From 95b7679b6fdbc7ce444aad6748b7f1731902cfff Mon Sep 17 00:00:00 2001
From: rafael
Date: Tue, 25 Jul 2023 09:34:17 +0200
Subject: [PATCH] 9869 adding check for mysql password validation to online installers

---
 .../deploy-scripts/deploy_ext_database_el8.sh | 59 +++++++++++++++++--
 .../deploy_ext_database_ubuntu_2204.sh | 56 +++++++++++++++++-
 .../pandora_deploy_community_el8.sh | 56 ++++++++++++++++--
 .../pandora_deploy_community_ubuntu_2204.sh | 56 +++++++++++++++++-
 4 files changed, 213 insertions(+), 14 deletions(-)

diff --git a/extras/deploy-scripts/deploy_ext_database_el8.sh b/extras/deploy-scripts/deploy_ext_database_el8.sh
index 3ff86cc56b..4417265599 100644
--- a/extras/deploy-scripts/deploy_ext_database_el8.sh
+++ b/extras/deploy-scripts/deploy_ext_database_el8.sh
@@ -19,10 +19,10 @@ LOGFILE="/tmp/deploy-ext-db-$(date +%F).log"
 [ "$DBHOST" ] || DBHOST=127.0.0.1
 [ "$DBNAME" ] || DBNAME=pandora
 [ "$DBUSER" ] || DBUSER=pandora
-[ "$DBPASS" ] || DBPASS=pandora
+[ "$DBPASS" ] || DBPASS='Pandor4!'
 [ "$DBPORT" ] || DBPORT=3306
 [ "$DBROOTUSER" ] || DBROOTUSER=root
-[ "$DBROOTPASS" ] || DBROOTPASS=pandora
+[ "$DBROOTPASS" ] || DBROOTPASS='Pandor4!'
 [ "$SKIP_DATABASE_INSTALL" ] || SKIP_DATABASE_INSTALL=0
 [ "$SKIP_KERNEL_OPTIMIZATIONS" ] || SKIP_KERNEL_OPTIMIZATIONS=0
 [ "$POOL_SIZE" ] || POOL_SIZE=$(grep -i total /proc/meminfo | head -1 | awk '{printf "%.2f \n", $(NF-1)*0.4/1024}' | sed "s/\\..*$/M/g")
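Review bot: The new defaults `DBROOTPASS='Pandor4!'` and `DBPASS='Pandor4!'` are still fixed, published credentials: they satisfy the validator this commit adds, but any host installed without overriding these variables ends up with a MySQL root password that everyone who can read this script knows. When the variable is unset, generate a value per install instead, e.g. `[ "$DBROOTPASS" ] || DBROOTPASS="$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 12)!"`, run it through the same `is_mysql_secure_password` check, and print it once to the operator (or at least warn loudly that the built-in default is in use). Giving the root and application accounts the same default value also collapses the privilege boundary between them. The same defaults are introduced in the `deploy_ext_database_ubuntu_2204.sh`, `pandora_deploy_community_el8.sh` and `pandora_deploy_community_ubuntu_2204.sh` hunks.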
@@ -79,6 +79,53 @@ check_root_permissions () { fi } +# Function to check if a password meets the MySQL secure password requirements +is_mysql_secure_password() { + local password=$1 + + # Check password length (at least 8 characters) + if [[ ${#password} -lt 8 ]]; then + echo "Password length should be at least 8 characters." + return 1 + fi + + # Check if password contains at least one uppercase letter + if [[ $password == ${password,,} ]]; then + echo "Password should contain at least one uppercase letter." + return 1 + fi + + # Check if password contains at least one lowercase letter + if [[ $password == ${password^^} ]]; then + echo "Password should contain at least one lowercase letter." + return 1 + fi + + # Check if password contains at least one digit + if ! [[ $password =~ [0-9] ]]; then + echo "Password should contain at least one digit." + return 1 + fi + + # Check if password contains at least one special character + if ! [[ $password =~ [[:punct:]] ]]; then + echo "Password should contain at least one special character." + return 1 + fi + + # Check if password is not a common pattern (e.g., "password", "123456") + local common_patterns=("password" "123456" "qwerty") + for pattern in "${common_patterns[@]}"; do + if [[ $password == *"$pattern"* ]]; then + echo "Password should not contain common patterns." + return 1 + fi + done + + # If all checks pass, the password is MySQL secure compliant + return 0 +} + ## Main echo "Starting PandoraFMS External DB deployment EL8 ver. $S_VERSION" 
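Review bot: The two case checks compare against an unquoted right-hand side, so `${password,,}` and `${password^^}` are evaluated as glob patterns inside `[[ == ]]`; a password containing `*`, `?` or `[` can match its own case-folded form and be rejected as lacking an uppercase or lowercase letter (for instance `*Ab1!xyz` matches the pattern `*ab1!xyz`), and a stray `[` yields a malformed pattern. Quote the expansions: `if [[ $password == "${password,,}" ]]; then` and `if [[ $password == "${password^^}" ]]; then`. The common-pattern loop is case-sensitive, so `Password1!` and `Qwerty12!` pass it; compare the lowercased value instead, `if [[ ${password,,} == *"$pattern"* ]]; then`. The identical function is added in the `deploy_ext_database_ubuntu_2204.sh`, `pandora_deploy_community_el8.sh` and `pandora_deploy_community_ubuntu_2204.sh` hunks and needs the same fixes; since `${var,,}` makes the function bash 4+ only, a one-line comment saying so would help anyone porting it.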
@@ -128,6 +175,10 @@ execute_cmd "grep --version" 'Checking needed tools: grep' execute_cmd "sed --version" 'Checking needed tools: sed' execute_cmd "dnf --version" 'Checking needed tools: dnf' +#Check mysql pass +execute_cmd "is_mysql_secure_password $DBROOTPASS" "Checking DBROOTPASS password match policy" 'This password do not match minimum MySQL policy requirements, more info in: https://dev.mysql.com/doc/refman/8.0/en/validate-password.html' +execute_cmd "is_mysql_secure_password $DBPASS" "Checking DBPASS password match policy" 'This password do not match minimum MySQL policy requirements, more info in: https://dev.mysql.com/doc/refman/8.0/en/validate-password.html' + # Creating working directory rm -rf "$HOME"/pandora_deploy_tmp/*.rpm* &>> "$LOGFILE" mkdir "$HOME"/pandora_deploy_tmp &>> "$LOGFILE" @@ -207,16 +258,12 @@ if [ "$SKIP_DATABASE_INSTALL" -eq '0' ] ; then export MYSQL_PWD=$(grep "temporary password" /var/log/mysqld.log | rev | cut -d' ' -f1 | rev) if [ "$MYVER" -eq '80' ] ; then echo """ - SET PASSWORD FOR '$DBROOTUSER'@'localhost' = 'Pandor4!'; - UNINSTALL COMPONENT 'file://component_validate_password'; SET PASSWORD FOR '$DBROOTUSER'@'localhost' = '$DBROOTPASS'; """ | mysql --connect-expired-password -u$DBROOTUSER &>> "$LOGFILE" fi if [ "$MYVER" -ne '80' ] ; then echo """ - SET PASSWORD FOR '$DBROOTUSER'@'localhost' = PASSWORD('Pandor4!'); - UNINSTALL PLUGIN validate_password; SET PASSWORD FOR '$DBROOTUSER'@'localhost' = PASSWORD('$DBROOTPASS'); """ | mysql --connect-expired-password -u$DBROOTUSER &>> "$LOGFILE"fi fi diff --git a/extras/deploy-scripts/deploy_ext_database_ubuntu_2204.sh b/extras/deploy-scripts/deploy_ext_database_ubuntu_2204.sh index 21f9b21fa0..767be5632f 100644 --- a/extras/deploy-scripts/deploy_ext_database_ubuntu_2204.sh +++ b/extras/deploy-scripts/deploy_ext_database_ubuntu_2204.sh 
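Review bot: Interpolating the password into the command string, `execute_cmd "is_mysql_secure_password $DBROOTPASS" …`, hands a value that is required to contain a special character to a second round of shell parsing inside execute_cmd (whose body is outside this diff): a password with a space is truncated to its first word, `*` or `?` is glob-expanded, and `$`, `;`, `|` or backticks alter the command that runs, so the check can pass or fail for the wrong reason, and if execute_cmd records the command text the secret ends up in `$LOGFILE`. Call the function directly and let the later steps' helper report the failure, e.g. `is_mysql_secure_password "$DBROOTPASS" &>> "$LOGFILE"` followed by `check_cmd_status 'This password does not match minimum MySQL policy requirements, more info in: https://dev.mysql.com/doc/refman/8.0/en/validate-password.html'`, and the same pair for `$DBPASS`. The same two lines are added in the `deploy_ext_database_ubuntu_2204.sh`, `pandora_deploy_community_el8.sh` and `pandora_deploy_community_ubuntu_2204.sh` hunks. The message text also has a grammar slip: `do not match` should read `does not match`.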
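Review bot: With the `UNINSTALL COMPONENT` and `UNINSTALL PLUGIN` lines removed, the server-side policy now stays active while `SET PASSWORD FOR '$DBROOTUSER'@'localhost' = '$DBROOTPASS'` runs, but each `… | mysql --connect-expired-password …` pipeline still sends its output to `"$LOGFILE"` with no status check, so a rejection (for example a deployment where `validate_password.policy` is STRONG or a dictionary file is configured, which the shell-side check does not model) is silent and only surfaces later as a connection failure with the temporary password still in force. Add `check_cmd_status "Error setting the $DBROOTUSER password, see $LOGFILE"` after each of the two pipelines; the pipeline's exit status is mysql's. In the `-ne '80'` branch the context line shows `&>> "$LOGFILE"fi` as one token; if that is literal in the file the output is redirected to `${LOGFILE}fi`, which is worth confirming even though the commit does not touch it. The enclosing `if [ "$SKIP_DATABASE_INSTALL" -eq '0' ]` block starts and ends outside this hunk.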
@@ -26,9 +26,9 @@ rm -f $LOGFILE &> /dev/null # remove last log before start
 [ "$DBHOST" ] || DBHOST=127.0.0.1
 [ "$DBNAME" ] || DBNAME=pandora
 [ "$DBUSER" ] || DBUSER=pandora
-[ "$DBPASS" ] || DBPASS=pandora
+[ "$DBPASS" ] || DBPASS='Pandor4!'
 [ "$DBPORT" ] || DBPORT=3306
-[ "$DBROOTPASS" ] || DBROOTPASS=pandora
+[ "$DBROOTPASS" ] || DBROOTPASS='Pandor4!'
 [ "$SKIP_DATABASE_INSTALL" ] || SKIP_DATABASE_INSTALL=0
 [ "$SKIP_KERNEL_OPTIMIZATIONS" ] || SKIP_KERNEL_OPTIMIZATIONS=0
 [ "$POOL_SIZE" ] || POOL_SIZE=$(grep -i total /proc/meminfo | head -1 | awk '{printf "%.2f \n", $(NF-1)*0.4/1024}' | sed "s/\\..*$/M/g")
@@ -86,6 +86,53 @@ check_root_permissions () { fi } +# Function to check if a password meets the MySQL secure password requirements +is_mysql_secure_password() { + local password=$1 + + # Check password length (at least 8 characters) + if [[ ${#password} -lt 8 ]]; then + echo "Password length should be at least 8 characters." + return 1 + fi + + # Check if password contains at least one uppercase letter + if [[ $password == ${password,,} ]]; then + echo "Password should contain at least one uppercase letter." + return 1 + fi + + # Check if password contains at least one lowercase letter + if [[ $password == ${password^^} ]]; then + echo "Password should contain at least one lowercase letter." + return 1 + fi + + # Check if password contains at least one digit + if ! [[ $password =~ [0-9] ]]; then + echo "Password should contain at least one digit." + return 1 + fi + + # Check if password contains at least one special character + if ! [[ $password =~ [[:punct:]] ]]; then + echo "Password should contain at least one special character." + return 1 + fi + + # Check if password is not a common pattern (e.g., "password", "123456") + local common_patterns=("password" "123456" "qwerty") + for pattern in "${common_patterns[@]}"; do + if [[ $password == *"$pattern"* ]]; then + echo "Password should not contain common patterns." + return 1 + fi + done + + # If all checks pass, the password is MySQL secure compliant + return 0 +} + ## Main echo "Starting PandoraFMS External DB deployment Ubuntu 22.04 ver. $S_VERSION" 
@@ -137,6 +184,10 @@ execute_cmd "grep --version" 'Checking needed tools: grep' execute_cmd "sed --version" 'Checking needed tools: sed' execute_cmd "apt --version" 'Checking needed tools: apt' +#Check mysql pass +execute_cmd "is_mysql_secure_password $DBROOTPASS" "Checking DBROOTPASS password match policy" 'This password do not match minimum MySQL policy requirements, more info in: https://dev.mysql.com/doc/refman/8.0/en/validate-password.html' +execute_cmd "is_mysql_secure_password $DBPASS" "Checking DBPASS password match policy" 'This password do not match minimum MySQL policy requirements, more info in: https://dev.mysql.com/doc/refman/8.0/en/validate-password.html' + # Creating working directory rm -rf "$WORKDIR" &>> "$LOGFILE" mkdir -p "$WORKDIR" &>> "$LOGFILE" @@ -170,6 +221,7 @@ if [ "$SKIP_DATABASE_INSTALL" -eq '0' ] ; then """ | mysql -uroot &>> "$LOGFILE" export MYSQL_PWD=$DBROOTPASS + echo "INSTALL COMPONENT 'file://component_validate_password';" | mysql -uroot -P$DBPORT -h$DBHOST &>> "$LOGFILE" echo -en "${cyan}Creating Pandora FMS database...${reset}" echo "create database $DBNAME" | mysql -uroot -P$DBPORT -h$DBHOST check_cmd_status "Error creating database $DBNAME, is this an empty node? if you have a previus installation please contact with support." diff --git a/extras/deploy-scripts/pandora_deploy_community_el8.sh b/extras/deploy-scripts/pandora_deploy_community_el8.sh index 3b4dde6cef..32422ab98b 100644 --- a/extras/deploy-scripts/pandora_deploy_community_el8.sh +++ b/extras/deploy-scripts/pandora_deploy_community_el8.sh 
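Review bot: The new `INSTALL COMPONENT 'file://component_validate_password'` line discards its output into `"$LOGFILE"` and checks no status, so if it fails (component already present on a re-run, or the component library missing from the package) the server-side policy is silently not enforced and only the shell-side check guards the statements that follow. Follow it with `check_cmd_status "Error installing validate_password component, see $LOGFILE"`, or confirm the control is active with `SHOW VARIABLES LIKE 'validate_password.%'` before continuing. Note the ordering: the component is installed after root's password was already set from `$DBROOTPASS` (outside this hunk), so root's password is never validated by the server; that is acceptable given the new shell check but deserves a comment on this line. The same line is added in the `pandora_deploy_community_ubuntu_2204.sh` hunk.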
@@ -24,10 +24,10 @@ LOGFILE="/tmp/pandora-deploy-community-$(date +%F).log"
 [ "$DBHOST" ] || DBHOST=127.0.0.1
 [ "$DBNAME" ] || DBNAME=pandora
 [ "$DBUSER" ] || DBUSER=pandora
-[ "$DBPASS" ] || DBPASS=pandora
+[ "$DBPASS" ] || DBPASS='Pandor4!'
 [ "$DBPORT" ] || DBPORT=3306
 [ "$DBROOTUSER" ] || DBROOTUSER=root
-[ "$DBROOTPASS" ] || DBROOTPASS=pandora
+[ "$DBROOTPASS" ] || DBROOTPASS='Pandor4!'
 [ "$SKIP_PRECHECK" ] || SKIP_PRECHECK=0
 [ "$SKIP_DATABASE_INSTALL" ] || SKIP_DATABASE_INSTALL=0
 [ "$SKIP_KERNEL_OPTIMIZATIONS" ] || SKIP_KERNEL_OPTIMIZATIONS=0
@@ -125,6 +125,52 @@ installing_docker () { echo "End installig docker" &>> "$LOGFILE" } +# Function to check if a password meets the MySQL secure password requirements +is_mysql_secure_password() { + local password=$1 + + # Check password length (at least 8 characters) + if [[ ${#password} -lt 8 ]]; then + echo "Password length should be at least 8 characters." + return 1 + fi + + # Check if password contains at least one uppercase letter + if [[ $password == ${password,,} ]]; then + echo "Password should contain at least one uppercase letter." + return 1 + fi + + # Check if password contains at least one lowercase letter + if [[ $password == ${password^^} ]]; then + echo "Password should contain at least one lowercase letter." + return 1 + fi + + # Check if password contains at least one digit + if ! [[ $password =~ [0-9] ]]; then + echo "Password should contain at least one digit." + return 1 + fi + + # Check if password contains at least one special character + if ! [[ $password =~ [[:punct:]] ]]; then + echo "Password should contain at least one special character." + return 1 + fi + + # Check if password is not a common pattern (e.g., "password", "123456") + local common_patterns=("password" "123456" "qwerty") + for pattern in "${common_patterns[@]}"; do + if [[ $password == *"$pattern"* ]]; then + echo "Password should not contain common patterns." + return 1 + fi + done + + # If all checks pass, the password is MySQL secure compliant + return 0 +} ## Main echo "Starting PandoraFMS Community deployment EL8 ver. $S_VERSION" 
@@ -189,6 +235,10 @@ execute_cmd "grep --version" 'Checking needed tools: grep' execute_cmd "sed --version" 'Checking needed tools: sed' execute_cmd "dnf --version" 'Checking needed tools: dnf' +#Check mysql pass +execute_cmd "is_mysql_secure_password $DBROOTPASS" "Checking DBROOTPASS password match policy" 'This password do not match minimum MySQL policy requirements, more info in: https://dev.mysql.com/doc/refman/8.0/en/validate-password.html' +execute_cmd "is_mysql_secure_password $DBPASS" "Checking DBPASS password match policy" 'This password do not match minimum MySQL policy requirements, more info in: https://dev.mysql.com/doc/refman/8.0/en/validate-password.html' + # Creating working directory rm -rf "$HOME"/pandora_deploy_tmp/*.rpm* &>> "$LOGFILE" mkdir "$HOME"/pandora_deploy_tmp &>> "$LOGFILE" @@ -437,7 +487,6 @@ if [ "$SKIP_DATABASE_INSTALL" -eq '0' ] ; then if [ "$MYVER" -eq '80' ] ; then echo """ SET PASSWORD FOR '$DBROOTUSER'@'localhost' = 'Pandor4!'; - UNINSTALL COMPONENT 'file://component_validate_password'; SET PASSWORD FOR '$DBROOTUSER'@'localhost' = '$DBROOTPASS'; """ | mysql --connect-expired-password -u$DBROOTUSER &>> "$LOGFILE" fi @@ -445,7 +494,6 @@ if [ "$SKIP_DATABASE_INSTALL" -eq '0' ] ; then if [ "$MYVER" -ne '80' ] ; then echo """ SET PASSWORD FOR '$DBROOTUSER'@'localhost' = PASSWORD('Pandor4!'); - UNINSTALL PLUGIN validate_password; SET PASSWORD FOR '$DBROOTUSER'@'localhost' = PASSWORD('$DBROOTPASS'); """ | mysql --connect-expired-password -u$DBROOTUSER &>> "$LOGFILE"fi fi diff --git a/extras/deploy-scripts/pandora_deploy_community_ubuntu_2204.sh b/extras/deploy-scripts/pandora_deploy_community_ubuntu_2204.sh index 7e2ff6f532..0a5c721e53 100644 --- a/extras/deploy-scripts/pandora_deploy_community_ubuntu_2204.sh +++ b/extras/deploy-scripts/pandora_deploy_community_ubuntu_2204.sh 
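Review bot: Both the `-eq '80'` and the `-ne '80'` hunk keep the intermediate `SET PASSWORD FOR '$DBROOTUSER'@'localhost' = 'Pandor4!'` statement, which only existed to satisfy the policy before the now-removed `UNINSTALL` line; it is dead work, leaves a literal password in the script, and `deploy_ext_database_el8.sh` drops the same line in this very commit, so the two EL8 installers now disagree. Remove it here as well, and add `check_cmd_status "Error setting the $DBROOTUSER password, see $LOGFILE"` after each `… | mysql --connect-expired-password …` pipeline, because a server-side rejection of `$DBROOTPASS` (a STRONG policy or a dictionary file, neither modelled by the shell check) is currently written to the log and ignored. In the `-ne '80'` hunk the context line shows `&>> "$LOGFILE"fi` as a single token; if that is literal in the file the output goes to `${LOGFILE}fi`, which is worth confirming. The enclosing `if [ "$SKIP_DATABASE_INSTALL" -eq '0' ]` block starts and ends outside these hunks.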
@@ -27,9 +27,9 @@ rm -f $LOGFILE &> /dev/null # remove last log before start
 [ "$DBHOST" ] || DBHOST=127.0.0.1
 [ "$DBNAME" ] || DBNAME=pandora
 [ "$DBUSER" ] || DBUSER=pandora
-[ "$DBPASS" ] || DBPASS=pandora
+[ "$DBPASS" ] || DBPASS='Pandor4!'
 [ "$DBPORT" ] || DBPORT=3306
-[ "$DBROOTPASS" ] || DBROOTPASS=pandora
+[ "$DBROOTPASS" ] || DBROOTPASS='Pandor4!'
 [ "$SKIP_PRECHECK" ] || SKIP_PRECHECK=0
 [ "$SKIP_DATABASE_INSTALL" ] || SKIP_DATABASE_INSTALL=0
 [ "$SKIP_KERNEL_OPTIMIZATIONS" ] || SKIP_KERNEL_OPTIMIZATIONS=0
@@ -113,6 +113,53 @@ check_root_permissions () { fi } +# Function to check if a password meets the MySQL secure password requirements +is_mysql_secure_password() { + local password=$1 + + # Check password length (at least 8 characters) + if [[ ${#password} -lt 8 ]]; then + echo "Password length should be at least 8 characters." + return 1 + fi + + # Check if password contains at least one uppercase letter + if [[ $password == ${password,,} ]]; then + echo "Password should contain at least one uppercase letter." + return 1 + fi + + # Check if password contains at least one lowercase letter + if [[ $password == ${password^^} ]]; then + echo "Password should contain at least one lowercase letter." + return 1 + fi + + # Check if password contains at least one digit + if ! [[ $password =~ [0-9] ]]; then + echo "Password should contain at least one digit." + return 1 + fi + + # Check if password contains at least one special character + if ! [[ $password =~ [[:punct:]] ]]; then + echo "Password should contain at least one special character." + return 1 + fi + + # Check if password is not a common pattern (e.g., "password", "123456") + local common_patterns=("password" "123456" "qwerty") + for pattern in "${common_patterns[@]}"; do + if [[ $password == *"$pattern"* ]]; then + echo "Password should not contain common patterns." + return 1 + fi + done + + # If all checks pass, the password is MySQL secure compliant + return 0 +} + installing_docker () { #Installing docker for debug echo "Start installig docker" &>> "$LOGFILE" 
@@ -194,6 +241,10 @@ execute_cmd "grep --version" 'Checking needed tools: grep' execute_cmd "sed --version" 'Checking needed tools: sed' execute_cmd "apt --version" 'Checking needed tools: apt' +#Check mysql pass +execute_cmd "is_mysql_secure_password $DBROOTPASS" "Checking DBROOTPASS password match policy" 'This password do not match minimum MySQL policy requirements, more info in: https://dev.mysql.com/doc/refman/8.0/en/validate-password.html' +execute_cmd "is_mysql_secure_password $DBPASS" "Checking DBPASS password match policy" 'This password do not match minimum MySQL policy requirements, more info in: https://dev.mysql.com/doc/refman/8.0/en/validate-password.html' + # Creating working directory rm -rf "$WORKDIR" &>> "$LOGFILE" mkdir -p "$WORKDIR" &>> "$LOGFILE" @@ -402,6 +453,7 @@ if [ "$SKIP_DATABASE_INSTALL" -eq '0' ] ; then """ | mysql -uroot &>> "$LOGFILE" export MYSQL_PWD=$DBROOTPASS + echo "INSTALL COMPONENT 'file://component_validate_password';" | mysql -uroot -P$DBPORT -h$DBHOST &>> "$LOGFILE" echo -en "${cyan}Creating Pandora FMS database...${reset}" echo "create database $DBNAME" | mysql -uroot -P$DBPORT -h$DBHOST check_cmd_status "Error creating database $DBNAME, is this an empty node? if you have a previus installation please contact with support."