BRE-1893 fix(azure-marketplace): resolve certification failures (#504)

[BRE-1893](https://bitwarden.atlassian.net/browse/BRE-1893) Address Azure Marketplace certification failures from the 2026.4.1 release submission. * ClientAliveInterval (200.3.3.1): write the setting to /etc/ssh/sshd_config.d/10-azure-marketplace.conf so it wins over cloud-init's drop-in. Validator reads sshd -T to match what Azure tests. * No swap on OS disk (200.3.3.3): set ResourceDisk.EnableSwap=n in /etc/waagent.conf and drop a cloud-init swap module so swap is not recreated on first boot. Validator asserts the waagent.conf setting. * Linux Agent (200.3.3.4): explicitly install walinuxagent from noble-updates and systemctl enable it so the agent reports to the Azure fabric on first boot. Validator adds an is-enabled check. * Bash history (200.5.1): delete .bash_history in the final packer provisioner with HISTFILE=/dev/null so subsequent steps do not repopulate it. Validator checks for file absence.
2026-06-27 22:05:45 +00:00 · 2026-05-12 12:01:20 -04:00
parent 9076109dd8
commit 6a68aefd3f
3 changed files with 70 additions and 31 deletions
--- a/AzureMarketplace/scripts/99-img-check.sh
+++ b/AzureMarketplace/scripts/99-img-check.sh
@@ -2,6 +2,10 @@

 # Azure Marketplace Image Validation Tool

+# Prevent this script from writing to bash history
+unset HISTFILE
+export HISTSIZE=0
+
 VERSION="v. 1.0.0"
 RUNDATE=$( date )

@@ -73,6 +77,16 @@ else
  STATUS=2
 fi

+# Check Azure Linux Agent service is enabled (will start on the deployed VM)
+if systemctl is-enabled walinuxagent >/dev/null 2>&1; then
+  echo -en "\e[32m[PASS]\e[0m Azure Linux Agent service is enabled.\n"
+  ((PASS++))
+else
+  echo -en "\e[41m[FAIL]\e[0m Azure Linux Agent service is not enabled.\n"
+  ((FAIL++))
+  STATUS=2
+fi
+
 # Check Docker
 if hash docker 2>/dev/null; then
  echo -en "\e[32m[PASS]\e[0m Docker is installed.\n"
@@ -142,7 +156,7 @@ else
 fi

 # Check SSH ClientAliveInterval (Azure requirement: 30-235 seconds)
-ALIVE_INTERVAL=$(grep -i "^ClientAliveInterval" /etc/ssh/sshd_config | awk '{print $2}' | tail -1)
+ALIVE_INTERVAL=$(sshd -T 2>/dev/null | awk '/^clientaliveinterval/{print $2}')
 if [[ -n "${ALIVE_INTERVAL}" ]] && [[ "${ALIVE_INTERVAL}" -ge 30 ]] && [[ "${ALIVE_INTERVAL}" -le 235 ]]; then
  echo -en "\e[32m[PASS]\e[0m SSH ClientAliveInterval is ${ALIVE_INTERVAL} seconds (30-235 required).\n"
  ((PASS++))
@@ -163,20 +177,24 @@ else
  STATUS=2
 fi

-# Check bash history
-if [ -f /root/.bash_history ]; then
-  BH_S=$(wc -c < /root/.bash_history)
-  if [[ $BH_S -lt 200 ]]; then
-    echo -en "\e[32m[PASS]\e[0m Root bash history appears cleared.\n"
-    ((PASS++))
-  else
-    echo -en "\e[41m[FAIL]\e[0m Root bash history should be cleared.\n"
-    ((FAIL++))
-    STATUS=2
-  fi
-else
-  echo -en "\e[32m[PASS]\e[0m Root bash history is not present.\n"
+# Check waagent will not recreate swap on first boot of the deployed VM.
+if [ -f /etc/waagent.conf ] && grep -q "^ResourceDisk.EnableSwap=n" /etc/waagent.conf; then
+  echo -en "\e[32m[PASS]\e[0m waagent ResourceDisk.EnableSwap is disabled.\n"
  ((PASS++))
+else
+  echo -en "\e[41m[FAIL]\e[0m waagent will recreate swap on first boot (ResourceDisk.EnableSwap is not 'n').\n"
+  ((FAIL++))
+  STATUS=2
+fi
+
+# Check bash history — Azure tests for file existence, not size.
+if [ ! -f /root/.bash_history ] && [ ! -f /home/ubuntu/.bash_history ]; then
+  echo -en "\e[32m[PASS]\e[0m No bash history files present.\n"
+  ((PASS++))
+else
+  echo -en "\e[41m[FAIL]\e[0m bash history file present (must be deleted, not truncated).\n"
+  ((FAIL++))
+  STATUS=2
 fi

 # Check cloud-init first-boot script is present and executable