Azure · jepio · Nov 25, 2024 · Nov 25, 2024 · Nov 25, 2024 · Nov 25, 2024
@@ -49,9 +49,12 @@ jobs:
           sudo chmod +x ./moduletest
 
           result=0
-          recipes=$(ls -d ../../src/tests/e2e-test-recipes/*.json)
+          recipes=$(ls -d ../../src/modules/test/recipes/*.json)
 
           for recipe in $recipes; do
+            if [ ! -f ../../src/tests/e2e-test-recipes/$(basename $recipe) ]; then
+              continue
+            fi
             name=$(basename $recipe | tr '[:upper:]' '[:lower:]' | sed 's/\.[^.]*$//' | sed 's/\(test\|tests\)$//')
 
             echo -n "testing $name ... "

@@ -140,7 +140,7 @@ jobs:
           working-directory: ${{ env.MOUNT }}
           cmd: |
             mkdir -p build/modules/test/recipes
-            cp -r src/tests/e2e-test-recipes/*.json build/modules/test/recipes/
+            cp -r src/modules/test/recipes/*.json build/modules/test/recipes/
 
             cp src/adapters/pnp/daemon/osconfig.json build/modules/test/osconfig.json
 

@@ -635,6 +635,7 @@ instance of OsConfigResource as $OsConfigResource38ref
     RuleId = "1d498679-5780-6db3-14cc-6433011e0310";
     PayloadKey = "EnsurePermissionsOnEtcHostsAllow";
     ComponentName = "SecurityBaseline";
+    InitObjectName = "initEnsurePermissionsOnEtcHostsAllow";
     ReportedObjectName = "auditEnsurePermissionsOnEtcHostsAllow";
     ExpectedObjectValue = "PASS";
     DesiredObjectName = "remediateEnsurePermissionsOnEtcHostsAllow";
@@ -651,6 +652,7 @@ instance of OsConfigResource as $OsConfigResource39ref
     RuleId = "71d554b5-1436-9676-1966-939ded8d0a37";
     PayloadKey = "EnsurePermissionsOnEtcHostsDeny";
     ComponentName = "SecurityBaseline";
+    InitObjectName = "initEnsurePermissionsOnEtcHostsDeny";
     ReportedObjectName = "auditEnsurePermissionsOnEtcHostsDeny";
     ExpectedObjectValue = "PASS";
     DesiredObjectName = "remediateEnsurePermissionsOnEtcHostsDeny";

@@ -910,6 +910,11 @@ void AsbInitialize(void* log)
     FREE_MEMORY(prettyName);
     FREE_MEMORY(kernelVersion);
 
+    if (DetectSelinux(log))
+    {
+        OsConfigLogInfo(log, "AsbInitialize: SELinux present; keeping file contexts");
+    }
+
     if (IsCommodore(log))
     {
         OsConfigLogInfo(log, "AsbInitialize: running on product '%s'", PRODUCT_NAME_AZURE_COMMODORE);

@@ -171,6 +171,7 @@ int SetPassWarnAge(long days, void* log);
 bool IsCurrentOs(const char* name, void* log);
 bool IsRedHatBased(void* log);
 bool IsCommodore(void* log);
+bool DetectSelinux(void* log);
 
 void RemovePrefix(char* target, char marker);
 void RemovePrefixBlanks(char* target);
@@ -238,4 +239,4 @@ char* GetGitBranchFromJsonConfig(const char* jsonString, void* log);
 }
 #endif
 
-#endif // COMMONUTILS_H
+#endif // COMMONUTILS_H
@@ -947,4 +947,22 @@ bool IsCommodore(void* log)
     FREE_MEMORY(textResult);
 
     return status;
-}
+}
+
+enum SelinuxState {
+  SelinuxUnknown = 0,
+  SelinuxFound,
+  SelinuxNotFound,
+};
+static enum SelinuxState g_selinuxState = SelinuxUnknown;
+
+bool DetectSelinux(void* log)
+{
+    if (g_selinuxState != SelinuxUnknown)
+    {
+        return g_selinuxState == SelinuxFound;
+    }
+
+    g_selinuxState = (0 == CheckTextIsFoundInFile("/sys/kernel/security/lsm", "selinux", NULL, log)) ? SelinuxFound : SelinuxNotFound;
+    return g_selinuxState == SelinuxFound;
+}
@@ -872,6 +872,29 @@ int GetDirectoryAccess(const char* name, unsigned int* ownerId, unsigned int* gr
     return GetAccess(true, name, ownerId, groupId, mode, log);
 }
 
+static int RestoreSelinuxContext(const char* target, void* log)
+{
+    char* restoreCommand = NULL;
+    char* textResult = NULL;
+    int status = 0;
+
+    if (NULL == (restoreCommand = FormatAllocateString("restorecon -F '%s'", target)))
+    {
+        OsConfigLogError(log, "RestoreSelinuxContext: out of memory");
+        return ENOMEM;
+    }
+
+    if (0 != (status = ExecuteCommand(NULL, restoreCommand, false, false, 0, 0, &textResult, NULL, log)))
+    {
+        OsConfigLogError(log, "RestoreSelinuxContext: restorecon failed %d: %s", status, textResult);
+    }
+
+    FREE_MEMORY(textResult);
+    FREE_MEMORY(restoreCommand);
+
+    return status;
+}
+
 int RenameFile(const char* original, const char* target, void* log)
 {
     int status = 0;
@@ -893,6 +916,11 @@ int RenameFile(const char* original, const char* target, void* log)
         status = (0 == errno) ? ENOENT : errno;
     }
 
+    if (DetectSelinux(log))
+    {
+        RestoreSelinuxContext(target, log);
+    }
+
     return status;
 }
 
@@ -946,6 +974,11 @@ int RenameFileWithOwnerAndAccess(const char* original, const char* target, void*
         status = (0 == errno) ? ENOENT : errno;
     }
 
+    if (DetectSelinux(log))
+    {
+        RestoreSelinuxContext(target, log);
+    }
+
     return status;
 }
 

@@ -17,6 +17,7 @@ static bool g_tdnfIsPresent = false;
 static bool g_dnfIsPresent = false;
 static bool g_yumIsPresent = false;
 static bool g_zypperIsPresent = false;
+static bool g_aptGetUpdateExecuted = false;
 
 int IsPresent(const char* what, void* log)
 {
@@ -178,6 +179,27 @@ int CheckPackageNotInstalled(const char* packageName, char** reason, void* log)
     return result;
 }
 
+void AptGetUpdateOnce(void* log)
+{
+    const char* command = "apt-get update";
+    int status = 0;
+    if (g_aptGetUpdateExecuted)
+    {
+        return;
+    }
+
+    if (0 == (status = ExecuteCommand(NULL, command, false, false, 0, 0, NULL, NULL, log)))
+    {
+        OsConfigLogInfo(log, "AptGetUpdateOnce: apt-get update was successful");
+        g_aptGetUpdateExecuted = true;
+    }
+    else
+    {
+        OsConfigLogError(log, "AptGetUpdateOnce: apt-get update failed with %d", status);
+    }
+
+}
+
 int InstallOrUpdatePackage(const char* packageName, void* log)
 {
     const char* commandTemplate = "%s install -y %s";
@@ -187,6 +209,7 @@ int InstallOrUpdatePackage(const char* packageName, void* log)
 
     if (g_aptGetIsPresent)
     {
+        AptGetUpdateOnce(log);
         status = CheckOrInstallPackage(commandTemplate, g_aptGet, packageName, log);
     }
     else if (g_tdnfIsPresent)

@@ -23,4 +23,19 @@ target_include_directories(moduletest PRIVATE ${MODULES_INC_DIR} ${CMAKE_CURRENT
 add_custom_command(TARGET moduletest POST_BUILD
     COMMAND ${CMAKE_COMMAND} -E create_symlink $<TARGET_FILE:moduletest> ${CMAKE_BINARY_DIR}/moduletest
     DEPENDS $<TARGET_FILE:moduletest>
-)
+)
+
+
+set(SRC  ${moduletest_SOURCE_DIR}/recipes)
+set(MOF1 ${OsConfigResourceSsh_SOURCE_DIR}/LinuxSshServerSecurityBaseline.mof)
+set(MOF2 ${OsConfigResourceAsb_SOURCE_DIR}/AzureLinuxBaseline.mof)
+
+add_custom_command(
+    OUTPUT ${SRC}/SecurityBaselineTests.json
+    DEPENDS ${SRC}/create-asb-json.sh ${SRC}/mof-to-json.awk ${SRC}/SecurityBaselineTests.json-header ${SRC}/SecurityBaselineTests.json-mid ${SRC}/SecurityBaselineTests.json-footer ${MOF1} ${MOF2}
+    COMMAND ./create-asb-json.sh ${MOF1} ${MOF2} >${SRC}/SecurityBaselineTests.json
+    WORKING_DIRECTORY ${SRC}
+)
+add_custom_target(generate-asb-test-json
+    DEPENDS ${SRC}/SecurityBaselineTests.json
+)