search

bb-Ricardo / check_redfish

A monitoring/inventory plugin to check components and health status of systems which support Redfish. It will also create a inventory of all components of a system.
MIT License
110 stars 30 forks source link

Adds a check for ILO5 SecurityState #95

Closed lausser closed 1 year ago

lausser commented 1 year ago

Hi,

my admins pointed me to a setting SecurityState which can be used to enforce ssl and some stronger security guidelines. https://support.hpe.com/hpesc/public/docDisplay?docId=a00030074en_us&docLocale=en_US It can be queried by 

curl -u ilomonuser:secret  --insecure -L https://my-gen10-hp/redfish/v1/managers/1/securityservice | jq
{
  "@odata.context": "/redfish/v1/$metadata#HpeSecurityService.HpeSecurityService",
  "@odata.etag": "W/\"0D950D81\"",
  "@odata.id": "/redfish/v1/Managers/1/SecurityService",
  "@odata.type": "#HpeSecurityService.v2_3_1.HpeSecurityService",
  "Id": "SecurityService",
  "CurrentCipher": "ECDHE-RSA-AES256-GCM-SHA384",
  "Links": {
...
  "SecurityState": "Production",
  "SecurityState@Redfish.AllowableValues": [
    "Production",
    "HighSecurity",
    "FIPS"
  ],
...

It warns if the value of this setting is default/weak.

check_redfish.py --security ...
[WARNING]: SecurityState is Production

I tried to understand your way to implement all the functions (thanks a lot for all these features by the way) and added my code in cr_module/securityservice.py Not sure if it looks like if you implemented it yourself. Feel free to modify it like you want in case you accept the pull request.

Gerhard

bb-Ricardo commented 1 year ago

Hi, long time no see. Thank you for the contribution. Will have a look at it.

bb-Ricardo commented 1 year ago

Hi @lausser,

I added a commit to the new branch ilo-security-settings. I'm not sure if it's a good idea to output a WARNING if it's set to "Production". According to your link this is the default and would create a lot of alarms for a default setting.

lausser commented 1 year ago

Yes, that's true, it will produce alarms. On the other side, the default is bad from a security perspective and the purpose of this check is to find the ILOs which have not been switched to the good HighSecurity mode. That's at least the use case why the admins here came up with htis requirement. If default would be OK, then there would be nothing left to raise a WARNING. (FIPS is even more stricter than HighSecurity) (Adding an extra parameter where one can pass a list of "good" modes like --security --acceptable-states=HighSecurity,FIPS is too much imho, and in case HP adds an extra status with a firmware update, then there will be really a lot of alerts where nobody knows immediately what caused them) Ah, now i understand, there is no extra request --security, it's part of --bmc. Then you are right. Maybe a lot of people intentionally leave "Production" because their management software can not handle the secure states or they simply don't want to.

bb-Ricardo commented 1 year ago

Hi,

I ended up adding a --enable_bmc_security_warning cli option. This way the user can choose if a WARNING should be returned or not.

bb-Ricardo commented 1 year ago

Closing this one as it's added to the next-release branch