, skipping" + else + # Check if hirs_db not created and create it if it wasn't + mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" >> $LOG_FILE 2>&1 + if [ $? -eq 0 ]; then + echo "hirs_db exists, skipping hirs_db create" + else + mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql + mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql + mysql -u root --password=$DB_ADMIN_PWD -e "SET PASSWORD FOR 'hirs_db'@'localhost' = PASSWORD('"$HIRS_DB_PWD"'); FLUSH PRIVILEGES;"; + echo "**** Setting hirs_db pwd to $HIRS_DB_PWD ***" + fi + fi } # Create a JDBC connector used by hibernate and place in Springs application.properties @@ -232,14 +236,12 @@ fi # HIRS ACA Mysqld processing ... check_systemd -p check_mariadb_install - start_mysqlsd check_mysql check_mysql_root_pwd -clear_hirs_user set_hirs_db_pwd +create_hirs_db_with_tls set_mysql_server_tls set_mysql_client_tls -create_hirs_db_with_tls create_hibernate_url "RSA" "hirs_db" mysqld_reboot 
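Review bot: `echo "**** Setting hirs_db pwd to $HIRS_DB_PWD ***"` prints the newly generated database password to stdout, which for a package install lands in the rpm/dnf transaction output and any install log; drop it or reduce it to `echo "hirs_db password set"`, and the `echo "Now HIRS_DB_USER_EXISTS is ..."` debug line can go with it. The new outer check also skips the whole block when the user exists, before the `mysqlshow` test for the database runs, so a host with the `hirs_db` user but no `hirs_db` database would be left half-configured; checking both (user and database) before skipping would be safer.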
diff --git a/package/linux/db/mysql_util.sh b/package/linux/db/mysql_util.sh
index f5eb7caa..e16f0acc 100755
--- a/package/linux/db/mysql_util.sh
+++ b/package/linux/db/mysql_util.sh
@@ -154,6 +154,26 @@ $(mysql -u root -p$DB_ADMIN_PWD -e 'quit' &> /dev/null);
 fi
 }
 
+check_hirs_db_user () {
+PRINT_STATUS=$1
+HIRS_DB_USER_EXISTS="$(mysql -uroot --password=$DB_ADMIN_PWD -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
+ if [[ $HIRS_DB_USER_EXISTS == "1" ]]; then
+ if [[ $PRINT_STATUS == "-p" ]];then echo " hirs_db user exists" | tee -a "$LOG_FILE"; fi;
+ else
+ if [[ $PRINT_STATUS == "-p" ]]; then echo " hirs_db user does not exist" | tee -a "$LOG_FILE"; fi;
+ fi
+}
+
+check_hirs_db () {
+PRINT_STATUS=$1
+HIRS_DB_EXISTS="$(mysql -uroot --password=$DB_ADMIN_PWD -e "SHOW DATABASES" | grep hirs_db)"
+ if [[ $HIRS_DB_EXISTS == "hirs_db" ]]; then
+ if [[ $PRINT_STATUS == "-p" ]];then echo " hirs_db database exists" | tee -a "$LOG_FILE"; fi;
+ else
+ if [[ $PRINT_STATUS == "-p" ]];then echo " hirs_db database does not exists" | tee -a "$LOG_FILE"; fi;
+ fi
+}
+
 check_db_cleared () {
 $(mysql -u root -e 'quit' &> /dev/null);
 if [ $? -eq 0 ]; then
@@ -162,13 +182,13 @@ check_db_cleared () {
 echo " Mysql Root password is not empty" | tee -a "$LOG_FILE";
 fi
 HIRS_DB_USER_EXISTS="$(mysql -uroot -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
- if [[ $HIRS_DB_USER_EXISTS == 1 ]]; then
+ if [[ $HIRS_DB_USER_EXISTS == "1" ]]; then
 echo " hirs_db user exists" | tee -a "$LOG_FILE";
 else
 echo " hirs_db user does not exist" | tee -a "$LOG_FILE";
 fi
 HIRS_DB_EXISTS=`mysql -uroot -e "SHOW DATABASES" | grep hirs_db`
- if [[ $HIRS_DB_EXISTS == "hirs_db" ]]; then
+ if [[ $HIRS_DB_EXISTS == "1" ]]; then
 echo " hirs_db databse exists" | tee -a "$LOG_FILE";
 else
 echo " hirs_db database does not exists" | tee -a "$LOG_FILE";
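Review bot: Both new helpers put the DB root password on the `mysql` command line (`--password=$DB_ADMIN_PWD`), which any local user can read from `ps`/`/proc` while the query runs; the existing functions in this file do the same, so it is a pre-existing pattern, but new code could pass it via `MYSQL_PWD` in the environment of the single command or a `--defaults-extra-file`. Also, `check_hirs_db` greps for `hirs_db` anywhere in the `SHOW DATABASES` output but then requires an exact `== "hirs_db"` match, so a database such as `hirs_db_old` makes it report "does not exist"; `grep -x hirs_db` avoids that.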
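Review bot: The changed comparison `if [[ $HIRS_DB_EXISTS == "1" ]]` is a regression: `HIRS_DB_EXISTS` on the line above holds the grep output (`hirs_db` or empty), never `1`, so `check_db_cleared` now always reports "hirs_db database does not exists" even when the database is present. Restore `if [[ $HIRS_DB_EXISTS == "hirs_db" ]]; then`, matching the new `check_hirs_db` helper in the previous hunk. `check_db_cleared` begins above this hunk.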
@@ -179,7 +199,7 @@ clear_hirs_user () {
 $(mysql -u root -e 'quit' &> /dev/null);
 if [ $? -eq 0 ]; then
 HIRS_DB_USER_EXISTS="$(mysql -uroot -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
- if [[ $HIRS_DB_USER_EXISTS == 1 ]]; then
+ if [[ $HIRS_DB_USER_EXISTS == "1" ]]; then
 mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost';"
 echo "hirs_db user found and deleted"
 fi

From ce129fdf6c94f0b8a2ab7a651d86fe9389172201 Mon Sep 17 00:00:00 2001
From: "iadgovuser26 iadgovuser26@empire.eclipse.ncsc.mil"
Date: Wed, 24 Apr 2024 16:18:31 -0400
Subject: [PATCH 3/3] fixed mariadb permission on Rocky 9

---
 package/linux/db/db_create.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/linux/db/db_create.sh b/package/linux/db/db_create.sh
index aa3324e1..dd8e61d5 100755
--- a/package/linux/db/db_create.sh
+++ b/package/linux/db/db_create.sh
@@ -114,10 +114,10 @@ set_mysql_server_tls () {
 # The following arent avialble in Mariadb 10.3
 #echo "tls_version=TLSv1.2,TLSv1.3" >> "$DB_SRV_CONF"
 #echo "require_secure_transport=ON" >> "$DB_SRV_CONF"
-
-
+
 # Make sure mysql can access them
 chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
+ chmod 644 $DB_SRV_CONF $DB_CLIENT_CONF
 # Make selinux contexts for config files, if selinux is enabled
 if [[ $ID = "rhel" ]] || [[ $ID = "rocky" ]] ||[[ $ID = "fedora" ]]; then
 command -v selinuxenabled > /dev/null
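Review bot: `chmod 644 $DB_SRV_CONF $DB_CLIENT_CONF` makes both MariaDB config fragments world-readable with no comment saying what on Rocky 9 required it, so the next maintainer cannot tell whether `640` with group `mysql` would do. The fragments themselves presumably only carry TLS paths, but the key file referenced on the line above (`$SSL_DB_SRV_KEY`, chown'd to `mysql`) is not given an explicit mode here, so confirm it ends up 0600/0640 rather than inheriting whatever the setup or package applied. Add a comment such as `# Rocky 9: mysqld cannot read the generated conf fragments without this; keys are restricted separately` (adjusted to the real cause) next to the chmod. `set_mysql_server_tls` begins before this hunk.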