H A D | openbmc_message_registry.hpp | 8988dda4 Thu Dec 12 10:09:14 CST 2019 Suryakanth Sekar <suryakanth.sekar@linux.intel.com> bmcweb: Message entry for user security Event Message entry for BMC should detect the following intrusion or non-allowed configuration and log the security event with description. 1. Password storing hash algo changes from SHA2-256 to MD5 in Linux pwd file 2. When any user other than root has its UID set to 0 in Linux pwd file 3. When any unsupported shells (not bash or sh) are present in Linux pwd file 4. When the root user is assigned a password in Linux password file Tested: 1. Ran Redfish validator - passed for this new addition. { "@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry", "@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/75_1", "@odata.type": "#LogEntry.v1_4_0.LogEntry", "Created": "1970-01-01T00:01:15+00:00", "EntryType": "Event", "Id": "75_1", "Message": "weak password computing hash algorithm is enabled = MD5 Hash algorithm .", "MessageArgs": [ "MD5 Hash algorithm" ], "MessageId": "OpenBMC.0.1.SecurityUserWeakHashAlgoEnabled", "Name": "System Event Log Entry", "Severity": "Critical" }, { "@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry", "@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/240", "@odata.type": "#LogEntry.v1_4_0.LogEntry", "Created": "1970-01-01T00:04:00+00:00", "EntryType": "Event", "Id": "240", "Message": "other than /bin/bash,/bin/sh, Unsupported shell is enabled", "MessageArgs": [], "MessageId": "OpenBMC.0.1.SecurityUserUnsupportedShellEnabled", "Name": "System Event Log Entry", "Severity": "Critical" }, { "@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry", "@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/246", "@odata.type": "#LogEntry.v1_4_0.LogEntry", "Created": "1970-01-01T00:04:06+00:00", "EntryType": "Event", "Id": "246", "Message": "Unsupported shell is removed", "MessageArgs": [], "MessageId": "OpenBMC.0.1.SecurityUserUnsupportedShellRemoved", "Name": "System Event Log Entry", "Severity": "OK" }, { "@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry", "@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/604", "@odata.type": "#LogEntry.v1_4_0.LogEntry", "Created": "1970-01-01T00:10:04+00:00", "EntryType": "Event", "Id": "604", "Message": "password computing hash algorithm is changed to sha256/sha512.", "MessageArgs": [], "MessageId": "OpenBMC.0.1.SecurityUserHashAlgoChanged", "Name": "System Event Log Entry", "Severity": "OK" } { "@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry", "@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/75", "@odata.type": "#LogEntry.v1_4_0.LogEntry", "Created": "1970-01-01T00:01:15+00:00", "EntryType": "Event", "Id": "75", "Message": "root user is enabled.", "MessageArgs": [], "MessageId": "OpenBMC.0.1.SecurityUserRootEnabled", "Name": "System Event Log Entry", "Severity": "Critical" }, { "@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry", "@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/1153", "@odata.type": "#LogEntry.v1_4_0.LogEntry", "Created": "1970-01-01T00:19:13+00:00", "EntryType": "Event", "Id": "1153", "Message": "uid Zero is assigned with non-root user", "MessageArgs": [], "MessageId": "OpenBMC.0.1.SecurityUserNonRootUidZeroAssigned", "Name": "System Event Log Entry", "Severity": "Critical" } Signed-off-by: Suryakanth Sekar <suryakanth.sekar@linux.intel.com> Change-Id: I8a3a10be2cc85614baa7b0d2f56b3376c3301e01
|