From 828aefde57d0636167583a08d1051b3c4efb57ab Mon Sep 17 00:00:00 2001
From: Purnendu
Date: Tue, 31 Dec 2024 01:10:12 +0530
Subject: [PATCH] add some security directives in log
---
 example/linux/installation.md | 31 ++++++++++++++++++++++++-
 example/linux/systemd/Talawa-api.sh | 35 +++++++++++++++--------------
 2 files changed, 48 insertions(+), 18 deletions(-)
diff --git a/example/linux/installation.md b/example/linux/installation.md
index af5efb1883..b74f73478c 100644
--- a/example/linux/installation.md
+++ b/example/linux/installation.md
@@ -29,10 +29,12 @@ This guide provides step-by-step instructions for setting up the Talawa API serv ### 1. Create a Dedicated System User - Create a user named `talawa` for running the service: + ```bash sudo adduser --system --no-create-home --group talawa ``` - Verify the user creation: + ```bash id talawa ```
@@ -66,6 +68,7 @@ This guide provides step-by-step instructions for setting up the Talawa API serv ### 5. Verify Log File and Permissions - Create the log file if it does not exist: + ```bash sudo touch /var/log/talawa-api.log sudo chown talawa:talawa /var/log/talawa-api.log
@@ -76,6 +79,7 @@ This guide provides step-by-step instructions for setting up the Talawa API serv ### 6. Set Up Log Rotation - Create a new logrotate configuration file for Talawa API: + ```bash sudo nano /etc/logrotate.d/talawa-api ```
@@ -90,6 +94,12 @@ This guide provides step-by-step instructions for setting up the Talawa API serv missingok notifempty create 664 talawa talawa + # Prevent symlink attacks + nolinkasym + # Delete old versions of log files + delaycompress + # Don't rotate empty log files + notifempty postrotate systemctl restart talawa-api.service > /dev/null 2>&1 || true endscript
@@ -97,6 +107,7 @@ This guide provides step-by-step instructions for setting up the Talawa API serv ``` - Verify logrotate setup: + ```bash sudo logrotate -f /etc/logrotate.d/talawa-api sudo logrotate -v /etc/logrotate.conf
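Review bot: `nolinkasym` in the logrotate stanza is not a logrotate directive, so the added line gives no symlink protection; logrotate reports it as an unknown option and, depending on the version, either ignores that line or rejects the whole `/etc/logrotate.d/talawa-api` file, which would stop rotation of the log entirely. The added `notifempty` duplicates the `notifempty` already present in the context three lines above, and the comment on `delaycompress` is inaccurate: that directive postpones compression of the newest rotated file by one cycle and only has an effect alongside `compress`, which this stanza does not set. Suggest removing `nolinkasym` and the duplicate, and documenting the remaining line as `# Compress rotated logs, but leave the newest one uncompressed for one cycle` with a `compress` line beside it. If the goal is to avoid logrotate acting on a symlinked log, the existing `create 664 talawa talawa` already recreates the log as a regular file owned by the service user after each rotation; the group-writable mode is worth a second look too, since any member of the `talawa` group can then append to the log.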
@@ -105,6 +116,7 @@ This guide provides step-by-step instructions for setting up the Talawa API serv ``` - -f for forced rotation, -v for verbose rotation, -d for debuging mode rotation. - To confirm log rotation, check the rotated logs: + ```bash ls -la /var/log/talawa-api.log* ```
@@ -112,20 +124,24 @@ This guide provides step-by-step instructions for setting up the Talawa API serv ### 7. Install Dependencies - Install required Node.js version with `fnm`: + ```bash fnm install fnm use ``` Replace `` with the version specified in `package.json` (`engines.node`) - Install dependencies: + ```bash npm install ``` - Globally install `tsx` if not already installed: + ```bash npm install -g tsx ``` - Install `jq`: + ```bash sudo apt install jq ```
@@ -133,14 +149,17 @@ This guide provides step-by-step instructions for setting up the Talawa API serv ### 8. Enable and Start the Service 1. Reload the systemd configuration: + ```bash sudo systemctl daemon-reload ``` 2. Enable the service: + ```bash sudo systemctl enable talawa-api.service ``` 3. Start the service: + ```bash sudo systemctl start talawa-api.service ```
@@ -148,22 +167,27 @@ This guide provides step-by-step instructions for setting up the Talawa API serv ### 9. Verify the Installation - Check the status of the service: + ```bash sudo systemctl status talawa-api.service ``` - View logs in real-time: + ```bash sudo journalctl -u talawa-api.service -f ``` - Check for errors: + ```bash sudo journalctl -u talawa-api.service -p err ``` - Verify the service configuration: + ```bash sudo systemd-analyze verify talawa-api.service ``` - Verify service dependencies: + ```bash sudo systemctl list-dependencies talawa-api.service ```
@@ -171,25 +195,30 @@ This guide provides step-by-step instructions for setting up the Talawa API serv ## Notes - Ensure the `Talawa-api.sh` script has executable permissions: + ```bash chmod +x /path/to/Talawa-api.sh ``` - Adjust `LimitNOFILE` and security-related settings in the `talawa-api.service` file as needed for your environment - For production, ensure the `dist` folder exists by running: + ```bash npm run build ``` - If you encounter any issues, refer to the logs in `/var/log/talawa-api.log` or use `journalctl` -- Don't try to create a global variable to store paths for use in both systemd service and script files. Global variables (like `/path/to/your/talawa-api`) will not work properly as systemd services run in a separate environment. While there are various suggested solutions (using `/etc/environment`, `/etc/default/`, or `Environment` and `EnvironmentFile` directives), these approaches can complicate service execution and are not recommended +- Don't try to create a global variable to store paths for use in both systemd service and script files. Global variables (like `/path/to/your/talawa-api`) will not work properly as systemd services run in a separate environment. While there are various suggested solutions (using `/etc/environment`, `/etc/default/`, or `Environment` and `EnvironmentFile` directives), these approaches can complicate service execution and are not recommended. +- While systemd supports environment variables through EnvironmentFile and Environment directives, using absolute paths in both the service file and script ensures consistent behavior across different environments and makes debugging easier. ### Additional Steps for Troubleshooting 1. Verify Node.js and `tsx` installation: + ```bash node -v tsx -v ``` 2. Ensure MongoDB and Redis are running: + ```bash sudo systemctl status mongod sudo systemctl status redis 
diff --git a/example/linux/systemd/Talawa-api.sh b/example/linux/systemd/Talawa-api.sh
index 1f3686f2e4..9122557030 100755
--- a/example/linux/systemd/Talawa-api.sh
+++ b/example/linux/systemd/Talawa-api.sh
@@ -1,7 +1,8 @@ #!/bin/bash +# filepath: /path/to/your/talawa-api/example/linux/systemd/Talawa-api.sh # Description: Talawa API startup script -# Don't use environment variables in this script, as when the script will run by systemd, it will not have access to the environment variables of the user.I have tried setting the environment variables in the systemd service file but it didn't work. So, directly use the absolute paths in the script.) +# Don't use environment variables in this script, as when the script will run by systemd, it will not have access to the environment variables of the user. I have tried setting the environment variables in the systemd service file but it didn't work. So, directly use the absolute paths in the script. PROJECT_DIR="/path/to/your/talawa-api" LOG_FILE="/var/log/talawa-api.log" DEV_PATH="src/index.ts"
@@ -33,6 +34,7 @@ if [ ! -w "$LOG_FILE" ] || [ ! -r "$LOG_FILE" ]; then echo "Change permissions and try again." exit 1 fi + echo "-------------------------------***************------------------------------------" | tee -a "$LOG_FILE" echo "------------------------------>Talawa-API Logs<-----------------------------------" | tee -a "$LOG_FILE" echo "------------------------------>Current session date: $(date)" | tee -a "$LOG_FILE"
@@ -62,7 +64,7 @@ echo "package.json is present in $(pwd). Proceeding..." | tee -a "$LOG_FILE" if ! command -v jq >/dev/null 2>&1; then echo "Error: 'jq' is not installed on this system. Exiting." | tee -a "$LOG_FILE" echo "It is required to parse the Node.js version from package.json." | tee -a "$LOG_FILE" - echo "Please install 'jq' manually, then rerurn to the script." | tee -a "$LOG_FILE" + echo "Please install 'jq' manually, then return to the script." | tee -a "$LOG_FILE" exit 1 fi
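Review bot: The rewritten header comment still tells readers not to use environment variables in this script, yet the script's mode selection is driven by `$NODE_ENV` (checked with `[ -z "$NODE_ENV" ]` in the last hunk), so the guidance contradicts the code it introduces. Suggest narrowing it to what the script actually avoids, e.g. `# Under systemd this script runs with a minimal environment (no user PATH, HOME or shell init), so use absolute paths for tools and files. The only variable read is NODE_ENV, which is validated below before use.` The new `# filepath:` line is a placeholder that has to be edited together with `PROJECT_DIR` on deployment; a short note saying so next to it would keep the two from drifting apart. The run of path assignments continues outside the hunk.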
@@ -84,8 +86,8 @@ echo "Installed Node.js version: $INSTALLED_NODE_VERSION" | tee -a "$LOG_FILE" echo "Target Node.js version: $TARGET_NODE_VERSION" | tee -a "$LOG_FILE" if [ "$INSTALLED_NODE_VERSION" != "$TARGET_NODE_VERSION" ]; then - echo "Error: Node.js version mismatch. Found $INSTALLED_NODE_VERSION, need $TARGET_NODE_VERSION". Exiting." | tee -a "$LOG_FILE" - echo "First install the required Node.js version from package.json in system then proceed further. It should match system Node.js version and Talawa-api Node.js version "$TARGET_NODE_VERSION" | tee -a "$LOG_FILE" + echo "Error: Node.js version mismatch. Found $INSTALLED_NODE_VERSION, need $TARGET_NODE_VERSION. Exiting." | tee -a "$LOG_FILE" + echo "First install the required Node.js version from package.json in system then proceed further. It should match system Node.js version and Talawa-api Node.js version v$TARGET_NODE_VERSION" | tee -a "$LOG_FILE" exit 1 fi 
@@ -145,16 +147,15 @@ if [ -z "$NODE_ENV" ]; then fi echo "Environment variable 'NODE_ENV' is set to '$NODE_ENV'. Proceeding..." | tee -a "$LOG_FILE" -{ - # Check the value of NODE_ENV and execute the corresponding command - if [ "$NODE_ENV" == "development" ]; then - echo "Starting Talawa API in development mode..." | tee -a "$LOG_FILE" - exec "$TSX_PATH" "$DEV_PATH" - elif [ "$NODE_ENV" == "production" ]; then - echo "Starting Talawa API in production mode..." | tee -a "$LOG_FILE" - exec "$TSX_PATH" "$PROD_PATH" - else - echo "NODE_ENV is not set to a valid value. Please set it to 'development' or 'production'. Exiting." | tee -a "$LOG_FILE" - exit 1 - fi -} 2>&1 | tee -a "$LOG_FILE" \ No newline at end of file + +# Check the value of NODE_ENV and execute the corresponding command +if [ "$NODE_ENV" == "development" ]; then + echo "Starting Talawa API in development mode..." | tee -a "$LOG_FILE" + exec "$TSX_PATH" "$DEV_PATH" +elif [ "$NODE_ENV" == "production" ]; then + echo "Starting Talawa API in production mode..." | tee -a "$LOG_FILE" + exec "$TSX_PATH" "$PROD_PATH" +else + echo "NODE_ENV is not set to a valid value. Please set it to 'development' or 'production'. Exiting." | tee -a "$LOG_FILE" + exit 1 +fi \ No newline at end of file
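Review bot: Dropping the `{ … } 2>&1 | tee -a "$LOG_FILE"` wrapper means the exec'd `tsx` process no longer writes anything to `$LOG_FILE` — only the pre-launch `echo … | tee` lines land there — while the installation guide in this same patch still directs operators to `/var/log/talawa-api.log` for troubleshooting. Moving `exec` out of the pipeline is the right shape for a systemd-managed service, since the script process itself is now replaced by the application instead of a bash wrapper waiting on a subshell, but the log destination should then be chosen deliberately: either append the redirection to both exec lines, `exec "$TSX_PATH" "$DEV_PATH" >>"$LOG_FILE" 2>&1` and `exec "$TSX_PATH" "$PROD_PATH" >>"$LOG_FILE" 2>&1`, or leave output to the journal and set `StandardOutput=append:/var/log/talawa-api.log` in the unit file (not on this page) and say so in the guide. The file also still ends without a trailing newline; a final newline after `fi` avoids the `\ No newline at end of file` marker in every future diff.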