diff --git a/vhdbuilder/packer/cis-report.sh b/vhdbuilder/packer/cis-report.sh
index dbcb0735efe..9763c3fd281 100644
--- a/vhdbuilder/packer/cis-report.sh
+++ b/vhdbuilder/packer/cis-report.sh
@@ -56,11 +56,50 @@ pushd "$(dirname "$CISASSESSOR_TARBALL_PATH")" || exit 1
 # Disable GuestConfig agent to avoid interference with CIS checks
 systemctl disable --now gcd.service || true
-# Fix permissions of log files
-find /var/log -type f -exec chmod 640 {} \;
+# Stop logging daemons to prevent new log files being created between our
+# permission fix and the CIS assessor run (race condition).
+systemctl stop rsyslog.service 2>/dev/null || true
+systemctl stop systemd-journald.service 2>/dev/null || true
+
+# Extract assessor first so tar output doesn't go to /var/log
 tar xzf "$CISASSESSOR_TARBALL_PATH"
+# CIS 6.1.3.1 (22.04) / 6.1.4.1 (24.04): Fix log file permissions and ownership.
+# The scan VM boots from the VHD, and boot-time daemons (syslog, journal, etc.) may create
+# new log files with default permissions that violate CIS rules. Fix comprehensively here
+# immediately before the CIS assessor runs to minimize the race window.
+# CIS benchmark requires: file perms ≤ 0640, dir perms ≤ 0750,
+# file group ∈ {root, adm}, file owner ∈ {root, syslog}.
+fix_logfile_permissions() {
+ find /var/log -type f -perm /7137 -exec chmod 'u-x,g-wx,o-rwx' {} +
+ find /var/log -type d -perm /7027 -exec chmod 'g-w,o-rwx' {} +
+
+ # Fix group ownership: CIS only allows root or adm as group for log files
+ local target_group="root"
+ if getent group adm >/dev/null 2>&1; then
+ target_group="adm"
+ fi
+ find /var/log -type f ! -group root ! -group adm -exec chgrp "${target_group}" {} +
+ find /var/log -type d ! -group root ! -group adm -exec chgrp "${target_group}" {} +
+
+ # Fix file ownership: CIS only allows root or syslog as owner for log files
+ find /var/log -type f ! -user root ! -user syslog -exec chown root {} +
+}
+fix_logfile_permissions
+
+# Diagnostic: show any remaining non-compliant files AFTER fix
+echo "=== CIS 6.1 POST-FIX DIAGNOSTICS ==="
+echo "--- Files with excess permissions (should be empty): ---"
+find /var/log -type f \( -perm /0137 \) -exec stat -c '%a %U %G %n' {} + 2>/dev/null || echo "(none)"
+echo "--- Dirs with excess permissions (should be empty): ---"
+find /var/log -type d \( -perm /0027 \) -exec stat -c '%a %U %G %n' {} + 2>/dev/null || echo "(none)"
+echo "--- Files with wrong group (not root/adm): ---"
+find /var/log -type f ! -group root ! -group adm -exec stat -c '%a %U %G %n' {} + 2>/dev/null || echo "(none)"
+echo "--- Files with wrong owner (not root/syslog): ---"
+find /var/log -type f ! -user root ! -user syslog -exec stat -c '%a %U %G %n' {} + 2>/dev/null || echo "(none)"
+echo "=== END DIAGNOSTICS ==="
+
 # Run L1 and L2 and upload both text reports. L2 HTML is used to assist in fixing issues.
 REPORT_DIR="cisassessor/lib/app/reports"
 latest_report() {
diff --git a/vhdbuilder/packer/packer_source.sh b/vhdbuilder/packer/packer_source.sh
index c960d797a5c..9fe4ac4ef36 100644
--- a/vhdbuilder/packer/packer_source.sh
+++ b/vhdbuilder/packer/packer_source.sh
@@ -494,3 +494,16 @@ cpAndMode() {
 mode=$3
 DIR=$(dirname "$dest") && mkdir -p ${DIR} && cp $src $dest && chmod $mode $dest || exit $ERR_PACKER_COPY_FILE
 }
+
+# Re-apply custom login banners to /etc/issue and /etc/issue.net.
+# apt_get_dist_upgrade uses --force-confnew which overwrites these files
+# with default content from the base-files package whenever it is upgraded.
+# Call this after any apt operations that may trigger conffile replacement.
+reapplyBanners() {
+ local etc_issue_src=/home/packer/etc-issue
+ local etc_issue_dest=/etc/issue
+ local etc_issue_net_src=/home/packer/etc-issue.net
+ local etc_issue_net_dest=/etc/issue.net
+ cpAndMode "$etc_issue_src" "$etc_issue_dest" 644
+ cpAndMode "$etc_issue_net_src" "$etc_issue_net_dest" 644
+}
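Review bot: The `|| echo "(none)"` fallback on each diagnostic `find … -exec stat` line in cis-report.sh never fires for the empty case, because find exits 0 when nothing matches and is non-zero only on an error (which `2>/dev/null` already hides), so a fully clean VM prints bare section headers and an actual find failure prints "(none)". If the empty case should be visible, test for output instead, e.g. `find /var/log -type f -perm /0137 -exec stat -c '%a %U %G %n' {} + 2>/dev/null | grep . || echo "(none)"`, and the same for the other three lines. The diagnostics also match `-perm /0137` and `/0027` while fix_logfile_permissions strips with `/7137` and `/7027`, so a remaining setuid/setgid/sticky bit would be corrected but never reported; using the same masks in both places keeps the fix and the report in step. Separately, `systemctl stop systemd-journald.service` alone does not keep the journal down, since the service is socket-activated and is started again on the next log write unless systemd-journald.socket and systemd-journald-dev-log.socket are stopped too, so the race the comment describes is narrowed rather than closed.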
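Review bot: reapplyBanners in packer_source.sh cannot report failure to its caller: cpAndMode, visible in the context above it, ends in `|| exit $ERR_PACKER_COPY_FILE`, so a missing /home/packer/etc-issue or etc-issue.net aborts the whole provisioning script at this point instead of returning non-zero. That is acceptable for a build step but worth stating in the header comment, e.g. `# Exits the script with ERR_PACKER_COPY_FILE (via cpAndMode) if either source file is missing; it does not return an error to the caller.`. The 0644 mode is the conventional world-readable setting for these banner files and, as far as I recall, matches what the CIS benchmark expects for /etc/issue and /etc/issue.net, so it looks right.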
diff --git a/vhdbuilder/packer/post-install-dependencies.sh b/vhdbuilder/packer/post-install-dependencies.sh
index 362be0d8d52..67cccc26da3 100644
--- a/vhdbuilder/packer/post-install-dependencies.sh
+++ b/vhdbuilder/packer/post-install-dependencies.sh
@@ -5,6 +5,7 @@ UBUNTU_OS_NAME="UBUNTU"
 FLATCAR_OS_NAME="FLATCAR"
 ACL_OS_NAME="AZURECONTAINERLINUX"
+source /home/packer/packer_source.sh
 source /home/packer/provision_installs.sh
 source /home/packer/provision_installs_distro.sh
 source /home/packer/provision_source.sh
@@ -47,6 +48,11 @@ if [ $OS = $UBUNTU_OS_NAME ]; then
 retrycmd_if_failure 10 2 60 apt-get -y autoclean || exit 1
 retrycmd_if_failure 10 2 60 apt-get -y autoremove --purge || exit 1
 retrycmd_if_failure 10 2 60 apt-get -y clean || exit 1
+
+ # Re-apply custom login banners after all apt operations.
+ # apt_get_dist_upgrade uses --force-confnew which overwrites /etc/issue and /etc/issue.net
+ # with the default content from the base-files package whenever it is upgraded.
+ reapplyBanners
 capture_benchmark "${SCRIPT_NAME}_purge_ubuntu_kernels_and_packages"
 # Final step, FIPS, log ua status, detach UA and clean up
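Review bot: The four-line comment above the `reapplyBanners` call in post-install-dependencies.sh restates the header that already sits on the function in packer_source.sh, so the rationale now lives in two places that can drift; a one-line pointer such as `# base-files upgrades clobber /etc/issue*; see reapplyBanners in packer_source.sh` keeps the explanation in one spot. The call also relies on the `source /home/packer/packer_source.sh` line added in the earlier hunk of the same file; if that file were absent the call would fail as an unknown command, and whether that aborts the script depends on `set -e` being in effect, which is not visible here. The context comment after the call mentions a FIPS and UA-detach step that follows; if that step runs further apt operations, base-files could be replaced again after this point, so it is worth confirming the call sits after the last apt invocation. The enclosing `if [ $OS = $UBUNTU_OS_NAME ]` block starts and ends outside the hunk.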