

bmcweb: Message entry for user security Event
Message entry for
The BMC should detect the following intrusions or disallowed configurations and
log a security event with a description.
1. Password storing hash algo changes from SHA2-256 to MD5 in Linux pwd file
2. When any user other than root has its UID set to 0 in Linux pwd file
3. When any unsupported shells (not bash or sh) are present in Linux pwd file
4. When the root user is assigned a password in Linux password file

Tested:
1. Ran Redfish validator - passed for this new addition.

 {
  "@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
  "@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/75_1",
  "@odata.type": "#LogEntry.v1_4_0.LogEntry",
  "Created": "1970-01-01T00:01:15+00:00",
  "EntryType": "Event",
  "Id": "75_1",
  "Message": "weak password computing hash algorithm is enabled = MD5 Hash algorithm .",
  "MessageArgs": [
         "MD5 Hash algorithm"
     ],
  "MessageId": "OpenBMC.0.1.SecurityUserWeakHashAlgoEnabled",
  "Name": "System Event Log Entry",
  "Severity": "Critical"
 },
 {
  "@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
  "@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/240",
  "@odata.type": "#LogEntry.v1_4_0.LogEntry",
  "Created": "1970-01-01T00:04:00+00:00",
  "EntryType": "Event",
  "Id": "240",
  "Message": "other than /bin/bash,/bin/sh, Unsupported shell is enabled",
  "MessageArgs": [],
  "MessageId": "OpenBMC.0.1.SecurityUserUnsupportedShellEnabled",
  "Name": "System Event Log Entry",
  "Severity": "Critical"
 },
 {
  "@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
  "@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/246",
  "@odata.type": "#LogEntry.v1_4_0.LogEntry",
  "Created": "1970-01-01T00:04:06+00:00",
  "EntryType": "Event",
  "Id": "246",
  "Message": "Unsupported shell is removed",
  "MessageArgs": [],
  "MessageId": "OpenBMC.0.1.SecurityUserUnsupportedShellRemoved",
  "Name": "System Event Log Entry",
  "Severity": "OK"
 },

 {
  "@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
  "@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/604",
  "@odata.type": "#LogEntry.v1_4_0.LogEntry",
  "Created": "1970-01-01T00:10:04+00:00",
  "EntryType": "Event",
  "Id": "604",
  "Message": "password computing hash algorithm is changed to sha256/sha512.",
  "MessageArgs": [],
  "MessageId": "OpenBMC.0.1.SecurityUserHashAlgoChanged",
  "Name": "System Event Log Entry",
  "Severity": "OK"
 }
 {
 "@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
 "@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/75",
 "@odata.type": "#LogEntry.v1_4_0.LogEntry",
 "Created": "1970-01-01T00:01:15+00:00",
 "EntryType": "Event",
 "Id": "75",
 "Message": "root user is enabled.",
 "MessageArgs": [],
 "MessageId": "OpenBMC.0.1.SecurityUserRootEnabled",
 "Name": "System Event Log Entry",
 "Severity": "Critical"
 },
 {
 "@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
 "@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/1153",
 "@odata.type": "#LogEntry.v1_4_0.LogEntry",
 "Created": "1970-01-01T00:19:13+00:00",
 "EntryType": "Event",
 "Id": "1153",
 "Message": "uid Zero is assigned with non-root user",
 "MessageArgs": [],
 "MessageId": "OpenBMC.0.1.SecurityUserNonRootUidZeroAssigned",
 "Name": "System Event Log Entry",
 "Severity": "Critical"
 }

Signed-off-by: Suryakanth Sekar <suryakanth.sekar@linux.intel.com>
Change-Id: I8a3a10be2cc85614baa7b0d2f56b3376c3301e01
htnakayrus committed Jan 8, 2020
1 parent 2830a9c commit 8988dda
Showing 1 changed file with 80 additions and 1 deletion.
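--- a/redfish-core/include/registries/openbmc_message_registry.hpp
+++ b/redfish-core/include/registries/openbmc_message_registry.hpp
@@ -29,7 +29,7 @@ const Header header = {
 "0.1.0",
 "OpenBMC",
 };
-constexpr std::array<MessageEntry, 144> registry = {
+constexpr std::array<MessageEntry, 152> registry = {
 MessageEntry{
 "ADDDCCorrectable",
 {
@@ -1492,6 +1492,85 @@ constexpr std::array<MessageEntry, 144> registry = {
 {},
 "None.",
 }},
+MessageEntry{
+"SecurityUserStrongHashAlgoRestored",
+{
+"Indicates that password computing hash algorithm changed.",
+"Password computing hash algorithm is changed to sha256/sha512.",
+"OK",
+0,
+{},
+"None.",
+}},
+
+MessageEntry{"SecurityUserNonRootUidZeroAssigned",
+{
+"Indicates that non root user assigned with user ID zero.",
+"User ID Zero is assigned with non-root user.",
+"Critical",
+0,
+{},
+"None.",
+}},
+MessageEntry{"SecurityUserNonRootUidZeroRemoved",
+{
+"Indicates that non root user ID is removed",
+"Non root user assigned with user ID zero is removed.",
+"OK",
+0,
+{},
+"None.",
+}},
+
+MessageEntry{"SecurityUserRootEnabled",
+{
+"Indicates that system root user is enabled.",
+"User root is enabled.",
+"Critical",
+0,
+{},
+"None.",
+}},
+MessageEntry{"SecurityUserRootDisabled",
+{
+"Indicates that system root user is disabled.",
+"User root is disabled.",
+"OK",
+0,
+{},
+"None.",
+}},
+
+MessageEntry{"SecurityUserUnsupportedShellEnabled",
+{
+"Indicates that unsupported shell is enabled.",
+"Unsupported shell is enabled.",
+"Critical",
+0,
+{},
+"None.",
+}},
+MessageEntry{"SecurityUserUnsupportedShellRemoved",
+{
+"Indicates that unsupported shell is removed.",
+"Unsupported shell is removed.",
+"OK",
+0,
+{},
+"None.",
+}},
+
+MessageEntry{
+"SecurityUserWeakHashAlgoEnabled",
+{
+"Indicates that weak password computing hash algorithm is enabled.",
+"Weak password computing hash algorithm is enabled.",
+"Critical",
+0,
+{},
+"None.",
+}},
+
 MessageEntry{"SELEntryAdded",
 {
 "Indicates a SEL entry was added using the "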
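Review bot: The `SecurityUserWeakHashAlgoEnabled` entry declares `0` message args and a message with no `%1` placeholder, yet the event-log sample in the commit description carries `MessageArgs: ["MD5 Hash algorithm"]`, so the argument the producer sends has nowhere to land; either raise the count to `1` with `"Weak password computing hash algorithm is enabled: %1."` or drop the argument on the producer side. The sample's `OpenBMC.0.1.SecurityUserHashAlgoChanged` id also does not match the registered name `SecurityUserStrongHashAlgoRestored`, so that event as tested would not resolve against this registry. `SecurityUserStrongHashAlgoRestored` is placed ahead of the `...NonRootUidZero...` and `...Root...` entries; the rest of the array appears to be kept in alphabetical order, so if any lookup depends on that, move it after `SecurityUserRootDisabled`. For the `Critical` entries a `Resolution` of `"None."` gives an operator nothing to act on; a short directive such as `"Review the BMC password file and remove the offending entry."` would make the event actionable. The `registry` array begins and ends outside this hunk.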

