#!/bin/bash
# main driving script for the HIRS Provisioner RPM/DEB. Provides user options
# for creating a default hirs-site.config, used by the provisioner and the HIRS Client RPM,
# as well as initiating HIRS provisioning of the TPM and loading of credentials from the
# HIRS Attestation CA.
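# Installed locations used by the provisioner. Marked readonly so that nothing
# sourced later in this script (notably the site config, which is executed as
# shell code) can silently redirect where credentials are deleted from or which
# helper scripts get run.
readonly CERTS_DIR="/etc/hirs/provisioner/certs/"
readonly HIRS_SITE_CONFIG="/etc/hirs/hirs-site.config"
readonly HIRS_PROVISIONER_CONFIG="/etc/hirs/provisioner/hirs-provisioner-config.sh"
readonly HIRS_PROVISIONER_SCRIPT="/usr/share/hirs/provisioner/bin/HIRS_Provisioner"
readonly HIRS_PROVISIONER_2_0_SCRIPT="/usr/local/bin/hirs-provisioner-tpm2"
readonly HIRS_PROVISIONER_PROPERTIES="/etc/hirs/provisioner/provisioner.properties"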
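# Provisioning writes under /etc/hirs and drives the TPM, so refuse to continue
# unless the effective user is root. The diagnostic goes to stderr so it is not
# mistaken for normal output by callers capturing stdout.
if [[ "$EUID" != "0" ]]; then
  echo "This script must be run as root" >&2
  exit 1
fi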
#######################################
# Print the usage summary to stdout and terminate the script.
# Outputs:   usage text on stdout
# Returns:   never returns; exits with status 0
#######################################
function ShowHelp {
  printf '%s\n' \
    "hirs provisioner - host integrity at runtime & startup" \
    "" \
    "hirs-provisioner [command]" \
    "" \
    "commands:" \
    "-h, --help, help show this help" \
    "-c, --config, config verify or generate site configuration" \
    "-p, --provision, provision provision TPM/prepare for use with HIRS"
  exit 0
}
# Invoked with no arguments at all: show usage (ShowHelp exits the script).
[[ $# -eq 0 ]] && ShowHelp
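#######################################
# Ensure the site config exists, load it into the current shell, and verify
# that every setting the provisioner needs is non-empty.
# Globals:   HIRS_SITE_CONFIG (read); every variable assigned in the site
#            config becomes visible to the caller via `source`
# Outputs:   error diagnostics on stderr
# Returns:   0 when all required variables are set; exits 1 otherwise
#######################################
function CheckHIRSSiteConfig {
  if [[ ! -f "$HIRS_SITE_CONFIG" ]]; then
    echo "--> ERROR: $HIRS_SITE_CONFIG not found - run \"hirs-provisioner -c\" to generate the file" >&2
    exit 1
  fi
  # The site config is executed as shell code with root privileges (this
  # script refuses to run otherwise), so it must only be writable by root.
  # shellcheck source=/dev/null
  source "$HIRS_SITE_CONFIG"
  # CLIENT_HOSTNAME keeps its own wording so existing log parsers still match.
  if [[ -z "$CLIENT_HOSTNAME" ]]; then
    echo "--> ERROR: CLIENT_HOSTNAME is not set in $HIRS_SITE_CONFIG" >&2
    exit 1
  fi
  # Remaining settings are checked in the documented order; ${!name} reads the
  # variable whose name is held in $name.
  local name
  for name in ATTESTATION_CA_FQDN ATTESTATION_CA_PORT BROKER_FQDN BROKER_PORT PORTAL_FQDN PORTAL_PORT; do
    if [[ -z "${!name}" ]]; then
      echo "--> ERROR: $name not set in $HIRS_SITE_CONFIG" >&2
      exit 1
    fi
  done
}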
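#######################################
# Verify prerequisites, run the provisioner configuration script, and then
# provision the TPM when the site config enables it.
# Globals:   HIRS_SITE_CONFIG, HIRS_PROVISIONER_CONFIG (read);
#            TPM_ENABLED and CLIENT_HOSTNAME are read after
#            CheckHIRSSiteConfig has sourced the site config
# Outputs:   progress on stdout, failures on stderr
# Returns:   exits 0 if the site config is missing, 1 on configuration
#            failure; otherwise returns the status of the last step
#######################################
function CheckProvisionPrereqsAndDoProvisioning {
  if [[ ! -f "$HIRS_SITE_CONFIG" ]]; then
    echo "$HIRS_SITE_CONFIG not found. Run \"hirs-provisioner -c\" to generate."
    exit 0
  fi
  # Sources the site config into this shell and exits on any missing setting.
  CheckHIRSSiteConfig
  echo "--> Configuring provisioner"
  # Execute the config script directly; the path is a fixed constant, so there
  # is no reason to pass it through eval and have it re-parsed as shell code.
  "$HIRS_PROVISIONER_CONFIG" || { echo "----> Failed configuring provisioner" >&2; exit 1; }
  # Quoted comparison: an empty/unset TPM_ENABLED compares as "" instead of
  # making [ ] fail with "unary operator expected".
  if [[ "$TPM_ENABLED" == "true" ]]; then
    echo "--> Provisioning"
    Provision
  else
    echo "--> TPM not enabled - skipping provisioning"
  fi
}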
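#######################################
# Remove stale attestation credentials and run the installed TPM provisioner.
# Globals:   CERTS_DIR, HIRS_PROVISIONER_2_0_SCRIPT, HIRS_PROVISIONER_SCRIPT,
#            CLIENT_HOSTNAME (read)
# Outputs:   progress on stdout, failures on stderr
# Returns:   0 on success; exits 1 if the provisioner script fails
#######################################
function Provision {
  # Provisioner will only retain one {uuid}.cer credential; remove any existing *.cer files.
  # ${CERTS_DIR:?} aborts if CERTS_DIR is empty or unset, so the glob can never
  # degrade to "/*.cer" and delete files outside the certs directory.
  echo "----> Removing old attestation credentials, if any"
  rm -f -- "${CERTS_DIR:?}"/*.cer /etc/hirs/ak.cer
  echo "----> Provisioning TPM"
  # Prefer the TPM 2.0 provisioner when it is installed, else the legacy one.
  if [[ -f "$HIRS_PROVISIONER_2_0_SCRIPT" ]]; then
    "$HIRS_PROVISIONER_2_0_SCRIPT" provision || { echo "----> Failed to provision TPM 2.0" >&2; exit 1; }
  else
    "$HIRS_PROVISIONER_SCRIPT" "$CLIENT_HOSTNAME" || { echo "----> Failed to provision TPM" >&2; exit 1; }
  fi
}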
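#######################################
# Create a template site config if none exists; an existing file is never
# overwritten.
# Globals:   HIRS_SITE_CONFIG (read)
# Outputs:   guidance on stdout after the template is written
# Returns:   0; exits 1 if the template cannot be written
#######################################
function WriteDefaultHirsSiteConfigFile {
  if [[ ! -f "$HIRS_SITE_CONFIG" ]]; then
    # Create template site config if it does not exist. The heredoc delimiter is
    # deliberately unquoted so $(hostname -f) is expanded once, at creation
    # time. A failed write (e.g. missing /etc/hirs) must not be reported as
    # success, hence the explicit error branch.
    cat <<DEFAULT_SITE_CONFIG_FILE > "$HIRS_SITE_CONFIG" || { echo "--> ERROR: could not write $HIRS_SITE_CONFIG" >&2; exit 1; }
#*******************************************
#* HIRS site configuration properties file
#*******************************************
# Client configuration
CLIENT_HOSTNAME=$(hostname -f)
TPM_ENABLED=
IMA_ENABLED=
# Site-specific configuration
ATTESTATION_CA_FQDN=
ATTESTATION_CA_PORT=8443
BROKER_FQDN=
BROKER_PORT=61616
PORTAL_FQDN=
PORTAL_PORT=8443
DEFAULT_SITE_CONFIG_FILE
    echo "$HIRS_SITE_CONFIG not found - a template has been created"
    echo "Set your site configuration manually in $HIRS_SITE_CONFIG, then run 'hirs-provisioner -p' to provision this system"
  fi
}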
# Dispatch each command-line argument in turn. Anything unrecognised
# (including -h/--help) prints usage; ShowHelp exits, so no shift is needed.
while [[ $# -gt 0 ]]; do
  arg=$1
  shift
  case "$arg" in
    -c|--config|config) WriteDefaultHirsSiteConfigFile ;;
    -p|--provision|provision) CheckProvisionPrereqsAndDoProvisioning ;;
    *) ShowHelp ;;
  esac
done