mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 09:12:45 +01:00
104 lines
3.2 KiB
Python
104 lines
3.2 KiB
Python
#!/usr/bin/env python3
|
|
|
|
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
|
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
|
|
# https://securityonion.net/license; you may not use this file except in compliance with the
|
|
# Elastic License 2.0.
|
|
|
|
import sys
|
|
import subprocess
|
|
import os
|
|
import json
|
|
|
|
sys.path.append('/opt/saltstack/salt/lib/python3.10/site-packages/')
|
|
import salt.config
|
|
import salt.loader
|
|
|
|
__opts__ = salt.config.minion_config('/etc/salt/minion')
|
|
__grains__ = salt.loader.grains(__opts__)
|
|
|
|
def check_needs_restarted():
|
|
osfam = __grains__['os_family']
|
|
val = '0'
|
|
outfile = "/opt/so/log/sostatus/needs_restarted"
|
|
|
|
if osfam == 'Debian':
|
|
if os.path.exists('/var/run/reboot-required'):
|
|
val = '1'
|
|
elif osfam == 'RedHat':
|
|
cmd = 'needs-restarting -r > /dev/null 2>&1'
|
|
try:
|
|
needs_restarting = subprocess.check_call(cmd, shell=True)
|
|
except subprocess.CalledProcessError:
|
|
val = '1'
|
|
else:
|
|
fail("Unsupported OS")
|
|
|
|
with open(outfile, 'w') as f:
|
|
f.write(val)
|
|
|
|
def check_for_fps():
|
|
feat = 'fps'
|
|
feat_full = feat.replace('ps', 'ips')
|
|
fps = 0
|
|
try:
|
|
result = subprocess.run([feat_full + '-mode-setup', '--is-enabled'], stdout=subprocess.PIPE)
|
|
if result.returncode == 0:
|
|
fps = 1
|
|
except FileNotFoundError:
|
|
fn = '/proc/sys/crypto/' + feat_full + '_enabled'
|
|
try:
|
|
with open(fn, 'r') as f:
|
|
contents = f.read()
|
|
if '1' in contents:
|
|
fps = 1
|
|
except:
|
|
# Unknown, so assume 0
|
|
fps = 0
|
|
|
|
with open('/opt/so/log/sostatus/fps_enabled', 'w') as f:
|
|
f.write(str(fps))
|
|
|
|
def check_for_lks():
|
|
feat = 'Lks'
|
|
feat_full = feat.replace('ks', 'uks')
|
|
lks = 0
|
|
result = subprocess.run(['lsblk', '-p', '-J'], check=True, stdout=subprocess.PIPE)
|
|
data = json.loads(result.stdout)
|
|
for device in data['blockdevices']:
|
|
if 'children' in device:
|
|
for gc in device['children']:
|
|
if 'children' in gc:
|
|
try:
|
|
arg = 'is' + feat_full
|
|
result = subprocess.run(['cryptsetup', arg, gc['name']], stdout=subprocess.PIPE)
|
|
if result.returncode == 0:
|
|
lks = 1
|
|
except FileNotFoundError:
|
|
for ggc in gc['children']:
|
|
if 'crypt' in ggc['type']:
|
|
lks = 1
|
|
if lks:
|
|
break
|
|
with open('/opt/so/log/sostatus/lks_enabled', 'w') as f:
|
|
f.write(str(lks))
|
|
|
|
def fail(msg):
|
|
print(msg, file=sys.stderr)
|
|
sys.exit(1)
|
|
|
|
def main():
|
|
proc = subprocess.run(['id', '-u'], stdout=subprocess.PIPE, encoding="utf-8")
|
|
if proc.stdout.strip() != "0":
|
|
fail("This program must be run as root")
|
|
# Ensure that umask is 0022 so that files created by this script have rw-r-r permissions
|
|
org_umask = os.umask(0o022)
|
|
check_needs_restarted()
|
|
check_for_fps()
|
|
check_for_lks()
|
|
# Restore umask to whatever value was set before this script was run. SXIG sets to 0077 rw---
|
|
os.umask(org_umask)
|
|
|
|
if __name__ == "__main__":
|
|
main()
|