SystemdParameter: block parameter do not need [], add Journal.Compress=yes as default

kkanas · kkanas · commit a4db680942f7 · 2026-03-18T12:50:11.000+01:00
Signed-off-by: Krzysztof Kanas &lt;kkanas@microsoft.com&gt;
diff --git a/src/modules/complianceengine/src/lib/procedures/SystemdConfig.cpp b/src/modules/complianceengine/src/lib/procedures/SystemdConfig.cpp
@@ -21,6 +21,14 @@ namespace
 // Maps (block, parameter) -> (value, sourceFile)
 typedef std::map<std::pair<std::string, std::string>, std::pair<std::string, std::string>> SystemdConfigMap_t;
 
+const SystemdConfigMap_t& GetSystemdConfigDefaults()
+{
+    static const SystemdConfigMap_t defaults = {
+        {{"[Journal]", "Compress"}, {"yes", "<default>"}},
+    };
+    return defaults;
+}
+
 Result<bool> GetSystemdConfig(SystemdConfigMap_t& config, const std::string& filename, ContextInterface& context)
 {
     auto result = context.ExecuteCommand("/usr/bin/systemd-analyze cat-config " + filename);
@@ -67,6 +75,14 @@ Result<bool> GetSystemdConfig(SystemdConfigMap_t& config, const std::string& fil
         std::string value = line.substr(eqSign + 1);
         config[std::make_pair(currentBlock, key)] = std::make_pair(value, currentConfig);
     }
+
+    // Merge defaults: only insert entries not already present (parsed config wins)
+    for (const auto& entry : GetSystemdConfigDefaults())
+    {
+        if (config.find(entry.first) == config.end())
+            config.insert(entry);
+    }
+
     return true;
 }
 } // namespace
@@ -160,7 +176,9 @@ Result<Status> AuditSystemdParameter(const SystemdParameterParams& params, Indic
     SystemdConfigMap_t::const_iterator paramIt = config.end();
     if (params.block.HasValue())
     {
-        paramIt = config.find(std::make_pair(params.block.Value(), params.parameter));
+        auto block = params.block.Value();
+        block = "[" + block + "]";
+        paramIt = config.find(std::make_pair(block, params.parameter));
     }
     else
     {
@@ -178,8 +196,10 @@ Result<Status> AuditSystemdParameter(const SystemdParameterParams& params, Indic
     {
         if (params.block.HasValue())
         {
-            OsConfigLogInfo(log, "Parameter '%s' not found in block '%s'", params.parameter.c_str(), params.block->c_str());
-            return indicators.NonCompliant("Parameter '" + params.parameter + "' not found in block '" + params.block.Value() + "'");
+            auto block = params.block.Value();
+            block = "[" + block + "]";
+            OsConfigLogInfo(log, "Parameter '%s' not found in block '%s'", params.parameter.c_str(), block.c_str());
+            return indicators.NonCompliant("Parameter '" + params.parameter + "' not found in block '" + block + "'");
         }
         else
         {
diff --git a/src/modules/complianceengine/tests/procedures/SystemdConfigTest.cpp b/src/modules/complianceengine/tests/procedures/SystemdConfigTest.cpp
@@ -643,7 +643,7 @@ TEST_F(SystemdConfigTest, BlockParameterFoundInCorrectBlock)
     params.parameter = "Restart";
     params.valueRegex = regex("^always$");
     params.file = "test.conf";
-    params.block = std::string("[Service]");
+    params.block = std::string("Service");
 
     auto result = AuditSystemdParameter(params, mIndicators, mContext);
     ASSERT_TRUE(result.HasValue());
@@ -666,7 +666,7 @@ TEST_F(SystemdConfigTest, BlockParameterNotFoundInWrongBlock)
     params.parameter = "Restart";
     params.valueRegex = regex("^always$");
     params.file = "test.conf";
-    params.block = std::string("[Unit]");
+    params.block = std::string("Unit");
 
     auto result = AuditSystemdParameter(params, mIndicators, mContext);
     ASSERT_TRUE(result.HasValue());
@@ -686,7 +686,7 @@ TEST_F(SystemdConfigTest, BlockParameterNotFoundInNonexistentBlock)
     params.parameter = "ExecStart";
     params.valueRegex = regex(".*");
     params.file = "test.conf";
-    params.block = std::string("[Install]");
+    params.block = std::string("Install");
 
     auto result = AuditSystemdParameter(params, mIndicators, mContext);
     ASSERT_TRUE(result.HasValue());
@@ -709,7 +709,7 @@ TEST_F(SystemdConfigTest, SameParameterInDifferentBlocksWithBlockFilter)
     params.op = SystemdParameterOperator::Equal;
     params.value = std::string("stream");
     params.file = "test.conf";
-    params.block = std::string("[Socket]");
+    params.block = std::string("Socket");
 
     auto result = AuditSystemdParameter(params, mIndicators, mContext);
     ASSERT_TRUE(result.HasValue());
@@ -755,7 +755,7 @@ TEST_F(SystemdConfigTest, BlockWithOperatorComparison)
     params.op = SystemdParameterOperator::GreaterOrEqual;
     params.value = std::string("1024");
     params.file = "test.conf";
-    params.block = std::string("[Service]");
+    params.block = std::string("Service");
 
     auto result = AuditSystemdParameter(params, mIndicators, mContext);
     ASSERT_TRUE(result.HasValue());
@@ -783,3 +783,60 @@ TEST_F(SystemdConfigTest, ParameterWithoutBlockHeaderFoundWithoutBlockFilter)
     ASSERT_TRUE(result.HasValue());
     ASSERT_EQ(result.Value(), Status::Compliant);
 }
+
+TEST_F(SystemdConfigTest, JournalCompressUsesDefaultWhenOutputHasNoJournalSection)
+{
+    std::string systemdOutput = "# /etc/systemd/journald.conf\n";
+
+    EXPECT_CALL(mContext, ExecuteCommand(::testing::HasSubstr("/usr/bin/systemd-analyze cat-config journald.conf"))).WillOnce(Return(Result<std::string>(systemdOutput)));
+
+    SystemdParameterParams params;
+    params.parameter = "Compress";
+    params.valueRegex = regex("^yes$");
+    params.file = "journald.conf";
+    params.block = std::string("Journal");
+
+    auto result = AuditSystemdParameter(params, mIndicators, mContext);
+    ASSERT_TRUE(result.HasValue());
+    ASSERT_EQ(result.Value(), Status::Compliant);
+}
+
+TEST_F(SystemdConfigTest, JournalCompressUsesDefaultWhenJournalSectionHasNoCompressLine)
+{
+    std::string systemdOutput =
+        "# /etc/systemd/journald.conf\n"
+        "[Journal]\n"
+        "Storage=auto\n";
+
+    EXPECT_CALL(mContext, ExecuteCommand(::testing::HasSubstr("/usr/bin/systemd-analyze cat-config journald.conf"))).WillOnce(Return(Result<std::string>(systemdOutput)));
+
+    SystemdParameterParams params;
+    params.parameter = "Compress";
+    params.valueRegex = regex("^yes$");
+    params.file = "journald.conf";
+    params.block = std::string("Journal");
+
+    auto result = AuditSystemdParameter(params, mIndicators, mContext);
+    ASSERT_TRUE(result.HasValue());
+    ASSERT_EQ(result.Value(), Status::Compliant);
+}
+
+TEST_F(SystemdConfigTest, JournalCompressOverrideWinsOverDefaultCompliant)
+{
+    std::string systemdOutput =
+        "# /etc/systemd/journald.conf\n"
+        "[Journal]\n"
+        "Compress=no\n";
+
+    EXPECT_CALL(mContext, ExecuteCommand(::testing::HasSubstr("/usr/bin/systemd-analyze cat-config journald.conf"))).WillOnce(Return(Result<std::string>(systemdOutput)));
+
+    SystemdParameterParams params;
+    params.parameter = "Compress";
+    params.valueRegex = regex("^no$");
+    params.file = "journald.conf";
+    params.block = std::string("Journal");
+
+    auto result = AuditSystemdParameter(params, mIndicators, mContext);
+    ASSERT_TRUE(result.HasValue());
+    ASSERT_EQ(result.Value(), Status::Compliant);
+}

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,14 @@ namespace`
`21`	`21`	`// Maps (block, parameter) -> (value, sourceFile)`
`22`	`22`	`typedef std::map<std::pair<std::string, std::string>, std::pair<std::string, std::string>> SystemdConfigMap_t;`
`23`	`23`
	`24`	`+const SystemdConfigMap_t& GetSystemdConfigDefaults()`
	`25`	`+{`
	`26`	`+ static const SystemdConfigMap_t defaults = {`
	`27`	`+ {{"[Journal]", "Compress"}, {"yes", "<default>"}},`
	`28`	`+ };`
	`29`	`+ return defaults;`
	`30`	`+}`
	`31`	`+`
`24`	`32`	`Result<bool> GetSystemdConfig(SystemdConfigMap_t& config, const std::string& filename, ContextInterface& context)`
`25`	`33`	`{`
`26`	`34`	`auto result = context.ExecuteCommand("/usr/bin/systemd-analyze cat-config " + filename);`
`@@ -67,6 +75,14 @@ Result<bool> GetSystemdConfig(SystemdConfigMap_t& config, const std::string& fil`
`67`	`75`	`std::string value = line.substr(eqSign + 1);`
`68`	`76`	`config[std::make_pair(currentBlock, key)] = std::make_pair(value, currentConfig);`
`69`	`77`	`}`
	`78`	`+`
	`79`	`+ // Merge defaults: only insert entries not already present (parsed config wins)`
	`80`	`+ for (const auto& entry : GetSystemdConfigDefaults())`
	`81`	`+ {`
	`82`	`+ if (config.find(entry.first) == config.end())`
	`83`	`+ config.insert(entry);`
	`84`	`+ }`
	`85`	`+`
`70`	`86`	`return true;`
`71`	`87`	`}`
`72`	`88`	`} // namespace`
`@@ -160,7 +176,9 @@ Result<Status> AuditSystemdParameter(const SystemdParameterParams& params, Indic`
`160`	`176`	`SystemdConfigMap_t::const_iterator paramIt = config.end();`
`161`	`177`	`if (params.block.HasValue())`
`162`	`178`	`{`
`163`		`- paramIt = config.find(std::make_pair(params.block.Value(), params.parameter));`
	`179`	`+ auto block = params.block.Value();`
	`180`	`+ block = "[" + block + "]";`
	`181`	`+ paramIt = config.find(std::make_pair(block, params.parameter));`
`164`	`182`	`}`
`165`	`183`	`else`
`166`	`184`	`{`
`@@ -178,8 +196,10 @@ Result<Status> AuditSystemdParameter(const SystemdParameterParams& params, Indic`
`178`	`196`	`{`
`179`	`197`	`if (params.block.HasValue())`
`180`	`198`	`{`
`181`		`- OsConfigLogInfo(log, "Parameter '%s' not found in block '%s'", params.parameter.c_str(), params.block->c_str());`
`182`		`- return indicators.NonCompliant("Parameter '" + params.parameter + "' not found in block '" + params.block.Value() + "'");`
	`199`	`+ auto block = params.block.Value();`
	`200`	`+ block = "[" + block + "]";`
	`201`	`+ OsConfigLogInfo(log, "Parameter '%s' not found in block '%s'", params.parameter.c_str(), block.c_str());`
	`202`	`+ return indicators.NonCompliant("Parameter '" + params.parameter + "' not found in block '" + block + "'");`
`183`	`203`	`}`
`184`	`204`	`else`
`185`	`205`	`{`