Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Union #818 #821 #822 #823

Draft
wants to merge 11 commits into
base: main
Choose a base branch
from
+1,002 −3,355
Draft

Union #818 #821 #822 #823

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
a78c9cb
mc/asb: Add missing init object names
jepio Nov 25, 2024
8a368fa
Add scripts and template used to generate ASB e2e test rcipe
jepio Nov 25, 2024
aca1d59
Add cmake target to regenerate e2e test recipe for ASB
jepio Nov 25, 2024
7ef3bf7
Update module test recipe for ASB
jepio Nov 25, 2024
5ab3ee7
github: Use src/modules/test/recipes for all module tests
jepio Nov 26, 2024
c4211aa
Replace e2e-test-recipes with marker files
jepio Nov 26, 2024
6ce258f
InstallOrUpdatePackage: Run 'apt-get update' once before any package …
jepio Nov 21, 2024
d2f67a7
Merge commit 'refs/pull/821/head' of https://github.com/azure/azure-o…
jepio Nov 26, 2024
584350e
Maintain selinux context when replacing config files
jepio Nov 26, 2024
62669b1
Merge commit 'refs/pull/818/head' of https://github.com/azure/azure-o…
jepio Nov 26, 2024
10e145f
Merge commit 'refs/pull/822/head' of https://github.com/azure/azure-o…
jepio Nov 26, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion .github/workflows/module-test-run.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,9 +49,12 @@ jobs:
sudo chmod +x ./moduletest

result=0
recipes=$(ls -d ../../src/tests/e2e-test-recipes/*.json)
recipes=$(ls -d ../../src/modules/test/recipes/*.json)

for recipe in $recipes; do
if [ ! -f ../../src/tests/e2e-test-recipes/$(basename $recipe) ]; then
continue
fi
name=$(basename $recipe | tr '[:upper:]' '[:lower:]' | sed 's/\.[^.]*$//' | sed 's/\(test\|tests\)$//')

echo -n "testing $name ... "
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/package-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -140,7 +140,7 @@ jobs:
working-directory: ${{ env.MOUNT }}
cmd: |
mkdir -p build/modules/test/recipes
cp -r src/tests/e2e-test-recipes/*.json build/modules/test/recipes/
cp -r src/modules/test/recipes/*.json build/modules/test/recipes/

cp src/adapters/pnp/daemon/osconfig.json build/modules/test/osconfig.json

Expand Down
2 changes: 2 additions & 0 deletions src/adapters/mc/asb/AzureLinuxBaseline.mof
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -635,6 +635,7 @@ instance of OsConfigResource as $OsConfigResource38ref
RuleId = "1d498679-5780-6db3-14cc-6433011e0310";
PayloadKey = "EnsurePermissionsOnEtcHostsAllow";
ComponentName = "SecurityBaseline";
InitObjectName = "initEnsurePermissionsOnEtcHostsAllow";
ReportedObjectName = "auditEnsurePermissionsOnEtcHostsAllow";
ExpectedObjectValue = "PASS";
DesiredObjectName = "remediateEnsurePermissionsOnEtcHostsAllow";
Expand All @@ -651,6 +652,7 @@ instance of OsConfigResource as $OsConfigResource39ref
RuleId = "71d554b5-1436-9676-1966-939ded8d0a37";
PayloadKey = "EnsurePermissionsOnEtcHostsDeny";
ComponentName = "SecurityBaseline";
InitObjectName = "initEnsurePermissionsOnEtcHostsDeny";
ReportedObjectName = "auditEnsurePermissionsOnEtcHostsDeny";
ExpectedObjectValue = "PASS";
DesiredObjectName = "remediateEnsurePermissionsOnEtcHostsDeny";
Expand Down
5 changes: 5 additions & 0 deletions src/common/asb/Asb.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -910,6 +910,11 @@ void AsbInitialize(void* log)
FREE_MEMORY(prettyName);
FREE_MEMORY(kernelVersion);

if (DetectSelinux(log))
{
OsConfigLogInfo(log, "AsbInitialize: SELinux present; keeping file contexts");
}

if (IsCommodore(log))
{
OsConfigLogInfo(log, "AsbInitialize: running on product '%s'", PRODUCT_NAME_AZURE_COMMODORE);
Expand Down
3 changes: 2 additions & 1 deletion src/common/commonutils/CommonUtils.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -171,6 +171,7 @@ int SetPassWarnAge(long days, void* log);
bool IsCurrentOs(const char* name, void* log);
bool IsRedHatBased(void* log);
bool IsCommodore(void* log);
bool DetectSelinux(void* log);

void RemovePrefix(char* target, char marker);
void RemovePrefixBlanks(char* target);
Expand Down Expand Up @@ -238,4 +239,4 @@ char* GetGitBranchFromJsonConfig(const char* jsonString, void* log);
}
#endif

#endif // COMMONUTILS_H
#endif // COMMONUTILS_H
20 changes: 19 additions & 1 deletion src/common/commonutils/DeviceInfoUtils.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -947,4 +947,22 @@ bool IsCommodore(void* log)
FREE_MEMORY(textResult);

return status;
}
}

enum SelinuxState {
SelinuxUnknown = 0,
SelinuxFound,
SelinuxNotFound,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do all explicit initializations and complete with a typedef like this, for example:

enum PasswordEncryption
{
    unknown = 0,
    md5 = 1,
    blowfish = 2,
    eksBlowfish = 3,
    unknownBlowfish = 4,
    sha256 = 5,
    sha512 = 6
};
typedef enum PasswordEncryption PasswordEncryption;

};
static enum SelinuxState g_selinuxState = SelinuxUnknown;

bool DetectSelinux(void* log)
{
if (g_selinuxState != SelinuxUnknown)
{
return g_selinuxState == SelinuxFound;
}

g_selinuxState = (0 == CheckTextIsFoundInFile("/sys/kernel/security/lsm", "selinux", NULL, log)) ? SelinuxFound : SelinuxNotFound;
return g_selinuxState == SelinuxFound;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: line 969 appears blank, remove

}
33 changes: 33 additions & 0 deletions src/common/commonutils/FileUtils.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -872,6 +872,29 @@ int GetDirectoryAccess(const char* name, unsigned int* ownerId, unsigned int* gr
return GetAccess(true, name, ownerId, groupId, mode, log);
}

static int RestoreSelinuxContext(const char* target, void* log)
{
char* restoreCommand = NULL;
char* textResult = NULL;
int status = 0;

if (NULL == (restoreCommand = FormatAllocateString("restorecon -F '%s'", target)))
{
OsConfigLogError(log, "RestoreSelinuxContext: out of memory");
return ENOMEM;
}

if (0 != (status = ExecuteCommand(NULL, restoreCommand, false, false, 0, 0, &textResult, NULL, log)))
{
OsConfigLogError(log, "RestoreSelinuxContext: restorecon failed %d: %s", status, textResult);
}

FREE_MEMORY(textResult);
FREE_MEMORY(restoreCommand);

return status;
}

int RenameFile(const char* original, const char* target, void* log)
{
int status = 0;
Expand All @@ -893,6 +916,11 @@ int RenameFile(const char* original, const char* target, void* log)
status = (0 == errno) ? ENOENT : errno;
}

if (DetectSelinux(log))
{
RestoreSelinuxContext(target, log);
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a one line comment that describes why this is necessary?


return status;
}

Expand Down Expand Up @@ -946,6 +974,11 @@ int RenameFileWithOwnerAndAccess(const char* original, const char* target, void*
status = (0 == errno) ? ENOENT : errno;
}

if (DetectSelinux(log))
{
RestoreSelinuxContext(target, log);
}

return status;
}

Expand Down
23 changes: 23 additions & 0 deletions src/common/commonutils/PackageUtils.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ static bool g_tdnfIsPresent = false;
static bool g_dnfIsPresent = false;
static bool g_yumIsPresent = false;
static bool g_zypperIsPresent = false;
static bool g_aptGetUpdateExecuted = false;

int IsPresent(const char* what, void* log)
{
Expand Down Expand Up @@ -178,6 +179,27 @@ int CheckPackageNotInstalled(const char* packageName, char** reason, void* log)
return result;
}

void AptGetUpdateOnce(void* log)
{
const char* command = "apt-get update";
int status = 0;
if (g_aptGetUpdateExecuted)
{
return;
}

if (0 == (status = ExecuteCommand(NULL, command, false, false, 0, 0, NULL, NULL, log)))
{
OsConfigLogInfo(log, "AptGetUpdateOnce: apt-get update was successful");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"AptGetUpdateOnce: apt-get update was successful"

nit: wrap command in '' and reuse constant for logging, like this: (log "AptGetUpdateOnce: '%s' was successful", command) or

g_aptGetUpdateExecuted = true;
}
else
{
OsConfigLogError(log, "AptGetUpdateOnce: apt-get update failed with %d", status);
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

}

nit: line 200 is blank, please remove


}

int InstallOrUpdatePackage(const char* packageName, void* log)
{
const char* commandTemplate = "%s install -y %s";
Expand All @@ -187,6 +209,7 @@ int InstallOrUpdatePackage(const char* packageName, void* log)

if (g_aptGetIsPresent)
{
AptGetUpdateOnce(log);
Copy link
Contributor

@MariusNi MariusNi Dec 2, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AptGetUpdateOnce(log);

How long can this take? There is a concern of ending in Azure Policy timeout on slow machines due to lengthy package operations during audit. Can we instead rely on the machine owner to ensure that the OS is up to date?

status = CheckOrInstallPackage(commandTemplate, g_aptGet, packageName, log);
}
else if (g_tdnfIsPresent)
Expand Down
17 changes: 16 additions & 1 deletion src/modules/test/CMakeLists.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,4 +23,19 @@ target_include_directories(moduletest PRIVATE ${MODULES_INC_DIR} ${CMAKE_CURRENT
add_custom_command(TARGET moduletest POST_BUILD
COMMAND ${CMAKE_COMMAND} -E create_symlink $<TARGET_FILE:moduletest> ${CMAKE_BINARY_DIR}/moduletest
DEPENDS $<TARGET_FILE:moduletest>
)
)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: extra newlines



set(SRC ${moduletest_SOURCE_DIR}/recipes)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a CMake list might be better here as the list grows...
eg.

set(MOFS
  ${OsConfigResourceSsh_SOURCE_DIR}/LinuxSshServerSecurityBaseline.mof
  ${OsConfigResourceAsb_SOURCE_DIR}/AzureLinuxBaseline.mof
)
list(JOIN MOF_LIST " " flat_string)
add_custom_command(
    OUTPUT ${SRC}/SecurityBaselineTests.json
    DEPENDS ${SRC}/create-asb-json.sh ${SRC}/mof-to-json.awk ${SRC}/SecurityBaselineTests.json-header ${SRC}/SecurityBaselineTests.json-mid ${SRC}/SecurityBaselineTests.json-footer ${MOF1} ${MOF2}
    COMMAND ./create-asb-json.sh ${MOF_LIST} >${SRC}/SecurityBaselineTests.json
    WORKING_DIRECTORY ${SRC}
)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will do

set(MOF1 ${OsConfigResourceSsh_SOURCE_DIR}/LinuxSshServerSecurityBaseline.mof)
set(MOF2 ${OsConfigResourceAsb_SOURCE_DIR}/AzureLinuxBaseline.mof)

add_custom_command(
OUTPUT ${SRC}/SecurityBaselineTests.json
DEPENDS ${SRC}/create-asb-json.sh ${SRC}/mof-to-json.awk ${SRC}/SecurityBaselineTests.json-header ${SRC}/SecurityBaselineTests.json-mid ${SRC}/SecurityBaselineTests.json-footer ${MOF1} ${MOF2}
COMMAND ./create-asb-json.sh ${MOF1} ${MOF2} >${SRC}/SecurityBaselineTests.json
WORKING_DIRECTORY ${SRC}
)
add_custom_target(generate-asb-test-json
DEPENDS ${SRC}/SecurityBaselineTests.json
)
Loading
Loading