#!/bin/bash
# Treat unset variables as errors. '-e' is not set: most failures below are
# counted in ErrorCount and reported via the exit status instead of aborting.
set -u

# Usage synopsis (including how to get this script):
#
#   cd /p4/common/site/bin
#   curl -L -O https://swarm.workshop.perforce.com/download/guest/tom_tyler/sw/main/fix_CVSS-87/fix_CVSS-87.sh
#   chmod +x fix_CVSS-87.sh
#   ./fix_CVSS-87.sh

# This script checks the security counter and Protections table.
# For security:
#    If 'security' is 4, all is well.
#    If 'security' is 3, we do 'p4 configure set security=4'.  P4 restart is needed later.
#    If 'security' is anything else, report an error.
# For Protections:
#    If the line 'list user remote * -//...' is present, all is well.
#    If not, inject it just before the first line that looks like 'super user perforce * //...'
#
# A single log file is appended to: $LOGS/fix_CVSS-87.log
# This will only work in an SDP environment.

# Assumes standard SDP shell environment is set.  If multiple instances exist on a machine,
# call like this for each instance N:

# cd /p4/common/site/bin
# /p4/common/bin/p4master_run N /p4/common/site/bin/fix_CVSS-87.sh

# Script identity: basename of this script, the user running it (filled in
# later), the short hostname, and the script version.
declare ThisScript ThisUser ThisHost Version
ThisScript=${0##*/}
ThisUser=
ThisHost=${HOSTNAME%%.*}
Version=1.0.8

# Per-run values resolved once the SDP environment has been sourced.
declare SecurityLevel= Log= TmpFile= TmpFile2=

# Banner separators used in the log output.
declare H1 H2
H1="=============================================================================="
H2="------------------------------------------------------------------------------"

# Running tally of problems found; doubles as the script's exit status.
declare -i ErrorCount=0
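# Print all arguments as one line, interpreting backslash escapes such as \n.
# printf '%b' is used instead of 'echo -e' so that a message beginning with
# '-' (e.g. "-n") is printed rather than being consumed as an echo option.
msg () { printf '%b\n' "$*"; }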
# Report an error (surrounded by blank lines) and bump the error tally.
# Arguments: $1 - error text; defaults to "Unknown Error" when omitted.
errmsg () {
   local text="${1:-Unknown Error}"
   msg "\\nError: ${text}\\n"
   ErrorCount=$((ErrorCount + 1))
}
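# Report a fatal error and stop. The original version only counted the error
# (twice) and let the script continue past conditions such as a missing SDP
# environment or unwritable log; every caller uses the '... || bail' form for
# conditions the rest of the script cannot proceed without.
# Arguments: $1 - error text; defaults to "Unknown Error" when omitted.
# Exits with the current error count (at least 1 after errmsg).
bail () {
   errmsg "${1:-Unknown Error}"
   exit "$ErrorCount"
}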

# Identify the SDP instance from the environment and load its p4_vars.
SDPInstance="${SDP_INSTANCE:-}"
[[ -n "$SDPInstance" ]] || bail "SDP Shell Environment is not set."

# shellcheck disable=SC1091
if ! source /p4/common/bin/p4_vars "$SDPInstance"; then
   bail "Could not do: source /p4/common/bin/p4_vars \"$SDPInstance\""
fi

# The log lives under $LOGS (set by p4_vars), named after this script minus '.sh'.
Log="${LOGS}/${ThisScript%.sh}.log"
if ! touch "$Log"; then
   bail "Could not do: touch \"$Log\""
fi

# From here on, everything written to stdout or stderr is also appended to the log.
exec > >(tee -a "$Log") 2>&1

# Opening banner: log location, then who/where/when this run is.
msg "${H1}\\nLog is: ${Log}"
ThisUser="$(id -un)"
msg "Starting ${ThisScript} v${Version} as ${ThisUser}@${ThisHost} on $(date)."

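msg "${H2}\\nEnsuring Security is set to 4."

# '-ztag -F %Value%' prints only the Value field of the configurable, so a
# healthy result is a bare integer.
SecurityLevel=$("$P4BIN" -ztag -F %Value% configure show security)

if [[ "$SecurityLevel" =~ ^[0-9]+$ ]]; then
   if [[ "$SecurityLevel" == "4" ]]; then
      msg "Security Level is already the desired value: $SecurityLevel. No change needed."
   elif [[ "$SecurityLevel" == "3" ]]; then
      # The previous message reported the *current* value (3) as the value being
      # set; the target is 4.
      msg "Security Level is at level 3. Changing it to 4."
      # A failed 'configure set' is counted as an error instead of being
      # reported as a success.
      if "$P4BIN" -s configure set security=4; then
         msg "Security set to 4. Restart the p4d_$SDP_INSTANCE service for this to take effect."
      else
         errmsg "Could not do: $P4BIN configure set security=4"
      fi
   else
      errmsg "Security Level is at level $SecurityLevel"
   fi
else
   errmsg "Could not determine value of 'security' configurable."
fi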

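msg "${H2}\\nRestricting remote user in Protections."

# The temp files hold copies of the Protections table; remove them on exit so
# the table is not left behind in the temp directory, and check that mktemp
# actually succeeded before relying on the paths.
cleanup_tmp () {
   [[ -n "$TmpFile" ]] && rm -f -- "$TmpFile"
   [[ -n "$TmpFile2" ]] && rm -f -- "$TmpFile2"
   return 0
}
trap cleanup_tmp EXIT

TmpFile=$(mktemp) || bail "Could not create a temp file with mktemp."
TmpFile2=$(mktemp) || bail "Could not create a temp file with mktemp."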

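# Export the current Protections table (minus '#' comment lines) into TmpFile,
# work on a copy in TmpFile2, and load a new table with 'p4 protect -i' only
# after verifying the generated copy really contains the new line.
if "$P4BIN" protect -o | grep -v '^#' > "$TmpFile"; then
   cp "$TmpFile" "$TmpFile2" || bail "Unexpected file copy error."
   if grep -q '^Protections:' "$TmpFile2"; then
      if grep -q "list user remote" "$TmpFile2"; then
         msg "Protections table has the needed mitigation. All is well."
      else
         # P4USER (expected from the sourced p4_vars) is interpolated unescaped
         # into this regex and into the sed script below. That is fine for
         # ordinary user names; a name containing regex metacharacters would
         # simply fail to match and be reported below.
         if grep -E -q "super user $P4USER .* //..." "$TmpFile2"; then
            msg "Adding the 'remote user' risk mitigation. Diffs:"

            TAB=$'\t'
            MitigationLine="${TAB}list user remote * -//..."

            # GNU sed: '0,/re/' limits the substitution to the first matching
            # line, and '\n' in the replacement inserts the new line above it.
            # The address requires the super-user line to be tab-indented, as
            # 'p4 protect -o' prints it.
            if ! sed -e "0,/${TAB}super user $P4USER [^ ]* \/\/.*\$/ {
               s#^${TAB}super user $P4USER [^ ]* //.*\$#${MitigationLine}\n&#
               }" "$TmpFile" > "$TmpFile2"; then
               errmsg "sed failed while generating the updated Protections table."
            elif diff "$TmpFile" "$TmpFile2"; then
               # Identical files: the sed address did not match, so nothing was
               # injected.
               errmsg "Failed to inject needed line into Protections table."
            elif ! grep -q -F -- "$MitigationLine" "$TmpFile2"; then
               # diff returned non-zero for some reason other than a successful
               # injection (a diff error, or unexpected sed output). Never load
               # a table we did not verify.
               errmsg "Generated Protections table lacks the expected line. Protections are unaffected."
            elif "$P4BIN" protect -i < "$TmpFile2"; then
               msg "Protections updated with risk mitigation."
            else
               errmsg "Protections table update failed. Protections are unaffected."
            fi
         else
            errmsg "Could not find the right spot in Protections to inject line."
         fi
      fi
   else
      errmsg "Invalid Protections table extracted."
   fi
else
   errmsg "Could not get Protections table."
fi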

# Closing banner; the exit status is the number of problems recorded above.
msg "Log is: ${Log}\\n${H1}"
exit "${ErrorCount}"