Azure
/
azure-osconfig
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Stabilizing the SecurityBaseline auditEnsureUsersCannotSetSshEnvironmentOptions, auditEnsureSshIdleTimeoutIntervalIsConfigured, auditEnsureALoggingServiceIsSnabled, auditEnsureLockoutForFailedPasswordAttempts, auditEnsurePasswordCreationRequirements audit checks plus fixing build break with latest gcc due to memory free mismatch the HostName module's unit-test (#533)

This commit is contained in:
Marius Niculescu 2023-07-10 12:00:27 -07:00 коммит произвёл GitHub
Родитель 66fe88c857
Коммит 6535be7f97
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
16 изменённых файлов: 353 добавлений и 149 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

4
dtmi/osconfig/securitybaseline-1.json
Просмотреть файл

@ -721,7 +721,7 @@
},
{
"@type": "Property",
"name": "auditEnsureALoggingServiceIsSnabled",
"name": "auditEnsureALoggingServiceIsEnabled",
"schema": "string",
"writable": false
},
@ -1705,7 +1705,7 @@
},
{
"@type": "Property",
"name": "remediateEnsureALoggingServiceIsSnabled",
"name": "remediateEnsureALoggingServiceIsEnabled",
"schema": "string",
"writable": true
},

2
src/adapters/mc/LinuxOsConfigResource.c
Просмотреть файл

@ -66,7 +66,7 @@ bool RefreshMpiClientSession(void)
{
bool status = true;
if (g_mpiHandle && IsDaemonActive(MPI_SERVER, GetLog()))
if (g_mpiHandle && IsDaemonActive(MPI_SERVER))
{
return status;
}

2
src/adapters/pnp/PnpAgent.c
Просмотреть файл

@ -317,7 +317,7 @@ bool RefreshMpiClientSession(bool* platformAlreadyRunning)
{
bool status = true;
if (g_mpiHandle && IsDaemonActive(OSCONFIG_PLATFORM, GetLog()))
if (g_mpiHandle && IsDaemonActive(OSCONFIG_PLATFORM))
{
// Platform is already running

2
src/adapters/pnp/daemon/osconfig.json
Просмотреть файл

@ -638,7 +638,7 @@
},
{
"ComponentName": "SecurityBaseline",
"ObjectName": "auditEnsureALoggingServiceIsSnabled"
"ObjectName": "auditEnsureALoggingServiceIsEnabled"
},
{
"ComponentName": "SecurityBaseline",

5
src/common/commonutils/CommonUtils.h
Просмотреть файл

@ -83,6 +83,8 @@ int FindTextInFolder(const char* directory, const char* text, void* log);
int CheckLineNotFoundOrCommentedOut(const char* fileName, char commentMark, const char* text, void* log);
int FindTextInCommandOutput(const char* command, const char* text, void* log);
int CheckLockoutForFailedPasswordAttempts(const char* fileName, void* log);
char* GetStringOptionFromFile(const char* fileName, const char* option, char separator, void* log);
int GetIntegerOptionFromFile(const char* fileName, const char* option, char separator, void* log);
@ -134,7 +136,8 @@ int ReadHttpContentLengthFromSocket(int socketHandle, void* log);
int SleepMilliseconds(long milliseconds);
bool IsDaemonActive(const char* daemonName, void* log);
bool IsDaemonActive(const char* daemonName);
bool CheckIfDaemonActive(const char* daemonName, void* log);
bool EnableAndStartDaemon(const char* daemonName, void* log);
void StopAndDisableDaemon(const char* daemonName, void* log);
bool RestartDaemon(const char* daemonName, void* log);

26
src/common/commonutils/DaemonUtils.c
Просмотреть файл

@ -5,7 +5,7 @@
#define MAX_DAEMON_COMMAND_LENGTH 256
bool IsDaemonActive(const char* daemonName, void* log)
bool IsDaemonActive(const char* daemonName)
{
const char* isActiveTemplate = "systemctl is-active %s";
char isActiveCommand[MAX_DAEMON_COMMAND_LENGTH] = {0};
@ -15,15 +15,23 @@ bool IsDaemonActive(const char* daemonName, void* log)
if (ESRCH == ExecuteCommand(NULL, isActiveCommand, false, false, 0, 0, NULL, NULL, log))
{
if (IsFullLoggingEnabled())
{
OsConfigLogError(log, "IsDaemonActive: '%s' appears inactive", daemonName);
}
status = false;
}
else if (IsFullLoggingEnabled())
return status;
}
bool CheckIfDaemonActive(const char* daemonName, void* log)
{
bool status = false;
if (true == (status = IsDaemonActive(daemonName)))
{
OsConfigLogInfo(log, "IsDaemonActive: '%s' appears active", daemonName);
OsConfigLogInfo(log, "CheckIfDaemonActive: '%s' appears active", daemonName);
}
else
{
OsConfigLogInfo(log, "CheckIfDaemonActive: '%s' appears inactive", daemonName);
}
return status;
@ -37,7 +45,7 @@ bool EnableAndStartDaemon(const char* daemonName, void* log)
char startCommand[MAX_DAEMON_COMMAND_LENGTH] = {0};
bool status = true;
if (false == IsDaemonActive(daemonName, log))
if (false == IsDaemonActive(daemonName))
{
snprintf(enableCommand, sizeof(enableCommand), enableTemplate, daemonName);
snprintf(startCommand, sizeof(startCommand), startTemplate, daemonName);
@ -71,7 +79,7 @@ bool RestartDaemon(const char* daemonName, void* log)
char restartCommand[MAX_DAEMON_COMMAND_LENGTH] = {0};
bool status = true;
if (true == IsDaemonActive(daemonName, log))
if (true == IsDaemonActive(daemonName))
{
snprintf(restartCommand, sizeof(restartCommand), restartTemplate, daemonName);

180
src/common/commonutils/FileUtils.c
Просмотреть файл

@ -489,7 +489,8 @@ int InstallPackage(const char* packageName, void* log)
if (0 != (status = CheckPackageInstalled(packageName, log)))
{
if (0 == (status = CheckOrInstallPackage(commandTemplate, packageName, log)))
if ((0 == (status = CheckOrInstallPackage(commandTemplate, packageName, log))) &&
(0 == (status = CheckPackageInstalled(packageName, log))))
{
OsConfigLogInfo(log, "InstallPackage: '%s' was successfully installed", packageName);
}
@ -606,7 +607,7 @@ int FindTextInFile(const char* fileName, const char* text, void* log)
if (false == FileExists(fileName))
{
OsConfigLogError(log, "FindTextInFile: file '%s' not found", fileName);
OsConfigLogInfo(log, "FindTextInFile: file '%s' not found", fileName);
return ENOENT;
}
@ -959,19 +960,63 @@ int FindTextInCommandOutput(const char* command, const char* text, void* log)
return status;
}
static char* GetStringOptionFromBuffer(const char* buffer, const char* option, char separator, void* log)
{
char* found = NULL;
char* internal = NULL;
char* result = NULL;
if ((NULL == buffer) || (NULL == option))
{
OsConfigLogError(log, "GetStringOptionFromBuffer called with invalid arguments");
return result;
}
if (NULL == (internal = DuplicateString(buffer)))
{
OsConfigLogError(log, "GetStringOptionFromBuffer: failed to duplicate buffer string failed (%d)", errno);
}
else if (NULL != (found = strstr(internal, option)))
{
RemovePrefixUpTo(found, separator);
RemovePrefixBlanks(found);
RemoveTrailingBlanks(found);
TruncateAtFirst(found, '\n');
TruncateAtFirst(found, ' ');
OsConfigLogInfo(log, "GetStringOptionFromBuffer: found '%s' for '%s'", found, option);
if (NULL == (result = DuplicateString(found)))
{
OsConfigLogError(log, "GetStringOptionFromBuffer: failed to duplicate result string (%d)", errno);
}
FREE_MEMORY(internal);
}
return result;
}
static int GetIntegerOptionFromBuffer(const char* buffer, const char* option, char separator, void* log)
{
char* stringValue = NULL;
int value = -999;
if (NULL != (stringValue = GetStringOptionFromBuffer(buffer, option, separator, log)))
{
value = atoi(stringValue);
FREE_MEMORY(stringValue);
}
return value;
}
char* GetStringOptionFromFile(const char* fileName, const char* option, char separator, void* log)
{
char* result = NULL;
char* contents = NULL;
char* found = NULL;
char* result = NULL;
if ((NULL == fileName) || (NULL == option) || (0 == strlen(fileName) || (0 == strlen(option))))
{
OsConfigLogError(log, "GetStringOptionFromFile called with invalid arguments");
return NULL;
}
if (FileExists(fileName))
if (option && (0 == CheckFileExists(fileName, log)))
{
if (NULL == (contents = LoadStringFromFile(fileName, false, log)))
{
@ -979,20 +1024,9 @@ char* GetStringOptionFromFile(const char* fileName, const char* option, char sep
}
else
{
if (NULL != (found = strstr(contents, option)))
if (NULL != (result = GetStringOptionFromBuffer(contents, option, separator, log)))
{
RemovePrefixUpTo(found, separator);
RemovePrefixBlanks(found);
RemoveTrailingBlanks(found);
TruncateAtFirst(found, '\n');
TruncateAtFirst(found, ' ');
OsConfigLogInfo(log, "GetStringOptionFromFile: found '%s' in '%s' for '%s'", found, fileName, option);
if (NULL == (result = DuplicateString(found)))
{
OsConfigLogError(log, "GetStringOptionFromFile: DuplicateString failed (%d)", errno);
}
OsConfigLogInfo(log, "GetStringOptionFromFile: found '%s' in '%s' for '%s'", result, fileName, option);
}
else
{
@ -1002,24 +1036,100 @@ char* GetStringOptionFromFile(const char* fileName, const char* option, char sep
FREE_MEMORY(contents);
}
}
else
{
OsConfigLogError(log, "GetStringOptionFromFile: '%s' not found", fileName);
}
return result;
}
int GetIntegerOptionFromFile(const char* fileName, const char* option, char separator, void* log)
{
char* stringValue = NULL;
int value = -1;
char* contents = NULL;
int result = -999;
if (NULL != (stringValue = GetStringOptionFromFile(fileName, option, separator, log)))
if (option && (0 == CheckFileExists(fileName, log)))
{
value = atoi(stringValue);
FREE_MEMORY(stringValue);
if (NULL == (contents = LoadStringFromFile(fileName, false, log)))
{
OsConfigLogError(log, "GetIntegerOptionFromFile: cannot read from '%s'", fileName);
}
else
{
if (-999 != (result = GetIntegerOptionFromBuffer(contents, option, separator, log)))
{
OsConfigLogInfo(log, "GetIntegerOptionFromFile: found '%d' in '%s' for '%s'", result, fileName, option);
}
else
{
OsConfigLogInfo(log, "GetIntegerOptionFromFile: '%s' not found in '%s'", option, fileName);
}
FREE_MEMORY(contents);
}
}
return value;
}
return result;
}
static bool Free(void* value)
{
FREE_MEMORY(value);
return true;
}
int CheckLockoutForFailedPasswordAttempts(const char* fileName, void* log)
{
char* contents = NULL;
char* buffer = NULL;
char* value = NULL;
int option = 0;
int status = ENOENT;
if (0 == CheckFileExists(fileName, log))
{
if (NULL == (contents = LoadStringFromFile(fileName, false, log)))
{
OsConfigLogError(log, "CheckLockoutForFailedPasswordAttempts: cannot read from '%s'", fileName);
}
else
{
buffer = contents;
// Example of a valid line:
//
// auth required pam_tally2.so file=/var/log/tallylog deny=5 even_deny_root unlock_time=2000
//
// To pass, all attributes must be present, including pam_tally2.so, the deny value must be between
// 1 and 5 (inclusive), the unlock_time set to a positive value, with any number of spaces between.
// The even_deny_root and any other attribute like it are optional.
//
// There can be multiple 'auth' lines in the file. Only the right one matters.
while (NULL != (value = GetStringOptionFromBuffer(buffer, "auth", ' ', log)))
{
if (((0 == strcmp("required", value)) && Free(value)) &&
((NULL != (value = GetStringOptionFromBuffer(buffer, "required", ' ', log))) && (0 == strcmp("pam_tally2.so", value)) && Free(value)) &&
((NULL != (value = GetStringOptionFromBuffer(buffer, "pam_tally2.so", ' ', log))) && (0 == strcmp("file=/var/log/tallylog", value)) && Free(value)) &&
((NULL != (value = GetStringOptionFromBuffer(buffer, "file", '=', log))) && (0 == strcmp("/var/log/tallylog", value)) && Free(value)) &&
((0 < (option = GetIntegerOptionFromBuffer(buffer, "deny", '=', log))) && (6 > option)) &&
(0 < (option = GetIntegerOptionFromBuffer(buffer, "unlock_time", '=', log))))
{
status = 0;
break;
}
else if (NULL == (buffer = strchr(buffer, EOL)))
{
break;
}
else
{
buffer += 1;
}
}
FREE_MEMORY(contents);
}
}
OsConfigLogInfo(log, "CheckLockoutForFailedPasswordAttempts: %s (%d)", status ? "failed" : "passed", status);
return status;
}

102
src/common/tests/CommonUtilsUT.cpp
Просмотреть файл

@ -1412,13 +1412,12 @@ TEST_F(CommonUtilsTest, CheckRootUserAndGroup)
TEST_F(CommonUtilsTest, CheckUsersHavePasswords)
{
EXPECT_EQ(0, CheckAllUsersHavePasswordsSet(nullptr));
EXPECT_EQ(0, CheckUsersRecordedPasswordChangeDates(nullptr));
EXPECT_EQ(0, CheckMinDaysBetweenPasswordChanges(0, nullptr));
EXPECT_EQ(0, CheckMaxDaysBetweenPasswordChanges(99999, nullptr));
EXPECT_EQ(0, CheckPasswordExpirationWarning(0, nullptr));
//Optional:
// Optional:
CheckAllUsersHavePasswordsSet(nullptr);
CheckUsersRecordedPasswordChangeDates(nullptr);
CheckMinDaysBetweenPasswordChanges(0, nullptr);
CheckMaxDaysBetweenPasswordChanges(99999, nullptr);
CheckPasswordExpirationWarning(0, nullptr);
CheckPasswordExpirationLessThan(99999, nullptr);
}
@ -1618,20 +1617,20 @@ TEST_F(CommonUtilsTest, GetOptionFromFile)
"abc Test4 0456 # rt 4 $"
"Test2: 12 $! test test\n"
"password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5\n"
"password [success=1 default=ignore] pam_unix.so obscure sha512 remembering = 3";
"password [success=1 default=ignore] pam_unix.so obscure sha512 remembering = -1";
char* value = nullptr;
EXPECT_TRUE(CreateTestFile(m_path, testFile));
EXPECT_EQ(nullptr, GetStringOptionFromFile(nullptr, nullptr, ':', nullptr));
EXPECT_EQ(-1, GetIntegerOptionFromFile(nullptr, nullptr, ':', nullptr));
EXPECT_EQ(-999, GetIntegerOptionFromFile(nullptr, nullptr, ':', nullptr));
EXPECT_EQ(nullptr, GetStringOptionFromFile(m_path, nullptr, ':', nullptr));
EXPECT_EQ(-1, GetIntegerOptionFromFile(m_path, nullptr, ':', nullptr));
EXPECT_EQ(-999, GetIntegerOptionFromFile(m_path, nullptr, ':', nullptr));
EXPECT_EQ(nullptr, GetStringOptionFromFile(nullptr, "Test1", ':', nullptr));
EXPECT_EQ(-1, GetIntegerOptionFromFile(nullptr, "Test1", ':', nullptr));
EXPECT_EQ(-999, GetIntegerOptionFromFile(nullptr, "Test1", ':', nullptr));
EXPECT_EQ(nullptr, GetStringOptionFromFile("~does_not_exist", "Test", '=', nullptr));
EXPECT_EQ(-1, GetIntegerOptionFromFile("~does_not_exist", "Test", '=', nullptr));
EXPECT_EQ(-999, GetIntegerOptionFromFile("~does_not_exist", "Test", '=', nullptr));
EXPECT_STREQ("test", value = GetStringOptionFromFile(m_path, "FooEntry1:", ':', nullptr));
FREE_MEMORY(value);
@ -1672,9 +1671,84 @@ TEST_F(CommonUtilsTest, GetOptionFromFile)
EXPECT_EQ(5, GetIntegerOptionFromFile(m_path, "remember=", '=', nullptr));
EXPECT_EQ(5, GetIntegerOptionFromFile(m_path, "remember", '=', nullptr));
EXPECT_STREQ("3", value = GetStringOptionFromFile(m_path, "remembering", '=', nullptr));
EXPECT_STREQ("-1", value = GetStringOptionFromFile(m_path, "remembering", '=', nullptr));
FREE_MEMORY(value);
EXPECT_EQ(3, GetIntegerOptionFromFile(m_path, "remembering", '=', nullptr));
EXPECT_EQ(-1, GetIntegerOptionFromFile(m_path, "remembering", '=', nullptr));
EXPECT_TRUE(Cleanup(m_path));
}
TEST_F(CommonUtilsTest, CheckLockoutForFailedPasswordAttempts)
{
const char* goodTestFileContents[] = {
"auth required pam_tally2.so file=/var/log/tallylog deny=1 unlock_time=1000",
"auth required pam_tally2.so file=/var/log/tallylog unlock_time=2000 deny=2",
"auth required pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=1000",
"auth required pam_tally2.so file=/var/log/tallylog test deny=3 even_deny_root 123 unlock_time=1000 456",
"auth required pam_tally2.so file=/var/log/tallylog deny=3 unlock_time=100",
"auth required pam_tally2.so file=/var/log/tallylog deny=1 unlock_time=10",
"auth required pam_tally2.so file=/var/log/tallylog deny=5 unlock_time=2000",
"This is a positive test\nauth required pam_tally2.so file=/var/log/tallylog deny=3 unlock_time=123",
"This is a positive test\nAnother one with auth test\nauth required pam_tally2.so file=/var/log/tallylog deny=3 unlock_time=123",
"auth [success=1 default=ignore] pam_unix.so nullok\n"
"# here's the fallback if no module succeeds\n"
"auth requisite pam_deny.so\n"
"# prime the stack with a positive return value if there isn't one already;\n"
"# this avoids us returning an error just because nothing sets a success code\n"
"# since the modules above will each just jump around\n"
"auth required pam_permit.so\n"
"auth required pam_tally2.so file=/var/log/tallylog deny=3 unlock_time=888\n"
"# and here are more per-package modules (the Additional block)\n"
"auth optional pam_cap.so\n"
"# end of pam-auth-update config"
};
const char* badTestFileContents[] = {
"auth optional pam_tally2.so file=/var/log/tallylog deny=2 even_deny_root unlock_time=1000",
"auth required pam_tally2.so file=/var/log/foolog deny=3 even_deny_root unlock_time=100",
"auth required pam_tally.so file=/var/log/tallylog deny=1 even_deny_root unlock_time=10",
"auth required pam_tally2.so deny=5 even_deny_root unlock_time=2000",
"auth required pam_tally.so file=/var/log/tallylog deny=1 even_deny_root unlock_time=10",
"auth required pam_tally2.so file=/var/log/tallylog deny=1 unlock_time=-1",
"auth required pam_tally2.so file=/var/log/tallylog deny=-1 unlock_time=-1",
"auth required pam_tally2.so file=/var/log/tallylog deny=2 unlock_time=0",
"auth required pam_tally2.so file=/var/log/tallylog deny=0 unlock_time=0",
"auth required pam_tally2.so file=/var/log/tallylog deny=2 unlock_time=",
"auth required pam_tally2.so file=/var/log/tallylog",
"This is a negative auth test",
"This is a negative test",
"auth [success=1 default=ignore] pam_unix.so nullok\n"
"# here's the fallback if no module succeeds\n"
"auth requisite pam_deny.so\n"
"# prime the stack with a positive return value if there isn't one already;\n"
"# this avoids us returning an error just because nothing sets a success code\n"
"# since the modules above will each just jump around\n"
"auth required pam_permit.so\n"
"auth required pam_tally2.so file=/var/log/tallylog deny=0 unlock_time=888\n"
"# and here are more per-package modules (the Additional block)\n"
"auth optional pam_cap.so\n"
"# end of pam-auth-update config"
};
int goodTestFileContentsSize = ARRAY_SIZE(goodTestFileContents);
int badTestFileContentsSize = ARRAY_SIZE(badTestFileContents);
int i = 0;
EXPECT_NE(0, CheckLockoutForFailedPasswordAttempts(nullptr, nullptr));
EXPECT_NE(0, CheckLockoutForFailedPasswordAttempts("~file_that_does_not_exist", nullptr));
for (i = 0; i < goodTestFileContentsSize; i++)
{
EXPECT_TRUE(CreateTestFile(m_path, goodTestFileContents[i]));
EXPECT_EQ(0, CheckLockoutForFailedPasswordAttempts(m_path, nullptr));
EXPECT_TRUE(Cleanup(m_path));
}
for (i = 0; i < badTestFileContentsSize; i++)
{
EXPECT_TRUE(CreateTestFile(m_path, badTestFileContents[i]));
EXPECT_NE(0, CheckLockoutForFailedPasswordAttempts(m_path, nullptr));
EXPECT_TRUE(Cleanup(m_path));
}
}

8
src/modules/hostname/src/lib/HostNameBase.h
Просмотреть файл

@ -11,6 +11,14 @@
#define HOST_NAME_CONFIGURATOR_LOGFILE "/var/log/osconfig_hostname.log"
#define HOST_NAME_CONFIGURATOR_ROLLEDLOGFILE "/var/log/osconfig_hostname.bak"
inline void HostNameFree(MMI_JSON_STRING payload)
{
if (payload)
{
delete[] payload;
}
}
class HostNameLog
{
public:

11
src/modules/hostname/src/so/HostNameModule.cpp
Просмотреть файл

@ -280,20 +280,11 @@ int MmiGet(MMI_HANDLE clientSession, const char* componentName, const char* obje
}
}
void MmiFreeInternal(MMI_JSON_STRING payload)
{
if (!payload)
{
return;
}
delete[] payload;
}
void MmiFree(MMI_JSON_STRING payload)
{
try
{
return MmiFreeInternal(payload);
return ::HostNameFree(payload);
}
catch (const std::exception &e)
{

38
src/modules/hostname/tests/HostNameBaseTests.cpp
Просмотреть файл

@ -51,7 +51,7 @@ int HostNameBaseTests::RunCommand(const char* command, bool replaceEol, std::str
return ENOSYS;
}
namespace OSConfig::Platform::Tests
namespace OSConfig::HostName::Tests
{
constexpr const size_t g_maxPayloadSizeBytes = 4000;
@ -73,7 +73,7 @@ namespace OSConfig::Platform::Tests
EXPECT_EQ(status, MMI_OK);
EXPECT_STREQ(result.c_str(), "\"device\"");
FREE_MEMORY(payload);
::HostNameFree(payload);
}
TEST(HostNameBaseTests, GetNameWithNewLine)
@ -94,7 +94,7 @@ namespace OSConfig::Platform::Tests
EXPECT_EQ(status, MMI_OK);
EXPECT_STREQ(result.c_str(), "\"device\"");
FREE_MEMORY(payload);
::HostNameFree(payload);
}
TEST(HostNameBaseTests, GetNameWithNullTerminator)
@ -115,7 +115,7 @@ namespace OSConfig::Platform::Tests
EXPECT_EQ(status, MMI_OK);
EXPECT_STREQ(result.c_str(), "\"device\"");
FREE_MEMORY(payload);
::HostNameFree(payload);
}
TEST(HostNameBaseTests, GetNameWithZeroPayloadByteSize)
@ -136,7 +136,7 @@ namespace OSConfig::Platform::Tests
EXPECT_EQ(status, MMI_OK);
EXPECT_STREQ(result.c_str(), "\"device\"");
FREE_MEMORY(payload);
::HostNameFree(payload);
}
TEST(HostNameBaseTests, GetHosts)
@ -164,7 +164,7 @@ namespace OSConfig::Platform::Tests
EXPECT_EQ(status, MMI_OK);
EXPECT_STREQ(result.c_str(), "\"127.0.0.1 localhost;::1 ip6-localhost ip6-loopback;fe00::0 ip6-localnet;ff00::0 ip6-mcastprefix;ff02::1 ip6-allnodes;ff02::2 ip6-allrouters;ff02::3 ip6-allhosts\"");
FREE_MEMORY(payload);
::HostNameFree(payload);
}
TEST(HostNameBaseTests, GetHostsWithNewLine)
@ -192,7 +192,7 @@ namespace OSConfig::Platform::Tests
EXPECT_EQ(status, MMI_OK);
EXPECT_STREQ(result.c_str(), "\"127.0.0.1 localhost;::1 ip6-localhost ip6-loopback;fe00::0 ip6-localnet;ff00::0 ip6-mcastprefix;ff02::1 ip6-allnodes;ff02::2 ip6-allrouters;ff02::3 ip6-allhosts\"");
FREE_MEMORY(payload);
::HostNameFree(payload);
}
TEST(HostNameBaseTests, GetHostsWithNullTerminator)
@ -220,7 +220,7 @@ namespace OSConfig::Platform::Tests
EXPECT_EQ(status, MMI_OK);
EXPECT_STREQ(result.c_str(), "\"127.0.0.1 localhost;::1 ip6-localhost ip6-loopback;fe00::0 ip6-localnet;ff00::0 ip6-mcastprefix;ff02::1 ip6-allnodes;ff02::2 ip6-allrouters;ff02::3 ip6-allhosts\"");
FREE_MEMORY(payload);
::HostNameFree(payload);
}
TEST(HostNameBaseTests, GetHostsWithComments)
@ -249,7 +249,7 @@ namespace OSConfig::Platform::Tests
EXPECT_EQ(status, MMI_OK);
EXPECT_STREQ(result.c_str(), "\"127.0.0.1 localhost;::1 ip6-localhost ip6-loopback;fe00::0 ip6-localnet;ff00::0 ip6-mcastprefix;ff02::1 ip6-allnodes;ff02::2 ip6-allrouters;ff02::3 ip6-allhosts\"");
FREE_MEMORY(payload);
::HostNameFree(payload);
}
TEST(HostNameBaseTests, GetHostsWithWhitespace)
@ -272,7 +272,7 @@ namespace OSConfig::Platform::Tests
EXPECT_EQ(status, MMI_OK);
EXPECT_STREQ(result.c_str(), "\"127.0.0.1 localhost;::1 ip6-localhost ip6-loopback\"");
FREE_MEMORY(payload);
::HostNameFree(payload);
}
TEST(HostNameBaseTests, GetInvalidObject)
@ -327,7 +327,7 @@ namespace OSConfig::Platform::Tests
EXPECT_EQ(status, MMI_OK);
EXPECT_STREQ(result.c_str(), "\"\"");
FREE_MEMORY(payload);
::HostNameFree(payload);
}
TEST(HostNameBaseTests, SetName)
@ -348,7 +348,7 @@ namespace OSConfig::Platform::Tests
EXPECT_EQ(status, MMI_OK);
FREE_MEMORY(payload);
::HostNameFree(payload);
}
TEST(HostNameBaseTests, SetHosts)
@ -369,7 +369,7 @@ namespace OSConfig::Platform::Tests
EXPECT_EQ(status, MMI_OK);
FREE_MEMORY(payload);
::HostNameFree(payload);
}
TEST(HostNameBaseTests, SetHostsWithWhitespace)
@ -390,7 +390,7 @@ namespace OSConfig::Platform::Tests
EXPECT_EQ(status, MMI_OK);
FREE_MEMORY(payload);
::HostNameFree(payload);
}
TEST(HostNameBaseTests, SetInvalidObject)
@ -408,7 +408,7 @@ namespace OSConfig::Platform::Tests
EXPECT_EQ(status, EINVAL);
FREE_MEMORY(payload);
::HostNameFree(payload);
}
TEST(HostNameBaseTests, SetInvalidPayload)
@ -439,7 +439,7 @@ namespace OSConfig::Platform::Tests
EXPECT_EQ(status, EINVAL);
FREE_MEMORY(payload);
::HostNameFree(payload);
}
TEST(HostNameBaseTests, SetInvalidHosts)
@ -459,7 +459,7 @@ namespace OSConfig::Platform::Tests
EXPECT_EQ(status, EINVAL);
FREE_MEMORY(payload);
::HostNameFree(payload);
}
TEST(HostNameBaseTests, SetPayloadTooLarge)
@ -475,7 +475,7 @@ namespace OSConfig::Platform::Tests
EXPECT_EQ(status, E2BIG);
FREE_MEMORY(payload);
::HostNameFree(payload);
}
} // namespace OSConfig::Platform::Tests
} // namespace OSConfig::HostName::Tests

4
src/modules/mim/securitybaseline.json
Просмотреть файл

@ -715,7 +715,7 @@
"schema": "string"
},
{
"name": "auditEnsureALoggingServiceIsSnabled",
"name": "auditEnsureALoggingServiceIsEnabled",
"type": "mimObject",
"desired": false,
"schema": "string"
@ -1705,7 +1705,7 @@
"schema": "string"
},
{
"name": "remediateEnsureALoggingServiceIsSnabled",
"name": "remediateEnsureALoggingServiceIsEnabled",
"type": "mimObject",
"desired": true,
"schema": "string"

4
src/modules/securitybaseline/README.md
Просмотреть файл

@ -122,7 +122,7 @@ An example of a completed check, `auditEnsureAuditdServiceIsRunning` and `remedi
```C
static int AuditEnsureAuditdServiceIsRunning(void)
{
return IsDaemonActive(g_auditd, SecurityBaselineGetLog()) ? 0 : ENOENT;
return CheckIfDaemonActive(g_auditd, SecurityBaselineGetLog()) ? 0 : ENOENT;
}
```
@ -134,7 +134,7 @@ static int RemediateEnsureAuditdServiceIsRunning(void)
}
```
These simple functions invoke functions like `IsDaemonActive` and `InstallPackage` that are implemented in [commonutils](../../common/commonutils/).
These simple functions invoke functions like `CheckIfDaemonActive` and `InstallPackage` that are implemented in [commonutils](../../common/commonutils/).
Remember, we want to separate the bulk of generic check implementations from this security baseline so that they could be reused in the future for the implementations of other baselines.

102
src/modules/securitybaseline/src/lib/SecurityBaseline.c
Просмотреть файл

@ -138,7 +138,7 @@ static const char* g_auditEnsureAllBootloadersHavePasswordProtectionEnabledObjec
static const char* g_auditEnsureLoggingIsConfiguredObject = "auditEnsureLoggingIsConfigured";
static const char* g_auditEnsureSyslogPackageIsInstalledObject = "auditEnsureSyslogPackageIsInstalled";
static const char* g_auditEnsureSystemdJournaldServicePersistsLogMessagesObject = "auditEnsureSystemdJournaldServicePersistsLogMessages";
static const char* g_auditEnsureALoggingServiceIsSnabledObject = "auditEnsureALoggingServiceIsSnabled";
static const char* g_auditEnsureALoggingServiceIsEnabledObject = "auditEnsureALoggingServiceIsEnabled";
static const char* g_auditEnsureFilePermissionsForAllRsyslogLogFilesObject = "auditEnsureFilePermissionsForAllRsyslogLogFiles";
static const char* g_auditEnsureLoggerConfigurationFilesAreRestrictedObject = "auditEnsureLoggerConfigurationFilesAreRestricted";
static const char* g_auditEnsureAllRsyslogLogFilesAreOwnedByAdmGroupObject = "auditEnsureAllRsyslogLogFilesAreOwnedByAdmGroup";
@ -306,7 +306,7 @@ static const char* g_remediateEnsureAllBootloadersHavePasswordProtectionEnabledO
static const char* g_remediateEnsureLoggingIsConfiguredObject = "remediateEnsureLoggingIsConfigured";
static const char* g_remediateEnsureSyslogPackageIsInstalledObject = "remediateEnsureSyslogPackageIsInstalled";
static const char* g_remediateEnsureSystemdJournaldServicePersistsLogMessagesObject = "remediateEnsureSystemdJournaldServicePersistsLogMessages";
static const char* g_remediateEnsureALoggingServiceIsSnabledObject = "remediateEnsureALoggingServiceIsSnabled";
static const char* g_remediateEnsureALoggingServiceIsEnabledObject = "remediateEnsureALoggingServiceIsEnabled";
static const char* g_remediateEnsureFilePermissionsForAllRsyslogLogFilesObject = "remediateEnsureFilePermissionsForAllRsyslogLogFiles";
static const char* g_remediateEnsureLoggerConfigurationFilesAreRestrictedObject = "remediateEnsureLoggerConfigurationFilesAreRestricted";
static const char* g_remediateEnsureAllRsyslogLogFilesAreOwnedByAdmGroupObject = "remediateEnsureAllRsyslogLogFilesAreOwnedByAdmGroup";
@ -377,6 +377,7 @@ static const char* g_etcGShadow = "/etc/gshadow";
static const char* g_etcGShadowDash = "/etc/gshadow-";
static const char* g_etcPasswd = "/etc/passwd";
static const char* g_etcPasswdDash = "/etc/passwd-";
static const char* g_etcPamdCommonPassword = "/etc/pam.d/common-password";
static const char* g_etcGroup = "/etc/group";
static const char* g_etcGroupDash = "/etc/group-";
static const char* g_etcAnacronTab = "/etc/anacrontab";
@ -614,6 +615,7 @@ static int AuditEnsureNosuidOptionEnabledForAllRemovableMedia(void)
static int AuditEnsureNoexecNosuidOptionsEnabledForAllNfsMounts(void)
{
const char* nfs = "nfs";
return ((0 == CheckFileSystemMountingOption(g_etcFstab, NULL, nfs, g_noexec, SecurityBaselineGetLog())) &&
(0 == CheckFileSystemMountingOption(g_etcFstab, NULL, nfs, g_nosuid, SecurityBaselineGetLog()))) ? 0 : ENOENT;
}
@ -850,7 +852,7 @@ static int AuditEnsureDotDoesNotAppearInRootsPath(void)
static int AuditEnsureCronServiceIsEnabled(void)
{
return (0 == CheckPackageInstalled(g_cron, SecurityBaselineGetLog()) &&
IsDaemonActive(g_cron, SecurityBaselineGetLog())) ? 0 : ENOENT;
CheckIfDaemonActive(g_cron, SecurityBaselineGetLog())) ? 0 : ENOENT;
}
static int AuditEnsureRemoteLoginWarningBannerIsConfigured(void)
@ -871,7 +873,7 @@ static int AuditEnsureLocalLoginWarningBannerIsConfigured(void)
static int AuditEnsureAuditdServiceIsRunning(void)
{
return IsDaemonActive(g_auditd, SecurityBaselineGetLog()) ? 0 : ENOENT;
return CheckIfDaemonActive(g_auditd, SecurityBaselineGetLog()) ? 0 : ENOENT;
}
static int AuditEnsureSuRestrictedToRootGroup(void)
@ -887,8 +889,9 @@ static int AuditEnsureDefaultUmaskForAllUsers(void)
static int AuditEnsureAutomountingDisabled(void)
{
const char* autofs = "autofs";
return (CheckPackageInstalled(autofs, SecurityBaselineGetLog()) &&
(false == IsDaemonActive(autofs, SecurityBaselineGetLog()))) ? 0 : ENOENT;
(false == CheckIfDaemonActive(autofs, SecurityBaselineGetLog()))) ? 0 : ENOENT;
}
static int AuditEnsureKernelCompiledFromApprovedSources(void)
@ -908,6 +911,7 @@ static int AuditEnsureDefaultDenyFirewallPolicyIsSet(void)
static int AuditEnsurePacketRedirectSendingIsDisabled(void)
{
const char* command = "sysctl -a";
return ((0 == FindTextInCommandOutput(command, "net.ipv4.conf.all.send_redirects = 0", SecurityBaselineGetLog())) &&
(0 == FindTextInCommandOutput(command, "net.ipv4.conf.default.send_redirects = 0", SecurityBaselineGetLog()))) ? 0 : ENOENT;
}
@ -915,6 +919,7 @@ static int AuditEnsurePacketRedirectSendingIsDisabled(void)
static int AuditEnsureIcmpRedirectsIsDisabled(void)
{
const char* command = "sysctl -a";
return ((0 == FindTextInCommandOutput(command, "net.ipv4.conf.default.accept_redirects = 0", SecurityBaselineGetLog())) &&
(0 == FindTextInCommandOutput(command, "net.ipv6.conf.default.accept_redirects = 0", SecurityBaselineGetLog())) &&
(0 == FindTextInCommandOutput(command, "net.ipv4.conf.all.accept_redirects = 0", SecurityBaselineGetLog())) &&
@ -948,6 +953,7 @@ static int AuditEnsureIgnoringIcmpEchoPingsToMulticast(void)
static int AuditEnsureMartianPacketLoggingIsEnabled(void)
{
const char* command = "sysctl -a";
return ((0 == FindTextInCommandOutput(command, "net.ipv4.conf.all.log_martians = 1", SecurityBaselineGetLog())) &&
(0 == FindTextInCommandOutput(command, "net.ipv4.conf.default.log_martians = 1", SecurityBaselineGetLog()))) ? 0 : ENOENT;
}
@ -980,7 +986,7 @@ static int AuditEnsureAllWirelessInterfacesAreDisabled(void)
static int AuditEnsureIpv6ProtocolIsEnabled(void)
{
static const char* etcSysCtlConf = "/etc/sysctl.conf";
const char* etcSysCtlConf = "/etc/sysctl.conf";
return ((0 == CheckFileExists("/proc/net/if_inet6", SecurityBaselineGetLog())) &&
(EEXIST == CheckLineNotFoundOrCommentedOut(etcSysCtlConf, '#', "net.ipv6.conf.all.disable_ipv6 = 0", SecurityBaselineGetLog())) &&
@ -1022,7 +1028,7 @@ static int AuditEnsurePermissionsOnBootloaderConfig(void)
static int AuditEnsurePasswordReuseIsLimited(void)
{
//TBD: refine this and expand to other distros
return (4 < GetIntegerOptionFromFile("/etc/pam.d/common-password", "remember", '=', SecurityBaselineGetLog())) ? 0 : ENOENT;
return (4 < GetIntegerOptionFromFile(g_etcPamdCommonPassword, "remember", '=', SecurityBaselineGetLog())) ? 0 : ENOENT;
}
static int AuditEnsureMountingOfUsbStorageDevicesIsDisabled(void)
@ -1041,22 +1047,26 @@ static int AuditEnsureCoreDumpsAreRestricted(void)
static int AuditEnsurePasswordCreationRequirements(void)
{
const char* etcSecurityPwQualityConf = "/etc/security/pwquality.conf";
return ((EEXIST == CheckLineNotFoundOrCommentedOut(etcSecurityPwQualityConf, '#', "minlen=14", SecurityBaselineGetLog())) &&
(EEXIST == CheckLineNotFoundOrCommentedOut(etcSecurityPwQualityConf, '#', "minclass=4", SecurityBaselineGetLog())) &&
(EEXIST == CheckLineNotFoundOrCommentedOut(etcSecurityPwQualityConf, '#', "dcredit=-1", SecurityBaselineGetLog())) &&
(EEXIST == CheckLineNotFoundOrCommentedOut(etcSecurityPwQualityConf, '#', "ucredit=-1", SecurityBaselineGetLog())) &&
(EEXIST == CheckLineNotFoundOrCommentedOut(etcSecurityPwQualityConf, '#', "ocredit=-1", SecurityBaselineGetLog())) &&
(EEXIST == CheckLineNotFoundOrCommentedOut(etcSecurityPwQualityConf, '#', "lcredit=-1", SecurityBaselineGetLog()))) ? 0 : ENOENT;
//TBD: expand to other distros
return ((14 == GetIntegerOptionFromFile(g_etcPamdCommonPassword, "minlen", '=', SecurityBaselineGetLog())) &&
(4 == GetIntegerOptionFromFile(g_etcPamdCommonPassword, "minclass", '=', SecurityBaselineGetLog())) &&
(-1 == GetIntegerOptionFromFile(g_etcPamdCommonPassword, "dcredit", '=', SecurityBaselineGetLog())) &&
(-1 == GetIntegerOptionFromFile(g_etcPamdCommonPassword, "ucredit", '=', SecurityBaselineGetLog())) &&
(-1 == GetIntegerOptionFromFile(g_etcPamdCommonPassword, "ocredit", '=', SecurityBaselineGetLog())) &&
(-1 == GetIntegerOptionFromFile(g_etcPamdCommonPassword, "lcredit", '=', SecurityBaselineGetLog()))) ? 0 : ENOENT;
}
static int AuditEnsureLockoutForFailedPasswordAttempts(void)
{
//TBD: refine this and expand to other distros
return ((EEXIST == CheckLineNotFoundOrCommentedOut("/etc/pam.d/common-auth", '#', "pam_tally", SecurityBaselineGetLog())) ||
(EEXIST == CheckLineNotFoundOrCommentedOut("/etc/pam.d/password-auth", '#', "pam_faillock", SecurityBaselineGetLog())) ||
(EEXIST == CheckLineNotFoundOrCommentedOut("/etc/pam.d/system-auth", '#', "pam_faillock", SecurityBaselineGetLog()))) ? 0 : ENOENT;
//TBD: expand to other distros
const char* passwordAuth = "/etc/pam.d/password-auth";
return ((0 == CheckLockoutForFailedPasswordAttempts(passwordAuth, SecurityBaselineGetLog())) &&
(EEXIST == CheckLineNotFoundOrCommentedOut(passwordAuth, '#', "auth", SecurityBaselineGetLog())) &&
(EEXIST == CheckLineNotFoundOrCommentedOut(passwordAuth, '#', "pam_tally2.so", SecurityBaselineGetLog())) &&
(EEXIST == CheckLineNotFoundOrCommentedOut(passwordAuth, '#', "file=/var/log/tallylog", SecurityBaselineGetLog())) &&
(0 < GetIntegerOptionFromFile(passwordAuth, "deny", '=', SecurityBaselineGetLog())) &&
(0 < GetIntegerOptionFromFile(passwordAuth, "unlock_time", '=', SecurityBaselineGetLog()))) ? 0 : ENOENT;
}
static int AuditEnsureDisabledInstallationOfCramfsFileSystem(void)
@ -1093,6 +1103,7 @@ static int AuditEnsureVirtualMemoryRandomizationIsEnabled(void)
static int AuditEnsureAllBootloadersHavePasswordProtectionEnabled(void)
{
const char* password = "password";
return ((EEXIST == CheckLineNotFoundOrCommentedOut("/boot/grub/grub.cfg", '#', password, SecurityBaselineGetLog())) ||
(EEXIST == CheckLineNotFoundOrCommentedOut("/boot/grub/grub.conf", '#', password, SecurityBaselineGetLog())) ||
(EEXIST == CheckLineNotFoundOrCommentedOut("/boot/grub2/grub.conf", '#', password, SecurityBaselineGetLog()))) ? 0 : ENOENT;
@ -1116,11 +1127,11 @@ static int AuditEnsureSystemdJournaldServicePersistsLogMessages(void)
(0 == CheckDirectoryAccess("/var/log/journal", 0, -1, 2775, false, SecurityBaselineGetLog()))) ? 0 : ENOENT;
}
static int AuditEnsureALoggingServiceIsSnabled(void)
static int AuditEnsureALoggingServiceIsEnabled(void)
{
return (((0 == CheckPackageInstalled(g_rsyslog, SecurityBaselineGetLog())) && IsDaemonActive(g_rsyslog, SecurityBaselineGetLog())) ||
((0 == CheckPackageInstalled(g_syslogNg, SecurityBaselineGetLog())) && IsDaemonActive(g_syslogNg, SecurityBaselineGetLog())) ||
((0 == CheckPackageInstalled(g_systemd, SecurityBaselineGetLog())) && IsDaemonActive("systemd-journald", SecurityBaselineGetLog()))) ? 0 : ENOENT;
return ((CheckPackageInstalled(g_syslogNg, SecurityBaselineGetLog()) && CheckPackageInstalled(g_systemd, SecurityBaselineGetLog()) && CheckIfDaemonActive(g_rsyslog, SecurityBaselineGetLog())) ||
(CheckPackageInstalled(g_rsyslog, SecurityBaselineGetLog()) && CheckPackageInstalled(g_systemd, SecurityBaselineGetLog()) && CheckIfDaemonActive(g_syslogNg, SecurityBaselineGetLog())) ||
((0 == CheckPackageInstalled(g_systemd, SecurityBaselineGetLog())) && CheckIfDaemonActive("systemd-journald", SecurityBaselineGetLog()))) ? 0 : ENOENT;
}
static int AuditEnsureFilePermissionsForAllRsyslogLogFiles(void)
@ -1160,7 +1171,7 @@ static int AuditEnsureRsyslogNotAcceptingRemoteMessages(void)
static int AuditEnsureSyslogRotaterServiceIsEnabled(void)
{
return ((0 == CheckPackageInstalled("logrotate", SecurityBaselineGetLog())) &&
IsDaemonActive("logrotate.timer", SecurityBaselineGetLog()) &&
CheckIfDaemonActive("logrotate.timer", SecurityBaselineGetLog()) &&
(0 == CheckFileAccess("/etc/cron.daily/logrotate", 0, 0, 755, SecurityBaselineGetLog()))) ? 0 : ENOENT;
}
@ -1251,9 +1262,8 @@ static int AuditEnsureSshPermitEmptyPasswordsIsDisabled(void)
static int AuditEnsureSshIdleTimeoutIntervalIsConfigured(void)
{
return ((EEXIST == CheckFileExists(g_etcSshSshdConfig, SecurityBaselineGetLog())) ||
((EEXIST == CheckLineNotFoundOrCommentedOut(g_etcSshSshdConfig, '#', "ClientAliveCountMax 0", SecurityBaselineGetLog())) &&
(EEXIST == CheckLineNotFoundOrCommentedOut(g_etcSshSshdConfig, '#', "ClientAliveInterval", SecurityBaselineGetLog())))) ? 0 : ENOENT;
return ((0 == GetIntegerOptionFromFile(g_etcSshSshdConfig, "ClientAliveCountMax", ' ', SecurityBaselineGetLog())) &&
(0 < GetIntegerOptionFromFile(g_etcSshSshdConfig, "ClientAliveInterval", ' ', SecurityBaselineGetLog()))) ? 0 : ENOENT;
}
static int AuditEnsureSshLoginGraceTimeIsSet(void)
@ -1280,7 +1290,7 @@ static int AuditEnsureSshWarningBannerIsEnabled(void)
static int AuditEnsureUsersCannotSetSshEnvironmentOptions(void)
{
return CheckLineNotFoundOrCommentedOut("/etc/ssh/ssh_config", '#', "PermitUserEnvironment yes", SecurityBaselineGetLog());
return (EEXIST == CheckLineNotFoundOrCommentedOut("/etc/ssh/ssh_config", '#', "PermitUserEnvironment yes", SecurityBaselineGetLog())) ? 0 : ENOENT;
}
static int AuditEnsureAppropriateCiphersForSsh(void)
@ -1294,14 +1304,14 @@ static int AuditEnsureAppropriateCiphersForSsh(void)
static int AuditEnsureAvahiDaemonServiceIsDisabled(void)
{
return (false == IsDaemonActive("avahi-daemon", SecurityBaselineGetLog())) ? 0 : ENOENT;
return (false == CheckIfDaemonActive("avahi-daemon", SecurityBaselineGetLog())) ? 0 : ENOENT;
}
static int AuditEnsureCupsServiceisDisabled(void)
{
const char* cups = "cups";
return (CheckPackageInstalled(cups, SecurityBaselineGetLog()) &&
(false == IsDaemonActive(cups, SecurityBaselineGetLog()))) ? 0 : ENOENT;
(false == CheckIfDaemonActive(cups, SecurityBaselineGetLog()))) ? 0 : ENOENT;
}
static int AuditEnsurePostfixPackageIsUninstalled(void)
@ -1317,24 +1327,24 @@ static int AuditEnsurePostfixNetworkListeningIsDisabled(void)
static int AuditEnsureRpcgssdServiceIsDisabled(void)
{
return (false == IsDaemonActive("rpcgssd", SecurityBaselineGetLog())) ? 0 : ENOENT;
return (false == CheckIfDaemonActive("rpcgssd", SecurityBaselineGetLog())) ? 0 : ENOENT;
}
static int AuditEnsureRpcidmapdServiceIsDisabled(void)
{
return (false == IsDaemonActive("rpcidmapd", SecurityBaselineGetLog())) ? 0 : ENOENT;
return (false == CheckIfDaemonActive("rpcidmapd", SecurityBaselineGetLog())) ? 0 : ENOENT;
}
static int AuditEnsurePortmapServiceIsDisabled(void)
{
return ((false == IsDaemonActive("rpcbind", SecurityBaselineGetLog())) &&
(false == IsDaemonActive("rpcbind.service", SecurityBaselineGetLog())) &&
(false == IsDaemonActive("rpcbind.socket", SecurityBaselineGetLog()))) ? 0 : ENOENT;
return ((false == CheckIfDaemonActive("rpcbind", SecurityBaselineGetLog())) &&
(false == CheckIfDaemonActive("rpcbind.service", SecurityBaselineGetLog())) &&
(false == CheckIfDaemonActive("rpcbind.socket", SecurityBaselineGetLog()))) ? 0 : ENOENT;
}
static int AuditEnsureNetworkFileSystemServiceIsDisabled(void)
{
return IsDaemonActive("nfs-server", SecurityBaselineGetLog()) ? ENOENT : 0;
return CheckIfDaemonActive("nfs-server", SecurityBaselineGetLog()) ? ENOENT : 0;
}
static int AuditEnsureRpcsvcgssdServiceIsDisabled(void)
@ -1344,17 +1354,17 @@ static int AuditEnsureRpcsvcgssdServiceIsDisabled(void)
static int AuditEnsureSnmpServerIsDisabled(void)
{
return IsDaemonActive("snmpd", SecurityBaselineGetLog()) ? ENOENT : 0;
return CheckIfDaemonActive("snmpd", SecurityBaselineGetLog()) ? ENOENT : 0;
}
static int AuditEnsureRsynServiceIsDisabled(void)
{
return IsDaemonActive("rsyncd", SecurityBaselineGetLog()) ? ENOENT : 0;
return CheckIfDaemonActive("rsyncd", SecurityBaselineGetLog()) ? ENOENT : 0;
}
static int AuditEnsureNisServerIsDisabled(void)
{
return IsDaemonActive("ypserv", SecurityBaselineGetLog()) ? ENOENT : 0;
return CheckIfDaemonActive("ypserv", SecurityBaselineGetLog()) ? ENOENT : 0;
}
static int AuditEnsureRshClientNotInstalled(void)
@ -1524,7 +1534,7 @@ AuditRemediate g_auditChecks[] =
&AuditEnsureLoggingIsConfigured,
&AuditEnsureSyslogPackageIsInstalled,
&AuditEnsureSystemdJournaldServicePersistsLogMessages,
&AuditEnsureALoggingServiceIsSnabled,
&AuditEnsureALoggingServiceIsEnabled,
&AuditEnsureFilePermissionsForAllRsyslogLogFiles,
&AuditEnsureLoggerConfigurationFilesAreRestricted,
&AuditEnsureAllRsyslogLogFilesAreOwnedByAdmGroup,
@ -2182,7 +2192,7 @@ static int RemediateEnsureSystemdJournaldServicePersistsLogMessages(void)
return 0; //TODO: add remediation respecting all existing patterns
}
static int RemediateEnsureALoggingServiceIsSnabled(void)
static int RemediateEnsureALoggingServiceIsEnabled(void)
{
return 0; //TODO: add remediation respecting all existing patterns
}
@ -2532,7 +2542,7 @@ AuditRemediate g_remediateChecks[] =
&RemediateEnsureLoggingIsConfigured,
&RemediateEnsureSyslogPackageIsInstalled,
&RemediateEnsureSystemdJournaldServicePersistsLogMessages,
&RemediateEnsureALoggingServiceIsSnabled,
&RemediateEnsureALoggingServiceIsEnabled,
&RemediateEnsureFilePermissionsForAllRsyslogLogFiles,
&RemediateEnsureLoggerConfigurationFilesAreRestricted,
&RemediateEnsureAllRsyslogLogFilesAreOwnedByAdmGroup,
@ -3172,9 +3182,9 @@ int SecurityBaselineMmiGet(MMI_HANDLE clientSession, const char* componentName,
{
result = AuditEnsureSystemdJournaldServicePersistsLogMessages() ? g_fail : g_pass;
}
else if (0 == strcmp(objectName, g_auditEnsureALoggingServiceIsSnabledObject))
else if (0 == strcmp(objectName, g_auditEnsureALoggingServiceIsEnabledObject))
{
result = AuditEnsureALoggingServiceIsSnabled() ? g_fail : g_pass;
result = AuditEnsureALoggingServiceIsEnabled() ? g_fail : g_pass;
}
else if (0 == strcmp(objectName, g_auditEnsureFilePermissionsForAllRsyslogLogFilesObject))
{
@ -3916,9 +3926,9 @@ int SecurityBaselineMmiSet(MMI_HANDLE clientSession, const char* componentName,
{
status = RemediateEnsureSystemdJournaldServicePersistsLogMessages();
}
else if (0 == strcmp(objectName, g_remediateEnsureALoggingServiceIsSnabledObject))
else if (0 == strcmp(objectName, g_remediateEnsureALoggingServiceIsEnabledObject))
{
status = RemediateEnsureALoggingServiceIsSnabled();
status = RemediateEnsureALoggingServiceIsEnabled();
}
else if (0 == strcmp(objectName, g_remediateEnsureFilePermissionsForAllRsyslogLogFilesObject))
{

8
src/modules/securitybaseline/tests/SecurityBaselineTests.cpp
Просмотреть файл

@ -144,7 +144,7 @@ class SecurityBaselineTest : public ::testing::Test
const char* m_auditEnsureLoggingIsConfiguredObject = "auditEnsureLoggingIsConfigured";
const char* m_auditEnsureSyslogPackageIsInstalledObject = "auditEnsureSyslogPackageIsInstalled";
const char* m_auditEnsureSystemdJournaldServicePersistsLogMessagesObject = "auditEnsureSystemdJournaldServicePersistsLogMessages";
const char* m_auditEnsureALoggingServiceIsSnabledObject = "auditEnsureALoggingServiceIsSnabled";
const char* m_auditEnsureALoggingServiceIsEnabledObject = "auditEnsureALoggingServiceIsEnabled";
const char* m_auditEnsureFilePermissionsForAllRsyslogLogFilesObject = "auditEnsureFilePermissionsForAllRsyslogLogFiles";
const char* m_auditEnsureLoggerConfigurationFilesAreRestrictedObject = "auditEnsureLoggerConfigurationFilesAreRestricted";
const char* m_auditEnsureAllRsyslogLogFilesAreOwnedByAdmGroupObject = "auditEnsureAllRsyslogLogFilesAreOwnedByAdmGroup";
@ -311,7 +311,7 @@ class SecurityBaselineTest : public ::testing::Test
const char* m_remediateEnsureLoggingIsConfiguredObject = "remediateEnsureLoggingIsConfigured";
const char* m_remediateEnsureSyslogPackageIsInstalledObject = "remediateEnsureSyslogPackageIsInstalled";
const char* m_remediateEnsureSystemdJournaldServicePersistsLogMessagesObject = "remediateEnsureSystemdJournaldServicePersistsLogMessages";
const char* m_remediateEnsureALoggingServiceIsSnabledObject = "remediateEnsureALoggingServiceIsSnabled";
const char* m_remediateEnsureALoggingServiceIsEnabledObject = "remediateEnsureALoggingServiceIsEnabled";
const char* m_remediateEnsureFilePermissionsForAllRsyslogLogFilesObject = "remediateEnsureFilePermissionsForAllRsyslogLogFiles";
const char* m_remediateEnsureLoggerConfigurationFilesAreRestrictedObject = "remediateEnsureLoggerConfigurationFilesAreRestricted";
const char* m_remediateEnsureAllRsyslogLogFilesAreOwnedByAdmGroupObject = "remediateEnsureAllRsyslogLogFilesAreOwnedByAdmGroup";
@ -544,7 +544,7 @@ TEST_F(SecurityBaselineTest, MmiSet)
m_remediateEnsureLoggingIsConfiguredObject,
m_remediateEnsureSyslogPackageIsInstalledObject,
m_remediateEnsureSystemdJournaldServicePersistsLogMessagesObject,
m_remediateEnsureALoggingServiceIsSnabledObject,
m_remediateEnsureALoggingServiceIsEnabledObject,
m_remediateEnsureFilePermissionsForAllRsyslogLogFilesObject,
m_remediateEnsureLoggerConfigurationFilesAreRestrictedObject,
m_remediateEnsureAllRsyslogLogFilesAreOwnedByAdmGroupObject,
@ -767,7 +767,7 @@ TEST_F(SecurityBaselineTest, MmiGet)
m_auditEnsureLoggingIsConfiguredObject,
m_auditEnsureSyslogPackageIsInstalledObject,
m_auditEnsureSystemdJournaldServicePersistsLogMessagesObject,
m_auditEnsureALoggingServiceIsSnabledObject,
m_auditEnsureALoggingServiceIsEnabledObject,
m_auditEnsureFilePermissionsForAllRsyslogLogFilesObject,
m_auditEnsureLoggerConfigurationFilesAreRestrictedObject,
m_auditEnsureAllRsyslogLogFilesAreOwnedByAdmGroupObject,

4
src/modules/test/recipes/SecurityBaselineTests.json
Просмотреть файл

@ -626,7 +626,7 @@
{
"ObjectType": "Desired",
"ComponentName": "SecurityBaseline",
"ObjectName": "remediateEnsureALoggingServiceIsSnabled"
"ObjectName": "remediateEnsureALoggingServiceIsEnabled"
},
{
"ObjectType": "Desired",
@ -1563,7 +1563,7 @@
{
"ObjectType": "Reported",
"ComponentName": "SecurityBaseline",
"ObjectName": "auditEnsureALoggingServiceIsSnabled",
"ObjectName": "auditEnsureALoggingServiceIsEnabled",
"Payload": "PASS"
},
{