bmcweb: Message entry for user security Event
Message entry for
BMC should detect the following intrusion or non-allowed configuration and
log the security event with description.
1. Password storing hash algo changes from SHA2-256 to MD5 in Linux pwd file
2. When any user other than root has its UID set to 0 in Linux pwd file
3. When any unsupported shells (not bash or sh) are present in Linux pwd file
4. When the root user is assigned a password in Linux password file
Tested:
1. Ran Redfish validator - passed for this new addition.
{
"@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
"@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/75_1",
"@odata.type": "#LogEntry.v1_4_0.LogEntry",
"Created": "1970-01-01T00:01:15+00:00",
"EntryType": "Event",
"Id": "75_1",
"Message": "weak password computing hash algorithm is enabled = MD5 Hash algorithm .",
"MessageArgs": [
"MD5 Hash algorithm"
],
"MessageId": "OpenBMC.0.1.SecurityUserWeakHashAlgoEnabled",
"Name": "System Event Log Entry",
"Severity": "Critical"
},
{
"@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
"@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/240",
"@odata.type": "#LogEntry.v1_4_0.LogEntry",
"Created": "1970-01-01T00:04:00+00:00",
"EntryType": "Event",
"Id": "240",
"Message": "other than /bin/bash,/bin/sh, Unsupported shell is enabled",
"MessageArgs": [],
"MessageId": "OpenBMC.0.1.SecurityUserUnsupportedShellEnabled",
"Name": "System Event Log Entry",
"Severity": "Critical"
},
{
"@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
"@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/246",
"@odata.type": "#LogEntry.v1_4_0.LogEntry",
"Created": "1970-01-01T00:04:06+00:00",
"EntryType": "Event",
"Id": "246",
"Message": "Unsupported shell is removed",
"MessageArgs": [],
"MessageId": "OpenBMC.0.1.SecurityUserUnsupportedShellRemoved",
"Name": "System Event Log Entry",
"Severity": "OK"
},
{
"@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
"@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/604",
"@odata.type": "#LogEntry.v1_4_0.LogEntry",
"Created": "1970-01-01T00:10:04+00:00",
"EntryType": "Event",
"Id": "604",
"Message": "password computing hash algorithm is changed to sha256/sha512.",
"MessageArgs": [],
"MessageId": "OpenBMC.0.1.SecurityUserHashAlgoChanged",
"Name": "System Event Log Entry",
"Severity": "OK"
}
{
"@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
"@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/75",
"@odata.type": "#LogEntry.v1_4_0.LogEntry",
"Created": "1970-01-01T00:01:15+00:00",
"EntryType": "Event",
"Id": "75",
"Message": "root user is enabled.",
"MessageArgs": [],
"MessageId": "OpenBMC.0.1.SecurityUserRootEnabled",
"Name": "System Event Log Entry",
"Severity": "Critical"
},
{
"@odata.context": "/redfish/v1/$metadata#LogEntry.LogEntry",
"@odata.id": "/redfish/v1/Systems/system/LogServices/EventLog/Entries/1153",
"@odata.type": "#LogEntry.v1_4_0.LogEntry",
"Created": "1970-01-01T00:19:13+00:00",
"EntryType": "Event",
"Id": "1153",
"Message": "uid Zero is assigned with non-root user",
"MessageArgs": [],
"MessageId": "OpenBMC.0.1.SecurityUserNonRootUidZeroAssigned",
"Name": "System Event Log Entry",
"Severity": "Critical"
}
Signed-off-by: Suryakanth Sekar <suryakanth.sekar@linux.intel.com>
Change-Id: I8a3a10be2cc85614baa7b0d2f56b3376c3301e01
diff --git a/redfish-core/include/registries/openbmc_message_registry.hpp b/redfish-core/include/registries/openbmc_message_registry.hpp
index 1e9fa60..9b3cf28 100644
--- a/redfish-core/include/registries/openbmc_message_registry.hpp
+++ b/redfish-core/include/registries/openbmc_message_registry.hpp
@@ -29,7 +29,7 @@
"0.1.0",
"OpenBMC",
};
-constexpr std::array<MessageEntry, 144> registry = {
+constexpr std::array<MessageEntry, 152> registry = {
MessageEntry{
"ADDDCCorrectable",
{
@@ -1492,6 +1492,85 @@
{},
"None.",
}},
+ MessageEntry{
+ "SecurityUserStrongHashAlgoRestored",
+ {
+ "Indicates that password computing hash algorithm changed.",
+ "Password computing hash algorithm is changed to sha256/sha512.",
+ "OK",
+ 0,
+ {},
+ "None.",
+ }},
+
+ MessageEntry{"SecurityUserNonRootUidZeroAssigned",
+ {
+ "Indicates that non root user assigned with user ID zero.",
+ "User ID Zero is assigned with non-root user.",
+ "Critical",
+ 0,
+ {},
+ "None.",
+ }},
+ MessageEntry{"SecurityUserNonRootUidZeroRemoved",
+ {
+ "Indicates that non root user ID is removed",
+ "Non root user assigned with user ID zero is removed.",
+ "OK",
+ 0,
+ {},
+ "None.",
+ }},
+
+ MessageEntry{"SecurityUserRootEnabled",
+ {
+ "Indicates that system root user is enabled.",
+ "User root is enabled.",
+ "Critical",
+ 0,
+ {},
+ "None.",
+ }},
+ MessageEntry{"SecurityUserRootDisabled",
+ {
+ "Indicates that system root user is disabled.",
+ "User root is disabled.",
+ "OK",
+ 0,
+ {},
+ "None.",
+ }},
+
+ MessageEntry{"SecurityUserUnsupportedShellEnabled",
+ {
+ "Indicates that unsupported shell is enabled.",
+ "Unsupported shell is enabled.",
+ "Critical",
+ 0,
+ {},
+ "None.",
+ }},
+ MessageEntry{"SecurityUserUnsupportedShellRemoved",
+ {
+ "Indicates that unsupported shell is removed.",
+ "Unsupported shell is removed.",
+ "OK",
+ 0,
+ {},
+ "None.",
+ }},
+
+ MessageEntry{
+ "SecurityUserWeakHashAlgoEnabled",
+ {
+ "Indicates that weak password computing hash algorithm is enabled.",
+ "Weak password computing hash algorithm is enabled.",
+ "Critical",
+ 0,
+ {},
+ "None.",
+ }},
+
MessageEntry{"SELEntryAdded",
{
"Indicates a SEL entry was added using the "