Azure
/
azure-osconfig
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Fixing ASB v2's auditEnsureSystemdJournaldServicePersistsLogMessages and remediateEnsureSystemdJournaldServicePersistsLogMessages (#764)

This commit is contained in:
Marius Niculescu 2024-09-17 09:15:39 -07:00 коммит произвёл GitHub
Родитель 0b85eadff1
Коммит 043878e345
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
9 изменённых файлов: 51 добавлений и 26 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

8
src/adapters/mc/asb/19params/LinuxSecurityBaseline_DeployIfNotExists.json
Просмотреть файл

@ -15,7 +15,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"configurationParameter": {
"accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
"ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
@ -640,7 +640,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
@ -735,7 +735,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
@ -830,7 +830,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{

8
src/adapters/mc/asb/LinuxSecurityBaseline_DeployIfNotExists.json
Просмотреть файл

@ -15,7 +15,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"configurationParameter": {
"accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
"ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
@ -625,7 +625,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
@ -716,7 +716,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
@ -807,7 +807,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{

8
src/adapters/mc/ssh/19params/LinuxSshServerSecurityBaseline_DeployIfNotExists.json
Просмотреть файл

@ -15,7 +15,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"configurationParameter": {
"accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
"ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
@ -639,7 +639,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
@ -734,7 +734,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
@ -829,7 +829,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{

8
src/adapters/mc/ssh/LinuxSshServerSecurityBaseline_DeployIfNotExists.json
Просмотреть файл

@ -15,7 +15,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"configurationParameter": {
"accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
"ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
@ -624,7 +624,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
@ -715,7 +715,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
@ -806,7 +806,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{

10
src/common/asb/Asb.c
Просмотреть файл

@ -627,6 +627,7 @@ static char* g_desiredEnsureUnnecessaryAccountsAreRemoved = NULL;
static char* g_desiredEnsureDefaultDenyFirewallPolicyIsSet = NULL;
static const int g_shadowGid = 42;
static const int g_varLogJournalMode = 2755;
void AsbInitialize(void* log)
{
@ -693,6 +694,11 @@ void AsbInitialize(void* log)
FREE_MEMORY(prettyName);
FREE_MEMORY(kernelVersion);
if (IsCommodore(log))
{
OsConfigLogInfo(log, "AsbInitialize: running on product '%s'", PRODUCT_NAME_AZURE_COMMODORE);
}
OsConfigLogInfo(log, "%s initialized", g_asbName);
}
@ -1722,7 +1728,7 @@ static char* AuditEnsureSystemdJournaldServicePersistsLogMessages(void* log)
{
char* reason = NULL;
RETURN_REASON_IF_NOT_ZERO(CheckPackageInstalled(g_systemd, &reason, log));
CheckDirectoryAccess(g_varLogJournal, 0, -1, 2775, false, &reason, log);
CheckDirectoryAccess(g_varLogJournal, 0, -1, g_varLogJournalMode, false, &reason, log);
return reason;
}
@ -3301,7 +3307,7 @@ static int RemediateEnsureSystemdJournaldServicePersistsLogMessages(char* value,
{
UNUSED(value);
return ((0 == InstallPackage(g_systemd, log)) &&
(0 == SetDirectoryAccess(g_varLogJournal, 0, -1, 2775, log))) ? 0 : ENOENT;
(0 == SetDirectoryAccess(g_varLogJournal, 0, -1, g_varLogJournalMode, log))) ? 0 : ENOENT;
}
static int RemediateEnsureALoggingServiceIsEnabled(char* value, void* log)

1
src/common/asb/Asb.h
Просмотреть файл

@ -5,6 +5,7 @@
#define ASB_H
#define PRETTY_NAME_AZURE_LINUX_2 "CBL-Mariner/Linux"
#define PRODUCT_NAME_AZURE_COMMODORE "Azure Commodore"
#define PRETTY_NAME_ALMA_LINUX_9 "AlmaLinux 9 (Beryllium)"
#define PRETTY_NAME_ALMA_LINUX_9_3 "AlmaLinux 9.3 (Shamrock Pampas Cat)"
#define PRETTY_NAME_AMAZON_LINUX_2 "Amazon Linux 2"

1
src/common/commonutils/CommonUtils.h
Просмотреть файл

@ -169,6 +169,7 @@ int SetPassMaxDays(long days, void* log);
int SetPassWarnAge(long days, void* log);
bool IsCurrentOs(const char* name, void* log);
bool IsRedHatBased(void* log);
bool IsCommodore(void* log);
void RemovePrefixBlanks(char* target);
void RemovePrefixUpTo(char* target, char marker);

9
src/common/commonutils/DaemonUtils.c
Просмотреть файл

@ -27,14 +27,7 @@ static int ExecuteSystemctlCommand(const char* command, const char* daemonName,
bool IsDaemonActive(const char* daemonName, void* log)
{
bool status = true;
if (ESRCH == ExecuteSystemctlCommand("is-active", daemonName, log))
{
status = false;
}
return status;
return (0 == ExecuteSystemctlCommand("is-active", daemonName, log)) ? true : false;
}
bool CheckDaemonActive(const char* daemonName, char** reason, void* log)

24
src/common/commonutils/DeviceInfoUtils.c
Просмотреть файл

@ -917,3 +917,27 @@ int EnableVirtualMemoryRandomization(void* log)
return status;
}
bool IsCommodore(void* log)
{
const char* productNameCommand = "cat /etc/os-subrelease | grep PRODUCT_NAME=";
char* textResult = NULL;
bool status = false;
if (0 == ExecuteCommand(NULL, productNameCommand, true, true, 0, 0, &textResult, NULL, log))
{
RemovePrefixBlanks(textResult);
RemoveTrailingBlanks(textResult);
RemovePrefixUpTo(textResult, '=');
RemovePrefixBlanks(textResult);
if (0 == strcmp(textResult, PRODUCT_NAME_AZURE_COMMODORE))
{
status = true;
}
}
FREE_MEMORY(textResult);
return status;
}