Correct logic now

Author: robertwoj-microsoft

src/modules/compliance/src/lib/procedures/ensureFilePermissions.cpp

@@ -3,6 +3,7 @@
 #include <Evaluator.h>
 #include <errno.h>
 #include <grp.h>
+#include <iomanip>
 #include <pwd.h>
 #include <string.h>
 #include <sys/stat.h>
@@ -74,7 +75,7 @@ AUDIT_FN(ensureFilePermissions)
     }
 
     mode_t perms = 0x0;
-    mode_t mask = 0x0;
+    mode_t mask = 0xFFF;
     bool has_perms_or_mask = false;
     if (args.find("permissions") != args.end())
     {
@@ -95,17 +96,19 @@ AUDIT_FN(ensureFilePermissions)
         {
             return Error("Invalid mask parameter");
         }
-        if (perms & mask)
+        if (perms & (~mask))
         {
-            return Error("Permissions and mask overlap");
+            return Error("Permissions must not have bits set that are not set in the mask");
         }
 
         has_perms_or_mask = true;
     }
-    if (has_perms_or_mask && ((statbuf.st_mode & mask) || (statbuf.st_mode & perms) != perms))
+    if (has_perms_or_mask && ((statbuf.st_mode & mask) != (perms & mask)))
     {
-        logstream << "Invalid permissions - are " << std::oct << (statbuf.st_mode & supportedMask) << " should be " << std::oct
-                  << (statbuf.st_mode & (~mask) & supportedMask) << " with mask " << std::oct << mask << std::dec;
+        auto currentPerms = statbuf.st_mode & supportedMask;
+        auto expectedPerms = ((statbuf.st_mode & ~mask) | (perms & mask)) & supportedMask;
+        logstream << "Invalid permissions - are " << std::setw(4) << std::setfill('0') << std::oct << currentPerms << " should be " << std::setw(4)
+                  << std::setfill('0') << std::oct << expectedPerms << " with mask " << std::setw(4) << std::setfill('0') << std::oct << mask << std::dec;
         return false;
     }
 
@@ -187,7 +190,7 @@ REMEDIATE_FN(ensureFilePermissions)
     }
 
     mode_t perms = 0x0;
-    mode_t mask = 0x0;
+    mode_t mask = 0xFFF;
     bool has_perms_or_mask = false;
     if (args.find("permissions") != args.end())
     {
@@ -209,16 +212,18 @@ REMEDIATE_FN(ensureFilePermissions)
             logstream << "ERROR: Invalid permissions mask: " << args["mask"];
             return Error("Invalid permissions mask: " + args["mask"]);
         }
-        if (perms & mask)
+        if (perms & (~mask))
         {
-            return Error("Permissions and mask overlap");
+            return Error("Permissions must not have bits set that are not set in the mask");
         }
         has_perms_or_mask = true;
     }
 
     unsigned short new_perms = (statbuf.st_mode & ~mask) | perms;
+    OsConfigLogInfo(NULL, "Setting permissions to %o, mask: %o, perms: %o, current: %o", new_perms, mask, perms, statbuf.st_mode);
     if (has_perms_or_mask && (new_perms != statbuf.st_mode))
     {
+        OsConfigLogInfo(NULL, "Setting permissions to %o", new_perms);
         if (chmod(args["filename"].c_str(), new_perms) < 0)
         {
             logstream << "ERROR: Chmod error";

src/modules/test/recipes/compliance/EnsureFilePermissions.json

@@ -70,9 +70,14 @@
     "ObjectName": "auditTest",
     "Payload": "PASS{ ensureFilePermissions: ensureFilePermissions for '\/tmp/testfile'  } == TRUE"
   },
-
+  {
+    "RunCommand": "stat /tmp/testfile | grep 'Access: (0777\/-rwxrwxrwx)'"
+  },
 
 
+  {
+    "RunCommand": "touch /tmp/testfile && chmod 777 /tmp/testfile && chown root:root /tmp/testfile"
+  },
   {
     "ObjectType": "Desired",
     "ComponentName": "Compliance",
@@ -83,7 +88,7 @@
     "ObjectType": "Reported",
     "ComponentName": "Compliance",
     "ObjectName": "auditTest",
-    "Payload": "PASS{ ensureFilePermissions: ensureFilePermissions for '\/tmp\/testfile'  } == TRUE"
+    "Payload": "{ ensureFilePermissions: ensureFilePermissions for '\/tmp\/testfile' Invalid permissions - are 0777 should be 0644 with mask 7777 } == FALSE"
   },
   {
     "ObjectType": "Desired",
@@ -100,6 +105,9 @@
 
 
 
+  {
+    "RunCommand": "touch /tmp/testfile && chmod 777 /tmp/testfile && chown root:root /tmp/testfile"
+  },
   {
     "ObjectType": "Desired",
     "ComponentName": "Compliance",
@@ -112,9 +120,6 @@
     "ObjectName": "auditTest",
     "Payload": "{ ensureFilePermissions: ensureFilePermissions for '\/tmp/testfile' Invalid user - is 'root' should be 'foo' } == FALSE"
   },
-
-
-
   {
     "ObjectType": "Desired",
     "ComponentName": "Compliance",
@@ -170,9 +175,6 @@
     "ObjectName": "auditTest",
     "Payload": "PASS{ ensureFilePermissions: ensureFilePermissions for '\/tmp/testfile'  } == TRUE"
   },
-
-
-
   {
     "ObjectType": "Desired",
     "ComponentName": "Compliance",
@@ -183,7 +185,7 @@
     "ObjectType": "Reported",
     "ComponentName": "Compliance",
     "ObjectName": "auditTest",
-    "Payload": "{ ensureFilePermissions: ensureFilePermissions for '\/tmp\/testfile' Invalid permissions - are 777 should be 600 with mask 177 } == FALSE"
+    "Payload": "{ ensureFilePermissions: ensureFilePermissions for '\/tmp\/testfile' Invalid permissions - are 0777 should be 0600 with mask 0177 } == FALSE"
   },
 
 
@@ -213,7 +215,7 @@
     "ObjectType": "Reported",
     "ComponentName": "Compliance",
     "ObjectName": "auditTest",
-    "Payload": "{ ensureFilePermissions: ensureFilePermissions for '\/tmp\/testfile' Invalid permissions - are 777 should be 600 with mask 177 } == FALSE"
+    "Payload": "{ ensureFilePermissions: ensureFilePermissions for '\/tmp\/testfile' Invalid permissions - are 0777 should be 0600 with mask 0177 } == FALSE"
   },
   {
     "ObjectType": "Desired",
@@ -227,7 +229,9 @@
     "ObjectName": "auditTest",
     "Payload": "PASS{ ensureFilePermissions: ensureFilePermissions for '\/tmp/testfile'  } == TRUE"
   },
-
+  {
+    "RunCommand": "stat /tmp/testfile | grep 'Access: (0600\/-rw-------)'"
+  },
 
 
   {
@@ -267,14 +271,17 @@
     "ObjectType": "Desired",
     "ComponentName": "Compliance",
     "ObjectName": "remediateTest",
-    "Payload": "MASK=177 USER=root GROUP=bar"
+    "Payload": "MASK=133 USER=root GROUP=bar"
   },
   {
     "ObjectType": "Reported",
     "ComponentName": "Compliance",
     "ObjectName": "auditTest",
     "Payload": "PASS{ ensureFilePermissions: ensureFilePermissions for '\/tmp\/testfile'  } == TRUE"
   },
+  {
+    "RunCommand": "stat /tmp/testfile | grep 'Access: (0644\/-rw-r--r--)  Uid: (    0\/    root)   Gid: ( 1001\/     bar)'"
+  },
 
 
 
@@ -302,6 +309,133 @@
     "ObjectName": "auditTest",
     "Payload": "PASS{ ensureFilePermissions: ensureFilePermissions for '\/tmp\/testfile'  } == TRUE"
   },
+  {
+    "RunCommand": "stat /tmp/testfile | grep 'Access: (0600\/-rw-------)  Uid: ( 1001\/     foo)   Gid: ( 1001\/     bar)'"
+  },
+
+
+  {
+    "ObjectType": "Desired",
+    "ComponentName": "Compliance",
+    "ObjectName": "procedureTest",
+    "Payload": {
+      "audit": {
+        "ensureFilePermissions": {
+          "filename": "/tmp/testfile",
+          "user": "$USER",
+          "permissions": "$PERMISSIONS",
+          "group": "$GROUP",
+          "mask": "$MASK"
+        }
+      },
+      "remediate": {
+        "ensureFilePermissions": {
+          "filename": "/tmp/testfile",
+          "user": "$USER",
+          "permissions": "$PERMISSIONS",
+          "group": "$GROUP",
+          "mask": "$MASK"
+        }
+      },
+      "parameters": {
+        "USER": "root",
+        "GROUP": "root",
+        "PERMISSIONS": "000",
+        "MASK": "777"
+      }
+    }
+  },
+  {
+    "RunCommand": "touch /tmp/testfile && chmod 777 /tmp/testfile && chown root:root /tmp/testfile"
+  },
+  {
+    "ObjectType": "Reported",
+    "ComponentName": "Compliance",
+    "ObjectName": "auditTest",
+    "Payload": "{ ensureFilePermissions: ensureFilePermissions for '\/tmp\/testfile' Invalid permissions - are 0777 should be 0000 with mask 0777 } == FALSE"
+  },
+
+
+
+  {
+    "ObjectType": "Desired",
+    "ComponentName": "Compliance",
+    "ObjectName": "initTest",
+    "Payload": "PERMISSIONS=777"
+  },
+  {
+    "ObjectType": "Reported",
+    "ComponentName": "Compliance",
+    "ObjectName": "auditTest",
+    "Payload": "PASS{ ensureFilePermissions: ensureFilePermissions for '\/tmp\/testfile'  } == TRUE"
+  },
+
+
+
+  {
+    "ObjectType": "Desired",
+    "ComponentName": "Compliance",
+    "ObjectName": "initTest",
+    "Payload": "PERMISSIONS=100 MASK=100"
+  },
+  {
+    "ObjectType": "Reported",
+    "ComponentName": "Compliance",
+    "ObjectName": "auditTest",
+    "Payload": "PASS{ ensureFilePermissions: ensureFilePermissions for '\/tmp\/testfile'  } == TRUE"
+  },
+
+
+
+  {
+    "ObjectType": "Desired",
+    "ComponentName": "Compliance",
+    "ObjectName": "initTest",
+    "Payload": "PERMISSIONS=333 MASK=777"
+  },
+  {
+    "ObjectType": "Reported",
+    "ComponentName": "Compliance",
+    "ObjectName": "auditTest",
+    "Payload": "{ ensureFilePermissions: ensureFilePermissions for '\/tmp\/testfile' Invalid permissions - are 0777 should be 0333 with mask 0777 } == FALSE"
+  },
+
+
+
+  {
+    "ObjectType": "Desired",
+    "ComponentName": "Compliance",
+    "ObjectName": "remediateTest",
+    "Payload": "PERMISSIONS=333 MASK=777"
+  },
+  {
+    "ObjectType": "Reported",
+    "ComponentName": "Compliance",
+    "ObjectName": "auditTest",
+    "Payload": "PASS{ ensureFilePermissions: ensureFilePermissions for '\/tmp\/testfile'  } == TRUE"
+  },
+  {
+    "RunCommand": "stat /tmp/testfile | grep 'Access: (0333\/--wx-wx-wx)'"
+  },
+
+
+
+  {
+    "ObjectType": "Desired",
+    "ComponentName": "Compliance",
+    "ObjectName": "remediateTest",
+    "Payload": "PERMISSIONS=1000 MASK=1000"
+  },
+  {
+    "ObjectType": "Reported",
+    "ComponentName": "Compliance",
+    "ObjectName": "auditTest",
+    "Payload": "PASS{ ensureFilePermissions: ensureFilePermissions for '\/tmp\/testfile'  } == TRUE"
+  },
+  {
+    "RunCommand": "stat /tmp/testfile | grep 'Access: (1333\/--wx-wx-wt)'"
+  },
+
 
 
   {