79 lines
3.1 KiB
Bash
79 lines
3.1 KiB
Bash
#!/bin/bash
|
|
#
|
|
# Copyright (c) 2017 Wind River Systems, Inc.
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
#
|
|
|
|
# Install a new certificate file, pushing it to both controllers
|
|
# Also allow a TPM option to install the certificate files using
|
|
# an onboard Trusted Platform Module (TPM)
|
|
|
|
source /etc/platform/platform.conf
|
|
|
|
processIMAAppraisal()
|
|
{
|
|
# SAMPLE INCOMING EVENT:
|
|
# 20:43:51.000 localhost audispd: info node=localhost.localdomain
|
|
# type=INTEGRITY_DATA msg=audit(1507236231.359:4179): pid=4411 uid=0
|
|
# auid=1875 ses=18 op="appraise_data" cause="missing-signature"
|
|
# comm=sudo name=/usr/lib64/ld-2.17.so dev=sda3 ino=262715 res=0
|
|
event_array=($1)
|
|
_hostname=${event_array[0]}
|
|
_appraisal_msg=${event_array[@]:1}
|
|
# parse appraise specific fields from the message
|
|
for field in $_appraisal_msg; do
|
|
set -- `echo $field | tr '=' ' '`
|
|
eval _$1=$2;
|
|
done
|
|
|
|
# sanity check (make sure its an appraisal event
|
|
if [ "${_op}" == "appraise_data" ]; then
|
|
# Fields explanation:
|
|
#
|
|
# alarm_id: 500.500
|
|
# alarm_state: msg
|
|
# entity_type_id: system.service
|
|
# entity_instance_id: host=<hostname>.service=<service>
|
|
# severity: major
|
|
# reason_text: Host <host_name> has IMA Appraisal failure for service <service>,
|
|
# reason = <reason_text>
|
|
# alarm_type: integrity-violation
|
|
# probable_cause: information-modification-detected
|
|
# proposed_repair_action:free-format string providing additional details on how to
|
|
# clear the alarm. Optional.
|
|
# service_affecting: false
|
|
# suppression: false
|
|
# uuid: unique identifier of an active alarm instance, filled by FM system
|
|
# Timestamp: filled by FM system
|
|
_absol_path=`which $_comm`
|
|
[ $? -eq 0 ] || _absol_path="$_comm"
|
|
FM_EVENT_LOG="### ###500.500###msg###system.service###host=$_hostname.service=$_comm### ###major###Host $_hostname has IMA Appraisal failure for service $_absol_path when executing file $_name, reason = $_cause###integrity-violation###information-modification-detected### ### ### ###"
|
|
fmClientCli -c "\"$FM_EVENT_LOG\""
|
|
fi
|
|
}
|
|
|
|
while read line; do
|
|
if [ ! -z "$line" ]; then
|
|
# Before we proceed, we need to ensure that
|
|
# this node has been configured so that FM Events can
|
|
# be logged
|
|
if [ ${nodetype} == "controller" ]; then
|
|
_configuration_flag_file="/var/run/.controller_config_complete"
|
|
elif [ ${nodetype} == "worker" ]; then
|
|
_configuration_flag_file="/var/run/.worker_config_complete"
|
|
elif [ ${nodetype} == "storage" ]; then
|
|
_configuration_flag_file="/var/run/.storage_config_complete"
|
|
else
|
|
_configuration_flag_file=""
|
|
fi
|
|
|
|
if [ -n "${_configuration_flag_file}" ] && [ -f "${_configuration_flag_file}" ]; then
|
|
# Only covers IMA appraisals at the moment, since this destination
|
|
# is only set up to IMA appraise logs in syslog-ng.conf, but this
|
|
# can be opened up to other FM Event Sysloggers
|
|
processIMAAppraisal "$line"
|
|
fi
|
|
fi
|
|
done
|