From 043878e345b9c96ae0feba78ecdbd3c071d284cb Mon Sep 17 00:00:00 2001 From: Marius Niculescu Date: Tue, 17 Sep 2024 09:15:39 -0700 Subject: [PATCH] Fixing ASB v2's auditEnsureSystemdJournaldServicePersistsLogMessages and remediateEnsureSystemdJournaldServicePersistsLogMessages (#764) --- ...nuxSecurityBaseline_DeployIfNotExists.json | 8 +++---- ...nuxSecurityBaseline_DeployIfNotExists.json | 8 +++---- ...verSecurityBaseline_DeployIfNotExists.json | 8 +++---- ...verSecurityBaseline_DeployIfNotExists.json | 8 +++---- src/common/asb/Asb.c | 10 ++++++-- src/common/asb/Asb.h | 1 + src/common/commonutils/CommonUtils.h | 1 + src/common/commonutils/DaemonUtils.c | 9 +------ src/common/commonutils/DeviceInfoUtils.c | 24 +++++++++++++++++++ 9 files changed, 51 insertions(+), 26 deletions(-) diff --git a/src/adapters/mc/asb/19params/LinuxSecurityBaseline_DeployIfNotExists.json b/src/adapters/mc/asb/19params/LinuxSecurityBaseline_DeployIfNotExists.json index 70d683b87..c7204c927 100644 --- a/src/adapters/mc/asb/19params/LinuxSecurityBaseline_DeployIfNotExists.json +++ b/src/adapters/mc/asb/19params/LinuxSecurityBaseline_DeployIfNotExists.json @@ -15,7 +15,7 @@ "version": "1.0.0", "contentType": "Custom", "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip", - "contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0", + "contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070", "configurationParameter": { "accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue", "ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue", 
@@ -640,7 +640,7 @@
 "version": "1.0.0",
 "contentType": "Custom",
 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
- "contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
+ "contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
 "assignmentType": "ApplyAndAutoCorrect",
 "configurationParameter": [
 {
@@ -735,7 +735,7 @@
 "version": "1.0.0",
 "contentType": "Custom",
 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
- "contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
+ "contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
 "assignmentType": "ApplyAndAutoCorrect",
 "configurationParameter": [
 {
@@ -830,7 +830,7 @@
 "version": "1.0.0",
 "contentType": "Custom",
 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
- "contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
+ "contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
 "assignmentType": "ApplyAndAutoCorrect",
 "configurationParameter": [
 {
diff --git a/src/adapters/mc/asb/LinuxSecurityBaseline_DeployIfNotExists.json b/src/adapters/mc/asb/LinuxSecurityBaseline_DeployIfNotExists.json
index 6a2c3b53d..682b54b0b 100644
--- a/src/adapters/mc/asb/LinuxSecurityBaseline_DeployIfNotExists.json
+++ b/src/adapters/mc/asb/LinuxSecurityBaseline_DeployIfNotExists.json
@@ -15,7 +15,7 @@
 "version": "1.0.0",
 "contentType": "Custom",
 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
- "contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
+ "contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
 "configurationParameter": {
 "accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
 "ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
@@ -625,7 +625,7 @@
 "version": "1.0.0",
 "contentType": "Custom",
 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
- "contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
+ "contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
 "assignmentType": "ApplyAndAutoCorrect",
 "configurationParameter": [
 {
@@ -716,7 +716,7 @@
 "version": "1.0.0",
 "contentType": "Custom",
 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
- "contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
+ "contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
 "assignmentType": "ApplyAndAutoCorrect",
 "configurationParameter": [
 {
@@ -807,7 +807,7 @@
 "version": "1.0.0",
 "contentType": "Custom",
 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSecurityBaseline.zip",
- "contentHash": "A92CA8F438CD39C51B78FAB0FCB9C6BA4808920E254E1E9EAEE739D02E8164B0",
+ "contentHash": "C79CE86C44481316A94D3A69F75BC83C38165CE45B0C18B4B54EA7B812AB9070",
 "assignmentType": "ApplyAndAutoCorrect",
 "configurationParameter": [
 {
diff --git a/src/adapters/mc/ssh/19params/LinuxSshServerSecurityBaseline_DeployIfNotExists.json b/src/adapters/mc/ssh/19params/LinuxSshServerSecurityBaseline_DeployIfNotExists.json
index 99de139c5..49ca0874e 100644
--- a/src/adapters/mc/ssh/19params/LinuxSshServerSecurityBaseline_DeployIfNotExists.json
+++ b/src/adapters/mc/ssh/19params/LinuxSshServerSecurityBaseline_DeployIfNotExists.json
@@ -15,7 +15,7 @@
 "version": "1.0.0",
 "contentType": "Custom",
 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
- "contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
+ "contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
 "configurationParameter": {
 "accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
 "ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
@@ -639,7 +639,7 @@
 "version": "1.0.0",
 "contentType": "Custom",
 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
- "contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
+ "contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
 "assignmentType": "ApplyAndAutoCorrect",
 "configurationParameter": [
 {
@@ -734,7 +734,7 @@
 "version": "1.0.0",
 "contentType": "Custom",
 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
- "contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
+ "contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
 "assignmentType": "ApplyAndAutoCorrect",
 "configurationParameter": [
 {
@@ -829,7 +829,7 @@
 "version": "1.0.0",
 "contentType": "Custom",
 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
- "contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
+ "contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
 "assignmentType": "ApplyAndAutoCorrect",
 "configurationParameter": [
 {
diff --git a/src/adapters/mc/ssh/LinuxSshServerSecurityBaseline_DeployIfNotExists.json b/src/adapters/mc/ssh/LinuxSshServerSecurityBaseline_DeployIfNotExists.json
index 590e64227..d1b27a129 100644
--- a/src/adapters/mc/ssh/LinuxSshServerSecurityBaseline_DeployIfNotExists.json
+++ b/src/adapters/mc/ssh/LinuxSshServerSecurityBaseline_DeployIfNotExists.json
@@ -15,7 +15,7 @@
 "version": "1.0.0",
 "contentType": "Custom",
 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
- "contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
+ "contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
 "configurationParameter": {
 "accessPermissionsForSshdConfig": "Ensure that permissions on /etc/ssh/sshd_config are configured;DesiredObjectValue",
 "ignoreHosts": "Ensure that the SSH IgnoreRhosts is configured;DesiredObjectValue",
@@ -624,7 +624,7 @@
 "version": "1.0.0",
 "contentType": "Custom",
 "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip",
- "contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE",
+ "contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60",
 "assignmentType": "ApplyAndAutoCorrect",
 "configurationParameter": [
 {
@@ -715,7 +715,7 @@ "version": "1.0.0", "contentType": "Custom", "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip", - "contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE", + "contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60", "assignmentType": "ApplyAndAutoCorrect", "configurationParameter": [ { @@ -806,7 +806,7 @@ "version": "1.0.0", "contentType": "Custom", "contentUri": "https://github.com/Azure/azure-osconfig/releases/download/test_policy_package/LinuxSshServerSecurityBaseline.zip", - "contentHash": "6768ADF43D3A6C3601502E52F19CBB6F4C6C468B8ABD639008FE202504AB2FAE", + "contentHash": "29D9C8A8660C7424D73E277D80B8225D2A107966C7FF4AA10D65503AAB20BA60", "assignmentType": "ApplyAndAutoCorrect", "configurationParameter": [ { diff --git a/src/common/asb/Asb.c b/src/common/asb/Asb.c index bcd1514d1..733af0fb3 100644 --- a/src/common/asb/Asb.c +++ b/src/common/asb/Asb.c @@ -627,6 +627,7 @@ static char* g_desiredEnsureUnnecessaryAccountsAreRemoved = NULL; static char* g_desiredEnsureDefaultDenyFirewallPolicyIsSet = NULL; static const int g_shadowGid = 42; +static const int g_varLogJournalMode = 2755; void AsbInitialize(void* log) { @@ -693,6 +694,11 @@ void AsbInitialize(void* log) FREE_MEMORY(prettyName); FREE_MEMORY(kernelVersion); + if (IsCommodore(log)) + { + OsConfigLogInfo(log, "AsbInitialize: running on product '%s'", PRODUCT_NAME_AZURE_COMMODORE); + } + OsConfigLogInfo(log, "%s initialized", g_asbName); } @@ -1722,7 +1728,7 @@ static char* AuditEnsureSystemdJournaldServicePersistsLogMessages(void* log) { char* reason = NULL; RETURN_REASON_IF_NOT_ZERO(CheckPackageInstalled(g_systemd, &reason, log)); - CheckDirectoryAccess(g_varLogJournal, 0, -1, 2775, false, &reason, log); + CheckDirectoryAccess(g_varLogJournal, 0, -1, g_varLogJournalMode, false, &reason, log); return reason; } 
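Review bot: The new `g_varLogJournalMode = 2755` in the `@@ -627` hunk of Asb.c is a decimal literal that reads like an octal permission, and nothing at the definition says which notation the access helpers expect or that the value was deliberately tightened from 2775. The audit call in the `@@ -1722` hunk and the remediation call in the `@@ -3301` hunk now both depend on it, so the definition is the place to document it, for example `/* /var/log/journal: setgid + rwxr-xr-x, no group write; digits are passed as-is to CheckDirectoryAccess and SetDirectoryAccess */`. Presumably those helpers convert the decimal digits into mode bits, as the previous literal 2775 suggests; if either takes a real `mode_t`, the constant would have to be `02755` instead. The bodies of both helpers are outside this diff, so this is worth confirming before merge.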
@@ -3301,7 +3307,7 @@ static int RemediateEnsureSystemdJournaldServicePersistsLogMessages(char* value, { UNUSED(value); return ((0 == InstallPackage(g_systemd, log)) && - (0 == SetDirectoryAccess(g_varLogJournal, 0, -1, 2775, log))) ? 0 : ENOENT; + (0 == SetDirectoryAccess(g_varLogJournal, 0, -1, g_varLogJournalMode, log))) ? 0 : ENOENT; } static int RemediateEnsureALoggingServiceIsEnabled(char* value, void* log) diff --git a/src/common/asb/Asb.h b/src/common/asb/Asb.h index 0ad34a0a6..343e781d7 100644 --- a/src/common/asb/Asb.h +++ b/src/common/asb/Asb.h @@ -5,6 +5,7 @@ #define ASB_H #define PRETTY_NAME_AZURE_LINUX_2 "CBL-Mariner/Linux" +#define PRODUCT_NAME_AZURE_COMMODORE "Azure Commodore" #define PRETTY_NAME_ALMA_LINUX_9 "AlmaLinux 9 (Beryllium)" #define PRETTY_NAME_ALMA_LINUX_9_3 "AlmaLinux 9.3 (Shamrock Pampas Cat)" #define PRETTY_NAME_AMAZON_LINUX_2 "Amazon Linux 2" diff --git a/src/common/commonutils/CommonUtils.h b/src/common/commonutils/CommonUtils.h index 38b3aeb67..eead5c460 100644 --- a/src/common/commonutils/CommonUtils.h +++ b/src/common/commonutils/CommonUtils.h @@ -169,6 +169,7 @@ int SetPassMaxDays(long days, void* log); int SetPassWarnAge(long days, void* log); bool IsCurrentOs(const char* name, void* log); bool IsRedHatBased(void* log); +bool IsCommodore(void* log); void RemovePrefixBlanks(char* target); void RemovePrefixUpTo(char* target, char marker); diff --git a/src/common/commonutils/DaemonUtils.c b/src/common/commonutils/DaemonUtils.c index 9aa9669bc..b9d6523ef 100644 --- a/src/common/commonutils/DaemonUtils.c +++ b/src/common/commonutils/DaemonUtils.c 
@@ -27,14 +27,7 @@ static int ExecuteSystemctlCommand(const char* command, const char* daemonName, bool IsDaemonActive(const char* daemonName, void* log) { - bool status = true; - - if (ESRCH == ExecuteSystemctlCommand("is-active", daemonName, log)) - { - status = false; - } - - return status; + return (0 == ExecuteSystemctlCommand("is-active", daemonName, log)) ? true : false; } bool CheckDaemonActive(const char* daemonName, char** reason, void* log) diff --git a/src/common/commonutils/DeviceInfoUtils.c b/src/common/commonutils/DeviceInfoUtils.c index 20e8032d1..712398462 100644 --- a/src/common/commonutils/DeviceInfoUtils.c +++ b/src/common/commonutils/DeviceInfoUtils.c @@ -916,4 +916,28 @@ int EnableVirtualMemoryRandomization(void* log) } return status; +} + +bool IsCommodore(void* log) +{ + const char* productNameCommand = "cat /etc/os-subrelease | grep PRODUCT_NAME="; + char* textResult = NULL; + bool status = false; + + if (0 == ExecuteCommand(NULL, productNameCommand, true, true, 0, 0, &textResult, NULL, log)) + { + RemovePrefixBlanks(textResult); + RemoveTrailingBlanks(textResult); + RemovePrefixUpTo(textResult, '='); + RemovePrefixBlanks(textResult); + + if (0 == strcmp(textResult, PRODUCT_NAME_AZURE_COMMODORE)) + { + status = true; + } + } + + FREE_MEMORY(textResult); + + return status; } \ No newline at end of file
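Review bot: `IsDaemonActive` in DaemonUtils.c now returns false for every non-zero result of `ExecuteSystemctlCommand`, so a failure to run `systemctl` at all (missing binary, timeout, permission error) becomes indistinguishable from a daemon that is really inactive. The callers are outside this hunk, but any audit that passes when a service is not active would then report compliance on an execution error rather than on evidence. Consider logging the unexpected status before returning, or keeping a distinct path for "could not determine" so those checks fail closed. The `? true : false` is also redundant: `return (0 == ExecuteSystemctlCommand("is-active", daemonName, log));`.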
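Review bot: `IsCommodore` in DeviceInfoUtils.c hands `textResult` to the trimming helpers and then to `strcmp` without a NULL check, relying on `ExecuteCommand` always filling the buffer when it returns 0; guarding the comparison is cheap, `if ((NULL != textResult) && (0 == strcmp(textResult, PRODUCT_NAME_AZURE_COMMODORE)))`. The `grep PRODUCT_NAME=` pattern is unanchored, so it also matches a commented-out line or any key that merely ends in `PRODUCT_NAME=`, and if several lines match the whole multi-line output is compared; `"grep '^PRODUCT_NAME=' /etc/os-subrelease"` narrows that and drops the extra `cat`. If the file quotes its values the way os-release files usually do, the exact `strcmp` would never match, which is worth confirming against a real image. Because `AsbInitialize` calls this only to log the product name, reading the file directly instead of spawning a shell pipeline on every initialization would also be reasonable, and the function would benefit from a short header comment stating what file and key it inspects.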