Stabilizing ASB v2's auditEnsureZeroconfNetworkingIsDisabled and remediateEnsureZeroconfNetworkingIsDisabled (#731)
Родитель
8b179cc2fb
Коммит
af0326bc73
|
@ -1546,7 +1546,7 @@ static char* AuditEnsureZeroconfNetworkingIsDisabled(void* log)
|
|||
char* reason = NULL;
|
||||
RETURN_REASON_IF_NOT_ZERO(CheckDaemonNotActive(g_avahiDaemon, &reason, log) ? 0 : ENOENT);
|
||||
RETURN_REASON_IF_NOT_ZERO(CheckLineNotFoundOrCommentedOut(g_etcNetworkInterfaces, '#', g_ipv4ll, &reason, log));
|
||||
if (FileExists(g_etcSysconfigNetwork))
|
||||
if (FileExists(g_etcSysconfigNetwork) && IsAFile(g_etcSysconfigNetwork, log))
|
||||
{
|
||||
CheckLineFoundNotCommentedOut(g_etcSysconfigNetwork, '#', "NOZEROCONF=yes", &reason, log);
|
||||
}
|
||||
|
@ -2664,8 +2664,9 @@ static int RemediateEnsureAuditdServiceIsRunning(char* value, void* log)
|
|||
else if ((false == CheckDaemonActive(g_auditd, NULL, log)) && (false == EnableAndStartDaemon(g_auditd, log)))
|
||||
{
|
||||
ExecuteCommand(NULL, "restorecon -r -v /var/log/audit", false, false, 0, 0, NULL, NULL, log);
|
||||
if (0 != (status = StartDaemon(g_auditd, log) ? 0 : ENOENT))
|
||||
if (false == StartDaemon(g_auditd, log))
|
||||
{
|
||||
status = ENOENT;
|
||||
for (i = 0; i < 3; i++)
|
||||
{
|
||||
sleep(1);
|
||||
|
@ -3134,11 +3135,20 @@ static int RemediateEnsureTipcIsDisabled(char* value, void* log)
|
|||
|
||||
static int RemediateEnsureZeroconfNetworkingIsDisabled(char* value, void* log)
|
||||
{
|
||||
int status = 0;
|
||||
UNUSED(value);
|
||||
StopAndDisableDaemon(g_avahiDaemon, log);
|
||||
return ((false == IsDaemonActive(g_avahiDaemon, log)) &&
|
||||
(0 == ReplaceMarkedLinesInFile(g_etcNetworkInterfaces, g_ipv4ll, NULL, '#', true, log)) &&
|
||||
(0 == ReplaceMarkedLinesInFile(g_etcSysconfigNetwork, "NOZEROCONF", "NOZEROCONF=yes\n", '#', true, log))) ? 0 : ENOENT;
|
||||
if (0 == (status = (CheckDaemonNotActive(g_avahiDaemon, NULL, log) ? 0 : ENOENT)))
|
||||
{
|
||||
if (0 == (status = ReplaceMarkedLinesInFile(g_etcNetworkInterfaces, g_ipv4ll, NULL, '#', true, log)))
|
||||
{
|
||||
if (FileExists(g_etcSysconfigNetwork) && IsAFile(g_etcSysconfigNetwork, log))
|
||||
{
|
||||
status = ReplaceMarkedLinesInFile(g_etcSysconfigNetwork, "NOZEROCONF", "NOZEROCONF=yes\n", '#', true, log);
|
||||
}
|
||||
}
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
static int RemediateEnsurePermissionsOnBootloaderConfig(char* value, void* log)
|
||||
|
|
|
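Review bot: In RemediateEnsureZeroconfNetworkingIsDisabled the two config-file edits are guarded asymmetrically: the /etc/sysconfig/network rewrite is wrapped in `FileExists(...) && IsAFile(...)`, but the g_etcNetworkInterfaces rewrite on the line above it is not, and its return becomes `status`. If ReplaceMarkedLinesInFile reports an error for an absent file (not visible on this page), a host that has only /etc/sysconfig/network and no /etc/network/interfaces fails remediation before the NOZEROCONF line is ever written, and the audit in the first hunk then keeps failing for that host. Mirroring the guard on both edits and chaining on `status` instead of nesting keeps the two paths independent. Note also that IsAFile uses lstat (see the CommonUtils hunk further down), so a symlinked config file is skipped silently by the audit guard in the first hunk and by these remediation guards, with no reason recorded; if that is intended, a one-line comment at each guard saying so would help the next reader.
```c
    StopAndDisableDaemon(g_avahiDaemon, log);

    if (0 == (status = (CheckDaemonNotActive(g_avahiDaemon, NULL, log) ? 0 : ENOENT)))
    {
        if (FileExists(g_etcNetworkInterfaces) && IsAFile(g_etcNetworkInterfaces, log))
        {
            status = ReplaceMarkedLinesInFile(g_etcNetworkInterfaces, g_ipv4ll, NULL, '#', true, log);
        }

        if ((0 == status) && FileExists(g_etcSysconfigNetwork) && IsAFile(g_etcSysconfigNetwork, log))
        {
            status = ReplaceMarkedLinesInFile(g_etcSysconfigNetwork, "NOZEROCONF", "NOZEROCONF=yes\n", '#', true, log);
        }
    }
    // … unchanged: return status …
```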
@ -60,6 +60,8 @@ int ExecuteCommand(void* context, const char* command, bool replaceEol, bool for
|
|||
|
||||
int RestrictFileAccessToCurrentAccountOnly(const char* fileName);
|
||||
|
||||
bool IsAFile(const char* fileName, void* log);
|
||||
bool IsADirectory(const char* fileName, void* log);
|
||||
bool FileExists(const char* fileName);
|
||||
bool DirectoryExists(const char* directoryName);
|
||||
int CheckFileExists(const char* fileName, char** reason, void* log);
|
||||
|
|
|
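Review bot: The new IsAFile and IsADirectory prototypes carry no comment, and their answer is not what a caller will assume from the name: the implementation further down this page uses lstat, so a symbolic link to a regular file or directory yields false, and a non-matching type is logged at error level. The baseline code on this page uses them as silent guards, so the header is the place to state that; suggested comment above the two declarations: `// True only for an existing regular file / directory; symlinks are not followed (lstat) and any other type is logged as an error and reported false`.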
@ -321,6 +321,91 @@ int RestrictFileAccessToCurrentAccountOnly(const char* fileName)
|
|||
return chmod(fileName, S_ISUID | S_ISGID | S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IXUSR | S_IXGRP);
|
||||
}
|
||||
|
||||
static bool IsATrueFileOrDirectory(bool directory, const char* name, void* log)
|
||||
{
|
||||
struct stat statStruct = {0};
|
||||
int format = 0;
|
||||
int status = 0;
|
||||
bool result = false;
|
||||
|
||||
if (NULL == name)
|
||||
{
|
||||
OsConfigLogError(log, "IsATrueFileOrDirectoryFileOrDirectory: invalid argument");
|
||||
return false;
|
||||
}
|
||||
|
||||
if (-1 != (status = lstat(name, &statStruct)))
|
||||
{
|
||||
format = S_IFMT & statStruct.st_mode;
|
||||
|
||||
switch (format)
|
||||
{
|
||||
case S_IFBLK:
|
||||
OsConfigLogError(log, "IsATrueFileOrDirectory: '%s' is a block device", name);
|
||||
break;
|
||||
|
||||
case S_IFCHR:
|
||||
OsConfigLogError(log, "IsATrueFileOrDirectory: '%s' is a character device", name);
|
||||
break;
|
||||
|
||||
case S_IFDIR:
|
||||
if (directory)
|
||||
{
|
||||
OsConfigLogInfo(log, "IsATrueFileOrDirectory: '%s' is a directory", name);
|
||||
result = true;
|
||||
}
|
||||
else
|
||||
{
|
||||
OsConfigLogError(log, "IsATrueFileOrDirectory: '%s' is a directory", name);
|
||||
}
|
||||
break;
|
||||
|
||||
case S_IFIFO:
|
||||
OsConfigLogError(log, "IsATrueFileOrDirectory: '%s' is a FIFO pipe", name);
|
||||
break;
|
||||
|
||||
case S_IFLNK:
|
||||
OsConfigLogError(log, "IsATrueFileOrDirectory: '%s' is a symnlink", name);
|
||||
break;
|
||||
|
||||
case S_IFREG:
|
||||
if (false == directory)
|
||||
{
|
||||
OsConfigLogInfo(log, "IsATrueFileOrDirectory: '%s' is a regular file", name);
|
||||
result = true;
|
||||
}
|
||||
else
|
||||
{
|
||||
OsConfigLogError(log, "IsATrueFileOrDirectory: '%s' is a regular file", name);
|
||||
}
|
||||
break;
|
||||
|
||||
case S_IFSOCK:
|
||||
OsConfigLogError(log, "IsATrueFileOrDirectory: '%s' is a socket", name);
|
||||
break;
|
||||
|
||||
default:
|
||||
OsConfigLogError(log, "IsATrueFileOrDirectory: '%s' is of an unknown format 0x%X", name, format);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
OsConfigLogError(log, "IsATrueFileOrDirectory: stat('%s') failed with %d (errno: %d)", name, status, errno);
|
||||
}
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
bool IsAFile(const char* fileName, void* log)
|
||||
{
|
||||
return IsATrueFileOrDirectory(false, fileName, log);
|
||||
}
|
||||
|
||||
bool IsADirectory(const char* fileName, void* log)
|
||||
{
|
||||
return IsATrueFileOrDirectory(true, fileName, log);
|
||||
}
|
||||
|
||||
bool FileExists(const char* fileName)
|
||||
{
|
||||
return ((NULL != fileName) && (-1 != access(fileName, F_OK))) ? true : false;
|
||||
|
|
|
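Review bot: IsATrueFileOrDirectory uses lstat rather than stat, which makes it refuse symlinks — reasonable when the result gates a config-file rewrite, but nothing in the function says whether that is deliberate, and two of the log strings have typos: `"IsATrueFileOrDirectoryFileOrDirectory: invalid argument"` in the NULL check and `"is a symnlink"` in the S_IFLNK case. A header comment such as `// Uses lstat on purpose: a symlink is reported as neither a file nor a directory, so callers never follow it to an unexpected target` would pin the intent, and the two strings should read `"IsATrueFileOrDirectory: invalid argument"` and `"is a symlink"`. The `status` local only ever holds the lstat return value, so the failure log always prints -1 next to errno; logging errno (or strerror) alone would be clearer. In FileExists the trailing `? true : false` is redundant on an expression that is already boolean.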
@ -628,6 +628,14 @@ TEST_F(CommonUtilsTest, DirectoryExists)
|
|||
EXPECT_TRUE(DirectoryExists("/etc"));
|
||||
}
|
||||
|
||||
TEST_F(CommonUtilsTest, IsAFileOrDirectory)
|
||||
{
|
||||
EXPECT_TRUE(IsAFile("/etc/passwd", NULL));
|
||||
EXPECT_FALSE(IsADirectory("/etc/passwd", NULL));
|
||||
EXPECT_FALSE(IsAFile("/etc", NULL));
|
||||
EXPECT_TRUE(IsADirectory("/etc", NULL));
|
||||
}
|
||||
|
||||
struct HttpProxyOptions
|
||||
{
|
||||
const char* data;
|
||||
|
|
|
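Review bot: The new IsAFileOrDirectory test only covers /etc/passwd and /etc, so it does not pin the two behaviours the baseline now relies on: the NULL guard and the lstat-based refusal of symlinks. Add `EXPECT_FALSE(IsAFile(NULL, NULL));`, `EXPECT_FALSE(IsADirectory(NULL, NULL));`, a nonexistent path for both functions, and a case that creates a symlink to a regular file under a temporary path owned by the fixture and expects both IsAFile and IsADirectory to return false. Without the symlink case, a later switch from lstat to stat would silently change which config files the audit and remediation guards accept.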
@ -387,15 +387,13 @@ int RunTestStep(const TEST_STEP* test, const MANAGEMENT_MODULE* module)
|
|||
"auditEnsureKernelSupportForCpuNx",
|
||||
"auditEnsureDefaultDenyFirewallPolicyIsSet",
|
||||
"auditEnsureAuthenticationRequiredForSingleUserMode",
|
||||
"auditEnsureAllBootloadersHavePasswordProtectionEnabled",
|
||||
// Following are temporarily disabled and they will be re-enabled and fixed one by one for all target distros
|
||||
"auditEnsureZeroconfNetworkingIsDisabled"
|
||||
"auditEnsureAllBootloadersHavePasswordProtectionEnabled"
|
||||
// Add here more audit checks that need to be temporarily disabled during investigation
|
||||
};
|
||||
int numSkippedAudits = ARRAY_SIZE(skippedAudits);
|
||||
|
||||
const char* skippedRemediations[] = {
|
||||
// Following are temporarily disabled and they will be re-enabled and fixed one by one for all target distros
|
||||
"remediateEnsureZeroconfNetworkingIsDisabled"
|
||||
// Add here remediation checks that need to be temporarily disabled during investigation
|
||||
};
|
||||
int numSkippedRemediations = ARRAY_SIZE(skippedRemediations);
|
||||
|
||||
|
|
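Review bot: The skipped-audit entries `"auditEnsureZeroconfNetworkingIsDisabled"` and `"auditEnsureAllBootloadersHavePasswordProtectionEnabled"` are printed without a separating comma, while the earlier `"auditEnsureAllBootloadersHavePasswordProtectionEnabled",` has one; on whichever side those two literals end up adjacent, C concatenates them into a single entry, so one of the names is never matched by the skip logic and ARRAY_SIZE is one short. Worth confirming in the resulting file that every entry but the last ends with a comma. If removing `"remediateEnsureZeroconfNetworkingIsDisabled"` leaves skippedRemediations with no entries, `const char* skippedRemediations[] = { };` is an empty initializer, which GCC accepts as an extension but C11 does not; keeping one placeholder entry that the matching loop ignores, or setting numSkippedRemediations to 0 without the array, keeps the build portable. RunTestStep starts outside this hunk.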