lks/fps
@@ -366,6 +366,13 @@ is_feature_enabled() {
|
|||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
read_feat() {
|
||||||
|
if [ -f /opt/so/log/sostatus/lks_enabled ]; then
|
||||||
|
lic_id=$(cat /opt/so/saltstack/local/pillar/soc/license.sls | grep license_id: | awk '{print $2}')
|
||||||
|
echo "$lic_id/$(cat /opt/so/log/sostatus/lks_enabled)/$(cat /opt/so/log/sostatus/fps_enabled)"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
require_manager() {
|
require_manager() {
|
||||||
if is_manager_node; then
|
if is_manager_node; then
|
||||||
echo "This is a manager, so we can proceed."
|
echo "This is a manager, so we can proceed."
|
||||||
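Review bot: read_feat leaves `lic_id` as a global in the caller's shell and guards only on `lks_enabled` before also reading `fps_enabled`, so a missing second file prints a cat error and an empty field into a string that sync_options (next hunk) feeds into the reposync User-Agent sent to sigs.securityonion.net. Declare the variables `local`, read each file once with errors silenced, and replace the `cat | grep | awk` pipeline with a single awk over license.sls. A header comment should also state that this value — license id plus the two feature flags — leaves the host in an HTTP header, so anyone changing the format knows it is parsed remotely. is_feature_enabled's body begins outside the hunk.
```shell
# Emit "<license id>/<lks flag>/<fps flag>". The string is appended to the
# reposync User-Agent by sync_options, i.e. it is reported off-box; keep the
# field order stable and never add free-form text here.
read_feat() {
  local lic_id lks fps
  if [ -f /opt/so/log/sostatus/lks_enabled ]; then
    lic_id=$(awk '/license_id:/ {print $2}' /opt/so/saltstack/local/pillar/soc/license.sls 2>/dev/null)
    lks=$(cat /opt/so/log/sostatus/lks_enabled 2>/dev/null)
    fps=$(cat /opt/so/log/sostatus/fps_enabled 2>/dev/null)
    echo "$lic_id/$lks/$fps"
  fi
}
```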
@@ -559,6 +566,14 @@ status () {
|
|||||||
printf "\n=========================================================================\n$(date) | $1\n=========================================================================\n"
|
printf "\n=========================================================================\n$(date) | $1\n=========================================================================\n"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sync_options() {
|
||||||
|
set_version
|
||||||
|
set_os
|
||||||
|
salt_minion_count
|
||||||
|
|
||||||
|
echo "$VERSION/$OS/$(uname -r)/$MINIONCOUNT/$(read_feat)"
|
||||||
|
}
|
||||||
|
|
||||||
systemctl_func() {
|
systemctl_func() {
|
||||||
local action=$1
|
local action=$1
|
||||||
local echo_action=$1
|
local echo_action=$1
|
||||||
|
|||||||
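Review bot: sync_options has no comment saying that its output is the User-Agent string reported to sigs.securityonion.net (hunk @@ -7,12 +7,8 @@), and a reader of so-common cannot tell that `$(read_feat)` is intentionally empty on nodes without `/opt/so/log/sostatus/lks_enabled`, which leaves a trailing `/` the server must tolerate. Add `# Build the reposync User-Agent: version/os/kernel/minion count/license id+feature flags (last field empty until sostatus has run).` above the function. The `status` function named in the hunk header ends at the `}` on the first context line.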
@@ -37,23 +37,28 @@ def check_needs_restarted():
|
|||||||
with open(outfile, 'w') as f:
|
with open(outfile, 'w') as f:
|
||||||
f.write(val)
|
f.write(val)
|
||||||
|
|
||||||
def check_for_fips():
|
def check_for_fps():
|
||||||
fips = 0
|
feat = 'fps'
|
||||||
|
feat_full = feat.replace('ps', 'ips')
|
||||||
|
fps = 0
|
||||||
try:
|
try:
|
||||||
result = subprocess.run(['fips-mode-setup', '--is-enabled'], stdout=subprocess.PIPE)
|
result = subprocess.run([feat_full + '-mode-setup', '--is-enabled'], stdout=subprocess.PIPE)
|
||||||
if result.returncode == 0:
|
if result.returncode == 0:
|
||||||
fips = 1
|
fps = 1
|
||||||
except FileNotFoundError:
|
except FileNotFoundError:
|
||||||
with open('/proc/sys/crypto/fips_enabled', 'r') as f:
|
fn = '/proc/sys/crypto/' + feat_full + '_enabled'
|
||||||
|
with open(fn, 'r') as f:
|
||||||
contents = f.read()
|
contents = f.read()
|
||||||
if '1' in contents:
|
if '1' in contents:
|
||||||
fips = 1
|
fps = 1
|
||||||
|
|
||||||
with open('/opt/so/log/sostatus/fips_enabled', 'w') as f:
|
with open('/opt/so/log/sostatus/lks_enabled', 'w') as f:
|
||||||
f.write(str(fips))
|
f.write(str(fps))
|
||||||
|
|
||||||
def check_for_luks():
|
def check_for_lks():
|
||||||
luks = 0
|
feat = 'Lks'
|
||||||
|
feat_full = feat.replace('ks', 'uks')
|
||||||
|
lks = 0
|
||||||
result = subprocess.run(['lsblk', '-p', '-J'], check=True, stdout=subprocess.PIPE)
|
result = subprocess.run(['lsblk', '-p', '-J'], check=True, stdout=subprocess.PIPE)
|
||||||
data = json.loads(result.stdout)
|
data = json.loads(result.stdout)
|
||||||
for device in data['blockdevices']:
|
for device in data['blockdevices']:
|
||||||
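Review bot: check_for_fps now writes its result to `/opt/so/log/sostatus/lks_enabled` (the removed line wrote fips_enabled) while check_for_lks in the next hunk writes the LUKS result to `fps_enabled`, and the so-status hunk (@@ -7,11 +7,11 @@) then reports `features fps=` from fps_enabled, i.e. the LUKS value. If the cross-naming is deliberate it needs a comment at both writes, e.g. `# NOTE: flag files are intentionally cross-named; read_feat and so-status rely on this order`; otherwise the two paths should be exchanged back. Deriving the binary name and /proc path via `feat.replace('ps', 'ips')` hides which command is executed; a module-level constant with a one-line comment would keep the produced strings identical while making intent clear. The `open()` in the `except FileNotFoundError` branch is itself unguarded, so a kernel without that /proc file aborts the script before check_for_lks runs; this predates the change but the rename touched the line.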
@@ -61,17 +66,18 @@ def check_for_luks():
|
|||||||
for gc in device['children']:
|
for gc in device['children']:
|
||||||
if 'children' in gc:
|
if 'children' in gc:
|
||||||
try:
|
try:
|
||||||
result = subprocess.run(['cryptsetup', 'isLuks', gc['name']], stdout=subprocess.PIPE)
|
arg = 'is' + feat_full
|
||||||
|
result = subprocess.run(['cryptsetup', arg, gc['name']], stdout=subprocess.PIPE)
|
||||||
if result.returncode == 0:
|
if result.returncode == 0:
|
||||||
luks = 1
|
lks = 1
|
||||||
except FileNotFoundError:
|
except FileNotFoundError:
|
||||||
for ggc in gc['children']:
|
for ggc in gc['children']:
|
||||||
if 'crypt' in ggc['type']:
|
if 'crypt' in ggc['type']:
|
||||||
luks = 1
|
lks = 1
|
||||||
if luks:
|
if lks:
|
||||||
break
|
break
|
||||||
with open('/opt/so/log/sostatus/luks_enabled', 'w') as f:
|
with open('/opt/so/log/sostatus/fps_enabled', 'w') as f:
|
||||||
f.write(str(luks))
|
f.write(str(lks))
|
||||||
|
|
||||||
def fail(msg):
|
def fail(msg):
|
||||||
print(msg, file=sys.stderr)
|
print(msg, file=sys.stderr)
|
||||||
@@ -84,9 +90,9 @@ def main():
|
|||||||
# Ensure that umask is 0022 so that files created by this script have rw-r-r permissions
|
# Ensure that umask is 0022 so that files created by this script have rw-r-r permissions
|
||||||
org_umask = os.umask(0o022)
|
org_umask = os.umask(0o022)
|
||||||
check_needs_restarted()
|
check_needs_restarted()
|
||||||
check_for_fips()
|
check_for_fps()
|
||||||
check_for_luks()
|
check_for_lks()
|
||||||
# Restore umask to whatever value was set before this script was run. STIG sets to 0077 rw---
|
# Restore umask to whatever value was set before this script was run. SXIG sets to 0077 rw---
|
||||||
os.umask(org_umask)
|
os.umask(org_umask)
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
|
|||||||
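Review bot: The comment on the umask restore now reads `SXIG sets to 0077 rw---`, which names nothing a reader can look up; if the intent is to keep the feature name out of source, the comment should still be accurate, e.g. `# Restore umask to whatever value was set before this script was run. The 'stg' hardening profile sets 0077 (rw-------).` main continues outside the hunk.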
@@ -21,7 +21,7 @@
|
|||||||
|
|
||||||
{% set KRATOSMERGED = salt['pillar.get']('kratos', default=KRATOSDEFAULTS.kratos, merge=true) %}
|
{% set KRATOSMERGED = salt['pillar.get']('kratos', default=KRATOSDEFAULTS.kratos, merge=true) %}
|
||||||
|
|
||||||
{% if KRATOSMERGED.oidc.enabled and 'oidc' in salt['pillar.get']('features') %}
|
{% if KRATOSMERGED.oidc.enabled and 'odc' in salt['pillar.get']('features') %}
|
||||||
{% do KRATOSMERGED.config.selfservice.methods.update({'oidc': {'enabled': true, 'config': {'providers': [KRATOSMERGED.oidc.config]}}}) %}
|
{% do KRATOSMERGED.config.selfservice.methods.update({'oidc': {'enabled': true, 'config': {'providers': [KRATOSMERGED.oidc.config]}}}) %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
|||||||
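Review bot: `salt['pillar.get']('features')` on the changed line has no default, so on a minion whose pillar lacks the key the test becomes `'odc' in None` and the render raises TypeError; the stig templates in this commit use `salt['pillar.get']('features', [])`. Change it to `{% if KRATOSMERGED.oidc.enabled and 'odc' in salt['pillar.get']('features', []) %}`. The flag `'odc'` differs from the `'oidc'` key used on the next line for the Kratos method, so a comment such as `{# 'odc' is the licensed-feature flag that unlocks the oidc sign-in method #}` would stop a future reader from "fixing" it.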
@@ -7,12 +7,8 @@
|
|||||||
NOROOT=1
|
NOROOT=1
|
||||||
. /usr/sbin/so-common
|
. /usr/sbin/so-common
|
||||||
|
|
||||||
set_version
|
|
||||||
set_os
|
|
||||||
salt_minion_count
|
|
||||||
|
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
curl --retry 5 --retry-delay 60 -A "reposync/$VERSION/$OS/$(uname -r)/$MINIONCOUNT" https://sigs.securityonion.net/checkup --output /tmp/checkup
|
curl --retry 5 --retry-delay 60 -A "reposync/$(sync_options)" https://sigs.securityonion.net/checkup --output /tmp/checkup
|
||||||
dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/
|
dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/
|
||||||
createrepo /nsm/repo
|
createrepo /nsm/repo
|
||||||
|
|||||||
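Review bot: The User-Agent is now built by `$(sync_options)` inside the curl line, after `set -e`, so a failure inside it (a cat of a missing fps_enabled, or an unreadable pillar license file if this script runs unprivileged as `NOROOT=1` suggests) does not stop the script but silently sends a partial identifier; the removed `set_version`/`set_os`/`salt_minion_count` calls ran before `set -e` where their failure was visible. Compute the string once before `set -e`, `ua="reposync/$(sync_options)"`, and pass `-A "$ua"`, so the value can be logged or checked before it leaves the host. Whether reposync actually runs as root is not visible here.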
@@ -347,7 +347,7 @@ function syncElastic() {
|
|||||||
[[ $? != 0 ]] && fail "Unable to read credential hashes from database"
|
[[ $? != 0 ]] && fail "Unable to read credential hashes from database"
|
||||||
|
|
||||||
user_data_formatted=$(echo "${userData}" | jq -r '.user + ":" + .data.hashed_password')
|
user_data_formatted=$(echo "${userData}" | jq -r '.user + ":" + .data.hashed_password')
|
||||||
if lookup_salt_value "licensed_features" "" "pillar" | grep -x oidc; then
|
if lookup_salt_value "features" "" "pillar" | grep -x odc; then
|
||||||
# generate random placeholder salt/hash for users without passwords
|
# generate random placeholder salt/hash for users without passwords
|
||||||
random_crypt=$(get_random_value 53)
|
random_crypt=$(get_random_value 53)
|
||||||
user_data_formatted=$(echo "${user_data_formatted}" | sed -r "s/^(.+:)\$/\\1\$2a\$12${random_crypt}/")
|
user_data_formatted=$(echo "${user_data_formatted}" | sed -r "s/^(.+:)\$/\\1\$2a\$12${random_crypt}/")
|
||||||
|
|||||||
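Review bot: `grep -x odc` on the changed line prints the matched value to the script's stdout; `grep -qx odc` keeps the test silent. The pillar key also moved from `licensed_features` to `features`; the kratos template in this commit reads the same key, so they agree, but whether lookup_salt_value prints one value per line (as `-x` requires) is not visible here and should be confirmed. syncElastic starts outside the hunk.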
@@ -12,7 +12,7 @@
|
|||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states and GLOBALS.os == 'OEL' %}
|
{% if sls.split('.')[0] in allowed_states and GLOBALS.os == 'OEL' %}
|
||||||
{% if 'stig' in salt['pillar.get']('features', []) %}
|
{% if 'stg' in salt['pillar.get']('features', []) %}
|
||||||
{% set OSCAP_PROFILE_NAME = 'xccdf_org.ssgproject.content_profile_stig' %}
|
{% set OSCAP_PROFILE_NAME = 'xccdf_org.ssgproject.content_profile_stig' %}
|
||||||
{% set OSCAP_PROFILE_LOCATION = '/opt/so/conf/stig/sos-oscap.xml' %}
|
{% set OSCAP_PROFILE_LOCATION = '/opt/so/conf/stig/sos-oscap.xml' %}
|
||||||
{% set OSCAP_OUTPUT_DIR = '/opt/so/log/stig' %}
|
{% set OSCAP_OUTPUT_DIR = '/opt/so/log/stig' %}
|
||||||
|
|||||||
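Review bot: The feature check now reads `'stg'` while every path and profile name on the following lines still says `stig`, so a reader will take one of them for a typo. Add `{# 'stg' is the licensed-feature flag for the STIG hardening profile #}` above the `{% if %}` here and in the schedule template (@@ -4,7 +4,7 @@).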
@@ -4,7 +4,7 @@
|
|||||||
# Elastic License 2.0.
|
# Elastic License 2.0.
|
||||||
|
|
||||||
{% from 'stig/map.jinja' import STIGMERGED %}
|
{% from 'stig/map.jinja' import STIGMERGED %}
|
||||||
{% if 'stig' in salt['pillar.get']('features', []) %}
|
{% if 'stg' in salt['pillar.get']('features', []) %}
|
||||||
stig_remediate_schedule:
|
stig_remediate_schedule:
|
||||||
schedule.present:
|
schedule.present:
|
||||||
- function: state.apply
|
- function: state.apply
|
||||||
|
|||||||
@@ -7,11 +7,11 @@
|
|||||||
|
|
||||||
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
|
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
|
||||||
|
|
||||||
FIPS_ENABLED=$(cat /var/log/sostatus/fips_enabled)
|
FPS_ENABLED=$(cat /var/log/sostatus/fps_enabled)
|
||||||
LUKS_ENABLED=$(cat /var/log/sostatus/luks_enabled)
|
LKS_ENABLED=$(cat /var/log/sostatus/lks_enabled)
|
||||||
|
|
||||||
echo "features fips=$FIPS_ENABLED"
|
echo "features fps=$FPS_ENABLED"
|
||||||
echo "features luks=$LUKS_ENABLED"
|
echo "features lks=$LKS_ENABLED"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
|||||||
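Review bot: Both `cat` calls on the changed lines are unguarded, so before sostatus has written the files the script prints an error and reports `features fps=` with an empty value; use `FPS_ENABLED=$(cat /var/log/sostatus/fps_enabled 2>/dev/null || echo 0)` and the same for `LKS_ENABLED`. The Python writer in this commit uses `/opt/so/log/sostatus/` while this script reads `/var/log/sostatus/` — presumably a symlink, but worth confirming. Given the cross-naming in check_for_fps/check_for_lks, `fps=` here carries the LUKS result unless those writes are swapped back.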