

Fixing Samba service name used to check if Samba is running and more …
…stabilization for ASB v2 (#709)
MariusNi authored Jun 5, 2024
1 parent 1228693 commit 9f19a4e
Showing 7 changed files with 149 additions and 75 deletions.
59 changes: 30 additions & 29 deletions src/common/asb/Asb.c
Expand Up @@ -564,6 +564,7 @@ static const char* g_rhosts = "rhosts";
static const char* g_systemdJournald = "systemd-journald";
static const char* g_allTelnetd = "*telnetd*";
static const char* g_samba = "samba";
static const char* g_smbd = "smbd";
static const char* g_rpcSvcgssd = "rpc.svcgssd";
static const char* g_needSvcgssd = "NEED_SVCGSSD = yes";
static const char* g_inetInterfacesLocalhost = "inet_interfaces localhost";
Expand Down Expand Up @@ -661,7 +662,7 @@ void AsbInitialize(void* log)

if (false == FileExists(g_etcFstabCopy))
{
if (false == MakeFileBackupCopy(g_etcFstab, g_etcFstabCopy, log))
if (false == MakeFileBackupCopy(g_etcFstab, g_etcFstabCopy, true, log))
{
OsConfigLogError(log, "AsbInitialize: failed to make a local backup copy of '%s'", g_etcFstab);
}
Expand Down Expand Up @@ -2039,7 +2040,7 @@ static char* AuditEnsureSmbWithSambaIsDisabled(void* log)
const char* minProtocol = "min protocol = SMB2";
char* reason = NULL;

if (false == CheckDaemonNotActive(g_samba, &reason, log))
if (false == CheckDaemonNotActive(g_smbd, &reason, log))
{
RETURN_REASON_IF_NOT_ZERO(CheckLineNotFoundOrCommentedOut(g_etcSambaConf, '#', minProtocol, &reason, log));
CheckLineNotFoundOrCommentedOut(g_etcSambaConf, ';', minProtocol, &reason, log);
Expand Down Expand Up @@ -2772,19 +2773,19 @@ static int RemediateEnsureNonRootAccountsHaveUniqueUidsGreaterThanZero(char* val
static int RemediateEnsureNoLegacyPlusEntriesInEtcPasswd(char* value, void* log)
{
UNUSED(value);
return ReplaceMarkedLinesInFile(g_etcPasswd, "+", NULL, '#', log);
return ReplaceMarkedLinesInFile(g_etcPasswd, "+", NULL, '#', true, log);
}

static int RemediateEnsureNoLegacyPlusEntriesInEtcShadow(char* value, void* log)
{
UNUSED(value);
return ReplaceMarkedLinesInFile(g_etcShadow, "+", NULL, '#', log);
return ReplaceMarkedLinesInFile(g_etcShadow, "+", NULL, '#', true, log);
}

static int RemediateEnsureNoLegacyPlusEntriesInEtcGroup(char* value, void* log)
{
UNUSED(value);
return ReplaceMarkedLinesInFile(g_etcGroup, "+", NULL, '#', log);
return ReplaceMarkedLinesInFile(g_etcGroup, "+", NULL, '#', true, log);
}

static int RemediateEnsureDefaultRootAccountGroupIsGidZero(char* value, void* log)
Expand Down Expand Up @@ -2955,8 +2956,8 @@ static int RemediateEnsurePacketRedirectSendingIsDisabled(char* value, void* log
UNUSED(value);
return ((0 == ExecuteCommand(NULL, "sysctl -w net.ipv4.conf.all.send_redirects=0", true, false, 0, 0, NULL, NULL, log)) &&
(0 == ExecuteCommand(NULL, "sysctl -w net.ipv4.conf.default.send_redirects=0", true, false, 0, 0, NULL, NULL, log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv4.conf.all.send_redirects", "net.ipv4.conf.all.send_redirects = 0\n", '#', log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv4.conf.default.send_redirects", "net.ipv4.conf.default.send_redirects = 0\n", '#', log))) ? 0 : ENOENT;
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv4.conf.all.send_redirects", "net.ipv4.conf.all.send_redirects = 0\n", '#', true, log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv4.conf.default.send_redirects", "net.ipv4.conf.default.send_redirects = 0\n", '#', true, log))) ? 0 : ENOENT;
}

static int RemediateEnsureIcmpRedirectsIsDisabled(char* value, void* log)
Expand All @@ -2968,12 +2969,12 @@ static int RemediateEnsureIcmpRedirectsIsDisabled(char* value, void* log)
(0 == ExecuteCommand(NULL, "sysctl -w net.ipv6.conf.all.accept_redirects=0", true, false, 0, 0, NULL, NULL, log)) &&
(0 == ExecuteCommand(NULL, "sysctl -w net.ipv4.conf.default.secure_redirects=0", true, false, 0, 0, NULL, NULL, log)) &&
(0 == ExecuteCommand(NULL, "sysctl -w net.ipv4.conf.all.secure_redirects=0", true, false, 0, 0, NULL, NULL, log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv4.conf.default.accept_redirects", "net.ipv4.conf.default.accept_redirects = 0\n", '#', log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv6.conf.default.accept_redirects", "net.ipv6.conf.default.accept_redirects = 0\n", '#', log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv4.conf.all.accept_redirects", "net.ipv4.conf.all.accept_redirects = 0\n", '#', log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv6.conf.all.accept_redirects", "net.ipv6.conf.all.accept_redirects = 0\n", '#', log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv4.conf.default.secure_redirects", "net.ipv4.conf.default.secure_redirects = 0\n", '#', log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv4.conf.all.secure_redirects", "net.ipv4.conf.all.secure_redirects = 0\n", '#', log))) ? 0 : ENOENT;
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv4.conf.default.accept_redirects", "net.ipv4.conf.default.accept_redirects = 0\n", '#', true, log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv6.conf.default.accept_redirects", "net.ipv6.conf.default.accept_redirects = 0\n", '#', true, log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv4.conf.all.accept_redirects", "net.ipv4.conf.all.accept_redirects = 0\n", '#', true, log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv6.conf.all.accept_redirects", "net.ipv6.conf.all.accept_redirects = 0\n", '#', true, log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv4.conf.default.secure_redirects", "net.ipv4.conf.default.secure_redirects = 0\n", true, '#', log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv4.conf.all.secure_redirects", "net.ipv4.conf.all.secure_redirects = 0\n", '#', true, log))) ? 0 : ENOENT;
}

static int RemediateEnsureSourceRoutedPacketsIsDisabled(char* value, void* log)
Expand Down Expand Up @@ -3007,8 +3008,8 @@ static int RemediateEnsureMartianPacketLoggingIsEnabled(char* value, void* log)
UNUSED(value);
return ((0 == ExecuteCommand(NULL, "sysctl -w net.ipv4.conf.all.log_martians=1", true, false, 0, 0, NULL, NULL, log)) &&
(0 == ExecuteCommand(NULL, "sysctl -w net.ipv4.conf.default.log_martians=1", true, false, 0, 0, NULL, NULL, log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv4.conf.all.log_martians", "net.ipv4.conf.all.log_martians = 1\n", '#', log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv4.conf.default.log_martians", "net.ipv4.conf.default.log_martians = 1\n", '#', log))) ? 0 : ENOENT;
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv4.conf.all.log_martians", "net.ipv4.conf.all.log_martians = 1\n", '#', true, log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv4.conf.default.log_martians", "net.ipv4.conf.default.log_martians = 1\n", '#', true, log))) ? 0 : ENOENT;
}

static int RemediateEnsureReversePathSourceValidationIsEnabled(char* value, void* log)
Expand All @@ -3027,8 +3028,8 @@ static int RemediateEnsureTcpSynCookiesAreEnabled(char* value, void* log)
static int RemediateEnsureSystemNotActingAsNetworkSniffer(char* value, void* log)
{
UNUSED(value);
return ((0 == ReplaceMarkedLinesInFile(g_etcNetworkInterfaces, "PROMISC", NULL, '#', log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcRcLocal, "PROMISC", NULL, '#', log))) ? 0 : ENOENT;
return ((0 == ReplaceMarkedLinesInFile(g_etcNetworkInterfaces, "PROMISC", NULL, '#', true, log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcRcLocal, "PROMISC", NULL, '#', true, log))) ? 0 : ENOENT;
}

static int RemediateEnsureAllWirelessInterfacesAreDisabled(char* value, void* log)
Expand All @@ -3042,8 +3043,8 @@ static int RemediateEnsureIpv6ProtocolIsEnabled(char* value, void* log)
UNUSED(value);
return ((0 == ExecuteCommand(NULL, "sysctl -w net.ipv6.conf.default.disable_ipv6=0", true, false, 0, 0, NULL, NULL, log)) &&
(0 == ExecuteCommand(NULL, "sysctl -w net.ipv6.conf.all.disable_ipv6=0", true, false, 0, 0, NULL, NULL, log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv6.conf.default.disable_ipv6", "net.ipv6.conf.default.disable_ipv6 = 0\n", '#', log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv6.conf.all.disable_ipv6", "net.ipv6.conf.all.disable_ipv6 = 0\n", '#', log))) ? 0 : ENOENT;
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv6.conf.default.disable_ipv6", "net.ipv6.conf.default.disable_ipv6 = 0\n", '#', true, log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv6.conf.all.disable_ipv6", "net.ipv6.conf.all.disable_ipv6 = 0\n", '#', true, log))) ? 0 : ENOENT;
}

static int RemediateEnsureDccpIsDisabled(char* value, void* log)
Expand Down Expand Up @@ -3083,8 +3084,8 @@ static int RemediateEnsureZeroconfNetworkingIsDisabled(char* value, void* log)
UNUSED(value);
StopAndDisableDaemon(g_avahiDaemon, log);
return ((false == IsDaemonActive(g_avahiDaemon, log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcNetworkInterfaces, g_ipv4ll, NULL, '#', log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysconfigNetwork, "NOZEROCONF", "NOZEROCONF=yes\n", '#', log))) ? 0 : ENOENT;
(0 == ReplaceMarkedLinesInFile(g_etcNetworkInterfaces, g_ipv4ll, NULL, '#', true, log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcSysconfigNetwork, "NOZEROCONF", "NOZEROCONF=yes\n", '#', true, log))) ? 0 : ENOENT;
}

static int RemediateEnsurePermissionsOnBootloaderConfig(char* value, void* log)
Expand Down Expand Up @@ -3117,7 +3118,7 @@ static int RemediateEnsureCoreDumpsAreRestricted(char* value, void* log)
const char* hardCore = "hard core";
int status = 0;
UNUSED(value);
if ((0 == (status = ReplaceMarkedLinesInFile(g_etcSecurityLimitsConf, hardCore, g_hardCoreZero, '#', log))) && DirectoryExists(g_etcSecurityLimitsD))
if ((0 == (status = ReplaceMarkedLinesInFile(g_etcSecurityLimitsConf, hardCore, g_hardCoreZero, '#', true, log))) && DirectoryExists(g_etcSecurityLimitsD))
{
status = SecureSaveToFile(fileName, g_fsSuidDumpable, strlen(g_fsSuidDumpable), log) ? 0 : ENOENT;
}
Expand Down Expand Up @@ -3300,8 +3301,8 @@ static int RemediateEnsureAllRsyslogLogFilesAreOwnedBySyslogUser(char* value, vo
static int RemediateEnsureRsyslogNotAcceptingRemoteMessages(char* value, void* log)
{
UNUSED(value);
return ((0 == ReplaceMarkedLinesInFile(g_etcRsyslogConf, "$ModLoad imudp", NULL, '#', log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcRsyslogConf, "$ModLoad imtcp", NULL, '#', log))) ? 0 : ENOENT;
return ((0 == ReplaceMarkedLinesInFile(g_etcRsyslogConf, "$ModLoad imudp", NULL, '#', true, log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcRsyslogConf, "$ModLoad imtcp", NULL, '#', true, log))) ? 0 : ENOENT;
}

static int RemediateEnsureSyslogRotaterServiceIsEnabled(char* value, void* log)
Expand All @@ -3316,7 +3317,7 @@ static int RemediateEnsureTelnetServiceIsDisabled(char* value, void* log)
UNUSED(value);
StopAndDisableDaemon(g_telnet, log);
return ((false == CheckDaemonActive(g_telnet, NULL, log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcInetdConf, g_telnet, NULL, '#', log))) ? 0 : ENOENT;
(0 == ReplaceMarkedLinesInFile(g_etcInetdConf, g_telnet, NULL, '#', true, log))) ? 0 : ENOENT;
}

static int RemediateEnsureRcprshServiceIsDisabled(char* value, void* log)
Expand All @@ -3332,7 +3333,7 @@ static int RemediateEnsureTftpServiceisDisabled(char* value, void* log)
UNUSED(value);
StopAndDisableDaemon(g_tftpHpa, log);
return ((false == CheckDaemonActive(g_tftpHpa, NULL, log)) &&
(0 == ReplaceMarkedLinesInFile(g_etcInetdConf, g_tftp, NULL, '#', log))) ? 0 : ENOENT;
(0 == ReplaceMarkedLinesInFile(g_etcInetdConf, g_tftp, NULL, '#', true, log))) ? 0 : ENOENT;
}

static int RemediateEnsureAtCronIsRestrictedToAuthorizedUsers(char* value, void* log)
Expand Down Expand Up @@ -3510,7 +3511,7 @@ static int RemediateEnsureRpcsvcgssdServiceIsDisabled(char* value, void* log)
StopAndDisableDaemon(g_rpcSvcgssd, log);
if (FileExists(g_etcInetdConf))
{
status = ReplaceMarkedLinesInFile(g_etcInetdConf, g_needSvcgssd, NULL, '#', log);
status = ReplaceMarkedLinesInFile(g_etcInetdConf, g_needSvcgssd, NULL, '#', true, log);
}
return ((0 == status) && (false == IsDaemonActive(g_rpcSvcgssd, log))) ? 0 : ENOENT;
}
Expand Down Expand Up @@ -3550,9 +3551,9 @@ static int RemediateEnsureSmbWithSambaIsDisabled(char* value, void* log)

UNUSED(value);

if (IsDaemonActive(g_samba, log))
if (IsDaemonActive(g_smbd, log))
{
status = ((0 == ReplaceMarkedLinesInFile(g_etcSambaConf, "SMB1", NULL, '#', log)) &&
status = ((0 == ReplaceMarkedLinesInFile(g_etcSambaConf, "SMB1", NULL, '#', true, log)) &&
(0 == ExecuteCommand(NULL, command, true, false, 0, 0, NULL, NULL, log))) ? 0 : ENOENT;
}
else
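Review bot: In RemediateEnsureIcmpRedirectsIsDisabled the line `(0 == ReplaceMarkedLinesInFile(g_etcSysctlConf, "net.ipv4.conf.default.secure_redirects", "net.ipv4.conf.default.secure_redirects = 0\n", true, '#', log))` passes `true` and `'#'` in the wrong order for the new signature `(..., char commentCharacter, bool preserveAccess, void* log)`; both arguments are integer-convertible so this compiles without complaint, but (with stdbool's `true`) the comment character becomes `'\x01'` and `'#'` becomes `true`, so that one call no longer treats `#` as the comment marker while its sibling calls in the same hunk do. The fix is to reorder it to `'#', true, log` like the surrounding lines. Separately, with both AuditEnsureSmbWithSambaIsDisabled and RemediateEnsureSmbWithSambaIsDisabled now checking `g_smbd`, `g_samba` looks like an unused file-scope static unless a reference remains outside the visible hunks, in which case `-Wunused-variable` will flag it. Note also that the Samba daemon's unit is named `smbd` on Debian-derived distributions but `smb` on RHEL-derived ones, so a check keyed to a single name may report the daemon inactive on a host where it is running under the other name; worth confirming against the distributions this baseline targets.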
6 changes: 3 additions & 3 deletions src/common/commonutils/CommonUtils.h
Expand Up @@ -47,7 +47,7 @@ bool SavePayloadToFile(const char* fileName, const char* payload, const int payl
bool AppendPayloadToFile(const char* fileName, const char* payload, const int payloadSizeBytes, void* log);
bool SecureSaveToFile(const char* fileName, const char* payload, const int payloadSizeBytes, void* log);
bool AppendToFile(const char* fileName, const char* payload, const int payloadSizeBytes, void* log);
bool ConcatenateFiles(const char* firstFileName, const char* secondFileName, void* log);
bool ConcatenateFiles(const char* firstFileName, const char* secondFileName, bool preserveAccess, void* log);
int RenameFile(const char* original, const char* target, void* log);

void SetCommandLogging(bool commandLogging);
Expand All @@ -65,7 +65,7 @@ bool DirectoryExists(const char* directoryName);
int CheckFileExists(const char* fileName, char** reason, void* log);
int CheckFileNotFound(const char* fileName, char** reason, void* log);

bool MakeFileBackupCopy(const char* fileName, const char* backupName, void* log);
bool MakeFileBackupCopy(const char* fileName, const char* backupName, bool preserveAccess, void* log);

int CheckFileAccess(const char* fileName, int desiredOwnerId, int desiredGroupId, unsigned int desiredAccess, char** reason, void* log);
int SetFileAccess(const char* fileName, unsigned int desiredOwnerId, unsigned int desiredGroupId, unsigned int desiredAccess, void* log);
Expand All @@ -89,7 +89,7 @@ int UninstallPackage(const char* packageName, void* log);
unsigned int GetNumberOfLinesInFile(const char* fileName);
bool CharacterFoundInFile(const char* fileName, char what);
int CheckNoLegacyPlusEntriesInFile(const char* fileName, char** reason, void* log);
int ReplaceMarkedLinesInFile(const char* fileName, const char* marker, const char* newline, char commentCharacter, void* log);
int ReplaceMarkedLinesInFile(const char* fileName, const char* marker, const char* newline, char commentCharacter, bool preserveAccess, void* log);
int FindTextInFile(const char* fileName, const char* text, void* log);
int CheckTextIsFoundInFile(const char* fileName, const char* text, char** reason, void* log);
int CheckTextIsNotFoundInFile(const char* fileName, const char* text, char** reason, void* log);
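Review bot: The new `preserveAccess` parameter added to MakeFileBackupCopy, ConcatenateFiles and ReplaceMarkedLinesInFile carries no documentation, and these prototypes are the only place a caller looks; adjacent `char` and `bool` parameters are easy to pass in the wrong order without a compiler diagnostic, so a one-line comment above each would help. For ReplaceMarkedLinesInFile something like `// preserveAccess: true keeps the file's owner and access mode across the rewrite (RenameFileWithOwnerAndAccess); false renames the temporary file over it as-is (RenameFile)` matches the FileUtils.c change; the corresponding comments for the other two would name SecureSaveToFile versus SavePayloadToFile and AppendToFile versus AppendPayloadToFile. Changing these signatures also breaks any caller outside the three files shown here; the diffstat lists seven files, so presumably the remaining callers are updated in the parts of the commit not visible on this page.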
41 changes: 33 additions & 8 deletions src/common/commonutils/FileUtils.c
Expand Up @@ -208,7 +208,7 @@ bool AppendToFile(const char* fileName, const char* payload, const int payloadSi
return InternalSecureSaveToFile(fileName, "a", payload, payloadSizeBytes, log);
}

bool MakeFileBackupCopy(const char* fileName, const char* backupName, void* log)
bool MakeFileBackupCopy(const char* fileName, const char* backupName, bool preserveAccess, void* log)
{
char* fileContents = NULL;
char* newFileName = NULL;
Expand All @@ -220,7 +220,14 @@ bool MakeFileBackupCopy(const char* fileName, const char* backupName, void* log)
{
if (NULL != (fileContents = LoadStringFromFile(fileName, false, log)))
{
result = SecureSaveToFile(backupName, fileContents, strlen(fileContents), log);
if (preserveAccess)
{
result = SecureSaveToFile(backupName, fileContents, strlen(fileContents), log);
}
else
{
result = SavePayloadToFile(backupName, fileContents, strlen(fileContents), log);
}
}
else
{
Expand All @@ -246,7 +253,7 @@ bool MakeFileBackupCopy(const char* fileName, const char* backupName, void* log)
return result;
}

bool ConcatenateFiles(const char* firstFileName, const char* secondFileName, void* log)
bool ConcatenateFiles(const char* firstFileName, const char* secondFileName, bool preserveAccess, void* log)
{
char* contents = NULL;
bool result = false;
Expand All @@ -259,7 +266,15 @@ bool ConcatenateFiles(const char* firstFileName, const char* secondFileName, voi

if (NULL != (contents = LoadStringFromFile(secondFileName, false, log)))
{
result = AppendToFile(firstFileName, contents, strlen(contents), log);
if (preserveAccess)
{
result = AppendToFile(firstFileName, contents, strlen(contents), log);
}
else
{
result = AppendPayloadToFile(firstFileName, contents, strlen(contents), log);
}

FREE_MEMORY(contents);
}

Expand Down Expand Up @@ -749,7 +764,7 @@ int RenameFileWithOwnerAndAccess(const char* original, const char* target, void*
return status;
}

int ReplaceMarkedLinesInFile(const char* fileName, const char* marker, const char* newline, char commentCharacter, void* log)
int ReplaceMarkedLinesInFile(const char* fileName, const char* marker, const char* newline, char commentCharacter, bool preserveAccess, void* log)
{
const char* tempFileNameTemplate = "%s/~OSConfig.ReplacingLines%u";
char* tempFileName = NULL;
Expand Down Expand Up @@ -862,9 +877,19 @@ int ReplaceMarkedLinesInFile(const char* fileName, const char* marker, const cha

if (0 == status)
{
if (0 != (status = RenameFileWithOwnerAndAccess(tempFileName, fileName, log)))
if (preserveAccess)
{
OsConfigLogError(log, "ReplaceMarkedLinesInFile: RenameFileWithOwnerAndAccess('%s' to '%s') failed with %d", tempFileName, fileName, status);
if (0 != (status = RenameFileWithOwnerAndAccess(tempFileName, fileName, log)))
{
OsConfigLogError(log, "ReplaceMarkedLinesInFile: RenameFileWithOwnerAndAccess('%s' to '%s') failed with %d", tempFileName, fileName, status);
}
}
else
{
if (0 != (status = RenameFile(tempFileName, fileName, log)))
{
OsConfigLogError(log, "ReplaceMarkedLinesInFile: RenameFile('%s' to '%s') failed with %d", tempFileName, fileName, status);
}
}

remove(tempFileName);
Expand Down Expand Up @@ -1633,7 +1658,7 @@ int SetEtcConfValue(const char* file, const char* name, const char* value, void*
return ENOMEM;
}

if (0 == (status = ReplaceMarkedLinesInFile(file, name, newline, '#', log)))
if (0 == (status = ReplaceMarkedLinesInFile(file, name, newline, '#', true, log)))
{
OsConfigLogInfo(log, "SetEtcConfValue: successfully set '%s' to '%s' in '%s'", name, value, file);
}
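Review bot: When `preserveAccess` is false, ReplaceMarkedLinesInFile now installs the temporary file with plain `RenameFile`, so the target ends up with whatever owner and mode the temporary `~OSConfig.ReplacingLines%u` file was created with (its creation is outside this hunk), which for a configuration file with deliberately restrictive permissions would loosen them; none of the callers updated in this commit pass false, so that path is unexercised here, and a comment on the parameter stating that consequence would help the next caller decide. The same untested false branch is added to MakeFileBackupCopy (SavePayloadToFile) and ConcatenateFiles (AppendPayloadToFile). As a point of style, the two rename branches duplicate the error logging; it reads more simply as `status = preserveAccess ? RenameFileWithOwnerAndAccess(tempFileName, fileName, log) : RenameFile(tempFileName, fileName, log);` followed by one `if (0 != status) { OsConfigLogError(log, "ReplaceMarkedLinesInFile: %s('%s' to '%s') failed with %d", preserveAccess ? "RenameFileWithOwnerAndAccess" : "RenameFile", tempFileName, fileName, status); }`. The body of ReplaceMarkedLinesInFile starts and ends outside the hunk.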
