Archive, check,json and exec command with firejail for inspec

.license_scout.yml

@@ -99,6 +99,7 @@ allowed_licenses:
   - w32-Authors
   - WTFPL
   - Zlib
+  - GPL-2.0
 
 fallbacks:
   golang:

components/compliance-service/api/jobs/server/server.go

@@ -40,21 +40,21 @@ var empty = pb.Empty{}
 
 // New creates a new jobs server
 func New(db *pgdb.DB, connFactory *secureconn.Factory, eventsClient automate_event.EventServiceClient,
-	managerEndpoint string, cerealManager *cereal.Manager) *Server {
+	managerEndpoint string, cerealManager *cereal.Manager, fireJailExecProfilePath string) *Server {
 	conf := &Server{
 		db:           db,
 		connFactory:  connFactory,
 		eventsClient: eventsClient,
 	}
-	conf.getComplianceAndSecretsConnection(connFactory, db, managerEndpoint, cerealManager)
+	conf.getComplianceAndSecretsConnection(connFactory, db, managerEndpoint, cerealManager, fireJailExecProfilePath)
 	return conf
 }
 
 // get the ManagerClient, NodesClient, and IngestClient to be able to set up the scheduler server
 // the scheduler server is used to call the inspec-agent
 func (srv *Server) getComplianceAndSecretsConnection(
 	connectionFactory *secureconn.Factory, db *pgdb.DB,
-	managerEndpoint string, cerealManager *cereal.Manager) {
+	managerEndpoint string, cerealManager *cereal.Manager, fireJailExecProfilePath string) {
 	if managerEndpoint == "" {
 		logrus.Errorf("complianceEndpoint and managerEndpoint cannot be empty or Dial will get stuck")
 		return
@@ -78,7 +78,7 @@ func (srv *Server) getComplianceAndSecretsConnection(
 		return
 	}
 
-	scanner := scanner.New(mgrClient, nodesClient, db)
+	scanner := scanner.New(mgrClient, nodesClient, db, fireJailExecProfilePath)
 	srv.schedulerServer = scheduler.New(scanner, cerealManager)
 }
 

components/compliance-service/api/profiles/server/pgserver.go

@@ -29,11 +29,13 @@ import (
 
 // PGProfileServer implements the profile store GRPC interface
 type PGProfileServer struct {
-	es           *relaxting.ES2Backend
-	esClient     *ingestic.ESClient
-	profiles     *config.Profiles
-	store        *dbstore.Store
-	eventsClient automate_event.EventServiceClient
+	es                      *relaxting.ES2Backend
+	esClient                *ingestic.ESClient
+	profiles                *config.Profiles
+	store                   *dbstore.Store
+	eventsClient            automate_event.EventServiceClient
+	firejailProfilePath     string
+	fireJailExecProfilePath string
 }
 
 func (srv *PGProfileServer) convertProfileToTgz(reader io.ReadCloser, contentType string) (string, error) {
@@ -69,7 +71,7 @@ func (srv *PGProfileServer) convertProfileToTgz(reader io.ReadCloser, contentTyp
 			return "", err
 		}
 
-		err = util.ConvertZipToTarGz(tmpZipUpload, tmpWithSuffix)
+		err = util.ConvertZipToTarGz(tmpZipUpload, tmpWithSuffix, srv.firejailProfilePath)
 		if err != nil {
 			return "", err
 		}
@@ -80,15 +82,15 @@ func (srv *PGProfileServer) convertProfileToTgz(reader io.ReadCloser, contentTyp
 func (srv *PGProfileServer) storeProfile(owner string, cacheFile string) (inspec.CheckResult, error) {
 	var inspecCheckResult inspec.CheckResult
 	// Run InSpec check
-	inspecCheckResult, err := market.CheckProfile(cacheFile)
+	inspecCheckResult, err := market.CheckProfile(cacheFile, srv.firejailProfilePath)
 	if err != nil {
 		logrus.Errorf("Create CheckProfile error: %s", err.Error())
 		inspecCheckResult.Summary.Valid = false
 		inspecCheckResult.Errors = []inspec.CheckMessage{{Msg: err.Error()}}
 		return inspecCheckResult, status.Error(codes.InvalidArgument, err.Error())
 	}
 
-	sha256, tar, info, err := srv.store.GetProfileInfo(cacheFile)
+	sha256, tar, info, err := srv.store.GetProfileInfo(cacheFile, srv.firejailProfilePath)
 	if err != nil {
 		logrus.Errorf("Create GetProfileInfo error: %s", err.Error())
 		inspecCheckResult.Summary.Valid = false

components/compliance-service/api/profiles/server/profiles.go

@@ -14,21 +14,23 @@ import (
 
 // New creates a new server
 func New(db *pgdb.DB, esBackend *relaxting.ES2Backend, esClient *ingestic.ESClient, profiles *config.Profiles,
-	eventsClient automate_event.EventServiceClient, statusSrv *statusserver.Server) *PGProfileServer {
+	eventsClient automate_event.EventServiceClient, statusSrv *statusserver.Server, firejailProfilePath string, fireJailExecProfilePath string) *PGProfileServer {
 
 	srv := &PGProfileServer{
-		profiles:     profiles,
-		es:           esBackend,
-		esClient:     esClient,
-		store:        &dbstore.Store{DB: db},
-		eventsClient: eventsClient,
+		profiles:                profiles,
+		es:                      esBackend,
+		esClient:                esClient,
+		store:                   &dbstore.Store{DB: db},
+		eventsClient:            eventsClient,
+		firejailProfilePath:     firejailProfilePath,
+		fireJailExecProfilePath: fireJailExecProfilePath,
 	}
 
 	// TODO: unbundle object creation from service bootup sanity check
 
 	statusserver.AddMigrationUpdate(statusSrv, statusserver.MigrationLabelPRO, "Ensuring Market profiles are up-to-date...")
 	// ensure all market profiles are up to date
-	err := srv.store.LoadMarketProfiles(profiles.MarketPath)
+	err := srv.store.LoadMarketProfiles(profiles.MarketPath, firejailProfilePath)
 	if err != nil {
 		logrus.Errorf("could not ensure all market profiles are up to date: %v", err)
 	}

components/compliance-service/cmd/compliance-service/cmd/run.go

@@ -111,7 +111,8 @@ func init() {
 	runCmd.Flags().IntVar(&conf.Service.LcrOpenSearchRequests, "lcr-open-search-requests", conf.Service.LcrOpenSearchRequests, "number of concurrent requests to communicate with open search for large compliance reporting")
 	runCmd.Flags().BoolVar(&conf.Service.EnableEnhancedReporting, "enable-enhanced-reporting", false, "upgrade to support enhanced compliance reporting")
 	runCmd.Flags().IntVar(&conf.Service.ControlsPopulatorsCount, "control-populators-count", 1, "Number of  workers for control workers")
-
+	runCmd.Flags().StringVar(&conf.Service.FirejailProfilePath, "firejail-profile-path", conf.Service.FirejailProfilePath, "Firejail profile path")
+	runCmd.Flags().StringVar(&conf.Service.FireJailExecProfilePath, "firejail-exec-profile-path", conf.Service.FireJailExecProfilePath, "Firejail profile path for exec")
 	// Postgres Config Flags
 	runCmd.Flags().StringVar(&conf.Postgres.ConnectionString, "postgres-uri", conf.Postgres.ConnectionString, "PostgreSQL connection string to use")
 	runCmd.Flags().StringVar(&conf.Postgres.Database, "postgres-database", "", "PostgreSQL database to use. Will override postgres-uri")

components/compliance-service/compliance.go

@@ -231,11 +231,11 @@ func serveGrpc(ctx context.Context, db *pgdb.DB, connFactory *secureconn.Factory
 			conf.Service.MessageBufferSize, conf.Service.EnableLargeReporting, cerealManager))
 
 	jobs.RegisterJobsServiceServer(s, jobsserver.New(db, connFactory, eventClient,
-		conf.Manager.Endpoint, cerealManager))
+		conf.Manager.Endpoint, cerealManager, conf.Service.FireJailExecProfilePath))
 	reporting.RegisterReportingServiceServer(s, reportingserver.New(&esr, reportmanagerClient,
 		conf.Service.LcrOpenSearchRequests, db, conf.Service.EnableEnhancedReporting))
 
-	ps := profilesserver.New(db, &esr, ingesticESClient, &conf.Profiles, eventClient, statusSrv)
+	ps := profilesserver.New(db, &esr, ingesticESClient, &conf.Profiles, eventClient, statusSrv, conf.Service.FirejailProfilePath, conf.Service.FireJailExecProfilePath)
 	profiles.RegisterProfilesServiceServer(s, ps)
 	profiles.RegisterProfilesAdminServiceServer(s, ps)
 
@@ -602,8 +602,8 @@ func setup(ctx context.Context, connFactory *secureconn.Factory, conf config.Com
 
 	// set up the scanner, scheduler, and runner servers with needed clients
 	// these are all inspec-agent packages
-	scanner := scanner.New(mgrClient, nodesClient, db)
-	resolver := resolver.New(mgrClient, nodesClient, db, secretsClient)
+	scanner := scanner.New(mgrClient, nodesClient, db, conf.FireJailExecProfilePath)
+	resolver := resolver.New(mgrClient, nodesClient, db, secretsClient, conf.FireJailExecProfilePath)
 
 	err = runner.InitCerealManager(cerealManager, conf.InspecAgent.JobWorkers, ingestClient, scanner, resolver, conf.RemoteInspecVersion)
 	if err != nil {
@@ -703,7 +703,7 @@ type ServiceInfo struct {
 	connFactory *secureconn.Factory
 }
 
-//TODO(jaym) If these don't get exposed in the gateway, we need to provide the http server certs
+// TODO(jaym) If these don't get exposed in the gateway, we need to provide the http server certs
 // this custom route is used by the inspec-agent scanner to retrieve profile tars for scan execution
 func (conf *ServiceInfo) serveCustomRoutes() error {
 	conf.ServerBind = fmt.Sprintf("%s:%d", conf.HostBind, conf.Port)

components/compliance-service/config/types.go

@@ -19,6 +19,8 @@ type Service struct {
 	LcrOpenSearchRequests   int
 	EnableEnhancedReporting bool
 	ControlsPopulatorsCount int
+	FirejailProfilePath     string
+	FireJailExecProfilePath string
 }
 
 // Compliance service specific config options

components/compliance-service/firejail/secureexecprofile.profile

@@ -0,0 +1,90 @@
+include disable-common.inc      # dangerous directories like ~/.ssh and ~/.gnupg
+#include disable-devel.inc      # development tools such as gcc and gdb
+#include disable-exec.inc       # non-executable directories such as /var, /tmp, and /home
+#include disable-interpreters.inc       # perl, python, lua etc.
+include disable-programs.inc    # user configuration for programs such as firefox, vlc etc.
+#include disable-shell.inc      # sh, bash, zsh etc.
+#include disable-xdg.inc        # standard user directories: Documents, Pictures, Videos, Music
+
+### Home Directory Whitelisting ###
+### If something goes wrong, this section is the first one to comment out.
+### Instead, you'll have to relay on the basic blacklisting above.
+#private
+blacklist /hab/cache
+blacklist /hab/etc
+blacklist /hab/svc
+blacklist /hab/launcher
+blacklist /hab/user
+blacklist /hab/studios
+blacklist /hab/sup
+blacklist /hab/pkgs/chef/applications-service
+blacklist /hab/pkgs/chef/automate-dex
+blacklist /hab/pkgs/chef/automate-opensearch
+blacklist /hab/pkgs/chef/backup-gateway
+blacklist /hab/pkgs/chef/deployment-service
+blacklist /hab/pkgs/chef/infra-proxy-service
+blacklist /hab/pkgs/chef/local-user-service
+blacklist /hab/pkgs/chef/report-manager-service
+blacklist /hab/pkgs/chef/authn-service
+blacklist /hab/pkgs/chef/automate-es-gateway
+blacklist /hab/pkgs/chef/automate-pg-gateway
+blacklist /hab/pkgs/chef/cereal-service
+blacklist /hab/pkgs/chef/es-sidecar-service
+blacklist /hab/pkgs/chef/ingest-service
+blacklist /hab/pkgs/chef/mlsa
+blacklist /hab/pkgs/chef/secrets-service
+blacklist /hab/pkgs/chef/authz-service
+blacklist /hab/pkgs/chef/automate-gateway
+blacklist /hab/pkgs/chef/automate-platform-tools
+blacklist /hab/pkgs/chef/compliance-service
+blacklist /hab/pkgs/chef/event-feed-service
+blacklist /hab/pkgs/chef/nodemanager-service
+blacklist /hab/pkgs/chef/session-service
+blacklist /hab/pkgs/chef/automate-cli
+blacklist /hab/pkgs/chef/automate-load-balancer
+blacklist /hab/pkgs/chef/automate-postgresql
+blacklist /hab/pkgs/chef/config-mgmt-service
+blacklist /hab/pkgs/chef/event-gateway
+blacklist /hab/pkgs/chef/license-audit
+blacklist /hab/pkgs/chef/notifications-service
+blacklist /hab/pkgs/chef/teams-service
+blacklist /hab/pkgs/chef/automate-compliance-profiles
+blacklist /hab/pkgs/chef/automate-openjdk
+blacklist /hab/pkgs/chef/automate-ui
+blacklist /hab/pkgs/chef/data-feed-service
+blacklist /hab/pkgs/chef/event-service
+blacklist /hab/pkgs/chef/license-control-service
+blacklist /hab/pkgs/chef/pg-sidecar-service
+blacklist /hab/pkgs/chef/user-settings-service
+read-only /hab/pkgs/chef/inspec
+
+### Filesystem Whitelisting ###
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+#apparmor       # if you have AppArmor running, try this one!
+caps.drop all
+ipc-namespace
+#netfilter
+#no3d   # disable 3D acceleration
+#nodvd  # disable DVD and CD devices
+#nogroups       # disable supplementary user groups
+#noinput        # disable input devices
+nonewprivs
+noroot
+#notv   # disable DVB TV devices
+#nou2f  # disable U2F devices
+#novideo        # disable video capture devices
+##net none
+#ip 127.0.0.1
+protocol unix,inet,inet6,netlink
+#seccomp !chroot        # allowing chroot, just in case this is an Electron app
+#shell none
+#tracelog       # send blacklist violations to syslog
+
+#disable-mnt    # no access to /mnt, /media, /run/mount and /run/media
+#private-bin dash, hab
+#private-cache  # run with an
+#read-only /hab

components/compliance-service/firejail/secureprofile.profile

@@ -0,0 +1,88 @@
+include disable-common.inc      # dangerous directories like ~/.ssh and ~/.gnupg
+#include disable-devel.inc      # development tools such as gcc and gdb
+#include disable-exec.inc       # non-executable directories such as /var, /tmp, and /home
+#include disable-interpreters.inc       # perl, python, lua etc.
+include disable-programs.inc    # user configuration for programs such as firefox, vlc etc.
+#include disable-shell.inc      # sh, bash, zsh etc.
+#include disable-xdg.inc        # standard user directories: Documents, Pictures, Videos, Music
+
+### Home Directory Whitelisting ###
+### If something goes wrong, this section is the first one to comment out.
+### Instead, you'll have to relay on the basic blacklisting above.
+#private 
+blacklist /hab/cache
+blacklist /hab/etc
+blacklist /hab/svc
+blacklist /hab/launcher
+blacklist /hab/user
+blacklist /hab/studios
+blacklist /hab/sup
+blacklist /hab/pkgs/chef/applications-service
+blacklist /hab/pkgs/chef/automate-dex
+blacklist /hab/pkgs/chef/automate-opensearch
+blacklist /hab/pkgs/chef/backup-gateway
+blacklist /hab/pkgs/chef/deployment-service
+blacklist /hab/pkgs/chef/infra-proxy-service
+blacklist /hab/pkgs/chef/local-user-service
+blacklist /hab/pkgs/chef/report-manager-service
+blacklist /hab/pkgs/chef/authn-service
+blacklist /hab/pkgs/chef/automate-es-gateway
+blacklist /hab/pkgs/chef/automate-pg-gateway
+blacklist /hab/pkgs/chef/cereal-service
+blacklist /hab/pkgs/chef/es-sidecar-service
+blacklist /hab/pkgs/chef/ingest-service
+blacklist /hab/pkgs/chef/mlsa
+blacklist /hab/pkgs/chef/secrets-service
+blacklist /hab/pkgs/chef/authz-service
+blacklist /hab/pkgs/chef/automate-gateway
+blacklist /hab/pkgs/chef/automate-platform-tools
+blacklist /hab/pkgs/chef/compliance-service
+blacklist /hab/pkgs/chef/event-feed-service
+blacklist /hab/pkgs/chef/nodemanager-service
+blacklist /hab/pkgs/chef/session-service
+blacklist /hab/pkgs/chef/automate-cli
+blacklist /hab/pkgs/chef/automate-load-balancer
+blacklist /hab/pkgs/chef/automate-postgresql
+blacklist /hab/pkgs/chef/config-mgmt-service
+blacklist /hab/pkgs/chef/event-gateway
+blacklist /hab/pkgs/chef/license-audit
+blacklist /hab/pkgs/chef/notifications-service
+blacklist /hab/pkgs/chef/teams-service
+blacklist /hab/pkgs/chef/automate-compliance-profiles
+blacklist /hab/pkgs/chef/automate-openjdk
+blacklist /hab/pkgs/chef/automate-ui
+blacklist /hab/pkgs/chef/data-feed-service
+blacklist /hab/pkgs/chef/event-service
+blacklist /hab/pkgs/chef/license-control-service
+blacklist /hab/pkgs/chef/pg-sidecar-service
+blacklist /hab/pkgs/chef/user-settings-service
+read-only /hab/pkgs/chef/inspec
+
+### Filesystem Whitelisting ###
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+#apparmor       # if you have AppArmor running, try this one!
+caps.drop all
+ipc-namespace
+netfilter
+#no3d   # disable 3D acceleration
+#nodvd  # disable DVD and CD devices
+#nogroups       # disable supplementary user groups
+#noinput        # disable input devices
+nonewprivs
+noroot
+#notv   # disable DVB TV devices
+#nou2f  # disable U2F devices
+#novideo        # disable video capture devices
+net none
+#seccomp !chroot        # allowing chroot, just in case this is an Electron app
+#shell none
+#tracelog       # send blacklist violations to syslog
+
+#disable-mnt    # no access to /mnt, /media, /run/mount and /run/media
+#private-bin dash, hab
+#private-cache  # run with an
+#read-only /hab

components/compliance-service/habitat/default.toml

@@ -13,6 +13,8 @@ enable_large_reporting = false
 lcr_open_search_requests = 50
 enable_enhanced_compliance_reporting = false
 control_data_populators_count = 1
+firejail_profile_path="secureprofile.profile"
+firejail_exec_profile_path="secureexecprofile.profile"
 
 [storage]
 database = "chef_compliance_service"

components/compliance-service/habitat/hooks/run

@@ -25,6 +25,8 @@ pg-helper migrate-tables-v2 delivery "$DBNAME" \
   agents node_managers results profiles tags jobs jobs_nodes jobs_profiles \
   jobs_tags nodes nodes_agents nodes_secrets nodes_tags
 
+
+
 pg-helper ensure-service-database "$DBNAME"
 
 pg-helper create-extension "$DBNAME" pgcrypto
@@ -57,6 +59,8 @@ CONFIG="$CONFIG --enable-large-reporting={{cfg.service.enable_large_reporting}}"
 CONFIG="$CONFIG --lcr-open-search-requests {{cfg.service.lcr_open_search_requests}}"
 CONFIG="$CONFIG --enable-enhanced-reporting={{cfg.service.enable_enhanced_compliance_reporting}}"
 CONFIG="$CONFIG --control-populators-count {{cfg.service.control_data_populators_count}}"
+CONFIG="$CONFIG --firejail-profile-path {{pkg.path}}/data/firejail/{{cfg.service.firejail_profile_path}}"
+CONFIG="$CONFIG --firejail-exec-profile-path {{pkg.path}}/data/firejail/{{cfg.service.firejail_exec_profile_path}}"
 
 # Interval in minutes to poll for node status.
 CONFIG="$CONFIG --manager-awsec2-poll {{cfg.nodemanager.awsec2_polling_interval}}"
@@ -167,6 +171,10 @@ export HOME="{{pkg.svc_data_path}}"
 
 CONFIG="$CONFIG --inspec-tmp-dir {{pkg.svc_var_path}}/tmp"
 
+
+export FIREJAIL="{{pkgPathFor "core/firejail"}}/bin/firejail"
+
+
 # Start our service
 # shellcheck disable=SC2086
 exec compliance-service run ${CONFIG} ${ES_BACKEND} ${PG_BACKEND}