CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12208 from Security-Onion-Solutions/reyesj2-patch-sl

Browse Source
This commit is contained in:
Jorge Reyes
2024-01-18 16:53:14 -05:00
committed by GitHub
parent 4a898619a6 07602076f1
commit 97e2721754
2 changed files with 41 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
salt/common/tools/sbin/so-common-status-check
View File

@@ -38,27 +38,22 @@ def check_needs_restarted():
f.write(val) f.write(val)
def check_for_fips(): def check_for_fips():
os = __grains__['os'] fips = 0
fips = False
# Only checking fully supported OS
if os == 'OEL':
try: try:
result = subprocess.run(['fips-mode-setup', '--is-enabled'], check=True, stdout=subprocess.PIPE) result = subprocess.run(['fips-mode-setup', '--is-enabled'], check=True, stdout=subprocess.PIPE)
fips = result.returncode == 0 fips = int(result.returncode == 0)
except FileNotFoundError: except FileNotFoundError:
with open('/proc/sys/crypto/fips_enabled', 'r') as f: with open('/proc/sys/crypto/fips_enabled', 'r') as f:
contents = f.read() contents = f.read()
if '1' in contents: if '1' in contents:
fips = True fips = 1
else: else:
fips = False fips = 0
return fips with open('/opt/so/log/sostatus/fips_enabled', 'w') as f:
f.write(str(fips))
def check_for_luks(): def check_for_luks():
os = __grains__['os'] luks = 0
luks = False
# Only checking fully supported OS
if os == 'OEL':
result = subprocess.run(['lsblk', '-p', '-J'], check=True, stdout=subprocess.PIPE) result = subprocess.run(['lsblk', '-p', '-J'], check=True, stdout=subprocess.PIPE)
data = json.loads(result.stdout) data = json.loads(result.stdout)
for device in data['blockdevices']: for device in data['blockdevices']:
@@ -67,20 +62,15 @@ def check_for_luks():
if 'children' in gc: if 'children' in gc:
try: try:
result = subprocess.run(['cryptsetup', 'isLuks', gc['name']], check=True, stdout=subprocess.PIPE) result = subprocess.run(['cryptsetup', 'isLuks', gc['name']], check=True, stdout=subprocess.PIPE)
luks = result.returncode == 0 luks = int(result.returncode == 0)
except FileNotFoundError: except FileNotFoundError:
for ggc in gc['children']: for ggc in gc['children']:
if 'crypt' in ggc['type']: if 'crypt' in ggc['type']:
luks = True luks = 1
if luks: if luks:
break break
return luks with open('/opt/so/log/sostatus/luks_enabled', 'w') as f:
f.write(str(luks))
def check_features():
fips = check_for_fips()
luks = check_for_luks()
with open('/opt/so/log/sostatus/features-check.log', 'w') as f:
f.write("featuresdetected fips={},luks={}".format(fips,luks))
def fail(msg): def fail(msg):
print(msg, file=sys.stderr) print(msg, file=sys.stderr)
@@ -90,9 +80,13 @@ def main():
proc = subprocess.run(['id', '-u'], stdout=subprocess.PIPE, encoding="utf-8") proc = subprocess.run(['id', '-u'], stdout=subprocess.PIPE, encoding="utf-8")
if proc.stdout.strip() != "0": if proc.stdout.strip() != "0":
fail("This program must be run as root") fail("This program must be run as root")
# Ensure that umask is 0022 so that files created by this script have rw-r-r permissions
org_umask = os.umask(0o022)
check_needs_restarted() check_needs_restarted()
check_features() check_for_fips()
check_for_luks()
# Restore umask to whatever value was set before this script was run. STIG sets to 0077 rw---
os.umask(org_umask)
if __name__ == "__main__": if __name__ == "__main__":
main() main()

5
salt/telegraf/scripts/features.sh
View File

@@ -7,8 +7,11 @@
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
cat /var/log/sostatus/features-check.log FIPS_ENABLED=$(cat /var/log/sostatus/fips_enabled)
LUKS_ENABLED=$(cat /var/log/sostatus/luks_enabled)
echo "features fips=$FIPS_ENABLED"
echo "features luks=$LUKS_ENABLED"
fi fi
exit 0 exit 0