NAS-133968 / 25.10 / Add scheduled cryptographic verification of OS file system for STIG #15678

Open
wants to merge 1 commit into base: master
Conversation

mgrimesix (Contributor)

Scheduled cryptographic verification of the OS file system

This PR should be merged with the same-named PRs in truenas_verify and scale-build.

  • Added scheduled cryptographic verification via Alert check. The current schedule is once every 60 minutes.
    • Discrepancies found during the scheduled runs are logged to syslog
  • Install and update: generate a version-tagged discrepancy log in the /var/log/audit directory.

NOTE: A verification run can take several seconds on a VM. This time is added to the initial boot and update boots. All other boots are not impacted.


CI tests and update to the diagnostic will be done in separate PRs
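To make the mechanism in the description concrete, here is an added, self-contained illustration of manifest-based file-system verification. It is not truenas_verify or TrueNAS middleware code; it assumes a JSON-style manifest of relative path to SHA-256 digest and a hypothetical log file name `truenas_verify.<version>.log`, and it skips the syslog step (in a real run each finding would also be sent through `logging.handlers.SysLogHandler`). The sample root file system and the tampering are constructed inline so the example runs offline.

```python
"""Manifest-based integrity check of a root file system (added example).

Assumptions (not from the PR): the manifest maps relative POSIX paths to
SHA-256 hex digests, and the discrepancy log is named
truenas_verify.<version>.log inside an audit directory.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Set

CHUNK = 1024 * 1024


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_files(root: Path) -> Set[str]:
    """Regular files under root, keyed by relative path; symlinks are skipped
    so a link pointing outside the image cannot be hashed as if it belonged."""
    return {
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if not p.is_symlink() and p.is_file()
    }


def build_manifest(root: Path) -> Dict[str, str]:
    """Hash every regular file under root (the install/update-time baseline)."""
    return {rel: sha256_file(root / rel) for rel in sorted(list_files(root))}


def verify(root: Path, manifest: Dict[str, str]) -> List[str]:
    """Scheduled run: one line per MISSING, MODIFIED or UNEXPECTED file."""
    findings: List[str] = []
    for rel, expected in manifest.items():
        target = root / rel
        if target.is_symlink() or not target.is_file():
            findings.append(f"MISSING {rel}")
            continue
        actual = sha256_file(target)
        if actual != expected:
            findings.append(
                f"MODIFIED {rel} expected={expected[:12]} actual={actual[:12]}"
            )
    # Files present on disk but absent from the manifest are reported too;
    # a dropped binary is as interesting as a changed one.
    for rel in sorted(list_files(root) - set(manifest)):
        findings.append(f"UNEXPECTED {rel}")
    return findings


def write_versioned_log(log_dir: Path, version: str, findings: List[str]) -> Path:
    """Write the version-tagged discrepancy log (file name is an assumption)."""
    log_dir.mkdir(parents=True, exist_ok=True)
    path = log_dir / f"truenas_verify.{version}.log"
    lines = findings or ["OK: no discrepancies"]
    path.write_text("\n".join(lines) + "\n")
    return path


def demo() -> Dict[str, object]:
    """Constructed sample: baseline, then tamper, then verify and log."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "rootfs"
        (root / "usr" / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "usr" / "bin" / "middlewared").write_bytes(b"\x7fELF constructed sample")
        (root / "etc" / "release").write_text("25.10\n")

        manifest = build_manifest(root)
        clean = verify(root, manifest)  # expected: no findings

        # Constructed tampering: modify one file, delete one, add one.
        (root / "usr" / "bin" / "middlewared").write_bytes(b"\x7fELF tampered")
        (root / "etc" / "release").unlink()
        (root / "usr" / "bin" / "rogue").write_bytes(b"constructed foreign binary")

        findings = verify(root, manifest)
        log_path = write_versioned_log(Path(tmp) / "audit", "25.10-TEST", findings)
        return {"clean": clean, "findings": findings, "log": log_path.read_text()}


if __name__ == "__main__":
    for line in demo()["findings"]:
        print(line)
```

Two caveats a practitioner would apply to any such check: the manifest is the trust anchor, so it must be stored read-only or signed, or an attacker who can rewrite a binary can rewrite its digest as well; and paths that legitimately change at runtime must be excluded from the manifest, otherwise every scheduled run reports noise and real findings are lost in it.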

@bugclerk (Contributor)

@bugclerk bugclerk changed the title Add scheduled cryptographic verification of OS file system for STIG NAS-133968 / 25.10 / Add scheduled cryptographic verification of OS file system for STIG Feb 12, 2025
@mgrimesix mgrimesix requested a review from yocalebo February 12, 2025 16:15
@yocalebo (Contributor) left a comment

Awesome! Like the other review, get @bmeagherix and/or @anodos325 final review.

Update audit setup to generate an 'initial' version tagged truenas_verify log.

Fix truenas_verify audit setup.

Use ThreadedAlertSource

Fix up import formatting.

Removed setup_truenas_verify as an API endpoint.  Moved to an audit utility.
Converted truenas_verify call to middleware async 'run'.
Small Flake8 fix:  json was imported but not used.

Convert to run_in_thread module call.

Move from once per hour to once per day.
4 participants