Fixing ASB v2's auditEnsureSystemdJournaldServicePersistsLogMessages and remediateEnsureSystemdJournaldServicePersistsLogMessages #764

Merged
merged 17 commits into from
Sep 17, 2024
Merged
Expand Up @@ -15,7 +15,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"configurationParameter": {
"accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
"ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
Expand Down Expand Up @@ -640,7 +640,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Down Expand Up @@ -735,7 +735,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Down Expand Up @@ -830,7 +830,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Up @@ -15,7 +15,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"configurationParameter": {
"accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
"ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
Expand Down Expand Up @@ -625,7 +625,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Down Expand Up @@ -716,7 +716,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Down Expand Up @@ -807,7 +807,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Up @@ -15,7 +15,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"configurationParameter": {
"accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
"ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
Expand Down Expand Up @@ -639,7 +639,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Down Expand Up @@ -734,7 +734,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Down Expand Up @@ -829,7 +829,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Up @@ -15,7 +15,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"configurationParameter": {
"accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
"ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
Expand Down Expand Up @@ -624,7 +624,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Down Expand Up @@ -715,7 +715,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Down Expand Up @@ -806,7 +806,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
10 changes: 8 additions & 2 deletions src/common/asb/Asb.c
Expand Up @@ -627,6 +627,7 @@ static char* g_desiredEnsureUnnecessaryAccountsAreRemoved = NULL;
static char* g_desiredEnsureDefaultDenyFirewallPolicyIsSet = NULL;

static const int g_shadowGid = 42;
static const int g_varLogJournalMode = 2755;

void AsbInitialize(void* log)
{
Expand Down Expand Up @@ -693,6 +694,11 @@ void AsbInitialize(void* log)
FREE_MEMORY(prettyName);
FREE_MEMORY(kernelVersion);

if (IsCommodore(log))
{
OsConfigLogInfo(log, "AsbInitialize: running on product '%s'", PRODUCT_NAME_AZURE_COMMODORE);
}

OsConfigLogInfo(log, "%s initialized", g_asbName);
}

Expand Down Expand Up @@ -1722,7 +1728,7 @@ static char* AuditEnsureSystemdJournaldServicePersistsLogMessages(void* log)
{
char* reason = NULL;
RETURN_REASON_IF_NOT_ZERO(CheckPackageInstalled(g_systemd, &reason, log));
CheckDirectoryAccess(g_varLogJournal, 0, -1, 2775, false, &reason, log);
CheckDirectoryAccess(g_varLogJournal, 0, -1, g_varLogJournalMode, false, &reason, log);
return reason;
}

Expand Down Expand Up @@ -3301,7 +3307,7 @@ static int RemediateEnsureSystemdJournaldServicePersistsLogMessages(char* value,
{
UNUSED(value);
return ((0 == InstallPackage(g_systemd, log)) &&
(0 == SetDirectoryAccess(g_varLogJournal, 0, -1, 2775, log))) ? 0 : ENOENT;
(0 == SetDirectoryAccess(g_varLogJournal, 0, -1, g_varLogJournalMode, log))) ? 0 : ENOENT;
}

static int RemediateEnsureALoggingServiceIsEnabled(char* value, void* log)
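Review bot: The new constant `g_varLogJournalMode = 2755` has no comment, and nothing in this section says how a decimal literal becomes a file mode or why it differs from the `2775` it replaces. Presumably CheckDirectoryAccess and SetDirectoryAccess read the digits as an octal mode (setgid plus rwxr-xr-x), which would drop group write on g_varLogJournal. That is worth stating at the declaration, e.g. `/* Mode for g_varLogJournal: setgid, rwxr-xr-x; digits are read as an octal mode by Check/SetDirectoryAccess */`. The helpers' handling of the mode is outside this page, so confirm that interpretation before committing the comment.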
1 change: 1 addition & 0 deletions src/common/asb/Asb.h
Expand Up @@ -5,6 +5,7 @@
#define ASB_H

#define PRETTY_NAME_AZURE_LINUX_2 "CBL-Mariner/Linux"
#define PRODUCT_NAME_AZURE_COMMODORE "Azure Commodore"
#define PRETTY_NAME_ALMA_LINUX_9 "AlmaLinux 9 (Beryllium)"
#define PRETTY_NAME_ALMA_LINUX_9_3 "AlmaLinux 9.3 (Shamrock Pampas Cat)"
#define PRETTY_NAME_AMAZON_LINUX_2 "Amazon Linux 2"
1 change: 1 addition & 0 deletions src/common/commonutils/CommonUtils.h
Expand Up @@ -169,6 +169,7 @@ int SetPassMaxDays(long days, void* log);
int SetPassWarnAge(long days, void* log);
bool IsCurrentOs(const char* name, void* log);
bool IsRedHatBased(void* log);
bool IsCommodore(void* log);

void RemovePrefixBlanks(char* target);
void RemovePrefixUpTo(char* target, char marker);
9 changes: 1 addition & 8 deletions src/common/commonutils/DaemonUtils.c
Expand Up @@ -27,14 +27,7 @@ static int ExecuteSystemctlCommand(const char* command, const char* daemonName,

bool IsDaemonActive(const char* daemonName, void* log)
{
bool status = true;

if (ESRCH == ExecuteSystemctlCommand("is-active", daemonName, log))
{
status = false;
}

return status;
return (0 == ExecuteSystemctlCommand("is-active", daemonName, log)) ? true : false;
}

bool CheckDaemonActive(const char* daemonName, char** reason, void* log)
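Review bot: With the new one-line body of IsDaemonActive, every non-zero result from ExecuteSystemctlCommand is reported as "not active", so a failure to run systemctl at all cannot be told apart from a stopped daemon. For an audit that is a safer default than the old code, which treated everything except ESRCH as active, but the distinction is lost silently; consider logging the status when it is non-zero so a misreported daemon can be traced. The `? true : false` is also redundant: `return (0 == ExecuteSystemctlCommand("is-active", daemonName, log));` is equivalent. ExecuteSystemctlCommand is defined above the hunk, so which codes it returns is not visible here.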
24 changes: 24 additions & 0 deletions src/common/commonutils/DeviceInfoUtils.c
Expand Up @@ -916,4 +916,28 @@ int EnableVirtualMemoryRandomization(void* log)
}

return status;
}

bool IsCommodore(void* log)
{
const char* productNameCommand = "cat /etc/os-subrelease | grep PRODUCT_NAME=";
char* textResult = NULL;
bool status = false;

if (0 == ExecuteCommand(NULL, productNameCommand, true, true, 0, 0, &textResult, NULL, log))
{
RemovePrefixBlanks(textResult);
RemoveTrailingBlanks(textResult);
RemovePrefixUpTo(textResult, '=');
RemovePrefixBlanks(textResult);

if (0 == strcmp(textResult, PRODUCT_NAME_AZURE_COMMODORE))
{
status = true;
}
}

FREE_MEMORY(textResult);

return status;
}
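Review bot: In IsCommodore, `textResult` reaches `strcmp` without a NULL check. If ExecuteCommand can return 0 while leaving the output pointer unset, that is undefined behaviour, and `if ((NULL != textResult) && (0 == strcmp(textResult, PRODUCT_NAME_AZURE_COMMODORE)))` closes it. The match is also brittle: `grep PRODUCT_NAME=` is unanchored, so a key that merely ends in PRODUCT_NAME, or more than one matching line, changes what gets compared. A quoted value in the file would never equal the macro either; `grep '^PRODUCT_NAME='` would at least pin the key. The function also lacks a header comment; one line saying it reads PRODUCT_NAME from /etc/os-subrelease and returns false when the file or key is missing would help callers.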