Merge pull request #12208 from Security-Onion-Solutions/reyesj2-patch-sl

This commit is contained in:
Jorge Reyes
2024-01-18 16:53:14 -05:00
committed by GitHub
2 changed files with 41 additions and 44 deletions


@@ -38,49 +38,39 @@ def check_needs_restarted():
f.write(val) f.write(val)
def check_for_fips(): def check_for_fips():
os = __grains__['os'] fips = 0
fips = False try:
# Only checking fully supported OS result = subprocess.run(['fips-mode-setup', '--is-enabled'], check=True, stdout=subprocess.PIPE)
if os == 'OEL': fips = int(result.returncode == 0)
try: except FileNotFoundError:
result = subprocess.run(['fips-mode-setup', '--is-enabled'], check=True, stdout=subprocess.PIPE) with open('/proc/sys/crypto/fips_enabled', 'r') as f:
fips = result.returncode == 0 contents = f.read()
except FileNotFoundError: if '1' in contents:
with open('/proc/sys/crypto/fips_enabled', 'r') as f: fips = 1
contents = f.read() else:
if '1' in contents: fips = 0
fips = True with open('/opt/so/log/sostatus/fips_enabled', 'w') as f:
else: f.write(str(fips))
fips = False
return fips
def check_for_luks(): def check_for_luks():
os = __grains__['os'] luks = 0
luks = False result = subprocess.run(['lsblk', '-p', '-J'], check=True, stdout=subprocess.PIPE)
# Only checking fully supported OS data = json.loads(result.stdout)
if os == 'OEL': for device in data['blockdevices']:
result = subprocess.run(['lsblk', '-p', '-J'], check=True, stdout=subprocess.PIPE) if 'children' in device:
data = json.loads(result.stdout) for gc in device['children']:
for device in data['blockdevices']: if 'children' in gc:
if 'children' in device: try:
for gc in device['children']: result = subprocess.run(['cryptsetup', 'isLuks', gc['name']], check=True, stdout=subprocess.PIPE)
if 'children' in gc: luks = int(result.returncode == 0)
try: except FileNotFoundError:
result = subprocess.run(['cryptsetup', 'isLuks', gc['name']], check=True, stdout=subprocess.PIPE) for ggc in gc['children']:
luks = result.returncode == 0 if 'crypt' in ggc['type']:
except FileNotFoundError: luks = 1
for ggc in gc['children']: if luks:
if 'crypt' in ggc['type']: break
luks = True with open('/opt/so/log/sostatus/luks_enabled', 'w') as f:
if luks: f.write(str(luks))
break
return luks
def check_features():
fips = check_for_fips()
luks = check_for_luks()
with open('/opt/so/log/sostatus/features-check.log', 'w') as f:
f.write("featuresdetected fips={},luks={}".format(fips,luks))
def fail(msg): def fail(msg):
print(msg, file=sys.stderr) print(msg, file=sys.stderr)
@@ -90,9 +80,13 @@ def main():
proc = subprocess.run(['id', '-u'], stdout=subprocess.PIPE, encoding="utf-8") proc = subprocess.run(['id', '-u'], stdout=subprocess.PIPE, encoding="utf-8")
if proc.stdout.strip() != "0": if proc.stdout.strip() != "0":
fail("This program must be run as root") fail("This program must be run as root")
# Ensure that umask is 0022 so that files created by this script have rw-r-r permissions
org_umask = os.umask(0o022)
check_needs_restarted() check_needs_restarted()
check_features() check_for_fips()
check_for_luks()
# Restore umask to whatever value was set before this script was run. STIG sets to 0077 rw---
os.umask(org_umask)
if __name__ == "__main__": if __name__ == "__main__":
main() main()
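Review bot: In the new check_for_fips and check_for_luks (first hunk), `check=True` makes the `result.returncode == 0` test dead code: a non-zero exit raises subprocess.CalledProcessError, which neither `except FileNotFoundError` handler catches. `fips-mode-setup --is-enabled` exits non-zero when FIPS is disabled and `cryptsetup isLuks` exits non-zero for a non-LUKS device, so on such hosts main() aborts before `fips_enabled`/`luks_enabled` are written and the consumer reads a stale or missing file. Dropping `check=True` from those two calls, `result = subprocess.run(['fips-mode-setup', '--is-enabled'], stdout=subprocess.PIPE)` and `result = subprocess.run(['cryptsetup', 'isLuks', gc['name']], stdout=subprocess.PIPE)`, makes the returncode comparison meaningful; the removed code had the same pattern, so this is inherited rather than introduced, but the rewrite keeps it. The umask lines in main (`org_umask = os.umask(0o022)` and the matching restore) appear on one side only and this rendering does not show which; if they are on the removed side, the two status files would be created under whatever umask the caller has (the comment mentions a STIG 0077 default), which could leave them unreadable to a non-root reader.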


@@ -7,8 +7,11 @@
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
cat /var/log/sostatus/features-check.log FIPS_ENABLED=$(cat /var/log/sostatus/fips_enabled)
LUKS_ENABLED=$(cat /var/log/sostatus/luks_enabled)
echo "features fips=$FIPS_ENABLED"
echo "features luks=$LUKS_ENABLED"
fi fi
exit 0 exit 0
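Review bot: `$(cat /var/log/sostatus/fips_enabled)` expands to an empty string (with a cat error on stderr) when the file is absent, so the output becomes `features fips=` with nothing to tell the consumer that the check never ran; the same applies to the luks line. Guarding each read, e.g. `FIPS_ENABLED=$(cat /var/log/sostatus/fips_enabled 2>/dev/null || echo unknown)` and likewise for `LUKS_ENABLED`, keeps the output parseable and distinguishes "not checked" from "0". The Python side writes to /opt/so/log/sostatus/ while this script reads /var/log/sostatus/; presumably the same directory via a symlink or mount, but that is not shown here and is worth confirming.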