Fixing ASB v2's auditEnsureSystemdJournaldServicePersistsLogMessages …
…and remediateEnsureSystemdJournaldServicePersistsLogMessages (#764)
MariusNi authored Sep 17, 2024
1 parent 0b85ead commit 043878e
Showing 9 changed files with 51 additions and 26 deletions.
Expand Up @@ -15,7 +15,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"configurationParameter": {
"accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
"ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
Expand Down Expand Up @@ -640,7 +640,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Down Expand Up @@ -735,7 +735,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Down Expand Up @@ -830,7 +830,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Up @@ -15,7 +15,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"configurationParameter": {
"accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
"ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
Expand Down Expand Up @@ -625,7 +625,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Down Expand Up @@ -716,7 +716,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Down Expand Up @@ -807,7 +807,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
"contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
"contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Up @@ -15,7 +15,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"configurationParameter": {
"accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
"ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
Expand Down Expand Up @@ -639,7 +639,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Down Expand Up @@ -734,7 +734,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Down Expand Up @@ -829,7 +829,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Up @@ -15,7 +15,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"configurationParameter": {
"accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
"ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
Expand Down Expand Up @@ -624,7 +624,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Down Expand Up @@ -715,7 +715,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
Expand Down Expand Up @@ -806,7 +806,7 @@
"version": "1.0.0",
"contentType": "Custom",
"contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
"contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
"contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
"assignmentType": "ApplyAndAutoCorrect",
"configurationParameter": [
{
10 changes: 8 additions & 2 deletions src/common/asb/Asb.c
Expand Up @@ -627,6 +627,7 @@ static char* g_desiredEnsureUnnecessaryAccountsAreRemoved = NULL;
static char* g_desiredEnsureDefaultDenyFirewallPolicyIsSet = NULL;

static const int g_shadowGid = 42;
static const int g_varLogJournalMode = 2755;

void AsbInitialize(void* log)
{
Expand Down Expand Up @@ -693,6 +694,11 @@ void AsbInitialize(void* log)
FREE_MEMORY(prettyName);
FREE_MEMORY(kernelVersion);

if (IsCommodore(log))
{
OsConfigLogInfo(log, "AsbInitialize: running on product '%s'", PRODUCT_NAME_AZURE_COMMODORE);
}

OsConfigLogInfo(log, "%s initialized", g_asbName);
}

Expand Down Expand Up @@ -1722,7 +1728,7 @@ static char* AuditEnsureSystemdJournaldServicePersistsLogMessages(void* log)
{
char* reason = NULL;
RETURN_REASON_IF_NOT_ZERO(CheckPackageInstalled(g_systemd, &reason, log));
CheckDirectoryAccess(g_varLogJournal, 0, -1, 2775, false, &reason, log);
CheckDirectoryAccess(g_varLogJournal, 0, -1, g_varLogJournalMode, false, &reason, log);
return reason;
}

Expand Down Expand Up @@ -3301,7 +3307,7 @@ static int RemediateEnsureSystemdJournaldServicePersistsLogMessages(char* value,
{
UNUSED(value);
return ((0 == InstallPackage(g_systemd, log)) &&
(0 == SetDirectoryAccess(g_varLogJournal, 0, -1, 2775, log))) ? 0 : ENOENT;
(0 == SetDirectoryAccess(g_varLogJournal, 0, -1, g_varLogJournalMode, log))) ? 0 : ENOENT;
}

static int RemediateEnsureALoggingServiceIsEnabled(char* value, void* log)
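Review bot: `g_varLogJournalMode = 2755` is a decimal literal whose digits stand for a permission mode, and nothing at the declaration says so; a comment such as `/* mode digits for g_varLogJournal: setgid, owner rwx, group and other r-x */` would keep a later edit from rewriting it as `02755`. How CheckDirectoryAccess and SetDirectoryAccess interpret the value is not visible in these hunks, so that reading should be confirmed against them. In RemediateEnsureSystemdJournaldServicePersistsLogMessages every failure of InstallPackage or SetDirectoryAccess is still returned as ENOENT, which hides a permission or ownership error from whoever reads the remediation result. AsbInitialize and the surrounding declarations extend beyond the hunks shown.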
1 change: 1 addition & 0 deletions src/common/asb/Asb.h
Expand Up @@ -5,6 +5,7 @@
#define ASB_H

#define PRETTY_NAME_AZURE_LINUX_2 "CBL-Mariner/Linux"
#define PRODUCT_NAME_AZURE_COMMODORE "Azure Commodore"
#define PRETTY_NAME_ALMA_LINUX_9 "AlmaLinux 9 (Beryllium)"
#define PRETTY_NAME_ALMA_LINUX_9_3 "AlmaLinux 9.3 (Shamrock Pampas Cat)"
#define PRETTY_NAME_AMAZON_LINUX_2 "Amazon Linux 2"
1 change: 1 addition & 0 deletions src/common/commonutils/CommonUtils.h
Expand Up @@ -169,6 +169,7 @@ int SetPassMaxDays(long days, void* log);
int SetPassWarnAge(long days, void* log);
bool IsCurrentOs(const char* name, void* log);
bool IsRedHatBased(void* log);
bool IsCommodore(void* log);

void RemovePrefixBlanks(char* target);
void RemovePrefixUpTo(char* target, char marker);
9 changes: 1 addition & 8 deletions src/common/commonutils/DaemonUtils.c
Expand Up @@ -27,14 +27,7 @@ static int ExecuteSystemctlCommand(const char* command, const char* daemonName,

bool IsDaemonActive(const char* daemonName, void* log)
{
bool status = true;

if (ESRCH == ExecuteSystemctlCommand("is-active", daemonName, log))
{
status = false;
}

return status;
return (0 == ExecuteSystemctlCommand("is-active", daemonName, log)) ? true : false;
}

bool CheckDaemonActive(const char* daemonName, char** reason, void* log)
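Review bot: IsDaemonActive now reports false for every non-zero result of ExecuteSystemctlCommand, so a failure to run the query at all is indistinguishable from a daemon that is stopped. Any audit that passes when a daemon is inactive would then also pass on a host where the query itself failed; the callers and the return codes of ExecuteSystemctlCommand are outside this hunk, so this needs checking there. Logging the non-zero status before returning would keep the two cases apart in the log. The ternary is redundant and the line can read `return (0 == ExecuteSystemctlCommand("is-active", daemonName, log));`.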
24 changes: 24 additions & 0 deletions src/common/commonutils/DeviceInfoUtils.c
Expand Up @@ -916,4 +916,28 @@ int EnableVirtualMemoryRandomization(void* log)
}

return status;
}

bool IsCommodore(void* log)
{
const char* productNameCommand = "cat /etc/os-subrelease | grep PRODUCT_NAME=";
char* textResult = NULL;
bool status = false;

if (0 == ExecuteCommand(NULL, productNameCommand, true, true, 0, 0, &textResult, NULL, log))
{
RemovePrefixBlanks(textResult);
RemoveTrailingBlanks(textResult);
RemovePrefixUpTo(textResult, '=');
RemovePrefixBlanks(textResult);

if (0 == strcmp(textResult, PRODUCT_NAME_AZURE_COMMODORE))
{
status = true;
}
}

FREE_MEMORY(textResult);

return status;
}
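Review bot: In IsCommodore, `textResult` goes to the Remove* helpers and to `strcmp` without a NULL check, so the code relies on ExecuteCommand always setting the buffer when it returns 0, which this hunk does not show. Wrapping the trimming and the comparison in `if (NULL != textResult)` removes that dependency. The grep pattern is unanchored, so any line that merely contains `PRODUCT_NAME=` matches, and more than one matching line makes the comparison fail; `grep ^PRODUCT_NAME=` narrows it. If /etc/os-subrelease quotes its values, the quotes would also need stripping before the comparison; the file format is not shown on the page.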
