Azure Governance and Management Blog articles

https://techcommunity.microsoft.com/t5/azure-governance-and-management/bg-p/AzureGovernanceandManagementBlog

Now Open Source: nxtools, managing Linux IaC just got simpler using Automanage machine configuration

We are "nxcited" to announce the release of nxtools, an open-source collection of class-based DSC resources for commonly used Linux / Unix modules, together with built-in Machine Configuration packages for customers. Azure Automanage Machine Configuration (previously known as Azure Policy Guest Configuration) enables configuration as code, allowing you to audit and configure OS, app and workload level settings at scale, both for machines running in Azure and for hybrid Azure Arc-enabled servers.

The nxtools module will be maintained by the Automanage Machine Configuration team. The module intends to make managing Linux easier for PowerShell users and will help with common tasks such as:

  • User and group management
  • File system operations (changing mode, owner, listing, set/replace content)
  • Service management (start, stop, restart, remove, add)
  • Archive operations (compress, extract)
  • Package Management (list, search, install, uninstall packages)

This module is also intended to provide guidelines and samples that help authors create their own configurations and resource modules for use in custom Machine Configuration projects.

How do I get started?

Prerequisites

To use nxtools, PowerShell must be installed on your system. GitVersion is recommended so that the build picks the right version number of this project from your git state.
To use Machine Configuration, the machine configuration extension and a managed identity are required to manage Azure virtual machines. The extension isn't required for Arc-enabled servers because it's included in the Arc Connected Machine agent. More information about Machine Configuration requirements can be found here.

Installing

On a fresh clone of the nxtools GitHub repo, run:

./build.ps1 -Tasks build

This builds the nxtools module into the output/module folder of the clone.

If you want to build the Machine Configuration package instead, run:

./build.ps1 -Tasks gcpol

You can also install the nxtools module from the PowerShell Gallery:

Install-Module -Name nxtools -AllowPrerelease

The most recent version is nxtools 0.4.0-preview0001.

Commands

Here are the public commands available:

Archive

  • Compress-nxArchive: Create an archive and add files and folders to it.
  • Expand-nxArchive: Expand the file and folders out of an archive.

File Content

  • Add-nxFileLine: Append or insert a line if it's not present. The line can be inserted before or after a pattern is found in the file.
  • Invoke-nxFileContentReplace: Edit a file by searching for a pattern and replacing it with an expression or script block. This can also be done across multiple lines to replace several lines in one run.
  • Remove-nxFileLine: Remove specific lines from a file by line number. You can use this with Select-String to know which line to remove.

File System

  • Get-nxItem: Similar to Get-Item for the FileSystem provider, but on Linux, using ls -d.
  • Get-nxChildItem: Similar to Get-ChildItem for the FileSystem provider, but on Linux, using the ls command.
  • Compare-nxFileSystemMode: An easy way to compare two sets of Unix file system permissions. You can use symbolic notation (rwxrwxrwx) or numerical permissions (777 or 0777).
  • Set-nxMode: Set the mode (permissions) of files and folders using chmod.
  • Set-nxOwner: Set the owner of files and folders (and optionally the group ownership) using chown.
  • Set-nxGroupOwnership: Set the group owning files and folders using chgrp.
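The mode comparison above is the part of this list an auditor leans on most, so here is an added example (not nxtools code) of the idea behind Compare-nxFileSystemMode: convert a symbolic mode such as rwxr-xr-x to octal, then report which permission classes differ between a reference and an observed mode and whether the difference widens access. The function names ConvertTo-OctalMode and Compare-ModeDrift are hypothetical; the code assumes the nine-character rwx layout with the usual s/S (setuid, setgid) and t/T (sticky) markers, and leaves ACLs and symbolic links out of scope.

```powershell
# Added example (not nxtools code): symbolic -> octal conversion and a
# per-class drift report between a reference mode and an observed one.
# Assumes the nine-character rwx layout with s/S and t/T markers.

function ConvertTo-OctalMode {
    param([Parameter(Mandatory)][string] $Mode)

    # Already numeric ('644' or '0644'): normalise to four digits.
    if ($Mode -cmatch '^[0-7]{3,4}$') {
        return $Mode.PadLeft(4, '0')
    }
    if ($Mode -cnotmatch '^[rwxsStT-]{9}$') {
        throw "Unrecognised mode string: '$Mode'"
    }

    $special = 0
    $digits = foreach ($class in 0..2) {
        $triplet = $Mode.Substring($class * 3, 3)
        $value = 0
        if ($triplet[0] -ceq 'r') { $value += 4 }
        if ($triplet[1] -ceq 'w') { $value += 2 }
        # 'x', 's' or 't' means execute is set; upper-case 'S'/'T' means it is not.
        if ($triplet[2] -cin 'x', 's', 't') { $value += 1 }
        # setuid (4) and setgid (2) sit in the user and group slots, sticky (1) in the other slot.
        if ($triplet[2] -cin 's', 'S') { $special += (4, 2, 0)[$class] }
        if ($triplet[2] -cin 't', 'T') { $special += (0, 0, 1)[$class] }
        $value
    }
    return "$special$($digits -join '')"
}

function Compare-ModeDrift {
    param(
        [Parameter(Mandatory)][string] $ReferenceMode,
        [Parameter(Mandatory)][string] $DifferenceMode
    )
    $ref = ConvertTo-OctalMode -Mode $ReferenceMode
    $dif = ConvertTo-OctalMode -Mode $DifferenceMode
    $names = 'Special', 'User', 'Group', 'Other'
    foreach ($i in 0..3) {
        if ($ref[$i] -eq $dif[$i]) { continue }
        # Cast via [string] first: [int][char]'6' would give the code point 54, not 6.
        $refBits = [int][string]$ref[$i]
        $difBits = [int][string]$dif[$i]
        [pscustomobject]@{
            Class      = $names[$i]
            Reference  = [string]$ref[$i]
            Difference = [string]$dif[$i]
            # Bits set in the observed mode but not in the reference widen access;
            # that is the direction an audit should flag.
            Widened    = (($difBits -band -bnot $refBits) -ne 0)
        }
    }
}

# /etc/passwd is expected to be 0644 (the PasswordPolicy_msid121 package on this page);
# a world-writable copy shows up as widened Group and Other classes.
ConvertTo-OctalMode -Mode 'rw-r--r--'
Compare-ModeDrift -ReferenceMode '0644' -DifferenceMode 'rw-rw-rw-' | Format-Table -AutoSize
```

On a live Linux host the observed mode would come from the page's own cmdlets, for instance the Mode.ToString() output of Get-nxItem shown in the Example section, fed into Compare-ModeDrift as the difference mode.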

User And Groups

  • Get-nxLocalUser: Read and parse local users from /etc/passwd.
  • Get-nxLocalGroup: Read and parse local groups from /etc/group.
  • Get-nxLocalUserMemberOf: Get the groups ([nxLocalGroup[]]) a local user is a member of.
  • New-nxLocalUser: Creates a new Local User using useradd.
  • Add-nxLocalGroupMember: Add users to a group using gpasswd.
  • Add-nxLocalUserToGroup: Add user to groups using usermod.
  • New-nxLocalGroup: Create a new Local Group using groupadd.
  • Set-nxLocalGroup: Set the properties of an existing local group using gpasswd.
  • Set-nxLocalGroupMember: Set (and replace) the members of an existing group using gpasswd.
  • Remove-nxLocalUser: Delete a Local user using userdel.
  • Remove-nxLocalGroupMember: Removes users from a local group using gpasswd.
  • Remove-nxLocalGroup: Deletes a local group using groupdel.
  • Get-nxEtcShadow: Gets a user's /etc/shadow entry if it exists.
  • Disable-nxLocalUser: Lock a user's password, expire the account and replace its shell with /sbin/nologin.

System

  • Get-nxKernelInfo: A simple wrapper around uname -a.
  • Get-nxLinuxStandardBaseRelease: A quick wrapper around the lsb_release -a command (lsb_release must be present on the system).
  • Get-nxDistributionInfo: Parses the information found in /etc/*-release.

DSC Resources

  • nxFile: Manage a file or a folder: make sure it's present or absent, and manage its content, mode, owner and group.
  • nxGroup: Simple resource to manage [nxLocalGroup] and group members.
  • nxUser: Simple resource to manage [nxLocalUser] accounts.
  • nxPackage: Audit (for now) whether a package is installed or not in a system (currently supports apt only).
  • nxFileLine: Ensure an exact line is present/absent in a file, and remediate by appending, inserting, deleting as needed.
  • nxFileContentReplace: Replace the content in a file if a pattern is found.
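Each resource above is a class-based DSC resource, which means it is a PowerShell class carrying Get, Test and Set methods. As an added example (not an nxtools resource and not the project's own code), here is a minimal resource in the style of nxFileLine that ensures an exact line is present (appended) or absent (removed) in a text file. The class name ExampleFileLine, its properties and the temp file it writes are all hypothetical; Get reports observed state, Test is the audit, and Set is the remediation that an AuditAndSet policy would call.

```powershell
# Added example, not an nxtools resource: a class-based DSC resource in the
# style of nxFileLine. Names are hypothetical; the Get/Test/Set contract is real.

enum Ensure {
    Present
    Absent
}

[DscResource()]
class ExampleFileLine {
    [DscProperty(Key)]
    [string] $FilePath

    [DscProperty(Key)]
    [string] $Line

    [DscProperty()]
    [Ensure] $Ensure = [Ensure]::Present

    hidden [string[]] ReadLines() {
        if (Test-Path -LiteralPath $this.FilePath -PathType Leaf) {
            return [string[]]@(Get-Content -LiteralPath $this.FilePath)
        }
        return [string[]]@()
    }

    # Get reports the observed state: is the exact line (case-sensitive) there or not?
    [ExampleFileLine] Get() {
        $current = [ExampleFileLine]::new()
        $current.FilePath = $this.FilePath
        $current.Line = $this.Line
        $current.Ensure = [Ensure]::Absent
        if ($this.ReadLines() -ccontains $this.Line) { $current.Ensure = [Ensure]::Present }
        return $current
    }

    # Test is the audit: compliant when observed state equals desired state.
    [bool] Test() {
        return ($this.Get().Ensure -eq $this.Ensure)
    }

    # Set is the remediation; Machine Configuration only runs it for AuditAndSet policies.
    [void] Set() {
        $lines = $this.ReadLines()
        if ($this.Ensure -eq [Ensure]::Present) {
            $lines += $this.Line
        } else {
            $wanted = $this.Line
            $lines = [string[]]@($lines | Where-Object { $_ -cne $wanted })
        }
        Set-Content -LiteralPath $this.FilePath -Value $lines
    }
}

# Drive the resource directly, as Invoke-DscResource or the Machine Configuration
# agent would. The target is a constructed temp file, not a real sshd_config.
$target = Join-Path ([System.IO.Path]::GetTempPath()) 'example-sshd_config'
Set-Content -LiteralPath $target -Value @('Port 22', 'PermitRootLogin yes')

$want = [ExampleFileLine]::new()
$want.FilePath = $target; $want.Line = 'PermitRootLogin no'; $want.Ensure = [Ensure]::Present
$drop = [ExampleFileLine]::new()
$drop.FilePath = $target; $drop.Line = 'PermitRootLogin yes'; $drop.Ensure = [Ensure]::Absent

foreach ($resource in $want, $drop) {
    if (-not $resource.Test()) { $resource.Set() }
    "{0,-7} '{1}' -> compliant: {2}" -f $resource.Ensure, $resource.Line, $resource.Test()
}
Get-Content -LiteralPath $target
```

The two instances illustrate why an exact-line resource is used in pairs: adding PermitRootLogin no on its own would leave the earlier PermitRootLogin yes in place, and sshd honours the first match. Removing the conflicting line is a second resource, or the job of a pattern-based resource like nxFileContentReplace.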

Guest Configuration Packages

  • No90CloudInitUserAllowdNoPasswdInSudoers: Ensure no user is granted NOPASSWD in the sudoers file /etc/sudoers.d/90-cloud-init-users.
  • InstalledApplicationLinux [Audit]: Ensure the listed packages are installed (dpkg only).
  • LinuxGroupsMustExclude [AuditAndSet]: List of users that must be excluded from a group.
  • LinuxGroupsMustInclude [AuditAndSet]: List of users that must be included in a group.
  • NotInstalledApplicationLinux [Audit]: Ensure the listed packages are not installed (dpkg only).
  • PasswordPolicy_msid110 [Audit]: Remote connections from accounts with empty passwords should be disabled.
  • PasswordPolicy_msid121 [Audit]: The file /etc/passwd should have permissions 0644.
  • PasswordPolicy_msid232 [Audit]: Ensure there are no accounts without passwords.
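To make the audit side of these packages concrete, here is an added example (not nxtools code and not the packages themselves) of the checks behind three of them: empty password fields in /etc/shadow (PasswordPolicy_msid232), NOPASSWD grants in a sudoers fragment (No90CloudInitUserAllowdNoPasswdInSudoers), and the 0644 mode expected on /etc/passwd (PasswordPolicy_msid121). The functions are written over file text so they run offline; the shadow and sudoers lines are constructed samples, and the function names are hypothetical.

```powershell
# Added example (not nxtools code): audit logic for three of the packages above,
# written as pure functions over file text. Assumes the standard colon-separated
# /etc/shadow layout and ordinary "user host=(runas) NOPASSWD: command" sudoers syntax.

function Get-EmptyPasswordAccount {
    # PasswordPolicy_msid232: accounts whose /etc/shadow password field is empty.
    param([Parameter(Mandatory)][AllowEmptyCollection()][string[]] $ShadowLines)
    foreach ($line in $ShadowLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $fields = $line.Split(':')
        # Field 0 is the account, field 1 the hash. An empty field means no password
        # at all; '!', '*' or '!!' mean the account is locked, which is fine.
        if ($fields.Count -ge 2 -and $fields[1] -eq '') { $fields[0] }
    }
}

function Get-NoPasswdSudoersEntry {
    # No90CloudInitUserAllowdNoPasswdInSudoers: entries that grant sudo without a password.
    param([Parameter(Mandatory)][AllowEmptyCollection()][string[]] $SudoersLines)
    foreach ($line in $SudoersLines) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }
        if ($trimmed -cmatch '\bNOPASSWD\s*:') { $trimmed }
    }
}

function Test-ExpectedMode {
    # PasswordPolicy_msid121: /etc/passwd should be exactly 0644.
    param(
        [Parameter(Mandatory)][string] $ObservedMode,
        [string] $ExpectedMode = '0644'
    )
    return ($ObservedMode.PadLeft(4, '0') -eq $ExpectedMode.PadLeft(4, '0'))
}

# Constructed samples, not taken from any real host.
$shadowSample = @(
    'root:$6$saltsalt$hashhashhash:19500:0:99999:7:::'
    'daemon:*:19500:0:99999:7:::'
    'svc-backup::19500:0:99999:7:::'
    'gcolas:!:19500:0:99999:7:::'
)
$sudoersSample = @(
    '# Created by cloud-init'
    'azureuser ALL=(ALL) NOPASSWD:ALL'
    'ops ALL=(ALL) ALL'
)

$findings = [ordered]@{
    EmptyPasswordAccounts = @(Get-EmptyPasswordAccount -ShadowLines $shadowSample)
    NoPasswdSudoers       = @(Get-NoPasswdSudoersEntry -SudoersLines $sudoersSample)
    PasswdModeCompliant   = Test-ExpectedMode -ObservedMode '644'
}
$compliant = $findings.EmptyPasswordAccounts.Count -eq 0 -and
             $findings.NoPasswdSudoers.Count -eq 0 -and
             $findings.PasswdModeCompliant

[pscustomobject]$findings | Format-List
"Overall compliant: $compliant"
```

On a real host the inputs come from the page's own cmdlets: Get-nxEtcShadow for the shadow entries, Get-Content on /etc/sudoers.d/90-cloud-init-users, and the Mode.ToOctal() value of Get-nxItem /etc/passwd for the mode check. Reading /etc/shadow requires root, which is one reason these checks run inside the Machine Configuration agent rather than in an interactive session.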

Example

Get-nxKernelInfo # uname -a
Get-nxDistributionInfo # cat /etc/*-release
Get-nxLinuxStandardBaseRelease # lsb_release -a (not available by default on some Debian 10, Alpine and others)

Get-nxLocalUser # cat /etc/passwd
Get-nxLocalUser -UserName (whoami)
Get-nxLocalUser -Pattern '^gcolas$'
Get-nxLocalGroup # cat /etc/group
Get-nxLocalGroup tape | Get-nxLocalUser

Get-nxItem /tmp/testdir
(Get-nxItem /tmp/testdir).Mode
(Get-nxItem /tmp/testdir).Mode.ToString()
(Get-nxItem /tmp/testdir).Mode.ToOctal()

# using module output/nxtools
# using module nxtools
[nxFileSystemMode]'rwxr--r--'
[nxFileSystemMode]'ugo=rwx'
[nxFileSystemMode]'1777'
[nxFileSystemMode]'u=rwx g=r o=r'

# Proper handling of symbolic links not yet implemented
Compare-nxMode -ReferenceMode 'r--r--r--' -DifferenceMode 1777 | FT -a
Get-nxChildItem -Path /tmp/testdir | Compare-nxMode -ReferenceMode 'r--r--r--' | FT -a

Get-nxChildItem /tmp/testdir/ -File | FT -a
Get-nxChildItem /tmp/testdir/ -Directory | FT -a
Get-nxChildItem /tmp/testdir/ | FT -a
Get-nxChildItem /tmp/testdir/ -File | Move-Item -Destination /tmp/testdir/otherdir/ -Verbose
Get-nxChildItem /tmp/testdir/ -File | FT -a
Get-nxChildItem /tmp/testdir/ -File -Recurse | FT -a

Set-nxMode -Path /tmp/tmpjBneMD.tmp -Mode 'rwxr--r--' -Recurse -WhatIf # chmod -R 0744
Set-nxMode -Path /tmp/tmpjBneMD.tmp -Mode '0744' -Recurse -WhatIf # chmod -R 0744
Set-nxMode -Path /tmp/tmpjBneMD.tmp -Mode 744 -Recurse -WhatIf # chmod -R 0744

# Get the other groups the members of the tape group are members of
Get-nxLocalGroup tape | Get-nxLocalUser | Get-nxLocalUserMemberOf

Set-nxOwner -Path /tmp/tmpjBneMD.tmp -Owner (whoami) # chown gcolas /tmp/tmpjBnedMD.tmp
Set-nxGroupOwnership -Path /tmp/testdir -Recurse -Group users -RecursivelyTraverseSymLink

Where can I find more?

All of the above information plus more details about nxtools can be found in our nxtools GitHub repo README.

Learn more about Machine Configuration in the documentation.

Please note that the use of Automanage Machine Configuration on Azure Arc-enabled servers will incur a charge of $6/server/month. You pay the charge only once, no matter how many machine configuration policies you apply to the server. If policies are assigned by Microsoft Defender for Servers Plan 2, or the policy is an Azure Security Benchmark policy, no charges are incurred. Additionally, if Azure Change Tracking or Inventory Management is being used, or the server is on Azure Stack HCI with Connected Machine agent version 1.13, no charges are incurred.
