Fix for ASB v2's auditEnsureDotDoesNotAppearInRootsPath (#763)

Marius Niculescu 2024-09-12 18:25:22 -07:00 коммит произвёл GitHub
Родитель b8429b4655
Коммит 0b85eadff1
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
9 изменённых файлов: 62 добавлений и 55 удалений


@ -15,7 +15,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "AC3073C6E894F68C56D067E749B5FB49CDFEBFE14EBF6E38A4C82269834A9035",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"configurationParameter": {
"accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
"ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
@ -640,7 +640,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "AC3073C6E894F68C56D067E749B5FB49CDFEBFE14EBF6E38A4C82269834A9035",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
@ -735,7 +735,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "AC3073C6E894F68C56D067E749B5FB49CDFEBFE14EBF6E38A4C82269834A9035",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
@ -830,7 +830,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "AC3073C6E894F68C56D067E749B5FB49CDFEBFE14EBF6E38A4C82269834A9035",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{


@ -15,7 +15,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "AC3073C6E894F68C56D067E749B5FB49CDFEBFE14EBF6E38A4C82269834A9035",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"configurationParameter": {
"accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
"ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
@ -625,7 +625,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "AC3073C6E894F68C56D067E749B5FB49CDFEBFE14EBF6E38A4C82269834A9035",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
@ -716,7 +716,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "AC3073C6E894F68C56D067E749B5FB49CDFEBFE14EBF6E38A4C82269834A9035",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
@ -807,7 +807,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "AC3073C6E894F68C56D067E749B5FB49CDFEBFE14EBF6E38A4C82269834A9035",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{


@ -15,7 +15,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "C2CD04DBFC2521DDCBD86206C0F5F09D3B60A3E6BBC4A581F2B163EBEC78C3FD",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"configurationParameter": {
"accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
"ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
@ -639,7 +639,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "C2CD04DBFC2521DDCBD86206C0F5F09D3B60A3E6BBC4A581F2B163EBEC78C3FD",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
@ -734,7 +734,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "C2CD04DBFC2521DDCBD86206C0F5F09D3B60A3E6BBC4A581F2B163EBEC78C3FD",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
@ -829,7 +829,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "C2CD04DBFC2521DDCBD86206C0F5F09D3B60A3E6BBC4A581F2B163EBEC78C3FD",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{


@ -15,7 +15,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "C2CD04DBFC2521DDCBD86206C0F5F09D3B60A3E6BBC4A581F2B163EBEC78C3FD",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"configurationParameter": {
"accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
"ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
@ -624,7 +624,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "C2CD04DBFC2521DDCBD86206C0F5F09D3B60A3E6BBC4A581F2B163EBEC78C3FD",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
@ -715,7 +715,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "C2CD04DBFC2521DDCBD86206C0F5F09D3B60A3E6BBC4A581F2B163EBEC78C3FD",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
@ -806,7 +806,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "C2CD04DBFC2521DDCBD86206C0F5F09D3B60A3E6BBC4A581F2B163EBEC78C3FD",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{


@ -1318,12 +1318,13 @@ static char* AuditEnsureDotDoesNotAppearInRootsPath(void* log)
{
const char* path = "PATH";
const char* dot = ".";
const char comment = '#';
char* reason = NULL;
RETURN_REASON_IF_NOT_ZERO(CheckTextNotFoundInEnvironmentVariable(path, dot, false, &reason, log));
RETURN_REASON_IF_NOT_ZERO(CheckMarkedTextNotFoundInFile("/etc/sudoers", "secure_path", dot, &reason, log));
RETURN_REASON_IF_NOT_ZERO(CheckMarkedTextNotFoundInFile(g_etcEnvironment, path, dot, &reason, log));
RETURN_REASON_IF_NOT_ZERO(CheckMarkedTextNotFoundInFile(g_etcProfile, path, dot, &reason, log));
CheckMarkedTextNotFoundInFile("/root/.profile", path, dot, &reason, log);
RETURN_REASON_IF_NOT_ZERO(CheckMarkedTextNotFoundInFile("/etc/sudoers", "secure_path", dot, comment, &reason, log));
RETURN_REASON_IF_NOT_ZERO(CheckMarkedTextNotFoundInFile(g_etcEnvironment, path, dot, comment, &reason, log));
RETURN_REASON_IF_NOT_ZERO(CheckMarkedTextNotFoundInFile(g_etcProfile, path, dot, comment, &reason, log));
CheckMarkedTextNotFoundInFile("/root/.profile", path, dot, comment, &reason, log);
return reason;
}
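Review bot: The new local `const char comment = '#';` is the only thing that tells a reader how comment lines are treated by the four `CheckMarkedTextNotFoundInFile` calls below it, and it carries no explanation; a one-line comment such as `// lines whose first column is this character are skipped by the file checks below` would make the contract visible at the call site. The same `'#'` is passed as a bare literal in RemoveDotsFromPath further down this page, so a shared named constant would keep the two in step if the character ever changes.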


@ -96,7 +96,7 @@ int ReplaceMarkedLinesInFile(const char* fileName, const char* marker, const cha
int FindTextInFile(const char* fileName, const char* text, void* log);
int CheckTextIsFoundInFile(const char* fileName, const char* text, char** reason, void* log);
int CheckTextIsNotFoundInFile(const char* fileName, const char* text, char** reason, void* log);
int CheckMarkedTextNotFoundInFile(const char* fileName, const char* text, const char* marker, char** reason, void* log);
int CheckMarkedTextNotFoundInFile(const char* fileName, const char* text, const char* marker, char commentCharacter, char** reason, void* log);
int CheckTextNotFoundInEnvironmentVariable(const char* variableName, const char* text, bool strictComparison, char** reason, void* log);
int CheckFileContents(const char* fileName, const char* text, char** reason, void* log);
int FindTextInFolder(const char* directory, const char* text, void* log);
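Review bot: The new `commentCharacter` parameter on the `CheckMarkedTextNotFoundInFile` prototype is undocumented, and its meaning is not obvious from the name alone (it filters whole lines, only when the character is in column 0, and is interpolated into a shell/regex pattern). A short comment above the declaration stating that lines beginning with `commentCharacter` are ignored before `text`/`marker` are searched, and that the value must be a single printable, non-quote, non-regex-special character, would let callers use it correctly without reading the implementation.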


@ -1121,13 +1121,13 @@ int CheckTextIsNotFoundInFile(const char* fileName, const char* text, char** rea
return result;
}
int CheckMarkedTextNotFoundInFile(const char* fileName, const char* text, const char* marker, char** reason, void* log)
int CheckMarkedTextNotFoundInFile(const char* fileName, const char* text, const char* marker, char commentCharacter, char** reason, void* log)
{
const char* commandTemplate = "cat %s | grep %s";
const char* commandTemplate = "grep -v '^%c' %s | grep %s";
char* command = NULL;
char* results = NULL;
char* found = 0;
size_t commandLength = 0;
char* found = NULL;
bool foundMarker = false;
int status = 0;
@ -1136,18 +1136,13 @@ int CheckMarkedTextNotFoundInFile(const char* fileName, const char* text, const
OsConfigLogError(log, "CheckMarkedTextNotFoundInFile called with invalid arguments");
return EINVAL;
}
commandLength = strlen(commandTemplate) + strlen(fileName) + strlen(text) + 1;
if (NULL == (command = malloc(commandLength)))
else if (NULL == (command = FormatAllocateString(commandTemplate, commentCharacter, fileName, text)))
{
OsConfigLogError(log, "CheckMarkedTextNotFoundInFile: out of memory");
status = ENOMEM;
return ENOMEM;
}
else
{
memset(command, 0, commandLength);
snprintf(command, commandLength, commandTemplate, fileName, text);
if ((0 == (status = ExecuteCommand(NULL, command, true, false, 0, 0, &results, NULL, log))) && results)
{
found = results;
@ -1160,8 +1155,8 @@ int CheckMarkedTextNotFoundInFile(const char* fileName, const char* text, const
}
else if (0 == isalpha(found[0]))
{
OsConfigLogInfo(log, "CheckMarkedTextNotFoundInFile: '%s' containing '%s' found in '%s' ('%s')", text, marker, fileName, found);
OsConfigCaptureReason(reason, "'%s' containing '%s' found in '%s' ('%s')", text, marker, fileName, found);
OsConfigLogInfo(log, "CheckMarkedTextNotFoundInFile: '%s' containing '%s' found in '%s' uncommented with '%c'", text, marker, fileName, commentCharacter);
OsConfigCaptureReason(reason, "'%s' containing '%s' found in '%s'", text, marker, fileName);
foundMarker = true;
status = EEXIST;
}
@ -1169,14 +1164,16 @@ int CheckMarkedTextNotFoundInFile(const char* fileName, const char* text, const
if (false == foundMarker)
{
OsConfigLogInfo(log, "CheckMarkedTextNotFoundInFile: '%s' containing '%s' not found in '%s'", text, marker, fileName);
OsConfigLogInfo(log, "CheckMarkedTextNotFoundInFile: '%s' containing '%s' not found in '%s' uncommented with '%c'", text, marker, fileName, commentCharacter);
OsConfigCaptureSuccessReason(reason, "'%s' containing '%s' not found in '%s'", text, marker, fileName);
status = 0;
}
}
else
{
OsConfigLogInfo(log, "CheckMarkedTextNotFoundInFile: '%s' not found in '%s' (%d)", text, fileName, status);
OsConfigLogInfo(log, "CheckMarkedTextNotFoundInFile: '%s' not found in '%s' uncommented with '%c' (%d)", text, fileName, commentCharacter, status);
OsConfigCaptureSuccessReason(reason, "'%s' not found in '%s' (%d)", text, fileName, status);
status = 0;
}
FREE_MEMORY(results);
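Review bot: The new template `grep -v '^%c' %s | grep %s` interpolates `commentCharacter` inside single quotes and inside a basic regular expression, but nothing rejects a value that breaks either: `'\''` terminates the quoted pattern, `'\0'` truncates the command, and `.`, `*`, `[`, `^`, `$` or `\` change the pattern's meaning (`'^.'` would discard every non-empty line and make the "not found" result vacuous). The only callers on this page pass `'#'`, so this is a contract/hardening gap rather than a live defect, but the invalid-argument branch that logs `"CheckMarkedTextNotFoundInFile called with invalid arguments"` is the natural place to enforce it, e.g. by extending its condition with `|| ('\0' == commentCharacter) || (NULL != strchr("'.^$*[]\\", commentCharacter))`. Note also that `^%c` skips only lines whose comment character is at column 0, so an indented `  # ...` line is still scanned; if that is intended, a one-line comment above `commandTemplate` saying so would save the next reader a question. The invalid-argument condition itself and the remainder of the function lie outside these hunks.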


@ -565,7 +565,7 @@ int RemoveDotsFromPath(void* log)
{
for (i = 0; i < numPathLocations; i++)
{
if (0 == CheckMarkedTextNotFoundInFile(pathLocations[i].location, pathLocations[i].path, dot, NULL, log))
if (0 == CheckMarkedTextNotFoundInFile(pathLocations[i].location, pathLocations[i].path, dot, '#', NULL, log))
{
continue;
}


@ -1526,34 +1526,43 @@ TEST_F(CommonUtilsTest, FindTextInFile)
TEST_F(CommonUtilsTest, CheckMarkedTextNotFoundInFile)
{
const char* test = "Test \n FOO=test:/123:!abcdef.123:/test.d TEST1; TEST2/..TEST3:Blah=0";
const char* test = "Test \n"
" FOO=test:/123:!abcdef.123:/test.d TEST1; TEST2/..TEST3:Blah=0\n"
"# Test PATH!\n"
"#Another test !PATH\n"
"#\n"
"Test PATH..";
EXPECT_TRUE(CreateTestFile(m_path, test));
EXPECT_EQ(EINVAL, CheckMarkedTextNotFoundInFile(nullptr, nullptr, nullptr, nullptr, nullptr));
EXPECT_EQ(EINVAL, CheckMarkedTextNotFoundInFile(m_path, nullptr, nullptr, nullptr, nullptr));
EXPECT_EQ(EINVAL, CheckMarkedTextNotFoundInFile(m_path, "FOO", nullptr, nullptr, nullptr));
EXPECT_EQ(EINVAL, CheckMarkedTextNotFoundInFile(m_path, nullptr, ";", nullptr, nullptr));
EXPECT_EQ(EINVAL, CheckMarkedTextNotFoundInFile(nullptr, nullptr, nullptr, '#', nullptr, nullptr));
EXPECT_EQ(EINVAL, CheckMarkedTextNotFoundInFile(m_path, nullptr, nullptr, '#', nullptr, nullptr));
EXPECT_EQ(EINVAL, CheckMarkedTextNotFoundInFile(m_path, "FOO", nullptr, '#', nullptr, nullptr));
EXPECT_EQ(EINVAL, CheckMarkedTextNotFoundInFile(m_path, nullptr, ";", '#', nullptr, nullptr));
EXPECT_EQ(EINVAL, CheckMarkedTextNotFoundInFile(m_path, "", "", nullptr, nullptr));
EXPECT_EQ(EINVAL, CheckMarkedTextNotFoundInFile(m_path, "FOO", "", nullptr, nullptr));
EXPECT_EQ(EINVAL, CheckMarkedTextNotFoundInFile(m_path, "", ";", nullptr, nullptr));
EXPECT_EQ(EINVAL, CheckMarkedTextNotFoundInFile(m_path, "", "", '#', nullptr, nullptr));
EXPECT_EQ(EINVAL, CheckMarkedTextNotFoundInFile(m_path, "FOO", "", '#', nullptr, nullptr));
EXPECT_EQ(EINVAL, CheckMarkedTextNotFoundInFile(m_path, "", ";", '#', nullptr, nullptr));
EXPECT_EQ(EINVAL, CheckMarkedTextNotFoundInFile("~~DoesNotExist", "FOO", ";", nullptr, nullptr));
EXPECT_EQ(EINVAL, CheckMarkedTextNotFoundInFile("~~DoesNotExist", "FOO", ";", '#', nullptr, nullptr));
EXPECT_EQ(EEXIST, CheckMarkedTextNotFoundInFile(m_path, "FOO", ".", nullptr, nullptr));
EXPECT_EQ(EEXIST, CheckMarkedTextNotFoundInFile(m_path, "FOO", ".", '#', nullptr, nullptr));
EXPECT_EQ(0, CheckMarkedTextNotFoundInFile(m_path, "FOO", "!", nullptr, nullptr));
EXPECT_EQ(0, CheckMarkedTextNotFoundInFile(m_path, "FOO", "!", '#', nullptr, nullptr));
EXPECT_EQ(EEXIST, CheckMarkedTextNotFoundInFile(m_path, "FOO", ";", nullptr, nullptr));
EXPECT_EQ(EEXIST, CheckMarkedTextNotFoundInFile(m_path, "FOO", "..", nullptr, nullptr));
EXPECT_EQ(EEXIST, CheckMarkedTextNotFoundInFile(m_path, "FOO", ";", '#', nullptr, nullptr));
EXPECT_EQ(EEXIST, CheckMarkedTextNotFoundInFile(m_path, "FOO", "..", '#', nullptr, nullptr));
EXPECT_EQ(EEXIST, CheckMarkedTextNotFoundInFile(m_path, "TEST1", ";", nullptr, nullptr));
EXPECT_EQ(EEXIST, CheckMarkedTextNotFoundInFile(m_path, "TEST1", ".", nullptr, nullptr));
EXPECT_EQ(EEXIST, CheckMarkedTextNotFoundInFile(m_path, "TEST1", "..", nullptr, nullptr));
EXPECT_EQ(EEXIST, CheckMarkedTextNotFoundInFile(m_path, "TEST1", ";", '#', nullptr, nullptr));
EXPECT_EQ(EEXIST, CheckMarkedTextNotFoundInFile(m_path, "TEST1", ".", '#', nullptr, nullptr));
EXPECT_EQ(EEXIST, CheckMarkedTextNotFoundInFile(m_path, "TEST1", "..", '#', nullptr, nullptr));
EXPECT_EQ(EEXIST, CheckMarkedTextNotFoundInFile(m_path, "TEST2", ".", nullptr, nullptr));
EXPECT_EQ(EEXIST, CheckMarkedTextNotFoundInFile(m_path, "TEST2", "..", nullptr, nullptr));
EXPECT_EQ(EEXIST, CheckMarkedTextNotFoundInFile(m_path, "TEST2", ".", '#', nullptr, nullptr));
EXPECT_EQ(EEXIST, CheckMarkedTextNotFoundInFile(m_path, "TEST2", "..", '#', nullptr, nullptr));
EXPECT_EQ(0, CheckMarkedTextNotFoundInFile(m_path, "PATH", "!", '#', nullptr, nullptr));
EXPECT_EQ(EEXIST, CheckMarkedTextNotFoundInFile(m_path, "PATH", ".", '#', nullptr, nullptr));
EXPECT_EQ(EEXIST, CheckMarkedTextNotFoundInFile(m_path, "PATH", "..", '#', nullptr, nullptr));
EXPECT_TRUE(Cleanup(m_path));
}
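Review bot: The extended fixture exercises comment lines only with `#` in column 0, so the test does not pin what happens to an indented comment or to a comment character other than `'#'`, which is exactly where the new `grep -v '^%c'` filter has edge behaviour. Adding a line such as `"  # PATH=.\n"` to `test` together with an `EXPECT_EQ` for `CheckMarkedTextNotFoundInFile(m_path, "PATH", ".", '#', nullptr, nullptr)` would document whether indented comments are meant to be ignored, and one call with a second comment character (for example `';'` against the existing `TEST1;` line) would show the parameter is actually honoured rather than fixed to `'#'`.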