Compliance/procedures pt1 #881
Conversation
Test Results 44 files 44 suites 40m 53s ⏱️ Results for commit 791ffa3. ♻️ This comment has been updated with latest results. |
wupeka
force-pushed
the
compliance/procedures-pt1
branch
2 times, most recently
from
fa2fa36 to
b1ace1a
Compare
| @@ -16,6 +18,13 @@ add_library(compliancelib STATIC | |||
|
|
|||
| set_property(TARGET compliancelib PROPERTY POSITION_INDEPENDENT_CODE ON) | |||
|
|
|||
| include(FindPerl) | |||
| add_custom_command( | |||
| OUTPUT ProcedureMap.cpp ProcedureMap.h | |||
There was a problem hiding this comment.
make clean will drop these files
|
|
||
| namespace compliance { | ||
|
|
||
| AUDIT_FN(ensureFilePermissions) |
There was a problem hiding this comment.
Could we get rid of these macros? it reads as
| AUDIT_FN(ensureFilePermissions) | |
| Result<bool> Audit_ensureFilePermissions(std::map<std::string, std::string> args, std::ostringstream &logstream) |
|
|
||
| AUDIT_FN(ensureFilePermissions) | ||
| { | ||
| struct stat statbuf; |
There was a problem hiding this comment.
I think we can skip the struct keyword here
src/modules/compliance/src/lib/procedures/ensureFilePermissions.cpp
Outdated
Show resolved
Hide resolved
| #include <CommonUtils.h> | ||
|
|
||
| namespace compliance { | ||
| REMEDIATE_FN(remediationFailure) |
There was a problem hiding this comment.
We have the following define:
if (BUILD_TESTS)
add_compile_options(-D TEST_CODE)
add_subdirectory(tests)
endif()
Do you think it makes sense add these functions only when TEST_CODE is defined?
There was a problem hiding this comment.
We will be using those procedures for end-to-end tests etc, the costs of having them compiled in is neglible, so I'd keep them.
| @@ -0,0 +1,99 @@ | |||
| #!/usr/bin/env perl | |||
There was a problem hiding this comment.
Can we not just use bash for this? Bringing in Perl just for this seems like overkill
There was a problem hiding this comment.
- Perl is currently in all of our build environments. (unfortunately, Python is not).
- We haven't decided finally yet, but we'll probably pre-generate the ProcedureMap and put it in the repo, so this script won't be launched at build time - only manually when someone adds/removes a procedure. For now, with the amount of churn, it's easier to just have it automated.
There was a problem hiding this comment.
Ohh nice, i didn't realize the environments already contained Perl, i just validated that ubun14.04/debian-10 have it 👌
src/modules/compliance/src/lib/procedures/ensureFilesystemOption.cpp
Outdated
Show resolved
Hide resolved
|
|
||
| fstabMap[mnt->mnt_dir] = entry; | ||
| } | ||
| fclose(file); |
There was a problem hiding this comment.
ignoring fclose return value? Do we care if we cannot close file?
There was a problem hiding this comment.
It's open for read only, so we don't care (and it should never fail in those circumstances).
| struct passwd *pwd = getpwuid(statbuf.st_uid); | ||
| if (nullptr == pwd) | ||
| { | ||
| logstream << "No user with uid " << statbuf.st_uid; |
There was a problem hiding this comment.
why are we not using the OSCONFIG_LOG_INFO/OSCONFIG_LOG_ERROR macros here?
There was a problem hiding this comment.
The logstream is used to create a string with the result of the audit for the UI. It is then also logged to OSCONFIG_LOG.
There was a problem hiding this comment.
When you say the UI, do you mean this is whats displayed in the non-compliance reason in the portal? In the end however, wouldn't this string be a very long concatenated string, im not seeing any newlines?
There was a problem hiding this comment.
Unfortunately - yes, that's the only thing that we can (at least for now) present to the user.
It usually won't be that complex though.
| @@ -5,6 +5,7 @@ project(compliancetests) | |||
|
|
|||
| include(CTest) | |||
| find_package(GTest REQUIRED) | |||
| FILE(GLOB PROCEDURES procedures/*.cpp) | |||
There was a problem hiding this comment.
Im generally against CMake file GLOBS because CMake cannot track changes and re-run if there are new/removed files but i believe these procedures are generated dynamically? If so, i understand the need to
There was a problem hiding this comment.
Procedures are not generated dynamically, but at this stage we expect to have a lot of churn both here and in src/modules/compliance/src/lib/procedures, and we want to parallelilze the work on different procedures in different files. Having a glob means we don't need to change CMakeLists.txt with every new file, so we won't have conflicts. In the end we'll just put a static list there. (The same rationale applies to generating ProcedureMap at build time)
There was a problem hiding this comment.
i see, can you add a comment above to state that the GLOB is temporary until we stabilize?
There was a problem hiding this comment.
If Perl is being added as a build requirement, we would need to update every build container to include it. These are located in devops/docker
Makes me wonder though, can we not just do this in bash?
wupeka
force-pushed
the
compliance/procedures-pt1
branch
3 times, most recently
from
e369a13 to
ca00f6e
Compare
Signed-off-by: Krzysztof Kanas <kkanas@microsoft.com>
Fix logs from:
MmiGet(0x7ecdec017510, Compliance, auditEnsureAccessToEtcMotdIsConfigured, "{ allOf: [{ ensureFilePermissions: ensureFilePermissions for /etc/motdStat errorNo such file or directory } == FALSE] == FALSE }")
BaselineMmiGet(Compliance, auditEnsureAccessToEtcMotdIsConfigured): '"{ allOf: [{ ensureFilePermissions: ensureFilePermissions for /etc/motdStat errorNo such file or directory } == FALSE] == FALSE }"' (130)
To:
MmiGet(0x7cf35c02bf50, Compliance, auditEnsureAccessToEtcMotdIsConfigured, "{ allOf: [{ ensureFilePermissions: ensureFilePermissions for '/etc/motd' Stat error 'No such file or directory' } == FALSE] == FALSE }")
BaselineMmiGet(Compliance, auditEnsureAccessToEtcMotdIsConfigured): '"{ allOf: [{ ensureFilePermissions: ensureFilePermissions for '/etc/motd' Stat error 'No such file or directory' } == FALSE] == FALSE }"' (136)
Signed-off-by: Krzysztof Kanas <kkanas@microsoft.com>
Signed-off-by: Krzysztof Kanas <kkanas@microsoft.com>
This reverts commit 94c6b78.
wupeka
force-pushed
the
compliance/procedures-pt1
branch
from
ae9d7f5 to
791ffa3
Compare
Description
First set of compliance procedures - testing procedures, ensureFilesystemOptions, ensureFilePermissions.
FilePermissions procedures are missing tests.
Checklist
devbranch prior to this PR submission.devbranch.