author | Suryakanth Sekar <suryakanth.sekar@linux.intel.com> | 2019-12-12 21:39:14 +0530 |
---|---|---|
committer | Suryakanth Sekar <suryakanth.sekar@linux.intel.com> | 2020-01-08 03:53:10 +0000 |
commit | 8988dda41319950476ebb146df06c2e7b3fbf44d (patch) | |
tree | 144f10f58f0794b87134be0ac862f92ece6e93d7 | |
parent | 2830a9cf2559c7b6956fcb5a6cce56231fcfd18e (diff) | |
download | bmcweb-8988dda41319950476ebb146df06c2e7b3fbf44d.tar.gz bmcweb-8988dda41319950476ebb146df06c2e7b3fbf44d.zip |
bmcweb: Message entry for user security Event
Add message registry entries for the security events the BMC logs, with a
description, when it detects any of the following intrusions or non-allowed
configurations:
1. Password storing hash algo changes from SHA2-256 to MD5 in Linux pwd file
2. When any user other than root has its UID set to 0 in Linux pwd file
3. When any unsupported shells (not bash or sh) are present in Linux pwd file
4. When the root user is assigned a password in Linux password file
Tested:
1. Ran Redfish validator - passed for this new addition.
{
"@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
"@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/75_1",
"@odata.type": "#LogEntry.v1_4_0.LogEntry",
"Created": "1970-01-01T00:01:15+00:00",
"EntryType": "Event",
"Id": "75_1",
"Message": "weak password computing hash algorithm is enabled = MD5 Hash algorithm .",
"MessageArgs": [
"MD5 Hash algorithm"
],
"MessageId": "OpenBMC.0.1.SecurityUserWeakHashAlgoEnabled",
"Name": "System Event Log Entry",
"Severity": "Critical"
},
{
"@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
"@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/240",
"@odata.type": "#LogEntry.v1_4_0.LogEntry",
"Created": "1970-01-01T00:04:00+00:00",
"EntryType": "Event",
"Id": "240",
"Message": "other than /bin/bash,/bin/sh, Unsupported shell is enabled",
"MessageArgs": [],
"MessageId": "OpenBMC.0.1.SecurityUserUnsupportedShellEnabled",
"Name": "System Event Log Entry",
"Severity": "Critical"
},
{
"@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
"@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/246",
"@odata.type": "#LogEntry.v1_4_0.LogEntry",
"Created": "1970-01-01T00:04:06+00:00",
"EntryType": "Event",
"Id": "246",
"Message": "Unsupported shell is removed",
"MessageArgs": [],
"MessageId": "OpenBMC.0.1.SecurityUserUnsupportedShellRemoved",
"Name": "System Event Log Entry",
"Severity": "OK"
},
{
"@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
"@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/604",
"@odata.type": "#LogEntry.v1_4_0.LogEntry",
"Created": "1970-01-01T00:10:04+00:00",
"EntryType": "Event",
"Id": "604",
"Message": "password computing hash algorithm is changed to sha256/sha512.",
"MessageArgs": [],
"MessageId": "OpenBMC.0.1.SecurityUserHashAlgoChanged",
"Name": "System Event Log Entry",
"Severity": "OK"
}
{
"@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
"@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/75",
"@odata.type": "#LogEntry.v1_4_0.LogEntry",
"Created": "1970-01-01T00:01:15+00:00",
"EntryType": "Event",
"Id": "75",
"Message": "root user is enabled.",
"MessageArgs": [],
"MessageId": "OpenBMC.0.1.SecurityUserRootEnabled",
"Name": "System Event Log Entry",
"Severity": "Critical"
},
{
"@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
"@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/1153",
"@odata.type": "#LogEntry.v1_4_0.LogEntry",
"Created": "1970-01-01T00:19:13+00:00",
"EntryType": "Event",
"Id": "1153",
"Message": "uid Zero is assigned with non-root user",
"MessageArgs": [],
"MessageId": "OpenBMC.0.1.SecurityUserNonRootUidZeroAssigned",
"Name": "System Event Log Entry",
"Severity": "Critical"
}
Signed-off-by: Suryakanth Sekar <suryakanth.sekar@linux.intel.com>
Change-Id: I8a3a10be2cc85614baa7b0d2f56b3376c3301e01
-rw-r--r-- | redfish-core/include/registries/openbmc_message_registry.hpp | 81 |
1 files changed, 80 insertions, 1 deletions
diff --git a/redfish-core/include/registries/openbmc_message_registry.hpp b/redfish-core/include/registries/openbmc_message_registry.hpp
index 1e9fa60..9b3cf28 100644
--- a/redfish-core/include/registries/openbmc_message_registry.hpp
+++ b/redfish-core/include/registries/openbmc_message_registry.hpp
@@ -29,7 +29,7 @@ const Header header = {
 "0.1.0",
 "OpenBMC",
 };
-constexpr std::array<MessageEntry, 144> registry = {
+constexpr std::array<MessageEntry, 152> registry = {
 MessageEntry{
 "ADDDCCorrectable",
 {
@@ -1492,6 +1492,85 @@ constexpr std::array<MessageEntry, 144> registry = {
 {},
 "None.",
 }},
+ MessageEntry{
+ "SecurityUserStrongHashAlgoRestored",
+ {
+ "Indicates that password computing hash algorithm changed.",
+ "Password computing hash algorithm is changed to sha256/sha512.",
+ "OK",
+ 0,
+ {},
+ "None.",
+ }},
+
+ MessageEntry{"SecurityUserNonRootUidZeroAssigned",
+ {
+ "Indicates that non root user assigned with user ID zero.",
+ "User ID Zero is assigned with non-root user.",
+ "Critical",
+ 0,
+ {},
+ "None.",
+ }},
+ MessageEntry{"SecurityUserNonRootUidZeroRemoved",
+ {
+ "Indicates that non root user ID is removed",
+ "Non root user assigned with user ID zero is removed.",
+ "OK",
+ 0,
+ {},
+ "None.",
+ }},
+
+ MessageEntry{"SecurityUserRootEnabled",
+ {
+ "Indicates that system root user is enabled.",
+ "User root is enabled.",
+ "Critical",
+ 0,
+ {},
+ "None.",
+ }},
+ MessageEntry{"SecurityUserRootDisabled",
+ {
+ "Indicates that system root user is disabled.",
+ "User root is disabled.",
+ "OK",
+ 0,
+ {},
+ "None.",
+ }},
+
+ MessageEntry{"SecurityUserUnsupportedShellEnabled",
+ {
+ "Indicates that unsupported shell is enabled.",
+ "Unsupported shell is enabled.",
+ "Critical",
+ 0,
+ {},
+ "None.",
+ }},
+ MessageEntry{"SecurityUserUnsupportedShellRemoved",
+ {
+ "Indicates that unsupported shell is removed.",
+ "Unsupported shell is removed.",
+ "OK",
+ 0,
+ {},
+ "None.",
+ }},
+
+ MessageEntry{
+ "SecurityUserWeakHashAlgoEnabled",
+ {
+ "Indicates that weak password computing hash algorithm is enabled.",
+ "Weak password computing hash algorithm is enabled.",
+ "Critical",
+ 0,
+ {},
+ "None.",
+ }},
+
 MessageEntry{"SELEntryAdded",
 {
 "Indicates a SEL entry was added using the "
|
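Review bot: `SecurityUserWeakHashAlgoEnabled` is declared with zero arguments and no `%1` placeholder, yet the sample entry in the description carries `MessageArgs: ["MD5 Hash algorithm"]` and a message text that does not match the registry string, and the description's `SecurityUserHashAlgoChanged` id is not added here (the hunk adds `SecurityUserStrongHashAlgoRestored`), so the quoted test output appears to come from a different registry than the one committed and a live emitter using those ids or arguments will not resolve against it. Either the emitter drops the argument, or the entry declares it so the offending algorithm is preserved in the log: `"Weak password computing hash algorithm is enabled: %1.", "Critical", 1, {"string"},`. For the Critical UID-zero and unsupported-shell entries, consider likewise carrying the offending account or shell as `%1` so a responder can act on the event without re-reading the password file; whether the sender has that value available is not visible from this hunk. `"Indicates that non root user ID is removed"` is also the only description without a trailing period. The `registry` array begins and ends outside this hunk.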