added an aca_check_setup.sh script

package/scripts/aca/aca_check_setup.sh

@@ -36,6 +36,7 @@ ECC_WEB_TLS_CERT="HIRS_aca_tls_ecc_512_sha384.pem"
 DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
 DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
 ALL_CHECKS_PASSED=true
+ALL_CERTS_PASSED=true
 
 # Check for Admin privileges
 if [ "$EUID" -ne 0 ]; then
@@ -48,6 +49,27 @@ if [ ! -d $CERT_PATH ]; then
      exit 1;
 fi
 
+# Argument handling 
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -v|--verbose)
+      ARG_VERBOSE=YES
+      echo "verbose parameters"
+      shift # past argument
+      ;;
+    -*|--*)
+      echo "Unknown option $1"
+      exit 1
+      ;;
+    *)
+      echo "Unknown argument $1"
+      exit 1
+      shift # past argument
+      ;;
+  esac
+done
+
 source /etc/hirs/aca/aca.properties;
 
 check_pwds () {
@@ -73,6 +95,7 @@ echo "Checking if ACA passwords are in aca.properties"
    ALL_CHECKS_PASSED=false
  fi
 }
+
 check_mysql () {
   echo "Checking mysqld status..."
   if [[ $(pgrep -c -u mysql mysqld) -ne 0 ]]; then
@@ -81,7 +104,7 @@ check_mysql () {
       echo "   mysqld process does NOT exist, attempting to restart mysql..."
     /usr/bin/mysqld_safe &
   fi
- 
+
  # Wait for mysql to start before continuing.
 
   while ! mysqladmin ping -h "$localhost" --silent; do
@@ -89,29 +112,46 @@ check_mysql () {
   done
 
   echo "   mysqld is running."
-  
+
   # Check DB server/client TLS setup.
   if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then
-     echo "   Mysql server is NOT configured for Server Side TLS"
+     echo "   Mysql server ($DB_SRV_CONF) is NOT configured for Server Side TLS"
      ALL_CHECKS_PASSED=false
    else
-     echo "   Mysql server is configured for Server Side TLS"
+     echo "   Mysql server ($DB_SRV_CONF) is configured for Server Side TLS"
   fi
   if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then
-      echo "   Mysql client is NOT configured for command line use of TLS without provding key/cert ino the commandline"
+      echo "   Mysql client ($DB_CLIENT_CONF)is NOT configured for command line use of TLS without provding key/cert ino the commandline"
       ALL_CHECKS_PASSED=false
     else
-       echo "   Mysql client is configured for command line use of TLS"
+       echo "   Mysql client ($DB_CLIENT_CONF) is configured for command line use of TLS"
   fi
   
   if [ ! -z $mysql_admin_password ]; then
+    if [ ! -z "${ARG_VERBOSE}" ]; then
+      echo "Mysql status:"
+      mysql -u root --password=$mysql_admin_password -e "STATUS;"
       echo "Listing mysql users:"
       mysql -u root --password=$mysql_admin_password -e "Select user from mysql.user;"
       echo "Listing all databses:"
       mysql -u root --password=$mysql_admin_password -e "show databases;"
+    fi
   fi
 }
 
+check_cert () {
+TRUST_STORE=$1
+CERT=$2
+RESULT=$(openssl verify -CAfile "$TRUST_STORE" $CERT)
+if [ $? -ne 0 ]; then
+   ALL_CHECKS_PASSED=false
+   ALL_CERTS_PASSED=false
+fi
+if [ ! -z "${ARG_VERBOSE}" ]; then
+    echo "     "$RESULT
+fi
+}
+
 check_pki () {
  echo "Checking HIRS PKI certificates"
   if [ ! -d "/etc/hirs/certificates" ]; then
@@ -119,55 +159,61 @@ check_pki () {
            Skipping PKI Checks." 
   fi
 
-  pushd $CERT_PATH$RSA_PATH
-   echo "   Checking HIRS RSA certs using trust store..."
-   echo "     "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_ROOT)
-   echo "     "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_INTERMEDIATE)
-   echo "     "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_CA1)
-   echo "     "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_CA2)
-   echo "     "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_HIRS_CA3)
-   echo "     "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_RIM_SIGNER)
-   echo "     "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_DN_SRV_CERT)
-   echo "     "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_DB_CLIENT_CERT)
-   echo "     "$(openssl verify -CAfile "$RSA_TRUST_STORE" $RSA_WEB_TLS_CERT)
+  pushd $CERT_PATH$RSA_PATH > /dev/null
+   check_cert $RSA_TRUST_STORE $RSA_HIRS_ROOT
+   check_cert $RSA_TRUST_STORE $RSA_HIRS_INTERMEDIATE
+   check_cert $RSA_TRUST_STORE $RSA_HIRS_CA1
+   check_cert $RSA_TRUST_STORE $RSA_HIRS_CA2
+   check_cert $RSA_TRUST_STORE $RSA_HIRS_CA3
+   check_cert $RSA_TRUST_STORE $RSA_RIM_SIGNER
+   check_cert $RSA_TRUST_STORE $RSA_DN_SRV_CERT
+   check_cert $RSA_TRUST_STORE $RSA_DB_CLIENT_CERT
+   check_cert $RSA_TRUST_STORE $RSA_WEB_TLS_CERT
+
   popd  > /dev/null
-  pushd $CERT_PATH$ECC_PATH
-   echo "    Checking HIRS ECC certs using tust store..." 
-   echo "     "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_ROOT)
-   echo "     "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_INTERMEDIATE)
-   echo "     "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_CA1)
-   echo "     "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_CA2)
-   echo "     "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_HIRS_CA3)
-   echo "     "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_RIM_SIGNER)
-   echo "     "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_DN_SRV_CERT)
-   echo "     "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_DB_CLIENT_CERT)
-   echo "     "$(openssl verify -CAfile "$ECC_TRUST_STORE" $ECC_WEB_TLS_CERT)
+  pushd $CERT_PATH$ECC_PATH > /dev/null
+   check_cert $ECC_TRUST_STORE $ECC_HIRS_ROOT
+   check_cert $ECC_TRUST_STORE $ECC_HIRS_INTERMEDIATE
+   check_cert $ECC_TRUST_STORE $ECC_HIRS_CA1
+   check_cert $ECC_TRUST_STORE $ECC_HIRS_CA2
+   check_cert $ECC_TRUST_STORE $ECC_HIRS_CA3
+   check_cert $ECC_TRUST_STORE $ECC_RIM_SIGNER
+   check_cert $ECC_TRUST_STORE $ECC_DN_SRV_CERT
+   check_cert $ECC_TRUST_STORE $ECC_DB_CLIENT_CERT
+   check_cert $ECC_TRUST_STORE $ECC_WEB_TLS_CERT
   popd  > /dev/null
 
-  echo "   Checking KeyStore, Keystore aliases, and pki password"
-  echo "   Keystore alias list:"
-    keytool -list -keystore  /etc/hirs/certificates/HIRS/TrustStore.jks  -storepass $hirs_pki_password | grep hirs | sed -e 's/^/     /'
+  if [ -z "${ARG_VERBOSE}" ]; then
+    if [ $ALL_CERTS_PASSED == true ]; then
+         echo "   All RSA and ECC certificates under $CERT_PATH are valid"
+      else
+         echo "   There were error in the certificates under $CERT_PATH"
+    fi
+       keytool -list -keystore  /etc/hirs/certificates/HIRS/TrustStore.jks  -storepass $hirs_pki_password | grep hirs | sed -e 's/^/     /' > /dev/null
+    else  #verbose
+       echo "   Checking KeyStore, Keystore aliases, and pki password"
+       echo "   Keystore alias list:"
+       keytool -list -keystore  /etc/hirs/certificates/HIRS/TrustStore.jks  -storepass $hirs_pki_password | grep hirs | sed -e 's/^/     /' 
+  fi
+  
   if [ $? -eq 0 ]; then
-      echo "   HIRS pki password is correct"
+      echo "   JKS Trust Store File (/etc/hirs/certificates/HIRS/TrustStore.jks) is correct: HIRS pki password is correct"
     else
-      echo "   HIRS pki password is NOT correct"
+      echo "   Error with JKS Trust Store: HIRS pki password is NOT correct"
       ALL_CHECKS_PASSED=false
   fi
 }
 
 check_db () {
-  echo "Check DB server SSL config..."
-  RESULT=$(mysql -u hirs_db --password=$hirs_db_password -e "SHOW VARIABLES LIKE '%have_ssl%'" |  grep -o YES )
+  echo "Check DB server TLS config..."
+  RESULT=$(mysql -u root --password=$mysql_admin_password -e "SHOW VARIABLES LIKE '%have_ssl%'" |  grep -o YES )
   if [ "$RESULT" == "YES" ]; then
-      echo "   Mysql is configured for Server side TLS:"
+      echo "   Mysql Server side TLS is enabled:"
     else
-      echo "   Mysql is NOT configured for Server side TLS:"
+      echo "   Mysql Sever side TLS is NOT enabled:"
       ALL_CHECKS_PASSED=false
   fi
-  mysql -u hirs_db --password=$hirs_db_password -e "SHOW VARIABLES LIKE '%have_ssl%'" 
-  echo "   Show hirs_db user config"
-  mysql -u hirs_db --password=$hirs_db_password -e "SHOW CREATE USER 'hirs_db'@'localhost';"
-  echo "   Show databases accessable to the hirs_db user:"
+  
   RESULT=$(mysqlshow --user=hirs_db --password=$hirs_db_password hirs_db|  grep -o hirs_db)
   if [ "$RESULT" == "hirs_db" ]; then
       echo "   The hirs_db database is visable by the hirs_db user"
@@ -175,15 +221,46 @@ check_db () {
       echo "   The hirs_db database is NOT visable by the hirs_db user"
       ALL_CHECKS_PASSED=false
   fi
-  mysql -u hirs_db --password=$hirs_db_password -e "SHOW DATABASES;";
-  echo "Showing privileges for the hirs_db user"
-  mysql -u hirs_db --password=$hirs_db_password -e "SHOW GRANTS FOR 'hirs_db'@'localhost'" 
+   if [ ! -z "${ARG_VERBOSE}" ]; then
+   echo "   Show hirs_db user config using hirs_db password"
+   mysql -u hirs_db --password=$hirs_db_password -e "SHOW CREATE USER 'hirs_db'@'localhost';" \
+    --ssl-ca=/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem \
+    --ssl-cert=/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.pem \
+    --ssl-key=/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.key
+    echo "Mysql TLS configuration"
+    mysql -u root --password=$mysql_admin_password -e "SHOW VARIABLES LIKE '%ssl%'"
+    echo "hirs_db user database access:"
+    mysql -u hirs_db --password=$hirs_db_password -e "SHOW DATABASES;";
+    echo "Privileges for the hirs_db user:"
+    mysql -u hirs_db --password=$hirs_db_password -e "SHOW GRANTS FOR 'hirs_db'@'localhost'" 
+  fi
+  
+}
+
+# Check selinux status and files that require specific contexts
+check_selinux () {
+   SELINUXSTATUS=$(getenforce)
+   DB_SRV_CONTEXT=$(ls -Z $DB_SRV_CONF)
+   DB_CLIENT_CONTEXT=$(ls -Z $DB_CLIENT_CONF)
+   
+   if [[ "$SELINUXSTATUS" == *"Enforcing"* ]]; then
+     if [[ "$DB_SRV_CONTEXT" == *"mysqld_etc_t"* &&  "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then
+         echo "Selinux status is $SELINUXSTATUS and both $DB_SRV_CONF and $DB_SRV_CONF contexts are correct"
+     elif [[ "$DB_CLIENT_CONTEXT" == *"mysqld_etc_t"* ]]; then
+        echo "Selinux status is $SELINUXSTATUS and $DB_SRV_CONF context is incorrect: $DB_SRV_CONTEXT"
+        ALL_CHECKS_PASSED=false
+     else
+        echo "Selinux status is $SELINUXSTATUS and $DB_CLIENT_CONF context is incorrect: $DB_CLIENT_CONTEXT"
+        ALL_CHECKS_PASSED=false
+     fi
+   fi
 }
 
 check_pwds
 check_pki
 check_mysql
 check_db
+check_selinux
 
 if [ $ALL_CHECKS_PASSED = true  ]; then
   echo "ACA setup checks passed!"

package/scripts/aca/aca_remove_setup.sh

@@ -14,6 +14,10 @@ if [ "$EUID" -ne 0 ]; then
       echo "This script requires root.  ACA setup not removed. Please run as root."
       exit 1
 fi
+if [ ! -f /etc/hirs/aca/aca.properties ]; then
+      echo "aca.properties does not exist, aborting."
+      exit 1
+fi
 
 # remove the hrs-db and hirs_db user
 pushd $SCRIPT_DIR/../db/

package/scripts/aca/aca_setup.sh

@@ -22,7 +22,7 @@ fi
 mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR
 
 # Process parameters
-# Argument handling https://stackoverflow.com/questions/192249/how-do-i-parse-command-line-arguments-in-bash
+# Argument handling 
 POSITIONAL_ARGS=()
 
 while [[ $# -gt 0 ]]; do

package/scripts/db/db_create.sh

@@ -79,7 +79,10 @@ set_mysql_server_tls () {
     echo "ssl_cert=$SSL_DB_SRV_CERT" >> "$DB_SRV_CONF"
     echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF"
     # Make sure mysql can access them
-    chown mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
+    chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
+     # Make selinux contexts for configu file
+    semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF  > /dev/null #adds the context type to file
+    restorecon -v -F $DB_SRV_CONF                           # changes the file's context type
   else
        echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE"
   fi
@@ -92,7 +95,10 @@ if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then
   echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $DB_CLIENT_CONF
   echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF
   echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF
-  chown mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY 
+  chown mysql:mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY 
+  # Make selinux contexts for configu file
+  semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null  #adds the context type to file
+  restorecon -F $DB_CLIENT_CONF                           #changes the file's context type
 fi
 }
 
@@ -137,3 +143,8 @@ start_mysqlsd
 check_mysql_root_pwd
 set_hirs_db_pwd
 create_hirs_db_with_tls
+# reboot mysql server
+mysql -u root --password=$DB_ADMIN_PWD -e "SHUTDOWN"
+sleep 2
+check_for_container
+start_mysqlsd

package/scripts/db/db_drop.sh

@@ -29,10 +29,13 @@ fi
 echo "dropping hirs_db database"
 
 if pgrep  mysqld >/dev/null 2>&1; then
-    mysql -u "root" --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_drop.sql
-    echo "hirs_db databse and hirs_db user removed"
+   # mysql -u "root" --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_drop.sql
+     mysql -u root --password=$DB_ADMIN_PWD  -e "FLUSH HOSTS; FLUSH LOGS; FLUSH STATUS; FLUSH PRIVILEGES; FLUSH USER_RESOURCES"
+     mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost';"
+     mysql -u root --password=$DB_ADMIN_PWD -e "DROP DATABASE IF EXISTS hirs_db;"
+     echo "hirs_db database and hirs_db user removed"
    else
- echo "mysql is not running. DB was not removed." 
+     echo "mysql is not running. DB was not removed."
 fi
 
 # reset the mysql root if the password was left in the properties fiel
@@ -40,6 +43,7 @@ if [ ! -z $mysql_admin_password ]; then
      echo "Resetting mysql root password to empty"
      mysql -u root --password=$mysql_admin_password -e "SET PASSWORD FOR "root@localhost" = PASSWORD('');"
      echo "Current list of databases:"
+     mysql -u "root" -e "FLUSH LOGS;"
      mysql -u "root" -e "SHOW DATABASES;"
      echo "Current list of users:"
      mysql -u root -e "Select user from mysql.user;"
@@ -54,7 +58,10 @@ grep -v "hirs" $SRV_CNF > tmpfile && mv tmpfile $SRV_CNF
 grep -v "hirs" $CLIENT_CNF > tmpfile && mv tmpfile $CLIENT_CNF
 
 echo "restarting mariadb"
-pkill mysql
-sleep 2;
+
+mysql -u root -e "SHUTDOWN"
+sleep 2
 check_for_container
 start_mysqlsd
+
+mysql -u root -e "SHOW VARIABLES LIKE '%ssl%'"

package/scripts/db/db_drop.sql

@@ -1,2 +1,2 @@
-DROP SCHEMA IF EXISTS hirs_db;
 DROP USER "hirs_db"@"localhost";
+DROP DATABASE IF EXISTS hirs_db;

package/scripts/db/reset_hirs_db_user.sh

@@ -21,10 +21,11 @@ echo "DB_ADMIN_PWD is $DB_ADMIN_PWD"
 
 # check if hirs_db user exists
 RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
-
 if [ "$RESULT" = 1 ]; then
   echo "hirs_db user found, dropping hirs-db user"
-  mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost'"
+  mysql -u root --password=$DB_ADMIN_PWD -e "SET PASSWORD FOR "hirs_db@localhost" = PASSWORD('');"
+  mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost';"
+
   if [ $? -ne 0 ]; then
      echo "Removing the existing hirs_db user failed"
      else
@@ -34,12 +35,26 @@ if [ "$RESULT" = 1 ]; then
   echo "no hirs_db user found, creating one..."
 fi
 
+mysql -u root --password=$mysql_admin_password -e "Select user from mysql.user;"
 echo "Creating hirs_db user"
+#mysql -u root --password=$DB_ADMIN_PWD < $SCRIPT_DIR/db_create.sql
+#mysql -u root --password=$mysql_admin_password -e "FLUSH PRIVILEGES;"
+
 mysql -u root --password=$DB_ADMIN_PWD -e "CREATE USER 'hirs_db'@'localhost' IDENTIFIED BY 'hirs_db';" 
-mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;"
+mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '$HIRS_DB_PWD'; FLUSH PRIVILEGES;"
 mysql -u root --password=$DB_ADMIN_PWD -e "GRANT ALL ON hirs_db.* TO 'hirs_db'@'localhost' REQUIRE X509;"
 mysql -u root --password=$DB_ADMIN_PWD -e "FLUSH PRIVILEGES;"
 
+mysql -u root --password=$mysql_admin_password -e "show databases;"
+
+mysql -u root --password=$mysql_admin_password -e  "CHECK TABLE mysql.user;"
+
+mysql -u root --password=$mysql_admin_password -e "Select user from mysql.user;"
+#mysql -u root --password=$mysql_admin_password -e "SHOW CREATE USER 'hirs_db'@'localhost';"
+mysql -u root --password=$mysql_admin_password -e "SHOW GRANTS FOR 'hirs_db'@'localhost'" 
+
+
+echo "HIRS_DB_PWD is $HIRS_DB_PWD"
 echo "Checking hirs_db user..."
 # check user
-mysql -u hirs_db --password=$HIRS_DB_PWD -e "SHOW DATABASES;";
+mysql -u hirs_db --password=$HIRS_DB_PWD -e "SHOW DATABASES;";