Commit
add some security directives in log
PurnenduMIshra129th committed Dec 30, 2024
1 parent 117cc5e commit 828aefd
Showing 2 changed files with 48 additions and 18 deletions.
31 changes: 30 additions & 1 deletion example/linux/installation.md
Expand Up @@ -29,10 +29,12 @@ This guide provides step-by-step instructions for setting up the Talawa API serv
### 1. Create a Dedicated System User

- Create a user named `talawa` for running the service:

```bash
sudo adduser --system --no-create-home --group talawa
```
- Verify the user creation:

```bash
id talawa
```
Expand Down Expand Up @@ -66,6 +68,7 @@ This guide provides step-by-step instructions for setting up the Talawa API serv
### 5. Verify Log File and Permissions

- Create the log file if it does not exist:

```bash
sudo touch /var/log/talawa-api.log
sudo chown talawa:talawa /var/log/talawa-api.log
Expand All @@ -76,6 +79,7 @@ This guide provides step-by-step instructions for setting up the Talawa API serv
### 6. Set Up Log Rotation

- Create a new logrotate configuration file for Talawa API:

```bash
sudo nano /etc/logrotate.d/talawa-api
```
Expand All @@ -90,13 +94,20 @@ This guide provides step-by-step instructions for setting up the Talawa API serv
missingok
notifempty
create 664 talawa talawa
# Prevent symlink attacks
nolinkasym
# Delete old versions of log files
delaycompress
# Don't rotate empty log files
notifempty
postrotate
systemctl restart talawa-api.service > /dev/null 2>&1 || true
endscript
}
```

- Verify logrotate setup:

```bash
sudo logrotate -f /etc/logrotate.d/talawa-api
sudo logrotate -v /etc/logrotate.conf
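Review bot: `nolinkasym` in the added block is not a directive listed in logrotate(8), so it will not give the symlink protection its comment claims; drop it or replace it with a documented option, and confirm the file parses with `logrotate -d /etc/logrotate.d/talawa-api`. Two smaller points in the same block: the comment above `delaycompress` says "Delete old versions of log files", but that directive only postpones compression of the most recently rotated file by one cycle and has an effect only together with `compress`; and `notifempty` now appears twice in the stanza, so the second copy and its comment can go.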
Expand All @@ -105,91 +116,109 @@ This guide provides step-by-step instructions for setting up the Talawa API serv
```
- -f for forced rotation, -v for verbose rotation, -d for debuging mode rotation.
- To confirm log rotation, check the rotated logs:

```bash
ls -la /var/log/talawa-api.log*
```

### 7. Install Dependencies

- Install required Node.js version with `fnm`:

```bash
fnm install <node_version>
fnm use <node_version>
```
Replace `<node_version>` with the version specified in `package.json` (`engines.node`)
- Install dependencies:

```bash
npm install
```
- Globally install `tsx` if not already installed:

```bash
npm install -g tsx
```
- Install `jq`:

```bash
sudo apt install jq
```

### 8. Enable and Start the Service

1. Reload the systemd configuration:

```bash
sudo systemctl daemon-reload
```
2. Enable the service:

```bash
sudo systemctl enable talawa-api.service
```
3. Start the service:

```bash
sudo systemctl start talawa-api.service
```

### 9. Verify the Installation

- Check the status of the service:

```bash
sudo systemctl status talawa-api.service
```
- View logs in real-time:

```bash
sudo journalctl -u talawa-api.service -f
```
- Check for errors:

```bash
sudo journalctl -u talawa-api.service -p err
```
- Verify the service configuration:

```bash
sudo systemd-analyze verify talawa-api.service
```
- Verify service dependencies:

```bash
sudo systemctl list-dependencies talawa-api.service
```

## Notes

- Ensure the `Talawa-api.sh` script has executable permissions:

```bash
chmod +x /path/to/Talawa-api.sh
```
- Adjust `LimitNOFILE` and security-related settings in the `talawa-api.service` file as needed for your environment
- For production, ensure the `dist` folder exists by running:

```bash
npm run build
```
- If you encounter any issues, refer to the logs in `/var/log/talawa-api.log` or use `journalctl`
- Don't try to create a global variable to store paths for use in both systemd service and script files. Global variables (like `/path/to/your/talawa-api`) will not work properly as systemd services run in a separate environment. While there are various suggested solutions (using `/etc/environment`, `/etc/default/`, or `Environment` and `EnvironmentFile` directives), these approaches can complicate service execution and are not recommended
- Don't try to create a global variable to store paths for use in both systemd service and script files. Global variables (like `/path/to/your/talawa-api`) will not work properly as systemd services run in a separate environment. While there are various suggested solutions (using `/etc/environment`, `/etc/default/`, or `Environment` and `EnvironmentFile` directives), these approaches can complicate service execution and are not recommended.
- While systemd supports environment variables through EnvironmentFile and Environment directives, using absolute paths in both the service file and script ensures consistent behavior across different environments and makes debugging easier.

### Additional Steps for Troubleshooting

1. Verify Node.js and `tsx` installation:

```bash
node -v
tsx -v
```
2. Ensure MongoDB and Redis are running:

```bash
sudo systemctl status mongod
sudo systemctl status redis
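Review bot: The bullet added under Notes ("While systemd supports environment variables through EnvironmentFile and Environment directives, ...") repeats the recommendation of the bullet just above it and reads at odds with that bullet's statement that such variables "will not work properly"; fold the two into one bullet that says the directives exist but absolute paths are preferred here. While these lines are being touched, "debuging" in the `-f`/`-v`/`-d` bullet of the logrotate step could be corrected to "debugging".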
35 changes: 18 additions & 17 deletions example/linux/systemd/Talawa-api.sh
@@ -1,7 +1,8 @@
#!/bin/bash
# filepath: /path/to/your/talawa-api/example/linux/systemd/Talawa-api.sh
# Description: Talawa API startup script

# Don't use environment variables in this script, as when the script will run by systemd, it will not have access to the environment variables of the user.I have tried setting the environment variables in the systemd service file but it didn't work. So, directly use the absolute paths in the script.)
# Don't use environment variables in this script, as when the script will run by systemd, it will not have access to the environment variables of the user. I have tried setting the environment variables in the systemd service file but it didn't work. So, directly use the absolute paths in the script.
PROJECT_DIR="/path/to/your/talawa-api"
LOG_FILE="/var/log/talawa-api.log"
DEV_PATH="src/index.ts"
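Review bot: The reworded header comment still tells maintainers "Don't use environment variables in this script", yet the script later branches on `$NODE_ENV`; the comment should say where that value comes from so the rule and the code agree. It would also read better wrapped over several lines and stated as a constraint rather than as a first-person debugging note.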
Expand Down Expand Up @@ -33,6 +34,7 @@ if [ ! -w "$LOG_FILE" ] || [ ! -r "$LOG_FILE" ]; then
echo "Change permissions and try again."
exit 1
fi

echo "-------------------------------***************------------------------------------" | tee -a "$LOG_FILE"
echo "------------------------------>Talawa-API Logs<-----------------------------------" | tee -a "$LOG_FILE"
echo "------------------------------>Current session date: $(date)" | tee -a "$LOG_FILE"
Expand Down Expand Up @@ -62,7 +64,7 @@ echo "package.json is present in $(pwd). Proceeding..." | tee -a "$LOG_FILE"
if ! command -v jq >/dev/null 2>&1; then
echo "Error: 'jq' is not installed on this system. Exiting." | tee -a "$LOG_FILE"
echo "It is required to parse the Node.js version from package.json." | tee -a "$LOG_FILE"
echo "Please install 'jq' manually, then rerurn to the script." | tee -a "$LOG_FILE"
echo "Please install 'jq' manually, then return to the script." | tee -a "$LOG_FILE"
exit 1
fi
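Review bot: On the changed `echo` line, "then return to the script" may not be what the old typo "rerurn" stood for; it looks like "rerun", and "then rerun the script" tells the operator what to do after installing `jq`.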

Expand All @@ -84,8 +86,8 @@ echo "Installed Node.js version: $INSTALLED_NODE_VERSION" | tee -a "$LOG_FILE"
echo "Target Node.js version: $TARGET_NODE_VERSION" | tee -a "$LOG_FILE"

if [ "$INSTALLED_NODE_VERSION" != "$TARGET_NODE_VERSION" ]; then
echo "Error: Node.js version mismatch. Found $INSTALLED_NODE_VERSION, need $TARGET_NODE_VERSION". Exiting." | tee -a "$LOG_FILE"
echo "First install the required Node.js version from package.json in system then proceed further. It should match system Node.js version and Talawa-api Node.js version "$TARGET_NODE_VERSION" | tee -a "$LOG_FILE"
echo "Error: Node.js version mismatch. Found $INSTALLED_NODE_VERSION, need $TARGET_NODE_VERSION. Exiting." | tee -a "$LOG_FILE"
echo "First install the required Node.js version from package.json in system then proceed further. It should match system Node.js version and Talawa-api Node.js version v$TARGET_NODE_VERSION" | tee -a "$LOG_FILE"
exit 1
fi
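Review bot: The second new `echo` prints `v$TARGET_NODE_VERSION` while the line above it and the `!=` comparison use `$TARGET_NODE_VERSION` without a prefix, so the two messages show the required version in different forms (or with a doubled `v` if the variable already carries one). Print the variable the same way in both messages, in the form that is actually compared.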

Expand Down Expand Up @@ -145,16 +147,15 @@ if [ -z "$NODE_ENV" ]; then
fi

echo "Environment variable 'NODE_ENV' is set to '$NODE_ENV'. Proceeding..." | tee -a "$LOG_FILE"
{
# Check the value of NODE_ENV and execute the corresponding command
if [ "$NODE_ENV" == "development" ]; then
echo "Starting Talawa API in development mode..." | tee -a "$LOG_FILE"
exec "$TSX_PATH" "$DEV_PATH"
elif [ "$NODE_ENV" == "production" ]; then
echo "Starting Talawa API in production mode..." | tee -a "$LOG_FILE"
exec "$TSX_PATH" "$PROD_PATH"
else
echo "NODE_ENV is not set to a valid value. Please set it to 'development' or 'production'. Exiting." | tee -a "$LOG_FILE"
exit 1
fi
} 2>&1 | tee -a "$LOG_FILE"

# Check the value of NODE_ENV and execute the corresponding command
if [ "$NODE_ENV" == "development" ]; then
echo "Starting Talawa API in development mode..." | tee -a "$LOG_FILE"
exec "$TSX_PATH" "$DEV_PATH"
elif [ "$NODE_ENV" == "production" ]; then
echo "Starting Talawa API in production mode..." | tee -a "$LOG_FILE"
exec "$TSX_PATH" "$PROD_PATH"
else
echo "NODE_ENV is not set to a valid value. Please set it to 'development' or 'production'. Exiting." | tee -a "$LOG_FILE"
exit 1
fi
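Review bot: Dropping the `{ ... } 2>&1 | tee -a "$LOG_FILE"` wrapper means that after `exec "$TSX_PATH" ...` only the `echo` lines above reach `/var/log/talawa-api.log`; the API process's own stdout and stderr are no longer appended there, although the installation guide points operators at that file and rotates it. If the unit file does not already redirect output, either append it on the exec lines (`exec "$TSX_PATH" "$PROD_PATH" >>"$LOG_FILE" 2>&1`) or set `StandardOutput=append:/var/log/talawa-api.log` and the matching `StandardError=` in `talawa-api.service`.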
