@MacJediWizard

PatchMonEnhanced-agent v1.5.55 - Comprehensive PR

Base: PatchMon/PatchMon-agent v1.3.7
Head: MacJediWizard/PatchMonEnhanced-agent v1.5.55


Summary

This PR introduces major enhancements to the PatchMon agent including:

  1. Compliance Scanning - OpenSCAP and Docker Bench Security integration
  2. Security Hardening - Input validation, TOCTOU fixes, shell injection prevention
  3. WebSocket Enhancements - New message handlers for compliance and integrations
  4. Performance Improvements - Timeout handling, resource limits

Related GitHub Issues

Upstream Issues (PatchMon/PatchMon) - Related

Issue | Title | Status
PatchMon/PatchMon#92 | Feature Request: Modern Authentication (OIDC, SAML) | Agent supports OIDC auth
PatchMon/PatchMon#159 | [Feature Request] SSO Support | Agent supports SSO

Agent Issues (PatchMonEnhanced-agent) - Resolved

Closed Issues

Issue | Severity | Title
#1 | CRITICAL | TLS Certificate Verification Bypass for Binary Downloads
#17 | CRITICAL | Shell injection via fmt.Sprintf in agent restart helpers
#2 | HIGH | Binary Updates Downloaded Without Signature Verification
#3 | HIGH | Shell Scripts Generated and Executed at Runtime
#4 | HIGH | Docker Bench Container Runs with Elevated Privileges
#9 | HIGH | Insecure TLS skip verify option
#18 | HIGH | TOCTOU race condition in helper script execution
#5 | MEDIUM | Goroutine Leak in WebSocket Connection
#6 | MEDIUM | Error Messages May Leak Sensitive Information
#7 | MEDIUM | Hardcoded Configuration Values Should Be Configurable
#10 | MEDIUM | Resource limits missing for downloads and WebSocket
#11 | MEDIUM | TOCTOU race condition in helper script execution
#12 | MEDIUM | Make binary hash verification mandatory
#23 | MEDIUM | WebSocket message inputs not validated - command injection risk
#24 | MEDIUM | TOCTOU race condition in credentials file creation
#8 | LOW | Directory and File Permissions Should Be More Restrictive
#13 | LOW | Go agent stale code and minor improvements
#14 | Enhancement | Add comprehensive scanner info to compliance status reports
#15 | Enhancement | Add dynamic scanner info display to Compliance Settings
#16 | Enhancement | Docker Image CVE Scanning with oscap-docker

Open Issues (Still in Progress)

Issue | Severity | Title
#19 | CRITICAL | Invalid Go version 1.25 in go.mod
#20 | MEDIUM | TLS verification bypass option should be removed or restricted
#21 | CODE-QUALITY | Docker image update checking is commented out
#22 | Enhancement | Docker Bench Security Integration Improvements

New Features

1. Compliance Scanning (OpenSCAP + Docker Bench)

Full CIS benchmark scanning integration.

OpenSCAP Features:

  • CIS benchmark scanning for Ubuntu, RHEL, Debian
  • SCAP Security Guide (SSG) content support
  • Profile discovery and selection
  • Real-time scan progress via WebSocket
  • Single rule remediation
  • SSG version checking and upgrade capability

Docker Bench Security Features:

  • CIS Docker Benchmark scanning
  • Container security assessment
  • Multi-line remediation parsing
  • Pass/Fail/Warn result categorization

2. Security Improvements

  • WebSocket input validation to prevent command injection
  • TOCTOU (Time-of-Check to Time-of-Use) race condition fixes
  • Credentials file atomic writes
  • Shell injection prevention
  • Improved error message sanitization
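The validation and shell-injection bullets above come down to two habits: allow-list every string that arrives over the WebSocket, and hand values to the scanner as separate argv elements rather than through a shell. The Go below is an added illustration of both, not the agent's own handler code; the regexes, the `ScanMessage` type, the `oscap xccdf eval` argv layout and the datastream path in `main` are this example's assumptions (the `--remediate` and `--fetch-remote-resources` flags are real oscap options).

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"regexp"
)

// ScanMessage carries the fields of the compliance_scan, remediate_rule and
// docker_image_scan payloads listed in this PR. The Go type and field names
// are this example's own, not the agent's.
type ScanMessage struct {
	Type                 string `json:"type"`
	ProfileID            string `json:"profile_id"`
	ProfileType          string `json:"profile_type"`
	RuleID               string `json:"rule_id"`
	EnableRemediation    bool   `json:"enable_remediation"`
	FetchRemoteResources bool   `json:"fetch_remote_resources"`
	ImageName            string `json:"image_name"`
	ContainerName        string `json:"container_name"`
}

// Allow-list patterns modelled on the limits the PR describes. The exact
// regexes are assumptions of this example; imageRe deliberately does not
// accept registry ports (host:5000/repo) to keep the pattern readable.
var (
	idRe        = regexp.MustCompile(`^[A-Za-z0-9_.\-]+$`)
	imageRe     = regexp.MustCompile(`^[a-z0-9]+(?:[._\-/][a-z0-9]+)*(?::[A-Za-z0-9_.\-]+)?(?:@sha256:[a-f0-9]{64})?$`)
	containerRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_.\-]*$`)
)

func checkField(name, value string, max int, re *regexp.Regexp) error {
	if len(value) > max {
		return fmt.Errorf("%s: longer than %d bytes", name, max)
	}
	if !re.MatchString(value) {
		return fmt.Errorf("%s: contains characters outside the allow-list", name)
	}
	return nil
}

// Validate rejects any field that could carry shell metacharacters or extra
// arguments before the message reaches a handler.
func Validate(m ScanMessage) error {
	switch m.Type {
	case "compliance_scan":
		return checkField("profile_id", m.ProfileID, 256, idRe)
	case "remediate_rule":
		if err := checkField("profile_id", m.ProfileID, 256, idRe); err != nil {
			return err
		}
		return checkField("rule_id", m.RuleID, 256, idRe)
	case "docker_image_scan":
		if m.ImageName != "" {
			if err := checkField("image_name", m.ImageName, 512, imageRe); err != nil {
				return err
			}
		}
		if m.ContainerName != "" {
			return checkField("container_name", m.ContainerName, 256, containerRe)
		}
		return nil
	default:
		return fmt.Errorf("unknown message type %q", m.Type)
	}
}

// ParseMessage decodes one raw WebSocket frame and validates it.
func ParseMessage(raw []byte) (ScanMessage, error) {
	var m ScanMessage
	if err := json.Unmarshal(raw, &m); err != nil {
		return m, fmt.Errorf("malformed message: %w", err)
	}
	return m, Validate(m)
}

// OscapArgs turns a validated compliance_scan message into an argv for
// `oscap xccdf eval`. Every value is its own argv element and the command is
// started without a shell, so a value is never re-parsed as shell syntax.
func OscapArgs(m ScanMessage, datastream, resultsFile string) ([]string, error) {
	if err := Validate(m); err != nil {
		return nil, err
	}
	args := []string{"xccdf", "eval", "--profile", m.ProfileID, "--results", resultsFile}
	if m.EnableRemediation {
		args = append(args, "--remediate")
	}
	if m.FetchRemoteResources {
		args = append(args, "--fetch-remote-resources")
	}
	return append(args, datastream), nil
}

func main() {
	// Constructed frames: a benign scan request and one smuggling a second command.
	for _, raw := range []string{
		`{"type":"compliance_scan","profile_id":"xccdf_org.ssgproject.content_profile_cis_level1_server"}`,
		`{"type":"compliance_scan","profile_id":"cis_level1_server; id"}`,
	} {
		m, err := ParseMessage([]byte(raw))
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		// Datastream path is an assumption; SSG installs content under /usr/share/xml/scap/ssg/content/.
		args, _ := OscapArgs(m, "/usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml", "/tmp/results.xml")
		fmt.Println("would run:", exec.Command("oscap", args...).String())
	}
}
```

The length check runs before the regex so an oversized frame is rejected cheaply, and `exec.Command` receives the argv slice directly; there is no `sh -c` and no `fmt.Sprintf` into a command string anywhere on the path, which is the property issue #17 was about.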

3. Compliance On-Demand Only Mode

Control whether compliance scans run during scheduled reports.

Behavior:

  • When enabled: Compliance scans only run when triggered from UI
  • When disabled: Compliance scans run during scheduled agent reports
  • Default: Enabled (on-demand only)

WebSocket Message Handlers

New Message Types Handled

Type | Description | Payload
compliance_scan | Trigger compliance scan | { profile_id, profile_type, enable_remediation, fetch_remote_resources }
upgrade_ssg | Upgrade SSG content | -
remediate_rule | Remediate single rule | { profile_id, profile_type, rule_id }
docker_image_scan | Scan Docker image | { image_name, container_name, scan_all_images }
set_compliance_on_demand_only | Set compliance mode | { on_demand_only }
refresh_integration_status | Refresh integration status | -
docker_inventory_refresh | Refresh Docker inventory | -
integration_toggle | Toggle integration | { integration, enabled }

Messages Sent to Server

Type | Description
integration_status | Integration setup status update
compliance_progress | Scan progress update
compliance_result | Scan completion with results
ssg_upgrade_result | SSG upgrade completion
remediation_result | Remediation completion

Agent Configuration

config.yml

# PatchMon Agent Configuration
patchmon_server: "https://your-server.com"
api_version: "v1"
credentials_file: "/etc/patchmon/credentials.yml"
log_file: "/etc/patchmon/logs/patchmon-agent.log"
log_level: "info"
skip_ssl_verify: false
update_interval: 60          # Minutes between reports
report_offset: 0             # Seconds offset for report timing

# Integration settings
integrations:
  docker: false              # Enable Docker monitoring

# Compliance settings
compliance_on_demand_only: true  # Only run compliance when triggered from UI

New Config Fields

Field | Type | Default | Description
compliance_on_demand_only | Boolean | true | Skip compliance during scheduled reports

Files Changed Summary

  • 83 commits ahead of upstream
  • Key files modified:
    • cmd/patchmon-agent/commands/serve.go - WebSocket handlers
    • cmd/patchmon-agent/commands/report.go - Compliance integration
    • internal/config/config.go - Config management
    • internal/compliance/* - OpenSCAP integration
    • internal/dockerbench/* - Docker Bench integration
    • pkg/models/models.go - Data structures

Breaking Changes

  1. New config field: compliance_on_demand_only added (defaults to true)
  2. WebSocket protocol: New message types added

Version Information

Component | Upstream Version | Enhanced Version
PatchMon-agent | 1.3.7 | 1.5.55

Testing Checklist

  • Compliance scans complete successfully
  • Single rule remediation works
  • SSG upgrade works
  • Docker Bench scanning works
  • Compliance on-demand toggle persists
  • WebSocket handlers work correctly
  • Go lint passes (go fmt, go vet)

Contributors

  • MacJediWizard
  • Claude Opus 4.5 (AI Assistant)

MacJediWizard and others added 30 commits January 2, 2026 17:13
Add compliance scanning integration with OpenSCAP and Docker Bench for Security:

- internal/integrations/compliance/compliance.go: Main integration implementing the Integration interface
- internal/integrations/compliance/openscap.go: OpenSCAP CIS benchmark scanner for Linux hosts
- internal/integrations/compliance/docker_bench.go: Docker Bench for Security scanner
- pkg/models/compliance.go: Data models for compliance scans, results, and payloads
- internal/client/client.go: Add SendComplianceData method for API communication
- cmd/patchmon-agent/commands/report.go: Register compliance integration and send data

The compliance integration follows the existing Docker integration pattern and supports:
- CIS Level 1 and Level 2 server profiles for Ubuntu, Debian, RHEL, Rocky, Alma
- Docker Bench for Security container scanning
- Automatic OS detection for appropriate SCAP content selection
- Score calculation and result status mapping

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Add binary hash verification before update (version_update.go)
- Use restrictive 0700 permissions on helper scripts and /etc/patchmon dir
- Pin Docker Bench image to specific digest with verification (docker_bench.go)
- Add security comments documenting TOCTOU mitigations

Closes #2, #3, #4

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Add prominent TLS bypass warnings in client.go, serve.go, version_update.go (#1)
- Fix goroutine leaks with done channels and WaitGroups (#5)
- Truncate error responses to prevent information leakage (#6)
- Use restrictive file/directory permissions (0700/0750) (#8)

Closes #1, #5, #6, #8
Defers #7 (hardcoded config values) for future enhancement

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Security patch release including:
- TLS certificate verification bypass warnings
- Goroutine leak fixes in WebSocket connections
- Error message truncation to prevent info leakage
- File permission hardening (0700/0750)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Major security release addressing agent-specific issues:

CRITICAL:
- TLS certificate verification bypass now shows prominent warnings

MEDIUM:
- Goroutine leak fixes in WebSocket connections
- Error message truncation to prevent info leakage

LOW:
- File permission hardening (0700/0750)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Fixes build error caused by unused import.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Security fixes:
- Add binary download size limit (100MB max) to prevent DoS (#10)
- Add WebSocket message size limit (64KB max) (#10)
- Make binary hash verification mandatory (#12)

Code cleanup:
- Remove unused ParseTime and FormatTimeForDisplay functions (#13)
- Remove unused OS type constants (#13)
- Remove unused NetTypeLoopback constant (#13)

Closes #10, #12, #13

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
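The commit above pairs a download size cap (100 MB, issue #10) with mandatory hash verification (issue #12). The Go below is an added example of how those two checks compose on a stream, not the agent's `version_update.go`: the body is hashed as it is copied, reading stops one byte past the cap so an oversized response is caught without buffering it, and a missing or malformed expected hash is an error rather than a skipped check. Function names, limits as constants and the sample bytes are this example's own.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Limits named in the PR: 100 MB for binary downloads, 64 KB for WebSocket frames.
const (
	MaxBinaryBytes    int64 = 100 * 1024 * 1024
	MaxWebSocketBytes int64 = 64 * 1024
)

var (
	ErrTooLarge     = errors.New("download exceeds the configured size limit")
	ErrHashMismatch = errors.New("sha256 mismatch: refusing to install binary")
	ErrNoHash       = errors.New("no expected sha256 supplied: verification is mandatory")
)

// CopyVerified streams src into dst while hashing, stops reading one byte past
// maxBytes so an oversized body is detected without buffering it, and only
// reports success if the SHA-256 of everything written equals expectedHex.
// On error the caller must discard dst (for a file: unlink the temp path).
func CopyVerified(dst io.Writer, src io.Reader, maxBytes int64, expectedHex string) (int64, error) {
	expected, err := hex.DecodeString(expectedHex)
	if err != nil || len(expected) != sha256.Size {
		return 0, ErrNoHash
	}
	h := sha256.New()
	n, err := io.Copy(io.MultiWriter(dst, h), io.LimitReader(src, maxBytes+1))
	if err != nil {
		return n, err
	}
	if n > maxBytes {
		return n, ErrTooLarge
	}
	// Constant-time compare: the digest is public, but the habit costs nothing.
	if subtle.ConstantTimeCompare(h.Sum(nil), expected) != 1 {
		return n, ErrHashMismatch
	}
	return n, nil
}

// VerifyBytes is the in-memory convenience form used by main and the tests.
func VerifyBytes(payload []byte, maxBytes int64, expectedHex string) ([]byte, error) {
	var out bytes.Buffer
	if _, err := CopyVerified(&out, bytes.NewReader(payload), maxBytes, expectedHex); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

// HexSHA256 is what a release pipeline would publish next to the binary.
func HexSHA256(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

func main() {
	binary := []byte("constructed stand-in for a patchmon-agent binary")
	published := HexSHA256(binary)

	if _, err := VerifyBytes(binary, MaxBinaryBytes, published); err == nil {
		fmt.Println("genuine build: hash matches, within size limit")
	}
	tampered := append([]byte{}, binary...)
	tampered[0] ^= 0xff
	_, err := VerifyBytes(tampered, MaxBinaryBytes, published)
	fmt.Println("tampered build:", err)
	_, err = VerifyBytes(binary, 16, published)
	fmt.Println("oversized body:", err)
	_, err = VerifyBytes(binary, MaxBinaryBytes, "")
	fmt.Println("missing hash:", err)
}
```

In production the `dst` would be a temp file next to the install path, renamed into place only after `CopyVerified` returns nil. The WebSocket half of issue #10 is a one-liner in most Go libraries; if the agent uses gorilla/websocket (an assumption, the PR does not say), `conn.SetReadLimit(MaxWebSocketBytes)` enforces the 64 KB cap before a frame is allocated.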
- Add shared IsProductionEnvironment() helper in utils package
- Block TLS skip for HTTP client, WebSocket, and version update
- Agent refuses to start if PATCHMON_ENV=production with skip_ssl_verify
- Clear error messages guide users to set PATCHMON_ENV=development

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Add compliance_scan message handler in serve.go for on-demand scans
- Add runComplianceScan function to trigger and send compliance data
- Fix ComplianceResult JSON tag: rule_id -> rule_ref (matches backend)
- Add missing fields to ComplianceResult (description, severity, remediation)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
When compliance integration is enabled via toggle:
- Installs OpenSCAP scanner and SCAP content packages
- Pre-pulls Docker Bench security image

When disabled:
- Cleans up Docker Bench image
- Retains OpenSCAP packages (may be used by other tools)

Supports Debian, RHEL, and SUSE package managers.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
New features:
- Auto-install compliance tools when integration enabled
- Auto-cleanup Docker Bench image when integration disabled

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Added IntegrationSetupStatus model for reporting setup progress
- Added SendIntegrationSetupStatus client method
- toggleIntegration now sends status updates during compliance install/remove
- Reports component-level status (openscap, docker-bench)
- Sends "installing"/"removing" status at start, "ready"/"disabled" at end

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Previously, OpenSCAP packages were retained when disabling compliance.
Now they are removed along with Docker Bench images for a clean uninstall.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Add Version field to root command for --version/-v flag support
- Update version constant to 1.5.2

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Add SetDockerIntegrationEnabled method to compliance integration
- Skip Docker Bench setup/scan when Docker integration is not enabled
- Update serve.go and report.go to set Docker integration status
- Bump version to 1.5.3

This ensures Docker Bench compliance scanning only runs when:
1. Docker integration is explicitly enabled in the UI
2. Docker daemon is actually available on the system

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Updated OpenSCAP scanner to:
- Explicitly upgrade ssg-base and ssg-debderived packages after install
- This ensures Ubuntu 24.04 systems get ssg-base >= 0.1.76 which has
  proper Ubuntu 24.04 CIS benchmark content
- Added checkContentCompatibility() to warn when content doesn't match
  the OS version (helps diagnose "notapplicable" issues)
- Improved logging for content file detection

Fixes issue where scans on Ubuntu 24.04 showed all rules as
"notapplicable" due to using older content files (Ubuntu 22.04).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Add ComplianceScannerDetails struct with OpenSCAP version, content file,
  content package version, available profiles, OS info, and mismatch warnings
- Add ScanProfileInfo struct for describing available scan profiles
- Add GetScannerDetails(), GetContentFilePath(), GetContentPackageVersion()
  methods to OpenSCAPScanner for retrieving detailed scanner information
- Update serve.go to send scanner_info with integration status reports
- Add Docker Bench availability and version info to scanner details
- Enable UI to dynamically display scanner configuration and available profiles

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Add DEBIAN_FRONTEND=noninteractive environment variable
- Add NEEDRESTART_MODE=a to prevent needrestart prompts
- Add dpkg options --force-confdef and --force-confold
- Add context timeouts (5 min for install, 3 min for remove)
- Fixes compliance toggle hanging at 50% progress

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Features:
- Add DiscoverProfiles() to dynamically list all profiles from SCAP content
- Use `oscap info --profiles` to discover available profiles at runtime
- Support profile categorization (CIS, STIG, PCI-DSS, HIPAA, ANSSI, etc.)
- Accept full XCCDF profile IDs directly (xccdf_org.ssgproject.content_...)
- Add ComplianceScanOptions model for future scan configuration

Changes:
- Add categorizeProfile() to classify profiles by type
- Add createShortId() to generate user-friendly profile IDs
- Update getProfileID() to accept both short IDs and full XCCDF IDs
- Add XCCDFId and Category fields to ScanProfileInfo model

This enables the UI to display all available profiles grouped by category.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Remediation Features (per OpenSCAP manual best practices):
- Online remediation: --remediate flag during scan for real-time fixes
- Offline remediation: RunOfflineRemediation() to apply fixes from results
- Script generation: GenerateRemediationScript() for review/manual execution

Scan Options:
- EnableRemediation: Enable automatic fixes during scan
- FetchRemoteResources: Download external OVAL content
- TailoringFile: Use custom tailoring file
- OutputFormat: Support for ARF (Asset Reporting Format)

Model Updates:
- Add RemediationApplied and RemediationCount to ComplianceScan
- Track remediation status in scan results

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Add enable_remediation and fetch_remote_resources to WebSocket payload
- Add runComplianceScanWithOptions function to pass options to scanner
- Add CollectWithOptions method to compliance integration
- Bump version to 1.5.9

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Add openscap-common package for Ubuntu 24.04+
- Separate core OpenSCAP and SSG content package installation
- Add better warnings when SSG content is unavailable
- Improve mismatch warnings with Ubuntu 24.04 specific guidance
- Recommend Canonical's USG tool for Ubuntu Pro users
- Bump version to 1.5.10

Ubuntu 24.04 (Noble Numbat) has limited CIS/STIG content availability
as official benchmarks are not yet publicly released.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Update messaging: CIS/STIG content IS available in ssg-base v0.1.76+
- Update mismatch warnings to suggest upgrading ssg-base package
- Clarify that USG is an alternative, not the only option

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Add SSG version detection and comparison in OpenSCAP scanner
- Add UpgradeSSGContent function to upgrade ssg-base packages
- Add upgrade_ssg WebSocket message handler
- Report SSG version, min version, and upgrade status to backend
- Version 1.5.11

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
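The SSG version detection in the commit above, and the "0.1.71 vs required 0.1.76+" comparison that later drives the GitHub download, need a numeric component-wise compare; plain string comparison would rank "0.1.9" above "0.1.76". The Go below is an added example of that comparison (not the agent's implementation), including stripping a dpkg epoch and Debian revision from what `dpkg-query` returns; the function names and the `MinSSGVersion` constant are this example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// MinSSGVersion is the floor the commits above give for usable Ubuntu 24.04 content.
const MinSSGVersion = "0.1.76"

// UpstreamVersion reduces a dpkg version string to its upstream part:
// "1:0.1.71-1ubuntu1" -> "0.1.71" (epoch and Debian revision dropped).
func UpstreamVersion(v string) string {
	v = strings.TrimSpace(v)
	if i := strings.IndexByte(v, ':'); i >= 0 {
		v = v[i+1:]
	}
	if i := strings.IndexAny(v, "-+~"); i >= 0 {
		v = v[:i]
	}
	return v
}

func component(parts []string, i int) (int, error) {
	if i >= len(parts) {
		return 0, nil // missing trailing component counts as 0: "0.1" == "0.1.0"
	}
	n, err := strconv.Atoi(parts[i])
	if err != nil {
		return 0, fmt.Errorf("non-numeric version component %q", parts[i])
	}
	return n, nil
}

// CompareVersions compares dotted numeric versions component by component and
// returns -1, 0 or 1.
func CompareVersions(a, b string) (int, error) {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		va, err := component(pa, i)
		if err != nil {
			return 0, err
		}
		vb, err := component(pb, i)
		if err != nil {
			return 0, err
		}
		if va != vb {
			if va < vb {
				return -1, nil
			}
			return 1, nil
		}
	}
	return 0, nil
}

// NeedsUpgrade reports whether the installed SSG content is older than minimum.
func NeedsUpgrade(installed, minimum string) (bool, error) {
	c, err := CompareVersions(UpstreamVersion(installed), minimum)
	return c < 0, err
}

func main() {
	for _, v := range []string{"0.1.71-1", "0.1.76", "0.1.79", "0.1.9"} {
		up, err := NeedsUpgrade(v, MinSSGVersion)
		fmt.Printf("installed %-10s needs upgrade: %v (err=%v)\n", v, up, err)
	}
}
```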
- Close stdin on apt commands to prevent waiting for input
- Add APT_LISTCHANGES_FRONTEND=none to suppress changelog prompts
- Add UCF_FORCE_CONFFOLD=1 for ucf config prompts
- Use helper function for consistent apt command setup
- Version 1.5.12

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Log raw messages received from WebSocket
- Log parsed message types
- Log when upgrade_ssg is sent to message channel
- Add default case to catch unknown message types
- Version 1.5.13

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Download SSG 0.1.79 directly from ComplianceAsCode GitHub releases
- Extract and install datastream files to /usr/share/xml/scap/ssg/content/
- Create version marker file for tracking installed version
- Bypasses outdated Ubuntu repo versions (0.1.71 vs required 0.1.76+)
- Version 1.5.14

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- GetContentPackageVersion now checks .ssg-version marker first
- Show "SSG X.X.X (GitHub)" for GitHub installs in UI
- Fixes version detection showing old package version after GitHub install
- Version 1.5.15

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
MacJediWizard and others added 30 commits January 5, 2026 22:03
- Fix Docker Bench scan only running when specifically selected as profile
- Skip OpenSCAP when docker-bench profile is selected (avoids invalid profile error)
- Truncate error messages to 500 chars to avoid ugly raw output in scan history
- Add proper context cancellation handling for compliance scans

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
The previous pinned digest (from 2024-01) was no longer valid, causing
Docker Bench installation to fail. Changed to use :latest tag from
Docker's official repo for reliability.

- Remove digest pinning from dockerBenchImage constant
- Simplify image pull error handling
- Check for existing local image before failing

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
The go.mod file had an invalid Go version (1.25) which doesn't exist.
Updated to Go 1.24.0 which is the latest stable version.

Addresses GitHub issue #19

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Add docker_inventory_refresh case to WebSocket message handler
- Add refreshDockerInventory function to collect and send Docker data
- Enables on-demand Docker inventory refresh from server

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Corrects embedded version in binary to match release tag.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Make optional mounts conditional (only mount if path exists)
- Add better logging when container produces no output
- Log output preview when no rules are parsed for debugging
- Required mounts: /etc, /var/lib, /var/run/docker.sock
- Optional mounts: systemd paths, containerd, runc

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Check DOCKER_HOST environment variable first
- Search common socket paths: /var/run/docker.sock, /run/docker.sock, /docker.sock
- Map found socket to expected location inside Docker Bench container
- Fixes Docker Bench when agent runs inside Docker container

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
OpenSCAP CIS scans can take 2-5 minutes to complete.
The 60-second timeout was causing scans to fail with
"context deadline exceeded" errors.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Log every 30 seconds while scan is running
- Helps diagnose if scan is stuck vs just slow
- Shows elapsed time so users know it's still working

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- WebSocket connects immediately so agent appears online
- Initial report runs in background goroutine
- Compliance scans (5-10 min) no longer block agent connectivity
- Agent can receive commands while initial scan is running

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Increase compliance scan timeout from 10 to 15 minutes for complex systems
- Docker Bench already has improved socket detection and logging

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
The official docker/docker-bench-security image is deprecated and uses an
ancient Docker client (API 1.38) that is incompatible with modern Docker
daemons requiring API 1.44+. The jauderho/docker-bench-security image is
actively maintained with Alpine 3.23 and Docker 29.1.3.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
The ANSI color codes in the output were breaking the regex parser.
The -b flag disables colors for clean machine-readable output.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Add -p flag to print remediation measures
- Parse remediation lines after each check result
- Parse detail/finding lines (e.g., container names)
- Store findings and remediation in ComplianceResult

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Add continuation pattern to capture multi-line remediation text
- Track inRemediation state to append continuation lines
- Handle indented text, empty lines, and non-bullet continuations
- Reset state on new results and section headers
- Bump version to 1.5.48

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
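The "Docker Bench Security Features" list in the PR description (Pass/Fail/Warn categorization, multi-line remediation parsing) and the two commits above (-p remediation lines, continuation lines with an inRemediation state) describe a small line-oriented state machine. The Go below is an added example of that parser, not the agent's `docker_bench.go`: it strips any ANSI colour codes defensively (the -b flag should already remove them), treats an integer-only ID as a section header, attaches bullet lines to the current check as either findings or remediation, and appends indented non-bullet lines to the remediation only while inRemediation is set. The sample output is constructed and only approximates docker-bench-security's line shapes, so the regexes are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Result is one Docker Bench check with its parsed details.
type Result struct {
	ID, Title, Status string   // Status: pass, warn or info
	Findings          []string // bullet lines that are not remediation (e.g. container names)
	Remediation       string   // joined multi-line remediation text
}

// Summary holds the parsed results and the per-status counts the agent reports.
type Summary struct {
	Results          []Result
	Pass, Warn, Info int
}

// Line shapes assumed by this example (an approximation of -b -p output, not a spec).
var (
	ansiRe    = regexp.MustCompile(`\x1b\[[0-9;]*m`)
	sectionRe = regexp.MustCompile(`^\[INFO\] (\d+) - (.+)$`)                           // "[INFO] 1 - Host Configuration"
	resultRe  = regexp.MustCompile(`^\[(PASS|WARN|INFO|NOTE)\] (\d+(?:\.\d+)+) - (.+)$`) // "[WARN] 1.1.1 - title"
	bulletRe  = regexp.MustCompile(`^\[[A-Z]+\]\s+\* (.+)$`)                            // "[INFO]      * detail"
	contRe    = regexp.MustCompile(`^\[[A-Z]+\]\s{3,}(\S.*)$`)                          // indented, non-bullet continuation
)

func mapStatus(tag string) string {
	switch tag {
	case "PASS":
		return "pass"
	case "WARN":
		return "warn"
	default: // INFO and NOTE carry no pass/fail verdict
		return "info"
	}
}

// ParseDockerBench walks the output once, attaching bullet and continuation
// lines to the most recent check; a new check or section header resets state.
func ParseDockerBench(out string) Summary {
	var s Summary
	cur, inRemediation := -1, false
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimRight(ansiRe.ReplaceAllString(sc.Text(), ""), " \t\r")
		switch {
		case line == "":
			continue // a blank line inside remediation text does not end it
		case sectionRe.MatchString(line):
			cur, inRemediation = -1, false
		case resultRe.MatchString(line):
			m := resultRe.FindStringSubmatch(line)
			r := Result{ID: m[2], Title: m[3], Status: mapStatus(m[1])}
			s.Results = append(s.Results, r)
			cur, inRemediation = len(s.Results)-1, false
			switch r.Status {
			case "pass":
				s.Pass++
			case "warn":
				s.Warn++
			default:
				s.Info++
			}
		case cur >= 0 && bulletRe.MatchString(line):
			text := bulletRe.FindStringSubmatch(line)[1]
			if strings.HasPrefix(text, "Remediation: ") {
				s.Results[cur].Remediation = strings.TrimPrefix(text, "Remediation: ")
				inRemediation = true
			} else {
				s.Results[cur].Findings = append(s.Results[cur].Findings, text)
				inRemediation = false
			}
		case cur >= 0 && inRemediation && contRe.MatchString(line):
			s.Results[cur].Remediation += " " + contRe.FindStringSubmatch(line)[1]
		}
	}
	return s
}

// SampleOutput is constructed for this example; one line keeps ANSI colour
// codes to show that the parser strips them rather than failing on them.
var SampleOutput = strings.Join([]string{
	"[INFO] 1 - Host Configuration",
	"[WARN] 1.1.1 - Ensure a separate partition for containers has been created (Automated)",
	"[INFO]       * Remediation: For new installations, create a separate partition",
	"[INFO]         for the /var/lib/docker mount point.",
	"",
	"[PASS] 1.1.3 - Ensure auditing is configured for the Docker daemon (Automated)",
	"\x1b[1;33m[WARN]\x1b[0m 5.1 - Ensure that, if applicable, an AppArmor Profile is Enabled (Automated)",
	"[WARN]       * No AppArmorProfile Found: web-frontend",
	"[WARN]       * No AppArmorProfile Found: redis",
	"[INFO]       * Remediation: If AppArmor is applicable for your Linux OS, enable it.",
	"[INFO] 2 - Docker daemon configuration",
	"[NOTE] 2.1 - Run the Docker daemon as a non-root user, if possible (Manual)",
}, "\n")

func main() {
	s := ParseDockerBench(SampleOutput)
	fmt.Printf("pass=%d warn=%d info=%d\n", s.Pass, s.Warn, s.Info)
	for _, r := range s.Results {
		fmt.Printf("%-6s %-5s findings=%d remediation=%q\n", r.ID, r.Status, len(r.Findings), r.Remediation)
	}
}
```

Counting at parse time and reporting those counts alongside the per-result statuses is also the cheapest way to catch the kind of mismatch the debug-logging commit that follows was chasing: if `Warn` and the number of results with `Status == "warn"` ever differ, the parser, not the database, is where to look.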
- Add debug logging to parseOutput() to track status counts during parsing
- Add debug logging before sending compliance payload to trace result statuses
- Log when warnings are parsed to verify regex matching
- Compare parse_counts vs result_counts to identify any discrepancy

This helps investigate why Docker Bench warnings (scan.Warnings=135) are being
counted but individual results aren't stored with status='warn' in database.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Add regex-based input validation for WebSocket message fields to prevent
  command injection:
  - ProfileID: alphanumeric, underscores, dots, hyphens (max 256 chars)
  - RuleID: same pattern for compliance rule remediation
  - ImageName: Docker image naming pattern (max 512 chars)
  - ContainerName: Docker container naming pattern (max 256 chars)

- Fix TOCTOU race condition in SaveCredentials():
  - Previously: write file then chmod (race window where credentials readable)
  - Now: atomic write pattern - create temp file with 0600 permissions,
    write content, sync, then atomic rename to target

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
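The TOCTOU fix in the commit above (and the "Credentials file atomic writes" bullet in the PR summary) replaces write-then-chmod, which leaves a window where the new file exists with the umask's default mode, with create-private-temp, write, sync, rename. The Go below is an added illustration of that pattern, not the agent's `SaveCredentials()`; it relies on `os.CreateTemp` opening with `O_EXCL` and mode 0600, so the secret is never readable by other users at any instant, and on `rename(2)` being atomic so readers see either the old file or the complete new one. Function names and the sample credential text are this example's own.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// SaveCredentialsAtomic writes content to path without ever exposing a
// partially written or world-readable file. Added example, not the agent's code.
func SaveCredentialsAtomic(path string, content []byte) (err error) {
	dir := filepath.Dir(path)
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return err
	}
	// CreateTemp opens with O_RDWR|O_CREATE|O_EXCL and mode 0600, so the file
	// is private from the instant it exists and cannot be a pre-planted link.
	tmp, err := os.CreateTemp(dir, ".credentials-*.tmp")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	defer func() {
		if err != nil {
			tmp.Close()
			os.Remove(tmpName) // never leave a half-written secret behind
		}
	}()
	if _, err = tmp.Write(content); err != nil {
		return err
	}
	if err = tmp.Sync(); err != nil { // data must be durable before it becomes visible
		return err
	}
	if err = tmp.Close(); err != nil {
		return err
	}
	// rename(2) is atomic: readers see either the previous file or the complete new one.
	if err = os.Rename(tmpName, path); err != nil {
		return err
	}
	// Flush the directory entry as well so the rename itself survives a crash.
	if d, derr := os.Open(dir); derr == nil {
		_ = d.Sync()
		d.Close()
	}
	return nil
}

// IsPrivateRegularFile reports whether path is a regular file (not a symlink)
// whose permission bits are exactly 0600: the post-condition a credentials
// store should check before trusting the file.
func IsPrivateRegularFile(path string) (bool, error) {
	fi, err := os.Lstat(path)
	if err != nil {
		return false, err
	}
	return fi.Mode().IsRegular() && fi.Mode().Perm() == 0o600, nil
}

func main() {
	dir, err := os.MkdirTemp("", "patchmon-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	p := filepath.Join(dir, "credentials.yml")
	// Constructed credential content; nothing here is a real key.
	if err := SaveCredentialsAtomic(p, []byte("api_id: example\napi_key: constructed-value\n")); err != nil {
		panic(err)
	}
	ok, _ := IsPrivateRegularFile(p)
	fmt.Printf("%s written atomically, private=%v\n", p, ok)
}
```

The temp file lives in the target directory on purpose: `rename` is only atomic within one filesystem, and `/etc/patchmon` itself being 0700 (the permission hardening elsewhere in this PR) means even the short-lived temp name is not enumerable by other users.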
Sync version.go with the v1.5.51 release tag.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
OpenSCAP CIS Level 1 Server scans can take 15+ minutes on systems with
many packages. The previous 15-minute timeout caused Docker Bench to
fail when OpenSCAP used most of the allocated time.

- serve.go: Increase on-demand scan timeout to 25 minutes
- report.go: Increase scheduled scan timeout to 25 minutes

Co-Authored-By: Claude Opus 4.5 <[email protected]>
When set to true, compliance scans will only run when triggered from the
UI (on-demand) and will be skipped during scheduled reports. This is useful
for systems where compliance scans take a long time (15+ minutes).

To enable: Add `compliance_on_demand_only: true` to /etc/patchmon/config.yml

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Add WebSocket message handler for set_compliance_on_demand_only to allow
UI toggle control of whether compliance scans run during scheduled reports.

- Add case handler in WebSocket message parsing
- Add case handler in main message loop
- Store setting via cfgManager.SetComplianceOnDemandOnly()
- Bump version to 1.5.54

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Co-Authored-By: Claude Opus 4.5 <[email protected]>
Co-Authored-By: Claude Opus 4.5 <[email protected]>