Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add scheduled cryptographic verification of root file systme #15677

Closed
wants to merge 15 commits into from
Closed

Add scheduled cryptographic verification of root file systme #15677

wants to merge 15 commits into from

Conversation

mgrimesix
Copy link
Contributor

Add scheduled cryptographic verification of root file system for STIG

This PR should be merged with the same named PRs in truenas_verify and scale-build.

  • Add OS file system cryptographic verification to audit setup. The audit setup runs at initial install and every OS update. The verification is achieved via truenas_verify . The install/update truenas_verify call will generate a versioned discrepancy log in the /var/log/audit directory.
  • Add scheduled cryptographic verification of the OS file system via an Alert check. Discrepancies found during the scheduled runs are reported in syslog.
  • The schedule is currently set to run every 60 minutes.

NOTE: The truenas_verify call can take several seconds on a VM. This increases the initial boot and update boots by the same amount.

CI tests and inclusion in a diagnostic will be added in separate PRs

yocalebo and others added 15 commits February 7, 2025 15:05
@yocalebo
remove legacy vm tests (#15641)
a982ce6
@themylogin
Make run_with_user_context crash if multiprocessing worker tries to…
c18409f 
… import API (#15553)
@anodos325
Remove handling for POST requests for legacy TC (#15511)
e34cd3b 
This nginx directive is not required anymore since the middleware
path was removed.
@Qubad786
Specify secure boot key in image choices (#15654)
504afd7
@yocalebo
NAS-133930 / 25.10 / Clean-up device info plugin (#15550)
5164210 
* remove dead end-point

* remove unused imports

* remove more dead endpoints and test

* remove unnecessary endpoint from device

* fix device.get_info SERIAL
@yocalebo
NAS-134132 / 25.10 / Fix STIG API tests (#15656)
788bf81 
* remove unused imports

* fix STIG api tests
@yocalebo
NAS-134133 / 25.10 / Privatize certain failover endpoints (#15661)
19b2fd2 
* convert unused public to private

* remove dead endpoints
@Qubad786
NAS-134104 / 25.10 / Fix netmask being empty string (#15660)
0464eaf 
* Fix bug when retrieving netmask for virt aliases

* Reflect change in 25.10 API
@anodos325
Use a proper job id for download token test (#15650)
0127633 
We now raise exception if job id does not match an existing
job for the user.
@Qubad786 @yocalebo
NAS-133858 / 25.10 / Make sure CPU temperature is reported for virtua…
03d3183 
…l cores (#15514)

* map hyper-threaded ids temps

* be sure and add virtual temp to total_temp

* Small fix

---------

Co-authored-by: Caleb <[email protected]>
@yocalebo
fix typo in device.get_info (#15669)
766bf67
@yocalebo
remove schema validation for dataset_encryption.py (#15663)
2a01066
@yocalebo
remove unnecessary api test (#15668)
5687315
@NianwenDan
clarify ACME DNS-Authenticators cloudflare error message (#15667)
ee5cf86
@themylogin
Remove unused API endpoints (#15651)
6deae71
@mgrimesix mgrimesix requested review from anodos325, bmeagherix and a team February 12, 2025 07:51
@mgrimesix mgrimesix closed this Feb 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anodos325 anodos325 Awaiting requested review from anodos325

@bmeagherix bmeagherix Awaiting requested review from bmeagherix

Assignees
No one assigned
Labels
backport-25.04-RC.1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@mgrimesix @yocalebo @themylogin @anodos325 @Qubad786 @NianwenDan