Add new version of systemd parameter checks

src/modules/complianceengine/src/lib/CMakeLists.txt

@@ -10,8 +10,8 @@ endif()
 find_package(Lua REQUIRED)
 
 set(PROCEDURES
-    procedures/EnsureAccountsWithoutShellAreLocked.cpp
     procedures/AuditdRulesCheck.cpp
+    procedures/EnsureAccountsWithoutShellAreLocked.cpp
     procedures/EnsureAllGroupsFromEtcPasswdExistInEtcGroup.cpp
     procedures/EnsureApparmorProfiles.cpp
     procedures/EnsureDconf.cpp
@@ -38,23 +38,23 @@ set(PROCEDURES
     procedures/EnsureSshdOption.cpp
     procedures/EnsureSysctl.cpp
     procedures/EnsureSystemAccountsDoNotHaveValidShell.cpp
+    procedures/EnsureSystemdParameter.cpp
     procedures/EnsureUserIsOnlyAccountWith.cpp
     procedures/EnsureWirelessIsDisabled.cpp
     procedures/EnsureXdmcp.cpp
     procedures/ExecuteCommandGrep.cpp
     procedures/FileRegexMatch.cpp
     procedures/PackageInstalled.cpp
     procedures/SCE.cpp
-    procedures/SystemdConfig.cpp
     procedures/SystemdUnitState.cpp
     procedures/TestingProcedures.cpp
     procedures/UfwStatus.cpp
     procedures/EnsureShadowContains.cpp
     procedures/EnsureSshKeyPerms.cpp
 )
 set(SCHEMAS
-    procedures/EnsureAccountsWithoutShellAreLocked.schema.json
     procedures/AuditdRulesCheck.schema.json
+    procedures/EnsureAccountsWithoutShellAreLocked.schema.json
     procedures/EnsureAllGroupsFromEtcPasswdExistInEtcGroup.schema.json
     procedures/EnsureApparmorProfiles.schema.json
     procedures/EnsureDconf.schema.json
@@ -81,14 +81,14 @@ set(SCHEMAS
     procedures/EnsureSshdOption.schema.json
     procedures/EnsureSysctl.schema.json
     procedures/EnsureSystemAccountsDoNotHaveValidShell.schema.json
+    procedures/EnsureSystemdParameter.schema.json
     procedures/EnsureUserIsOnlyAccountWith.schema.json
     procedures/EnsureWirelessIsDisabled.schema.json
     procedures/EnsureXdmcp.schema.json
     procedures/ExecuteCommandGrep.schema.json
     procedures/FileRegexMatch.schema.json
     procedures/PackageInstalled.schema.json
     procedures/SCE.schema.json
-    procedures/SystemdConfig.schema.json
     procedures/SystemdUnitState.schema.json
     procedures/TestingProcedures.schema.json
     procedures/UfwStatus.schema.json

src/modules/complianceengine/src/lib/ProcedureMap.cpp

@@ -59,6 +59,12 @@ const char* Bindings<EnsureSshdOptionParams>::names[] = {"option", "value", "op"
 // EnsureSysctl.h:21
 const char* Bindings<EnsureSysctlParams>::names[] = {"sysctlName", "value"};
 
+// EnsureSystemdParameter.h:25
+const char* Bindings<SystemdParameterParams>::names[] = {"parameter", "valueRegex", "file", "dir"};
+
+// EnsureSystemdParameter.h:66
+const char* Bindings<EnsureSystemdParameterV4Params>::names[] = {"file", "section", "option", "expression", "value"};
+
 // EnsureUserIsOnlyAccountWith.h:26
 const char* Bindings<EnsureUserIsOnlyAccountWithParams>::names[] = {"username", "uid", "gid", "test_etcPasswdPath"};
 
@@ -77,9 +83,6 @@ const char* Bindings<PackageInstalledParams>::names[] = {"packageName", "minPack
 // SCE.h:18
 const char* Bindings<SCEParams>::names[] = {"scriptName", "ENVIRONMENT"};
 
-// SystemdConfig.h:25
-const char* Bindings<SystemdParameterParams>::names[] = {"parameter", "valueRegex", "file", "dir"};
-
 // SystemdUnitState.h:28
 const char* Bindings<SystemdUnitStateParams>::names[] = {"unitName", "ActiveState", "LoadState", "UnitFileState", "Unit"};
 
@@ -131,6 +134,7 @@ const ProcedureMap Evaluator::mProcedureMap = {
     {"EnsureSshdOption", {MakeHandler(AuditEnsureSshdOption), nullptr}},
     {"EnsureSysctl", {MakeHandler(AuditEnsureSysctl), nullptr}},
     {"EnsureSystemAccountsDoNotHaveValidShell", {MakeHandler(AuditEnsureSystemAccountsDoNotHaveValidShell), nullptr}},
+    {"EnsureSystemdParameterV4", {MakeHandler(AuditEnsureSystemdParameterV4), nullptr}},
     {"EnsureUfwOpenPorts", {MakeHandler(AuditEnsureUfwOpenPorts), nullptr}},
     {"EnsureUserIsOnlyAccountWith", {MakeHandler(AuditEnsureUserIsOnlyAccountWith), nullptr}},
     {"EnsureWirelessIsDisabled", {MakeHandler(AuditEnsureWirelessIsDisabled), nullptr}},
@@ -246,6 +250,18 @@ string to_string(const ComplianceEngine::EnsureSshdOptionMode value) noexcept(fa
     return it->second;
 }
 
+string to_string(const ComplianceEngine::SystemdParameterExpression value) noexcept(false)
+{
+    const auto& map = ComplianceEngine::MapEnum<ComplianceEngine::SystemdParameterExpression>();
+    static const auto revmap = ComplianceEngine::RevertMap(map);
+    const auto it = revmap.find(value);
+    if (revmap.end() == it)
+    {
+        throw std::out_of_range("Invalid enum value");
+    }
+    return it->second;
+}
+
 string to_string(const ComplianceEngine::RegexType value) noexcept(false)
 {
     const auto& map = ComplianceEngine::MapEnum<ComplianceEngine::RegexType>();

src/modules/complianceengine/src/lib/ProcedureMap.h

@@ -32,14 +32,14 @@
 #include <EnsureSshdOption.h>
 #include <EnsureSysctl.h>
 #include <EnsureSystemAccountsDoNotHaveValidShell.h>
+#include <EnsureSystemdParameter.h>
 #include <EnsureUserIsOnlyAccountWith.h>
 #include <EnsureWirelessIsDisabled.h>
 #include <EnsureXdmcp.h>
 #include <ExecuteCommandGrep.h>
 #include <FileRegexMatch.h>
 #include <PackageInstalled.h>
 #include <SCE.h>
-#include <SystemdConfig.h>
 #include <SystemdUnitState.h>
 #include <TestingProcedures.h>
 #include <UfwStatus.h>
@@ -163,6 +163,20 @@ inline const std::map<std::string, EnsureSshdOptionMode>& MapEnum<EnsureSshdOpti
     return map;
 }
 
+// Maps the SystemdParameterExpression enum labels to the enum values.
+template <>
+inline const std::map<std::string, SystemdParameterExpression>& MapEnum<SystemdParameterExpression>()
+{
+    static const std::map<std::string, SystemdParameterExpression> map = {
+        {"lt", SystemdParameterExpression::LessThan},
+        {"le", SystemdParameterExpression::LessOrEqual},
+        {"gt", SystemdParameterExpression::GreaterThan},
+        {"ge", SystemdParameterExpression::GreaterOrEqual},
+        {"eq", SystemdParameterExpression::Equal},
+    };
+    return map;
+}
+
 // Maps the RegexType enum labels to the enum values.
 template <>
 inline const std::map<std::string, RegexType>& MapEnum<RegexType>()
@@ -404,6 +418,26 @@ struct Bindings<EnsureSysctlParams>
     static constexpr auto members = std::make_tuple(&T::sysctlName, &T::value);
 };
 
+// Defines the bindings for the SystemdParameterParams structure.
+template <>
+struct Bindings<SystemdParameterParams>
+{
+    using T = SystemdParameterParams;
+    static constexpr size_t size = 4;
+    static const char* names[];
+    static constexpr auto members = std::make_tuple(&T::parameter, &T::valueRegex, &T::file, &T::dir);
+};
+
+// Defines the bindings for the EnsureSystemdParameterV4Params structure.
+template <>
+struct Bindings<EnsureSystemdParameterV4Params>
+{
+    using T = EnsureSystemdParameterV4Params;
+    static constexpr size_t size = 5;
+    static const char* names[];
+    static constexpr auto members = std::make_tuple(&T::file, &T::section, &T::option, &T::expression, &T::value);
+};
+
 // Defines the bindings for the EnsureUserIsOnlyAccountWithParams structure.
 template <>
 struct Bindings<EnsureUserIsOnlyAccountWithParams>
@@ -464,16 +498,6 @@ struct Bindings<SCEParams>
     static constexpr auto members = std::make_tuple(&T::scriptName, &T::ENVIRONMENT);
 };
 
-// Defines the bindings for the SystemdParameterParams structure.
-template <>
-struct Bindings<SystemdParameterParams>
-{
-    using T = SystemdParameterParams;
-    static constexpr size_t size = 4;
-    static const char* names[];
-    static constexpr auto members = std::make_tuple(&T::parameter, &T::valueRegex, &T::file, &T::dir);
-};
-
 // Defines the bindings for the SystemdUnitStateParams structure.
 template <>
 struct Bindings<SystemdUnitStateParams>
@@ -552,6 +576,9 @@ string to_string(ComplianceEngine::EnsureSshdOptionOperation value) noexcept(fal
 // Returns a string representation of the EnsureSshdOptionMode enum value.
 string to_string(ComplianceEngine::EnsureSshdOptionMode value) noexcept(false); // NOLINT(*-identifier-naming)
 
+// Returns a string representation of the SystemdParameterExpression enum value.
+string to_string(ComplianceEngine::SystemdParameterExpression value) noexcept(false); // NOLINT(*-identifier-naming)
+
 // Returns a string representation of the RegexType enum value.
 string to_string(ComplianceEngine::RegexType value) noexcept(false); // NOLINT(*-identifier-naming)
 

src/modules/complianceengine/src/lib/SystemdCatConfig.cpp

@@ -2,14 +2,46 @@
 // Licensed under the MIT License.
 
 #include <SystemdCatConfig.h>
+#include <Telemetry.h>
 
 namespace ComplianceEngine
 {
-Result<std::string> SystemdCatConfig(const std::string& filename, ContextInterface& context)
+namespace
 {
-    auto result = context.ExecuteCommand("systemd-analyze cat-config " + filename);
+Result<std::string> DetermineCommandPath(const std::string& command, const ContextInterface& context)
+{
+    auto result = context.ExecuteCommand("readlink -e /bin/" + command);
+    if (result.HasValue())
+    {
+        OsConfigLogInfo(context.GetLogHandle(), "'%s' path is: %s", command.c_str(), result->c_str());
+        return std::move(result.Value());
+    }
+
+    result = context.ExecuteCommand("readlink -e /usr/bin/" + command);
+    if (result.HasValue())
+    {
+        OsConfigLogInfo(context.GetLogHandle(), "'%s' path is: %s", command.c_str(), result->c_str());
+        return std::move(result.Value());
+    }
+
+    OsConfigLogError(context.GetLogHandle(), "Failed to determine systemd-analyze command path");
+    return result.Error();
+}
+} // anonymous namespace
+
+Result<std::string> SystemdCatConfig(const std::string& filename, const ContextInterface& context)
+{
+    static const auto commandPath = DetermineCommandPath("systemd-analyze", context);
+    if (!commandPath.HasValue())
+    {
+        return commandPath.Error();
+    }
+
+    auto result = context.ExecuteCommand(commandPath.Value() + " cat-config " + filename);
     if (!result.HasValue())
     {
+        OsConfigLogError(context.GetLogHandle(), "Failed to execute systemd-analyze command: %s", result.Error().message.c_str());
+        OSConfigTelemetryStatusTrace("ExecuteCommand", result.Error().code);
         return result;
     }
 

src/modules/complianceengine/src/lib/SystemdCatConfig.h

@@ -9,7 +9,7 @@
 
 namespace ComplianceEngine
 {
-Result<std::string> SystemdCatConfig(const std::string& filename, ContextInterface& context);
+Result<std::string> SystemdCatConfig(const std::string& filename, const ContextInterface& context);
 } // namespace ComplianceEngine
 
 #endif // COMPLIANCEENGINE_SYSTEMD_CAT_CONFIG_H

src/modules/complianceengine/src/lib/payload.schema.json

@@ -242,6 +242,9 @@
         {
           "$ref": "procedures/EnsureSystemAccountsDoNotHaveValidShell.schema.json#/definitions/audit"
         },
+        {
+          "$ref": "procedures/EnsureSystemdParameter.schema.json#/definitions/audit"
+        },
         {
           "$ref": "procedures/EnsureUserIsOnlyAccountWith.schema.json#/definitions/audit"
         },
@@ -369,6 +372,9 @@
         {
           "$ref": "procedures/EnsureSystemAccountsDoNotHaveValidShell.schema.json#/definitions/remediation"
         },
+        {
+          "$ref": "procedures/EnsureSystemdParameter.schema.json#/definitions/remediation"
+        },
         {
           "$ref": "procedures/EnsureUserIsOnlyAccountWith.schema.json#/definitions/remediation"
         },