Skip to content

Add new version of systemd parameter checks#1219

Open
robertwoj-microsoft wants to merge 2 commits intodevfrom
robertwoj/procedures/36002001
Open

Add new version of systemd parameter checks#1219
robertwoj-microsoft wants to merge 2 commits intodevfrom
robertwoj/procedures/36002001

Conversation

@robertwoj-microsoft
Copy link
Contributor

@robertwoj-microsoft robertwoj-microsoft commented Nov 25, 2025
edited
Loading

Description

Add new version of systemd parameter checks

  • CIS has reworked the way they match parameter values from regular expressions to matching on section, key and value with few operators
  • Use readlink to follow CIS guideline for both systemd parameter versions (symlink resolution).
  • The comparison handling is planned to be generalized across procedures in a follow-up PR.

Checklist

  • I have read the contribution guidelines.
  • I added unit-tests to validate my changes. All unit tests are passing.
  • I have merged the latest dev branch prior to this PR submission.
  • I ran pre-commit on my changes prior to this PR submission.
  • I submitted this PR against the dev branch.

@robertwoj-microsoft
Add new version of systemd parameter checks
4d58498 
- CIS has reworked the way they match parameter values from regular
  expressions to matching on section, key and value with few operators
@robertwoj-microsoft robertwoj-microsoft requested review from a team as code owners November 25, 2025 13:39
@github-actions
Copy link

github-actions bot commented Nov 25, 2025
edited
Loading

Test Results

    21 files   -     43   1 281 suites  +1 217   33m 55s ⏱️ - 24m 24s
 1 018 tests + 1 010   1 018 ✅ + 1 010  0 💤 ± 0  0 ❌ ±0 
21 378 runs  +21 122  21 378 ✅ +21 144  0 💤  - 22  0 ❌ ±0 

Results for commit 2989a89. ± Comparison against base commit 167271a.

This pull request removes 8 and adds 1018 tests. Note that renamed tests count towards both. 
/home/user1/UniversalNRP.Tests.ps1 ‑ Validate Universal NRP.Get.Ensure all resource instances have status
/home/user1/UniversalNRP.Tests.ps1 ‑ Validate Universal NRP.Get.Ensure resons are properly populated
/home/user1/UniversalNRP.Tests.ps1 ‑ Validate Universal NRP.Get.Ensure the total resource instances count
/home/user1/UniversalNRP.Tests.ps1 ‑ Validate Universal NRP.Set.Perform remediation
/mnt/vss/_work/azure-osconfig/azure-osconfig/src/tests/universal-nrp-e2e/UniversalNRP.Tests.ps1 ‑ Validate Universal NRP.Get.Ensure all resource instances have status
/mnt/vss/_work/azure-osconfig/azure-osconfig/src/tests/universal-nrp-e2e/UniversalNRP.Tests.ps1 ‑ Validate Universal NRP.Get.Ensure resons are properly populated
/mnt/vss/_work/azure-osconfig/azure-osconfig/src/tests/universal-nrp-e2e/UniversalNRP.Tests.ps1 ‑ Validate Universal NRP.Get.Ensure the total resource instances count
/mnt/vss/_work/azure-osconfig/azure-osconfig/src/tests/universal-nrp-e2e/UniversalNRP.Tests.ps1 ‑ Validate Universal NRP.Set.Perform remediation

AuditdRulesCheckTest ‑ AuditctlCommandFails
AuditdRulesCheckTest ‑ ExcludeOptionsSkipsMatchingRules
AuditdRulesCheckTest ‑ ImmutableRuleCompliant
AuditdRulesCheckTest ‑ ImmutableRuleMissingIsNonCompliant
AuditdRulesCheckTest ‑ InvalidExcludeOptionsRegexReturnsError
AuditdRulesCheckTest ‑ InvalidOverridePathReturnsNonCompliant
AuditdRulesCheckTest ‑ InvalidRequiredOptionsRegexReturnsError
AuditdRulesCheckTest ‑ MultiSyscallOneMissingInFilesIsNonCompliant
AuditdRulesCheckTest ‑ OverridePathMissingFileRuleIsNonCompliant
AuditdRulesCheckTest ‑ OverridePathWithMatchingFileRuleIsCompliant
…

♻️ This comment has been updated with latest results.

AhmedBM
AhmedBM reviewed Dec 2, 2025
View reviewed changes
src/modules/complianceengine/src/lib/procedures/EnsureSystemdParameter.cpp
auto result = SystemdCatConfig(filename, context);
if (!result.HasValue())
{
OsConfigLogError(context.GetLogHandle(), "Failed to execute systemd-analyze command: %s", result.Error().message.c_str());
Copy link
Contributor

@AhmedBM AhmedBM Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OSConfigTelemetryStatusTrace as well?

kkanas
kkanas approved these changes Jan 14, 2026
View reviewed changes
src/modules/complianceengine/src/lib/SystemdCatConfig.cpp
namespace
{
auto result = context.ExecuteCommand("systemd-analyze cat-config " + filename);
Result<std::string> DetermineCommandPath(const std::string& command, const ContextInterface& context)
Copy link
Contributor

@kkanas kkanas Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we make it more generic by passing const std::vectorstd::string paths, etc ... ?

src/modules/complianceengine/tests/procedures/SystemdConfigTest.cpp
const auto filename = mContext.MakeTempfile("");
const std::string systemdOutput =
"# /etc/systemd/test.conf\n"
"[foo]\n"
Copy link
Contributor

@kkanas kkanas Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pleas add test for

[broken_section

and

[] # invalid no name section

and lastly

          [space_idented_section_that_we_do_not_support]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kkanas kkanas kkanas approved these changes

+1 more reviewer

@AhmedBM AhmedBM AhmedBM approved these changes

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@robertwoj-microsoft @AhmedBM @kkanas