
Adds a check for ILO5 SecurityState #95

Closed
wants to merge 1 commit into from

Conversation

lausser

@lausser lausser commented Aug 19, 2022

Hi,

my admins pointed me to a setting SecurityState which can be used to enforce ssl and some stronger security guidelines.
https://support.hpe.com/hpesc/public/docDisplay?docId=a00030074en_us&docLocale=en_US
It can be queried by

```
curl -u ilomonuser:secret  --insecure -L https://my-gen10-hp/redfish/v1/managers/1/securityservice | jq
{
  "@odata.context": "/redfish/v1/$metadata#HpeSecurityService.HpeSecurityService",
  "@odata.etag": "W/\"0D950D81\"",
  "@odata.id": "/redfish/v1/Managers/1/SecurityService",
  "@odata.type": "#HpeSecurityService.v2_3_1.HpeSecurityService",
  "Id": "SecurityService",
  "CurrentCipher": "ECDHE-RSA-AES256-GCM-SHA384",
  "Links": {
...
  "SecurityState": "Production",
  "SecurityState@Redfish.AllowableValues": [
    "Production",
    "HighSecurity",
    "FIPS"
  ],
...
```

It warns if the value of this setting is default/weak.

```
check_redfish.py --security ...
[WARNING]: SecurityState is Production
```

I tried to understand your way to implement all the functions (thanks a lot for all these features by the way) and added my code in cr_module/securityservice.py
Not sure if it looks like if you implemented it yourself. Feel free to modify it like you want in case you accept the pull request.

Gerhard

@bb-Ricardo
Owner

Hi, long time no see. Thank you for the contribution. Will have a look at it.

bb-Ricardo added a commit that referenced this pull request Nov 10, 2022
@bb-Ricardo
Owner

Hi @lausser,

I added a commit to the new branch ilo-security-settings. I'm not sure if it's a good idea to output a WARNING if it's set to "Production". According to your link this is the default and would create a lot of alarms for a default setting.

@lausser
Author

lausser commented Nov 11, 2022

Yes, that's true, it will produce alarms. On the other side, the default is bad from a security perspective and the purpose of this check is to find the ILOs which have not been switched to the good HighSecurity mode. That's at least the use case why the admins here came up with this requirement. If default would be OK, then there would be nothing left to raise a WARNING. (FIPS is even stricter than HighSecurity)
(Adding an extra parameter where one can pass a list of "good" modes like --security --acceptable-states=HighSecurity,FIPS is too much imho, and in case HP adds an extra status with a firmware update, then there will be really a lot of alerts where nobody knows immediately what caused them)
Ah, now I understand, there is no extra request --security, it's part of --bmc. Then you are right. Maybe a lot of people intentionally leave "Production" because their management software can not handle the secure states or they simply don't want to.

@bb-Ricardo
Owner

Hi,

I ended up adding a --enable_bmc_security_warning cli option. This way the user can choose if a WARNING should be returned or not.
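The evaluation the thread converges on (warn on a non-hardened SecurityState, but only when the operator opts in) as an added, stand-alone Python example; it is not code from the check_redfish project or from either commenter. It works on a JSON document like the one quoted in the first post, here a constructed sample embedded inline, and assumes that "HighSecurity" and "FIPS" are the states to treat as hardened, that the allowable-values key carries the standard Redfish `@Redfish.AllowableValues` annotation name, and that the `warn_on_weak` flag plays the role of the `--enable_bmc_security_warning` option. The `--file` argument of the small CLI wrapper is hypothetical.

```python
import json

# Constructed sample, modelled on the (truncated) SecurityService JSON quoted in
# the pull request. Not a capture from a real iLO.
SAMPLE_SECURITY_SERVICE = json.dumps({
    "@odata.id": "/redfish/v1/Managers/1/SecurityService",
    "@odata.type": "#HpeSecurityService.v2_3_1.HpeSecurityService",
    "Id": "SecurityService",
    "CurrentCipher": "ECDHE-RSA-AES256-GCM-SHA384",
    "SecurityState": "Production",
    "SecurityState@Redfish.AllowableValues": ["Production", "HighSecurity", "FIPS"],
})

# States treated as hardened (assumption drawn from the discussion above).
STRONG_STATES = frozenset({"HighSecurity", "FIPS"})

# Standard Nagios/Icinga plugin exit codes.
EXIT_CODES = {"OK": 0, "WARNING": 1, "CRITICAL": 2, "UNKNOWN": 3}


def evaluate_security_state(body, warn_on_weak=False, strong_states=STRONG_STATES):
    """Return (status, message) for a SecurityService JSON document.

    warn_on_weak mirrors an opt-in switch such as --enable_bmc_security_warning:
    only when it is True does a non-hardened state become a WARNING. Otherwise the
    state is still named in the OK output so it remains visible to the operator.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return "UNKNOWN", f"SecurityService returned invalid JSON: {exc}"

    state = doc.get("SecurityState")
    if not isinstance(state, str):
        return "UNKNOWN", "SecurityService has no SecurityState attribute"

    allowable = doc.get("SecurityState@Redfish.AllowableValues")
    if isinstance(allowable, list) and state not in allowable:
        # A value outside the advertised list points at a firmware or schema
        # change; report it as UNKNOWN rather than guessing whether it is weak.
        return "UNKNOWN", f"SecurityState '{state}' not in allowable values {allowable}"

    cipher = doc.get("CurrentCipher")
    detail = f"SecurityState is {state}" + (f", cipher {cipher}" if cipher else "")
    if state in strong_states:
        return "OK", detail
    if warn_on_weak:
        return "WARNING", detail
    return "OK", detail + " (security warning disabled)"


def exit_code(status):
    """Map a plugin status word to its process exit code."""
    return EXIT_CODES[status]


if __name__ == "__main__":
    import argparse
    import sys

    parser = argparse.ArgumentParser(description="Evaluate an iLO SecurityService document")
    parser.add_argument("--enable_bmc_security_warning", action="store_true",
                        help="return WARNING when SecurityState is not hardened")
    parser.add_argument("--file", help="JSON saved from .../Managers/1/SecurityService "
                                       "(hypothetical option; default uses the constructed sample)")
    args = parser.parse_args()
    body = open(args.file).read() if args.file else SAMPLE_SECURITY_SERVICE
    status, message = evaluate_security_state(body, args.enable_bmc_security_warning)
    print(f"[{status}]: {message}")
    sys.exit(exit_code(status))
```

Run without arguments it reports OK on the sample; with `--enable_bmc_security_warning` the same document yields `[WARNING]: SecurityState is Production, cipher ECDHE-RSA-AES256-GCM-SHA384`. The UNKNOWN branch for a state missing from the advertised allowable values is there for the firmware-update scenario raised in the thread, so a newly introduced state is flagged with its name instead of silently being classified as weak.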

@bb-Ricardo bb-Ricardo added this to the 1.4.2 milestone Nov 14, 2022
@bb-Ricardo
Owner

Closing this one as it's added to the next-release branch

@bb-Ricardo bb-Ricardo closed this Feb 24, 2023