Merge pull request #753 from nsacyber/v3_issue_749-setup_check

[#749] ACA setup check
This commit is contained in:
iadgovuser26 2024-05-06 16:12:56 -04:00 committed by GitHub
commit a903b0e448
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 116 additions and 52 deletions

View File

@ -11,6 +11,7 @@ plugins {
// Get version from main project gradle // Get version from main project gradle
def packVersion = properties.get("packageVersion"); def packVersion = properties.get("packageVersion");
def jarVersion = properties.get("jarVersion"); def jarVersion = properties.get("jarVersion");
def projVersion = properties.get("projVersion");
//println "packageVersion is ${projVersion}" //println "packageVersion is ${projVersion}"
java { java {
@ -96,10 +97,12 @@ task buildVersion() {
ospackage { ospackage {
packageName = 'HIRS_AttestationCA' packageName = 'HIRS_AttestationCA'
description = 'HIRS Attestation CA. Use systemctl status hirs-aca'
os = LINUX os = LINUX
arch = NOARCH arch = NOARCH
version = "$packVersion" version = "$packVersion"
release = '1' release = '2'
user 'root' user 'root'
fileMode = 0755 fileMode = 0755
@ -107,6 +110,9 @@ ospackage {
addParentDirs = true addParentDirs = true
createDirectoryEntry true createDirectoryEntry true
into ('/etc/hirs') {
from '../VERSION'
}
// copy json tables // copy json tables
into ('/etc/hirs/aca/default-properties') { into ('/etc/hirs/aca/default-properties') {
from '../HIRS_AttestationCA/src/main/resources/component-class.json' from '../HIRS_AttestationCA/src/main/resources/component-class.json'
@ -128,10 +134,14 @@ ospackage {
fileMode = 0755 fileMode = 0755
} }
// Install - check for existing setup
preInstall 'if [ -d /etc/hirs ]; then echo "Error: /etc/hirs/ exists, aborting install"; exit 1; fi;'
preInstall 'if [ -d /opt/hirs ]; then echo "Error: /opt/hirs/ exists, aborting install"; exit 1; fi;'
// Uninstall // Uninstall
preUninstall 'bash /opt/hirs/aca/scripts/aca/aca_remove_setup.sh' preUninstall 'bash /opt/hirs/aca/scripts/aca/aca_remove_setup.sh $1'
preUninstall 'bash /opt/hirs/aca/scripts/systemd/aca_disable_service.sh' preUninstall 'bash /opt/hirs/aca/scripts/systemd/aca_disable_service.sh'
postUninstall 'if [ -d /etc/hirs ]; then rm -rf /etc/hirs; fi;' postUninstall 'if [ -d /etc/hirs ]; then rm -rf /etc/hirs; fi;'
postUninstall 'if [ -d /opt/hirs ]; then rm -rf /opt/hirs; fi;'
buildRpm { buildRpm {
dependsOn ':HIRS_AttestationCAPortal:buildVersion' dependsOn ':HIRS_AttestationCAPortal:buildVersion'
@ -149,9 +159,6 @@ ospackage {
postTrans 'firewall-cmd --reload' postTrans 'firewall-cmd --reload'
postTrans 'bash /opt/hirs/aca/scripts/aca/aca_setup.sh -u' postTrans 'bash /opt/hirs/aca/scripts/aca/aca_setup.sh -u'
postTrans 'bash /opt/hirs/aca/scripts/systemd/aca_enable_service.sh' postTrans 'bash /opt/hirs/aca/scripts/systemd/aca_enable_service.sh'
// postTrans 'bash /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w &'
// add chrontab to run ACA at boot
//postTrans 'echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab'
postTrans 'chmod +x /opt/hirs/aca/scripts/aca/*' postTrans 'chmod +x /opt/hirs/aca/scripts/aca/*'
postTrans 'if [ -f /opt/hirs/aca/VERSION ]; then rm /opt/hirs/aca/VERSION; fi;' postTrans 'if [ -f /opt/hirs/aca/VERSION ]; then rm /opt/hirs/aca/VERSION; fi;'
// Wait for ACA to start up before finishing the install // Wait for ACA to start up before finishing the install
@ -168,9 +175,7 @@ ospackage {
requires('curl') requires('curl')
// Install after required packages // Install after required packages
postInstall 'bash /opt/hirs/aca/scripts/aca/aca_setup.sh -u' postInstall 'bash /opt/hirs/aca/scripts/aca/aca_setup.sh -u'
//postInstall '/opt/hirs/aca/scripts/aca/aca_bootRun.sh -w &'
postInstall 'bash /opt/hirs/aca/scripts/systemd/aca_enable_service.sh' postInstall 'bash /opt/hirs/aca/scripts/systemd/aca_enable_service.sh'
postInstall 'echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab'
postInstall 'chmod +x /opt/hirs/aca/scripts/aca/*' postInstall 'chmod +x /opt/hirs/aca/scripts/aca/*'
postInstall 'if [ -f /opt/hirs/aca/VERSION ]; then rm /opt/hirs/aca/VERSION; fi;' postInstall 'if [ -f /opt/hirs/aca/VERSION ]; then rm /opt/hirs/aca/VERSION; fi;'
// Wait for ACA to start up before finishing the install // Wait for ACA to start up before finishing the install

View File

@ -51,6 +51,7 @@ def gitHash = { ->
return stdout.toString().trim() return stdout.toString().trim()
} }
project.ext["projVersion"] = "${projectVersion}"
project.ext["jarVersion"] = "${projectVersion}.${buildTime}.${gitHash}" project.ext["jarVersion"] = "${projectVersion}.${buildTime}.${gitHash}"
project.ext["packageVersion"] = "${projectVersion}.${buildTime}.${gitHash}.el8" project.ext["packageVersion"] = "${projectVersion}.${buildTime}.${gitHash}.el8"

View File

@ -75,6 +75,8 @@ while [[ $# -gt 0 ]]; do
esac esac
done done
check_systemd -p
echo "Checking HIRS ACA Setup on this device..." echo "Checking HIRS ACA Setup on this device..."
# Check if aca setup was performed # Check if aca setup was performed
# Check is RPM was installed via RPM package # Check is RPM was installed via RPM package
@ -91,7 +93,8 @@ echo "Checking HIRS ACA Setup on this device..."
echo "$ID OS distro encountered" echo "$ID OS distro encountered"
fi fi
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
echo "HIRS ACA was installed via an OS package on this device" echo "HIRS ACA was installed via an OS package on this device."
if [ $SYSD_SERVICE = true ]; then
systemctl is-active --quiet hirs-aca systemctl is-active --quiet hirs-aca
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
echo " The hirs-aca service is active" echo " The hirs-aca service is active"
@ -100,8 +103,11 @@ echo "Checking HIRS ACA Setup on this device..."
ALL_CHECKS_PASSED=false ALL_CHECKS_PASSED=false
fi fi
fi fi
else
echo "ACA not installed via a package."
fi
check_systemd -p
# Check install setup pki files # Check install setup pki files
if [ ! -d $CERT_PATH ]; then if [ ! -d $CERT_PATH ]; then
@ -130,7 +136,7 @@ echo "Checking if ACA passwords are present..."
echo "hirs db user password not set" echo "hirs db user password not set"
PRESENT=false PRESENT=false
fi fi
if [ $PRESENT ]; then if [ $PRESENT = true ]; then
echo " ACA passwords were found" echo " ACA passwords were found"
else else
echo " ERROR finding ACA passwords" echo " ERROR finding ACA passwords"
@ -182,7 +188,7 @@ check_cert () {
ALL_CERTS_PASSED=false ALL_CERTS_PASSED=false
fi fi
if [ ! -z "${ARG_VERBOSE}" ]; then if [ ! -z "${ARG_VERBOSE}" ]; then
echo " "$RESULTACA_PROP_FILE echo " "$RESULT
fi fi
} }

View File

@ -7,8 +7,31 @@
##################################################################################### #####################################################################################
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
OPTION_IN=$1; # per Fedora packing guidelines: $1 = 1 for an upgrade, 0 for a remove
if [ -z $1 ]; then OPTION_IN="2"; fi # Set if called by command line
case $OPTION_IN in
"0")
echo "Package removal requested"
OPTION="ACA_PKG_REMOVE"
;;
"1")
echo "Package upgrade requested"
OPTION="ACA_UPGRADE"
;;
"2")
echo "ACA Setup removal requested"
OPTION="ACA_SET_REMOVE"
;;
*)
echo "$1 is an unknown parameter for aca_remove_setup"
exit 1
break
;;
esac
LOG_FILE=/dev/null LOG_FILE=/dev/null
LOG_DIR="/var/log/hirs/" LOG_DIR="/var/log/hirs/"
# Check for Admin privileges # Check for Admin privileges
if [ "$EUID" -ne 0 ]; then if [ "$EUID" -ne 0 ]; then
echo "This script requires root. ACA setup not removed. Please run as root." echo "This script requires root. ACA setup not removed. Please run as root."
@ -33,15 +56,17 @@ check_mariadb_install
check_mysql_root check_mysql_root
# remove the hrs-db and hirs_db user # remove the hrs-db and hirs_db user
pushd $SCRIPT_DIR/../db/ &>/dev/null if [ $OPTION = "ACA_SET_REMOVE" ] || [ $OPTION = "ACA_PKG_REMOVE" ]; then
./db_drop.sh $DB_ADMIN_PWD pushd $SCRIPT_DIR/../db/ &>/dev/null
popd &>/dev/null ./db_drop.sh $DB_ADMIN_PWD
popd &>/dev/null
fi
# remove pki files and config files if not installed by rpm # remove pki files and config files if not installed by rpm
echo "Removing certificates and config files..." echo "Removing certificates and config files..."
# Remove /opt/hirs only if not configured by a package based install: # Remove /opt/hirs only if not configured by a package based install:
if [ -f /opt/hirs/aca/VERSION ]; then if [ $OPTION = "ACA_SET_REMOVE" ]; then
if [ -d "/etc/hirs" ]; then if [ -d "/etc/hirs" ]; then
rm -rf /etc/hirs >/dev/null 2>&1 rm -rf /etc/hirs >/dev/null 2>&1
fi fi
@ -54,9 +79,7 @@ if [ -d $LOG_DIR ]; then
rm -rf $LOG_DIR; rm -rf $LOG_DIR;
fi fi
# Remove crontab and current ACA process # Remove current ACA process
echo "Removing the ACA crontab"
sed -i '/aca_bootRun.sh/d' /etc/crontab
echo "Shutting down the aca..." echo "Shutting down the aca..."
ps axf | grep HIRS_AttestationCAPortal.war | grep -v grep | awk '{print "kill " $1}' | sh >/dev/null 2>&1 ps axf | grep HIRS_AttestationCAPortal.war | grep -v grep | awk '{print "kill " $1}' | sh >/dev/null 2>&1
echo "ACA setup removal complete." echo "ACA setup removal complete."

View File

@ -63,6 +63,13 @@ while [[ $# -gt 0 ]]; do
esac esac
done done
echo "Input is $1"
if [[ $1 -eq 1 ]] ; then
echo "Install detected $1"
else
echo "Upgrade detected $1"
fi
# Check for existing installation folders and exist if found # Check for existing installation folders and exist if found
if [ -z $ARG_UNATTEND ]; then if [ -z $ARG_UNATTEND ]; then
if [ -d "/etc/hirs" ]; then if [ -d "/etc/hirs" ]; then

View File

@ -115,9 +115,9 @@ set_mysql_server_tls () {
#echo "tls_version=TLSv1.2,TLSv1.3" >> "$DB_SRV_CONF" #echo "tls_version=TLSv1.2,TLSv1.3" >> "$DB_SRV_CONF"
#echo "require_secure_transport=ON" >> "$DB_SRV_CONF" #echo "require_secure_transport=ON" >> "$DB_SRV_CONF"
# Make sure mysql can access them # Make sure mysql can access them
chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
chmod 644 $DB_SRV_CONF $DB_CLIENT_CONF
# Make selinux contexts for config files, if selinux is enabled # Make selinux contexts for config files, if selinux is enabled
if [[ $ID = "rhel" ]] || [[ $ID = "rocky" ]] ||[[ $ID = "fedora" ]]; then if [[ $ID = "rhel" ]] || [[ $ID = "rocky" ]] ||[[ $ID = "fedora" ]]; then
command -v selinuxenabled > /dev/null command -v selinuxenabled > /dev/null
@ -158,13 +158,8 @@ fi
# Process HIRS DB USER # Process HIRS DB USER
set_hirs_db_pwd () { set_hirs_db_pwd () {
check_hirs_db
RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -e "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")" if [[ $HIRS_DB_USER_EXISTS != "1" ]]; then
if [ "$RESULT" = 1 ]; then
echo "hirs-db user exists"
HIRS_DB_PWD=$hirs_db_password
else
# Check if Mysql HIRS DB password set by system variable or set to random number # Check if Mysql HIRS DB password set by system variable or set to random number
if [ -z $HIRS_DB_PWD ]; then if [ -z $HIRS_DB_PWD ]; then
HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9') HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
@ -182,11 +177,18 @@ set_hirs_db_pwd () {
if [[ $(grep -c "hibernate.connection.password" $SPRING_PROP_FILE) -eq 0 ]]; then if [[ $(grep -c "hibernate.connection.password" $SPRING_PROP_FILE) -eq 0 ]]; then
echo "hibernate.connection.password=$HIRS_DB_PWD" >> $SPRING_PROP_FILE echo "hibernate.connection.password=$HIRS_DB_PWD" >> $SPRING_PROP_FILE
fi fi
else
echo "hirs-db user already exists, skipping"
fi fi
} }
# Create a hirs_db with client side TLS enabled # Create a hirs_db with client side TLS enabled
create_hirs_db_with_tls () { create_hirs_db_with_tls () {
check_hirs_db_user
echo "Now HIRS_DB_USER_EXISTS is $HIRS_DB_USER_EXISTS"
if [[ $HIRS_DB_USER_EXISTS == "1" ]]; then
echo "hirs_db already exists, skipping"
else
# Check if hirs_db not created and create it if it wasn't # Check if hirs_db not created and create it if it wasn't
mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" >> $LOG_FILE 2>&1 mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" >> $LOG_FILE 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
@ -195,6 +197,8 @@ create_hirs_db_with_tls () {
mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql
mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql
mysql -u root --password=$DB_ADMIN_PWD -e "SET PASSWORD FOR 'hirs_db'@'localhost' = PASSWORD('"$HIRS_DB_PWD"'); FLUSH PRIVILEGES;"; mysql -u root --password=$DB_ADMIN_PWD -e "SET PASSWORD FOR 'hirs_db'@'localhost' = PASSWORD('"$HIRS_DB_PWD"'); FLUSH PRIVILEGES;";
echo "**** Setting hirs_db pwd to $HIRS_DB_PWD ***"
fi
fi fi
} }
@ -232,14 +236,12 @@ fi
# HIRS ACA Mysqld processing ... # HIRS ACA Mysqld processing ...
check_systemd -p check_systemd -p
check_mariadb_install check_mariadb_install
start_mysqlsd start_mysqlsd
check_mysql check_mysql
check_mysql_root_pwd check_mysql_root_pwd
clear_hirs_user
set_hirs_db_pwd set_hirs_db_pwd
create_hirs_db_with_tls
set_mysql_server_tls set_mysql_server_tls
set_mysql_client_tls set_mysql_client_tls
create_hirs_db_with_tls
create_hibernate_url "RSA" "hirs_db" create_hibernate_url "RSA" "hirs_db"
mysqld_reboot mysqld_reboot

View File

@ -154,6 +154,26 @@ $(mysql -u root -p$DB_ADMIN_PWD -e 'quit' &> /dev/null);
fi fi
} }
check_hirs_db_user () {
PRINT_STATUS=$1
HIRS_DB_USER_EXISTS="$(mysql -uroot --password=$DB_ADMIN_PWD -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
if [[ $HIRS_DB_USER_EXISTS == "1" ]]; then
if [[ $PRINT_STATUS == "-p" ]];then echo " hirs_db user exists" | tee -a "$LOG_FILE"; fi;
else
if [[ $PRINT_STATUS == "-p" ]]; then echo " hirs_db user does not exist" | tee -a "$LOG_FILE"; fi;
fi
}
check_hirs_db () {
PRINT_STATUS=$1
HIRS_DB_EXISTS="$(mysql -uroot --password=$DB_ADMIN_PWD -e "SHOW DATABASES" | grep hirs_db)"
if [[ $HIRS_DB_EXISTS == "hirs_db" ]]; then
if [[ $PRINT_STATUS == "-p" ]];then echo " hirs_db database exists" | tee -a "$LOG_FILE"; fi;
else
if [[ $PRINT_STATUS == "-p" ]];then echo " hirs_db database does not exists" | tee -a "$LOG_FILE"; fi;
fi
}
check_db_cleared () { check_db_cleared () {
$(mysql -u root -e 'quit' &> /dev/null); $(mysql -u root -e 'quit' &> /dev/null);
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
@ -162,13 +182,13 @@ check_db_cleared () {
echo " Mysql Root password is not empty" | tee -a "$LOG_FILE"; echo " Mysql Root password is not empty" | tee -a "$LOG_FILE";
fi fi
HIRS_DB_USER_EXISTS="$(mysql -uroot -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")" HIRS_DB_USER_EXISTS="$(mysql -uroot -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
if [[ $HIRS_DB_USER_EXISTS == 1 ]]; then if [[ $HIRS_DB_USER_EXISTS == "1" ]]; then
echo " hirs_db user exists" | tee -a "$LOG_FILE"; echo " hirs_db user exists" | tee -a "$LOG_FILE";
else else
echo " hirs_db user does not exist" | tee -a "$LOG_FILE"; echo " hirs_db user does not exist" | tee -a "$LOG_FILE";
fi fi
HIRS_DB_EXISTS=`mysql -uroot -e "SHOW DATABASES" | grep hirs_db` HIRS_DB_EXISTS=`mysql -uroot -e "SHOW DATABASES" | grep hirs_db`
if [[ $HIRS_DB_EXISTS == "hirs_db" ]]; then if [[ $HIRS_DB_EXISTS == "1" ]]; then
echo " hirs_db databse exists" | tee -a "$LOG_FILE"; echo " hirs_db databse exists" | tee -a "$LOG_FILE";
else else
echo " hirs_db database does not exists" | tee -a "$LOG_FILE"; echo " hirs_db database does not exists" | tee -a "$LOG_FILE";
@ -179,7 +199,7 @@ clear_hirs_user () {
$(mysql -u root -e 'quit' &> /dev/null); $(mysql -u root -e 'quit' &> /dev/null);
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
HIRS_DB_USER_EXISTS="$(mysql -uroot -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")" HIRS_DB_USER_EXISTS="$(mysql -uroot -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
if [[ $HIRS_DB_USER_EXISTS == 1 ]]; then if [[ $HIRS_DB_USER_EXISTS == "1" ]]; then
mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost';" mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost';"
echo "hirs_db user found and deleted" echo "hirs_db user found and deleted"
fi fi