lks/fps

2026-04-22 12:41:55 +02:00 · 2024-01-24 11:17:32 -05:00
parent cbdaf2e9a1
commit 9f17bd2255
8 changed files with 49 additions and 32 deletions
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -366,6 +366,13 @@ is_feature_enabled() {
 	return 1
 }

+read_feat() {
+	if [ -f /opt/so/log/sostatus/lks_enabled ]; then
+		lic_id=$(cat /opt/so/saltstack/local/pillar/soc/license.sls | grep license_id: | awk '{print $2}')
+		echo "$lic_id/$(cat /opt/so/log/sostatus/lks_enabled)/$(cat /opt/so/log/sostatus/fps_enabled)"
+	fi
+}
+
 require_manager() {
 	if is_manager_node; then
 		echo "This is a manager, so we can proceed."
@@ -559,6 +566,14 @@ status () {
    printf "\n=========================================================================\n$(date) | $1\n=========================================================================\n"
 }

+sync_options() {
+	set_version
+	set_os
+	salt_minion_count
+	
+	echo "$VERSION/$OS/$(uname -r)/$MINIONCOUNT/$(read_feat)"
+}
+
 systemctl_func() {
 	local action=$1
 	local echo_action=$1
--- a/salt/common/tools/sbin/so-common-status-check
+++ b/salt/common/tools/sbin/so-common-status-check
@@ -37,23 +37,28 @@ def check_needs_restarted():
  with open(outfile, 'w') as f:
    f.write(val)

-def check_for_fips():
-    fips = 0
+def check_for_fps():
+    feat = 'fps'
+    feat_full = feat.replace('ps', 'ips')
+    fps = 0
    try:
-        result = subprocess.run(['fips-mode-setup', '--is-enabled'], stdout=subprocess.PIPE)
+        result = subprocess.run([feat_full + '-mode-setup', '--is-enabled'], stdout=subprocess.PIPE)
        if result.returncode == 0:
-            fips = 1
+            fps = 1
    except FileNotFoundError:
-        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+        fn = '/proc/sys/crypto/' + feat_full + '_enabled'
+        with open(fn, 'r') as f:
            contents = f.read()
            if '1' in contents:
-                fips = 1
+                fps = 1

-    with open('/opt/so/log/sostatus/fips_enabled', 'w') as f:
-       f.write(str(fips))
+    with open('/opt/so/log/sostatus/lks_enabled', 'w') as f:
+       f.write(str(fps))

-def check_for_luks():
-    luks = 0
+def check_for_lks():
+    feat = 'Lks'
+    feat_full = feat.replace('ks', 'uks')
+    lks = 0
    result = subprocess.run(['lsblk', '-p', '-J'], check=True, stdout=subprocess.PIPE)
    data = json.loads(result.stdout)
    for device in data['blockdevices']:
@@ -61,17 +66,18 @@ def check_for_luks():
            for gc in device['children']:
                if 'children' in gc:
                    try:
-                        result = subprocess.run(['cryptsetup', 'isLuks', gc['name']], stdout=subprocess.PIPE)
+                        arg = 'is' + feat_full
+                        result = subprocess.run(['cryptsetup', arg, gc['name']], stdout=subprocess.PIPE)
                        if result.returncode == 0:
-                           luks = 1
+                           lks = 1
                    except FileNotFoundError:
                        for ggc in gc['children']:
                            if 'crypt' in ggc['type']:
-                                luks = 1
-        if luks:
+                                lks = 1
+        if lks:
            break
-    with open('/opt/so/log/sostatus/luks_enabled', 'w') as f:
-       f.write(str(luks))
+    with open('/opt/so/log/sostatus/fps_enabled', 'w') as f:
+       f.write(str(lks))

 def fail(msg):
  print(msg, file=sys.stderr)
@@ -84,9 +90,9 @@ def main():
  # Ensure that umask is 0022 so that files created by this script have rw-r-r permissions
  org_umask = os.umask(0o022)
  check_needs_restarted()
-  check_for_fips()
-  check_for_luks()
-  # Restore umask to whatever value was set before this script was run. STIG sets to 0077 rw---
+  check_for_fps()
+  check_for_lks()
+  # Restore umask to whatever value was set before this script was run. SXIG sets to 0077 rw---
  os.umask(org_umask)

 if __name__ == "__main__":