Merge branch 'ent-9869-no-desactivar-validate_password-en-nuevas-instalaciones' into 'develop'

9869 adding check for mysql password validation to online installers

See merge request artica/pandorafms!6278
Rafael Ameijeiras 2023-07-27 06:32:45 +00:00
commit 77aaba52fc
4 changed files with 218 additions and 14 deletions


@ -19,10 +19,10 @@ LOGFILE="/tmp/deploy-ext-db-$(date +%F).log"
[ "$DBHOST" ] || DBHOST=127.0.0.1 [ "$DBHOST" ] || DBHOST=127.0.0.1
[ "$DBNAME" ] || DBNAME=pandora [ "$DBNAME" ] || DBNAME=pandora
[ "$DBUSER" ] || DBUSER=pandora [ "$DBUSER" ] || DBUSER=pandora
[ "$DBPASS" ] || DBPASS=pandora [ "$DBPASS" ] || DBPASS='Pandor4!'
[ "$DBPORT" ] || DBPORT=3306 [ "$DBPORT" ] || DBPORT=3306
[ "$DBROOTUSER" ] || DBROOTUSER=root [ "$DBROOTUSER" ] || DBROOTUSER=root
[ "$DBROOTPASS" ] || DBROOTPASS=pandora [ "$DBROOTPASS" ] || DBROOTPASS='Pandor4!'
[ "$SKIP_DATABASE_INSTALL" ] || SKIP_DATABASE_INSTALL=0 [ "$SKIP_DATABASE_INSTALL" ] || SKIP_DATABASE_INSTALL=0
[ "$SKIP_KERNEL_OPTIMIZATIONS" ] || SKIP_KERNEL_OPTIMIZATIONS=0 [ "$SKIP_KERNEL_OPTIMIZATIONS" ] || SKIP_KERNEL_OPTIMIZATIONS=0
[ "$POOL_SIZE" ] || POOL_SIZE=$(grep -i total /proc/meminfo | head -1 | awk '{printf "%.2f \n", $(NF-1)*0.4/1024}' | sed "s/\\..*$/M/g") [ "$POOL_SIZE" ] || POOL_SIZE=$(grep -i total /proc/meminfo | head -1 | awk '{printf "%.2f \n", $(NF-1)*0.4/1024}' | sed "s/\\..*$/M/g")
@ -79,6 +79,53 @@ check_root_permissions () {
fi fi
} }
# Function to check if a password meets the MySQL secure password requirements
is_mysql_secure_password() {
local password=$1
# Check password length (at least 8 characters)
if [[ ${#password} -lt 8 ]]; then
echo "Password length should be at least 8 characters."
return 1
fi
# Check if password contains at least one uppercase letter
if [[ $password == ${password,,} ]]; then
echo "Password should contain at least one uppercase letter."
return 1
fi
# Check if password contains at least one lowercase letter
if [[ $password == ${password^^} ]]; then
echo "Password should contain at least one lowercase letter."
return 1
fi
# Check if password contains at least one digit
if ! [[ $password =~ [0-9] ]]; then
echo "Password should contain at least one digit."
return 1
fi
# Check if password contains at least one special character
if ! [[ $password =~ [[:punct:]] ]]; then
echo "Password should contain at least one special character."
return 1
fi
# Check if password is not a common pattern (e.g., "password", "123456")
local common_patterns=("password" "123456" "qwerty")
for pattern in "${common_patterns[@]}"; do
if [[ $password == *"$pattern"* ]]; then
echo "Password should not contain common patterns."
return 1
fi
done
# If all checks pass, the password is MySQL secure compliant
return 0
}
## Main ## Main
echo "Starting PandoraFMS External DB deployment EL8 ver. $S_VERSION" echo "Starting PandoraFMS External DB deployment EL8 ver. $S_VERSION"
@ -128,6 +175,10 @@ execute_cmd "grep --version" 'Checking needed tools: grep'
execute_cmd "sed --version" 'Checking needed tools: sed' execute_cmd "sed --version" 'Checking needed tools: sed'
execute_cmd "dnf --version" 'Checking needed tools: dnf' execute_cmd "dnf --version" 'Checking needed tools: dnf'
#Check mysql pass
execute_cmd "is_mysql_secure_password $DBROOTPASS" "Checking DBROOTPASS password match policy" 'This password do not match minimum MySQL policy requirements, more info in: https://dev.mysql.com/doc/refman/8.0/en/validate-password.html'
execute_cmd "is_mysql_secure_password $DBPASS" "Checking DBPASS password match policy" 'This password do not match minimum MySQL policy requirements, more info in: https://dev.mysql.com/doc/refman/8.0/en/validate-password.html'
# Creating working directory # Creating working directory
rm -rf "$HOME"/pandora_deploy_tmp/*.rpm* &>> "$LOGFILE" rm -rf "$HOME"/pandora_deploy_tmp/*.rpm* &>> "$LOGFILE"
mkdir "$HOME"/pandora_deploy_tmp &>> "$LOGFILE" mkdir "$HOME"/pandora_deploy_tmp &>> "$LOGFILE"
@ -207,16 +258,12 @@ if [ "$SKIP_DATABASE_INSTALL" -eq '0' ] ; then
export MYSQL_PWD=$(grep "temporary password" /var/log/mysqld.log | rev | cut -d' ' -f1 | rev) export MYSQL_PWD=$(grep "temporary password" /var/log/mysqld.log | rev | cut -d' ' -f1 | rev)
if [ "$MYVER" -eq '80' ] ; then if [ "$MYVER" -eq '80' ] ; then
echo """ echo """
SET PASSWORD FOR '$DBROOTUSER'@'localhost' = 'Pandor4!';
UNINSTALL COMPONENT 'file://component_validate_password';
SET PASSWORD FOR '$DBROOTUSER'@'localhost' = '$DBROOTPASS'; SET PASSWORD FOR '$DBROOTUSER'@'localhost' = '$DBROOTPASS';
""" | mysql --connect-expired-password -u$DBROOTUSER &>> "$LOGFILE" """ | mysql --connect-expired-password -u$DBROOTUSER &>> "$LOGFILE"
fi fi
if [ "$MYVER" -ne '80' ] ; then if [ "$MYVER" -ne '80' ] ; then
echo """ echo """
SET PASSWORD FOR '$DBROOTUSER'@'localhost' = PASSWORD('Pandor4!');
UNINSTALL PLUGIN validate_password;
SET PASSWORD FOR '$DBROOTUSER'@'localhost' = PASSWORD('$DBROOTPASS'); SET PASSWORD FOR '$DBROOTUSER'@'localhost' = PASSWORD('$DBROOTPASS');
""" | mysql --connect-expired-password -u$DBROOTUSER &>> "$LOGFILE"fi """ | mysql --connect-expired-password -u$DBROOTUSER &>> "$LOGFILE"fi
fi fi
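Review bot: The new policy checks hand the password to `execute_cmd` inside an unquoted command string (`execute_cmd "is_mysql_secure_password $DBROOTPASS" …`), so a password containing whitespace or shell metacharacters — which the `[[:punct:]]` rule actively encourages — is word-split or re-evaluated before it reaches `$1`, and if execute_cmd records the command it runs, the DB root password lands in the /tmp log file (execute_cmd is defined outside this hunk, so that last part is inferred). Calling the function directly avoids both problems: `is_mysql_secure_password "$DBROOTPASS" || { echo "DBROOTPASS does not meet the MySQL validate_password policy"; exit 1; }`. The same value is later spliced into SQL as `'$DBROOTPASS'`, so a password containing `'` satisfies the shell check but breaks the `SET PASSWORD` statement in this hunk. Finally, the defaults `Pandor4!` satisfy the policy, so an install that sets neither variable still ends up with a publicly documented root password; printing a warning when the default is in use would be worth adding.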


@ -26,9 +26,9 @@ rm -f $LOGFILE &> /dev/null # remove last log before start
[ "$DBHOST" ] || DBHOST=127.0.0.1 [ "$DBHOST" ] || DBHOST=127.0.0.1
[ "$DBNAME" ] || DBNAME=pandora [ "$DBNAME" ] || DBNAME=pandora
[ "$DBUSER" ] || DBUSER=pandora [ "$DBUSER" ] || DBUSER=pandora
[ "$DBPASS" ] || DBPASS=pandora [ "$DBPASS" ] || DBPASS='Pandor4!'
[ "$DBPORT" ] || DBPORT=3306 [ "$DBPORT" ] || DBPORT=3306
[ "$DBROOTPASS" ] || DBROOTPASS=pandora [ "$DBROOTPASS" ] || DBROOTPASS='Pandor4!'
[ "$SKIP_DATABASE_INSTALL" ] || SKIP_DATABASE_INSTALL=0 [ "$SKIP_DATABASE_INSTALL" ] || SKIP_DATABASE_INSTALL=0
[ "$SKIP_KERNEL_OPTIMIZATIONS" ] || SKIP_KERNEL_OPTIMIZATIONS=0 [ "$SKIP_KERNEL_OPTIMIZATIONS" ] || SKIP_KERNEL_OPTIMIZATIONS=0
[ "$POOL_SIZE" ] || POOL_SIZE=$(grep -i total /proc/meminfo | head -1 | awk '{printf "%.2f \n", $(NF-1)*0.4/1024}' | sed "s/\\..*$/M/g") [ "$POOL_SIZE" ] || POOL_SIZE=$(grep -i total /proc/meminfo | head -1 | awk '{printf "%.2f \n", $(NF-1)*0.4/1024}' | sed "s/\\..*$/M/g")
@ -86,6 +86,53 @@ check_root_permissions () {
fi fi
} }
# Function to check if a password meets the MySQL secure password requirements
is_mysql_secure_password() {
local password=$1
# Check password length (at least 8 characters)
if [[ ${#password} -lt 8 ]]; then
echo "Password length should be at least 8 characters."
return 1
fi
# Check if password contains at least one uppercase letter
if [[ $password == ${password,,} ]]; then
echo "Password should contain at least one uppercase letter."
return 1
fi
# Check if password contains at least one lowercase letter
if [[ $password == ${password^^} ]]; then
echo "Password should contain at least one lowercase letter."
return 1
fi
# Check if password contains at least one digit
if ! [[ $password =~ [0-9] ]]; then
echo "Password should contain at least one digit."
return 1
fi
# Check if password contains at least one special character
if ! [[ $password =~ [[:punct:]] ]]; then
echo "Password should contain at least one special character."
return 1
fi
# Check if password is not a common pattern (e.g., "password", "123456")
local common_patterns=("password" "123456" "qwerty")
for pattern in "${common_patterns[@]}"; do
if [[ $password == *"$pattern"* ]]; then
echo "Password should not contain common patterns."
return 1
fi
done
# If all checks pass, the password is MySQL secure compliant
return 0
}
## Main ## Main
echo "Starting PandoraFMS External DB deployment Ubuntu 22.04 ver. $S_VERSION" echo "Starting PandoraFMS External DB deployment Ubuntu 22.04 ver. $S_VERSION"
@ -137,6 +184,10 @@ execute_cmd "grep --version" 'Checking needed tools: grep'
execute_cmd "sed --version" 'Checking needed tools: sed' execute_cmd "sed --version" 'Checking needed tools: sed'
execute_cmd "apt --version" 'Checking needed tools: apt' execute_cmd "apt --version" 'Checking needed tools: apt'
#Check mysql pass
execute_cmd "is_mysql_secure_password $DBROOTPASS" "Checking DBROOTPASS password match policy" 'This password do not match minimum MySQL policy requirements, more info in: https://dev.mysql.com/doc/refman/8.0/en/validate-password.html'
execute_cmd "is_mysql_secure_password $DBPASS" "Checking DBPASS password match policy" 'This password do not match minimum MySQL policy requirements, more info in: https://dev.mysql.com/doc/refman/8.0/en/validate-password.html'
# Creating working directory # Creating working directory
rm -rf "$WORKDIR" &>> "$LOGFILE" rm -rf "$WORKDIR" &>> "$LOGFILE"
mkdir -p "$WORKDIR" &>> "$LOGFILE" mkdir -p "$WORKDIR" &>> "$LOGFILE"
@ -170,6 +221,7 @@ if [ "$SKIP_DATABASE_INSTALL" -eq '0' ] ; then
""" | mysql -uroot &>> "$LOGFILE" """ | mysql -uroot &>> "$LOGFILE"
export MYSQL_PWD=$DBROOTPASS export MYSQL_PWD=$DBROOTPASS
echo "INSTALL COMPONENT 'file://component_validate_password';" | mysql -uroot -P$DBPORT -h$DBHOST &>> "$LOGFILE"
echo -en "${cyan}Creating Pandora FMS database...${reset}" echo -en "${cyan}Creating Pandora FMS database...${reset}"
echo "create database $DBNAME" | mysql -uroot -P$DBPORT -h$DBHOST echo "create database $DBNAME" | mysql -uroot -P$DBPORT -h$DBHOST
check_cmd_status "Error creating database $DBNAME, is this an empty node? if you have a previus installation please contact with support." check_cmd_status "Error creating database $DBNAME, is this an empty node? if you have a previus installation please contact with support."
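Review bot: The `INSTALL COMPONENT 'file://component_validate_password'` line sends its output to the log and is not followed by `check_cmd_status`, unlike the `create database` step right after it, so a failed install (component missing, or already loaded, if the server returns an error in that case) leaves MySQL without the policy while the script reports success. Add `check_cmd_status "Error installing component_validate_password"` after it, or guard the statement with a lookup in `mysql.component` so a repeated run does not fail. Note that the component is loaded only after the root password has been set, so the only validation applied to the passwords chosen at install time is the shell-side `is_mysql_secure_password`; that function therefore has to stay aligned with the server's default MEDIUM policy (length 8, upper, lower, digit, special), which it currently does.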


@ -24,10 +24,10 @@ LOGFILE="/tmp/pandora-deploy-community-$(date +%F).log"
[ "$DBHOST" ] || DBHOST=127.0.0.1 [ "$DBHOST" ] || DBHOST=127.0.0.1
[ "$DBNAME" ] || DBNAME=pandora [ "$DBNAME" ] || DBNAME=pandora
[ "$DBUSER" ] || DBUSER=pandora [ "$DBUSER" ] || DBUSER=pandora
[ "$DBPASS" ] || DBPASS=pandora [ "$DBPASS" ] || DBPASS='Pandor4!'
[ "$DBPORT" ] || DBPORT=3306 [ "$DBPORT" ] || DBPORT=3306
[ "$DBROOTUSER" ] || DBROOTUSER=root [ "$DBROOTUSER" ] || DBROOTUSER=root
[ "$DBROOTPASS" ] || DBROOTPASS=pandora [ "$DBROOTPASS" ] || DBROOTPASS='Pandor4!'
[ "$SKIP_PRECHECK" ] || SKIP_PRECHECK=0 [ "$SKIP_PRECHECK" ] || SKIP_PRECHECK=0
[ "$SKIP_DATABASE_INSTALL" ] || SKIP_DATABASE_INSTALL=0 [ "$SKIP_DATABASE_INSTALL" ] || SKIP_DATABASE_INSTALL=0
[ "$SKIP_KERNEL_OPTIMIZATIONS" ] || SKIP_KERNEL_OPTIMIZATIONS=0 [ "$SKIP_KERNEL_OPTIMIZATIONS" ] || SKIP_KERNEL_OPTIMIZATIONS=0
@ -125,6 +125,52 @@ installing_docker () {
echo "End installig docker" &>> "$LOGFILE" echo "End installig docker" &>> "$LOGFILE"
} }
# Function to check if a password meets the MySQL secure password requirements
is_mysql_secure_password() {
local password=$1
# Check password length (at least 8 characters)
if [[ ${#password} -lt 8 ]]; then
echo "Password length should be at least 8 characters."
return 1
fi
# Check if password contains at least one uppercase letter
if [[ $password == ${password,,} ]]; then
echo "Password should contain at least one uppercase letter."
return 1
fi
# Check if password contains at least one lowercase letter
if [[ $password == ${password^^} ]]; then
echo "Password should contain at least one lowercase letter."
return 1
fi
# Check if password contains at least one digit
if ! [[ $password =~ [0-9] ]]; then
echo "Password should contain at least one digit."
return 1
fi
# Check if password contains at least one special character
if ! [[ $password =~ [[:punct:]] ]]; then
echo "Password should contain at least one special character."
return 1
fi
# Check if password is not a common pattern (e.g., "password", "123456")
local common_patterns=("password" "123456" "qwerty")
for pattern in "${common_patterns[@]}"; do
if [[ $password == *"$pattern"* ]]; then
echo "Password should not contain common patterns."
return 1
fi
done
# If all checks pass, the password is MySQL secure compliant
return 0
}
## Main ## Main
echo "Starting PandoraFMS Community deployment EL8 ver. $S_VERSION" echo "Starting PandoraFMS Community deployment EL8 ver. $S_VERSION"
@ -189,6 +235,10 @@ execute_cmd "grep --version" 'Checking needed tools: grep'
execute_cmd "sed --version" 'Checking needed tools: sed' execute_cmd "sed --version" 'Checking needed tools: sed'
execute_cmd "dnf --version" 'Checking needed tools: dnf' execute_cmd "dnf --version" 'Checking needed tools: dnf'
#Check mysql pass
execute_cmd "is_mysql_secure_password $DBROOTPASS" "Checking DBROOTPASS password match policy" 'This password do not match minimum MySQL policy requirements, more info in: https://dev.mysql.com/doc/refman/8.0/en/validate-password.html'
execute_cmd "is_mysql_secure_password $DBPASS" "Checking DBPASS password match policy" 'This password do not match minimum MySQL policy requirements, more info in: https://dev.mysql.com/doc/refman/8.0/en/validate-password.html'
# Creating working directory # Creating working directory
rm -rf "$HOME"/pandora_deploy_tmp/*.rpm* &>> "$LOGFILE" rm -rf "$HOME"/pandora_deploy_tmp/*.rpm* &>> "$LOGFILE"
mkdir "$HOME"/pandora_deploy_tmp &>> "$LOGFILE" mkdir "$HOME"/pandora_deploy_tmp &>> "$LOGFILE"
@ -437,7 +487,6 @@ if [ "$SKIP_DATABASE_INSTALL" -eq '0' ] ; then
if [ "$MYVER" -eq '80' ] ; then if [ "$MYVER" -eq '80' ] ; then
echo """ echo """
SET PASSWORD FOR '$DBROOTUSER'@'localhost' = 'Pandor4!'; SET PASSWORD FOR '$DBROOTUSER'@'localhost' = 'Pandor4!';
UNINSTALL COMPONENT 'file://component_validate_password';
SET PASSWORD FOR '$DBROOTUSER'@'localhost' = '$DBROOTPASS'; SET PASSWORD FOR '$DBROOTUSER'@'localhost' = '$DBROOTPASS';
""" | mysql --connect-expired-password -u$DBROOTUSER &>> "$LOGFILE" """ | mysql --connect-expired-password -u$DBROOTUSER &>> "$LOGFILE"
fi fi
@ -445,7 +494,6 @@ if [ "$SKIP_DATABASE_INSTALL" -eq '0' ] ; then
if [ "$MYVER" -ne '80' ] ; then if [ "$MYVER" -ne '80' ] ; then
echo """ echo """
SET PASSWORD FOR '$DBROOTUSER'@'localhost' = PASSWORD('Pandor4!'); SET PASSWORD FOR '$DBROOTUSER'@'localhost' = PASSWORD('Pandor4!');
UNINSTALL PLUGIN validate_password;
SET PASSWORD FOR '$DBROOTUSER'@'localhost' = PASSWORD('$DBROOTPASS'); SET PASSWORD FOR '$DBROOTUSER'@'localhost' = PASSWORD('$DBROOTPASS');
""" | mysql --connect-expired-password -u$DBROOTUSER &>> "$LOGFILE"fi """ | mysql --connect-expired-password -u$DBROOTUSER &>> "$LOGFILE"fi
fi fi
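Review bot: The intermediate `SET PASSWORD FOR '$DBROOTUSER'@'localhost' = 'Pandor4!'` is kept in both branches although its only purpose was to leave the expired-password state before `UNINSTALL COMPONENT`/`UNINSTALL PLUGIN`, which this commit removes; the external-DB installer in the same merge drops that line, so here the root account briefly carries a publicly known password for no reason. Set `'$DBROOTPASS'` directly as the first statement of the `--connect-expired-password` session, as that script now does. Since validate_password now stays enabled, the shell check is also the only thing standing between the operator and a rejected `SET PASSWORD`: the mysql call's stderr goes to the log and its exit status is not examined, so a server configured with a STRONG policy would leave root on the temporary password silently.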


@ -27,9 +27,9 @@ rm -f $LOGFILE &> /dev/null # remove last log before start
[ "$DBHOST" ] || DBHOST=127.0.0.1 [ "$DBHOST" ] || DBHOST=127.0.0.1
[ "$DBNAME" ] || DBNAME=pandora [ "$DBNAME" ] || DBNAME=pandora
[ "$DBUSER" ] || DBUSER=pandora [ "$DBUSER" ] || DBUSER=pandora
[ "$DBPASS" ] || DBPASS=pandora [ "$DBPASS" ] || DBPASS='Pandor4!'
[ "$DBPORT" ] || DBPORT=3306 [ "$DBPORT" ] || DBPORT=3306
[ "$DBROOTPASS" ] || DBROOTPASS=pandora [ "$DBROOTPASS" ] || DBROOTPASS='Pandor4!'
[ "$SKIP_PRECHECK" ] || SKIP_PRECHECK=0 [ "$SKIP_PRECHECK" ] || SKIP_PRECHECK=0
[ "$SKIP_DATABASE_INSTALL" ] || SKIP_DATABASE_INSTALL=0 [ "$SKIP_DATABASE_INSTALL" ] || SKIP_DATABASE_INSTALL=0
[ "$SKIP_KERNEL_OPTIMIZATIONS" ] || SKIP_KERNEL_OPTIMIZATIONS=0 [ "$SKIP_KERNEL_OPTIMIZATIONS" ] || SKIP_KERNEL_OPTIMIZATIONS=0
@ -113,6 +113,53 @@ check_root_permissions () {
fi fi
} }
# Function to check if a password meets the MySQL secure password requirements
is_mysql_secure_password() {
local password=$1
# Check password length (at least 8 characters)
if [[ ${#password} -lt 8 ]]; then
echo "Password length should be at least 8 characters."
return 1
fi
# Check if password contains at least one uppercase letter
if [[ $password == ${password,,} ]]; then
echo "Password should contain at least one uppercase letter."
return 1
fi
# Check if password contains at least one lowercase letter
if [[ $password == ${password^^} ]]; then
echo "Password should contain at least one lowercase letter."
return 1
fi
# Check if password contains at least one digit
if ! [[ $password =~ [0-9] ]]; then
echo "Password should contain at least one digit."
return 1
fi
# Check if password contains at least one special character
if ! [[ $password =~ [[:punct:]] ]]; then
echo "Password should contain at least one special character."
return 1
fi
# Check if password is not a common pattern (e.g., "password", "123456")
local common_patterns=("password" "123456" "qwerty")
for pattern in "${common_patterns[@]}"; do
if [[ $password == *"$pattern"* ]]; then
echo "Password should not contain common patterns."
return 1
fi
done
# If all checks pass, the password is MySQL secure compliant
return 0
}
installing_docker () { installing_docker () {
#Installing docker for debug #Installing docker for debug
echo "Start installig docker" &>> "$LOGFILE" echo "Start installig docker" &>> "$LOGFILE"
@ -194,6 +241,10 @@ execute_cmd "grep --version" 'Checking needed tools: grep'
execute_cmd "sed --version" 'Checking needed tools: sed' execute_cmd "sed --version" 'Checking needed tools: sed'
execute_cmd "apt --version" 'Checking needed tools: apt' execute_cmd "apt --version" 'Checking needed tools: apt'
#Check mysql pass
execute_cmd "is_mysql_secure_password $DBROOTPASS" "Checking DBROOTPASS password match policy" 'This password do not match minimum MySQL policy requirements, more info in: https://dev.mysql.com/doc/refman/8.0/en/validate-password.html'
execute_cmd "is_mysql_secure_password $DBPASS" "Checking DBPASS password match policy" 'This password do not match minimum MySQL policy requirements, more info in: https://dev.mysql.com/doc/refman/8.0/en/validate-password.html'
# Creating working directory # Creating working directory
rm -rf "$WORKDIR" &>> "$LOGFILE" rm -rf "$WORKDIR" &>> "$LOGFILE"
mkdir -p "$WORKDIR" &>> "$LOGFILE" mkdir -p "$WORKDIR" &>> "$LOGFILE"
@ -286,6 +337,7 @@ server_dependencies=" \
libgeo-ip-perl \ libgeo-ip-perl \
arping \ arping \
snmp-mibs-downloader \ snmp-mibs-downloader \
snmptrapd \
libnsl2 \ libnsl2 \
openjdk-8-jdk " openjdk-8-jdk "
execute_cmd "apt install -y $server_dependencies" "Installing Pandora FMS Server dependencies" execute_cmd "apt install -y $server_dependencies" "Installing Pandora FMS Server dependencies"
@ -402,6 +454,7 @@ if [ "$SKIP_DATABASE_INSTALL" -eq '0' ] ; then
""" | mysql -uroot &>> "$LOGFILE" """ | mysql -uroot &>> "$LOGFILE"
export MYSQL_PWD=$DBROOTPASS export MYSQL_PWD=$DBROOTPASS
echo "INSTALL COMPONENT 'file://component_validate_password';" | mysql -uroot -P$DBPORT -h$DBHOST &>> "$LOGFILE"
echo -en "${cyan}Creating Pandora FMS database...${reset}" echo -en "${cyan}Creating Pandora FMS database...${reset}"
echo "create database $DBNAME" | mysql -uroot -P$DBPORT -h$DBHOST echo "create database $DBNAME" | mysql -uroot -P$DBPORT -h$DBHOST
check_cmd_status "Error creating database $DBNAME, is this an empty node? if you have a previus installation please contact with support." check_cmd_status "Error creating database $DBNAME, is this an empty node? if you have a previus installation please contact with support."
@ -785,6 +838,10 @@ sed --follow-symlinks -i -e "s/^openssl_conf = openssl_init/#openssl_conf = open
# Enable postfix # Enable postfix
systemctl enable postfix --now &>> "$LOGFILE" systemctl enable postfix --now &>> "$LOGFILE"
# Disable snmptrapd
systemctl disable --now snmptrapd &>> "$LOGFILE"
systemctl disable --now snmptrapd.socket &>> "$LOGFILE"
#SSH banner #SSH banner
[ "$(curl -s ifconfig.me)" ] && ipplublic=$(curl -s ifconfig.me) [ "$(curl -s ifconfig.me)" ] && ipplublic=$(curl -s ifconfig.me)
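Review bot: The common-pattern check in `is_mysql_secure_password` compares case-sensitively (`[[ $password == *"$pattern"* ]]`), so `Password1!` passes every rule even though it contains "password"; compare the lowercased value instead, `if [[ ${password,,} == *"$pattern"* ]]; then`. The case checks also leave the right-hand side unquoted, which makes `[[ $password == ${password,,} ]]` a glob match rather than a string comparison; quoting it, `[[ $password == "${password,,}" ]]`, keeps a password containing `*`, `?` or `[` from being read as a pattern. The function is copied verbatim into all four installers in this merge, so both fixes apply to each copy. The `snmptrapd` package added to server_dependencies and then disabled at the end is unrelated to the password work and deserves its own line in the commit message.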