import scap-security-guide-0.1.63-3.el8

CentOS Sources 2022-08-17 10:15:09 +00:00 committed by Stepan Oksanichenko
parent 526c2cf585
commit 6c1cb717a2
16 changed files with 8923 additions and 1 deletions


@ -0,0 +1,227 @@
From b4291642f301c18b33ad9b722f0f26490bb55047 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Thu, 21 Jul 2022 16:42:41 +0200
Subject: [PATCH 1/3] Add platforms for partition existence
---
shared/applicability/general.yml | 14 +++++++++++++
.../checks/oval/installed_env_mounts_tmp.xml | 10 +++++++++
.../oval/installed_env_mounts_var_tmp.xml | 10 +++++++++
shared/macros/10-ansible.jinja | 5 +++++
shared/macros/10-bash.jinja | 5 +++++
shared/macros/10-oval.jinja | 21 +++++++++++++++++++
6 files changed, 65 insertions(+)
create mode 100644 shared/checks/oval/installed_env_mounts_tmp.xml
create mode 100644 shared/checks/oval/installed_env_mounts_var_tmp.xml
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
index 2d23d753148..e2f5d04ce00 100644
--- a/shared/applicability/general.yml
+++ b/shared/applicability/general.yml
@@ -77,6 +77,20 @@ cpes:
bash_conditional: {{{ bash_pkg_conditional("pam") }}}
ansible_conditional: {{{ ansible_pkg_conditional("pam") }}}
+ - partition-var-tmp:
+ name: "cpe:/a:partition-var-tmp"
+ title: "There is a /var/tmp partition"
+ check_id: installed_env_mounts_var_tmp
+ bash_conditional: {{{ bash_partition_conditional("/var/tmp") }}}
+ ansible_conditional: {{{ ansible_partition_conditional("/var/tmp") }}}
+
+ - partition-tmp:
+ name: "cpe:/a:partition-tmp"
+ title: "There is a /tmp partition"
+ check_id: installed_env_mounts_tmp
+ bash_conditional: {{{ bash_partition_conditional("/tmp") }}}
+ ansible_conditional: {{{ ansible_partition_conditional("/tmp") }}}
+
- polkit:
name: "cpe:/a:polkit"
title: "Package polkit is installed"
diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml
new file mode 100644
index 00000000000..c1bcd6b2431
--- /dev/null
+++ b/shared/checks/oval/installed_env_mounts_tmp.xml
@@ -0,0 +1,10 @@
+<def-group>
+ <definition class="inventory" id="installed_env_mounts_tmp" version="1">
+ {{{ oval_metadata("", title="Partition /tmp exists", affected_platforms=[full_name]) }}}
+ <criteria>
+ {{{ partition_exists_criterion("/tmp") }}}
+ </criteria>
+ </definition>
+
+ {{{ partition_exists_tos("/tmp") }}}
+</def-group>
diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml
new file mode 100644
index 00000000000..a72f49c8a8f
--- /dev/null
+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml
@@ -0,0 +1,10 @@
+<def-group>
+ <definition class="inventory" id="installed_env_mounts_var_tmp" version="1">
+ {{{ oval_metadata("", title="Partition /var/tmp exists", affected_platforms=[full_name]) }}}
+ <criteria>
+ {{{ partition_exists_criterion("/var/tmp") }}}
+ </criteria>
+ </definition>
+
+ {{{ partition_exists_tos("/var/tmp") }}}
+</def-group>
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 2d24f730d3f..478f0072bc7 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -1439,3 +1439,8 @@ Part of the grub2_bootloader_argument_absent template.
when:
- result_pam_file_present.stat.exists
{{%- endmacro -%}}
+
+
+{{%- macro ansible_partition_conditional(path) -%}}
+"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
+{{%- endmacro -%}}
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 94c3c6f9570..6a7fb165fd2 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -2085,3 +2085,8 @@ else
echo "{{{ pam_file }}} was not found" >&2
fi
{{%- endmacro -%}}
+
+
+{{%- macro bash_partition_conditional(path) -%}}
+'findmnt --mountpoint "{{{ path }}}" > /dev/null'
+{{%- endmacro -%}}
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
index c8d7bbeffb7..1ec93b6ef7d 100644
--- a/shared/macros/10-oval.jinja
+++ b/shared/macros/10-oval.jinja
@@ -926,3 +926,24 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
{{%- else %}}
{{%- set user_list="nobody" %}}
{{%- endif %}}
+
+
+{{%- macro partition_exists_criterion(path) %}}
+{{%- set escaped_path = path | replace("/", "_") %}}
+ <criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path }}}_exists" />
+{{%- endmacro %}}
+
+{{%- macro partition_exists_tos(path) %}}
+{{%- set escaped_path = path | replace("/", "_") %}}
+ <linux:partition_test check="all" check_existence="all_exist"
+ comment="Partition {{{ path }}} exists"
+ id="test_partition_{{{ escaped_path }}}_exists"
+ version="1">
+ <linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
+ {{#- <linux:partition_state state_ref="" /> #}}
+ </linux:partition_test>
+
+ <linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">
+ <linux:mount_point>{{{ path }}}</linux:mount_point>
+ </linux:partition_object>
+{{%- endmacro %}}
From 704da46c44f50c93acbfe172212f1687763013b0 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Thu, 21 Jul 2022 16:43:21 +0200
Subject: [PATCH 2/3] Use partition exist platforms on a real rule
---
.../partitions/mount_option_var_tmp_nodev/rule.yml | 3 ++-
.../mount_option_var_tmp_nodev/tests/notapplicable.pass.sh | 5 +++++
2 files changed, 7 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
index 8ee8c8b12e0..741d0973283 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
@@ -38,7 +38,8 @@ references:
stigid@ol8: OL08-00-040132
stigid@rhel8: RHEL-08-040132
-platform: machine
+platforms:
+ - machine and partition-var-tmp
template:
name: mount_option
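Review bot: This rule switches to the list form `platforms:` / `- machine and partition-var-tmp`, while the six sibling partition rules patched later on this page (mount_option_tmp_nodev, _noexec, _nosuid, mount_option_var_tmp_bind, _noexec, _nosuid) keep the scalar `platform: machine and partition-var-tmp` / `partition-tmp`. If the build accepts both spellings this is only a style point, but one form across the partition rules makes the new CPE conditions easier to grep for and to maintain; `platform: machine and partition-var-tmp` would match the others. The rest of the rule body is outside the hunk.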
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
new file mode 100644
index 00000000000..241c0103d82
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+. $SHARED/partition.sh
+
+clean_up_partition /var/tmp # Remove the partition from the system, and unmount it
From 7b3c9eb40d362ffcfda542cc2b267bce13e25d5a Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 10 Aug 2022 11:32:38 +0200
Subject: [PATCH 3/3] Improve code style
- Improve description of OVAL macro
- Use the escape_id filter to produce IDs
---
shared/checks/oval/installed_env_mounts_tmp.xml | 2 +-
shared/checks/oval/installed_env_mounts_var_tmp.xml | 2 +-
shared/macros/10-oval.jinja | 7 +++----
3 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml
index c1bcd6b2431..edd8ad050f5 100644
--- a/shared/checks/oval/installed_env_mounts_tmp.xml
+++ b/shared/checks/oval/installed_env_mounts_tmp.xml
@@ -6,5 +6,5 @@
</criteria>
</definition>
- {{{ partition_exists_tos("/tmp") }}}
+ {{{ partition_exists_test_object("/tmp") }}}
</def-group>
diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml
index a72f49c8a8f..cf9aafbdb04 100644
--- a/shared/checks/oval/installed_env_mounts_var_tmp.xml
+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml
@@ -6,5 +6,5 @@
</criteria>
</definition>
- {{{ partition_exists_tos("/var/tmp") }}}
+ {{{ partition_exists_test_object("/var/tmp") }}}
</def-group>
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
index 1ec93b6ef7d..f302091f7df 100644
--- a/shared/macros/10-oval.jinja
+++ b/shared/macros/10-oval.jinja
@@ -929,18 +929,17 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
{{%- macro partition_exists_criterion(path) %}}
-{{%- set escaped_path = path | replace("/", "_") %}}
+{{%- set escaped_path = path | escape_id %}}
<criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path }}}_exists" />
{{%- endmacro %}}
-{{%- macro partition_exists_tos(path) %}}
-{{%- set escaped_path = path | replace("/", "_") %}}
+{{%- macro partition_exists_test_object(path) %}}
+{{%- set escaped_path = path | escape_id %}}
<linux:partition_test check="all" check_existence="all_exist"
comment="Partition {{{ path }}} exists"
id="test_partition_{{{ escaped_path }}}_exists"
version="1">
<linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
- {{#- <linux:partition_state state_ref="" /> #}}
</linux:partition_test>
<linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">


@ -0,0 +1,92 @@
From 51d7ee352dd2e90cb711d949cc59fb36c7fbe5da Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 10 Aug 2022 13:35:50 +0200
Subject: [PATCH] Add the platform applicability to relevant rules
---
.../permissions/partitions/mount_option_tmp_nodev/rule.yml | 2 +-
.../permissions/partitions/mount_option_tmp_noexec/rule.yml | 2 +-
.../permissions/partitions/mount_option_tmp_nosuid/rule.yml | 2 +-
.../permissions/partitions/mount_option_var_tmp_bind/rule.yml | 2 +-
.../permissions/partitions/mount_option_var_tmp_noexec/rule.yml | 2 +-
.../permissions/partitions/mount_option_var_tmp_nosuid/rule.yml | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
index 45a73e0286a..79a19a8d30b 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
@@ -45,7 +45,7 @@ references:
stigid@ol8: OL08-00-040123
stigid@rhel8: RHEL-08-040123
-platform: machine
+platform: machine and partition-tmp
template:
name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
index 7356183bab3..d3f6d6175e5 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
@@ -44,7 +44,7 @@ references:
stigid@ol8: OL08-00-040125
stigid@rhel8: RHEL-08-040125
-platform: machine
+platform: machine and partition-tmp
template:
name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
index d153b86934f..10790dc95a7 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
@@ -45,7 +45,7 @@ references:
stigid@ol8: OL08-00-040124
stigid@rhel8: RHEL-08-040124
-platform: machine
+platform: machine and partition-tmp
template:
name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
index 133e7727ca7..05992df4b49 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
@@ -31,7 +31,7 @@ references:
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
nist-csf: PR.IP-1,PR.PT-3
-platform: machine
+platform: machine and partition-var-tmp
template:
name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
index 39fd458ec6b..dc00b2f2376 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
@@ -38,7 +38,7 @@ references:
stigid@ol8: OL08-00-040134
stigid@rhel8: RHEL-08-040134
-platform: machine
+platform: machine and partition-var-tmp
template:
name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
index 349f3348955..f0c26b6d9c5 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
@@ -38,7 +38,7 @@ references:
stigid@ol8: OL08-00-040133
stigid@rhel8: RHEL-08-040133
-platform: machine
+platform: machine and partition-var-tmp
template:
name: mount_option


@ -0,0 +1,48 @@
From 779ffcf0a51a1ad5a13e5b8ee29ce044d93eca55 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 15 Aug 2022 13:14:58 +0200
Subject: [PATCH 1/2] Access the mounts via ansible_mounts
It seems that the data about ansible_mounts should be accessed without
the 'ansible_facts' prefix.
---
shared/macros/10-ansible.jinja | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 478f0072bc7..e8bff0973f5 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template.
{{%- macro ansible_partition_conditional(path) -%}}
-"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
+"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
{{%- endmacro -%}}
From 4963d70d565919d0db6c0bc35f3fd4274d474310 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 15 Aug 2022 13:16:24 +0200
Subject: [PATCH 2/2] Avoid use of json_query and additional dependency
The json_query filter requires package jmespath to be installed.
This also avoids mismatchs in python version between ansible and
python3-jmespath. Some distros (RHEL8) don't have jmespath module
available for the same python version ansible is using.
---
shared/macros/10-ansible.jinja | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index e8bff0973f5..beb2bc11403 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template.
{{%- macro ansible_partition_conditional(path) -%}}
-"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
+'"{{{ path }}}" in ansible_mounts | map(attribute="mount") | list'
{{%- endmacro -%}}
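Review bot: The conditional `'"{{{ path }}}" in ansible_mounts | map(attribute="mount") | list'` depends on the `ansible_mounts` fact having been gathered; in a play that runs with fact gathering disabled the name is undefined and, as far as I can tell, the `when:` this presumably feeds will error out instead of marking the rule not applicable. If that failure mode is acceptable for the remediation playbooks it deserves a one-line comment on the macro, e.g. `{{# requires gathered facts: ansible_mounts #}}`; if not, `(ansible_mounts | default([]))` would make the task skip instead. Dropping json_query does remove the jmespath dependency the message describes, so no change is needed there.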


@ -0,0 +1,107 @@
From 9243f7615c2656003e4a64c88076d0d660f58580 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 5 Aug 2022 12:45:24 +0200
Subject: [PATCH] Fix rule sudo_custom_logfile
- Allow only white space after the Default keyword to avoid
matching words that only start with Default.
- If the variable value contains slashes they need to be escaped
because the sed command uses slashes as a separator, otherwise
the sed doesn't replace the wrong line during a remediation.
Also adds 2 test scenarios.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2083109
---
.../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +-
.../sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh | 4 ++++
.../sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh | 4 ++++
shared/templates/sudo_defaults_option/ansible.template | 2 +-
shared/templates/sudo_defaults_option/bash.template | 5 +++--
shared/templates/sudo_defaults_option/oval.template | 2 +-
6 files changed, 14 insertions(+), 5 deletions(-)
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
index 739f5f14936..94fbaaa33ed 100644
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
@@ -29,7 +29,7 @@ ocil_clause: 'logfile is not enabled in sudo'
ocil: |-
To determine if <tt>logfile</tt> has been configured for sudo, run the following command:
- <pre>$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
+ <pre>$ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
The command should return a matching output.
template:
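Review bot: `Defaults\s*\blogfile\b` now matches only when logfile is the first option after the keyword, so a valid sudoers line such as `Defaults env_reset, logfile=/var/log/sudo.log` is no longer recognized; the same tightening is applied as `Defaults[\s]*\b{{{ OPTION_REGEX }}}` in bash.template's grep and in oval.template, and because the bash grep decides whether to append, such a line would get a second `Defaults logfile=...` appended while the original stays in place. Requiring whitespace right after the keyword but allowing other options before the one of interest, `Defaults\s+.*\blogfile\b` here and `Defaults[\s]+.*\b{{{ OPTION_REGEX }}}` in the two templates, still rejects the `Defaultsabc` scenario added by this patch and still excludes `Defaults:user`-style scoped entries, if that exclusion was intended. The `wrong_logfile.fail.sh` scenario is unaffected either way.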
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
new file mode 100644
index 00000000000..13ff4559edb
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+echo "Defaultsabc logfile=/var/log/sudo.log" >> /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
new file mode 100644
index 00000000000..ec24854f0f9
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+echo "Defaults logfile=/var/log/othersudologfile.log" >> /etc/sudoers
diff --git a/shared/templates/sudo_defaults_option/ansible.template b/shared/templates/sudo_defaults_option/ansible.template
index 094fa430b64..c9e344ec772 100644
--- a/shared/templates/sudo_defaults_option/ansible.template
+++ b/shared/templates/sudo_defaults_option/ansible.template
@@ -8,7 +8,7 @@
- name: Ensure {{{ OPTION }}} is enabled with the appropriate value in /etc/sudoers
lineinfile:
path: /etc/sudoers
- regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?\w+\b(.*)$'
+ regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?.+\b(.*)$'
line: 'Defaults \1{{{ OPTION }}}={{ {{{ VARIABLE_NAME }}} }}\2'
validate: /usr/sbin/visudo -cf %s
backrefs: yes
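Review bot: `{{{ OPTION }}}=[-]?.+\b(.*)$` is greedy: `.+` runs to the end of the line and `\b` still matches there, so `\2` is empty and any options that follow the value are dropped when `line:` rewrites it — `Defaults logfile=/old.log, requiretty` becomes `Defaults logfile=<new value>` with `requiretty` gone. The previous `\w+` avoided this but could not match a path. A value class that stops at the sudoers separators keeps the tail: `regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?[^\s,]+(.*)$'`. The sed in bash.template (`[-]?.+(\b.*$)`) has the same greedy capture and would take `[-]?[^\s,]+(.*$)`.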
diff --git a/shared/templates/sudo_defaults_option/bash.template b/shared/templates/sudo_defaults_option/bash.template
index e3563d42db6..e7d962a668d 100644
--- a/shared/templates/sudo_defaults_option/bash.template
+++ b/shared/templates/sudo_defaults_option/bash.template
@@ -9,7 +9,7 @@
{{% endif %}}
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
- if ! grep -P '^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
+ if ! grep -P '^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
# sudoers file doesn't define Option {{{ OPTION }}}
echo "Defaults {{{ OPTION_VALUE }}}" >> /etc/sudoers
{{%- if not VARIABLE_NAME %}}
@@ -21,7 +21,8 @@ if /usr/sbin/visudo -qcf /etc/sudoers; then
{{% if '/' in OPTION %}}
{{{ raise("OPTION (" + OPTION + ") uses sed path separator (/) in " + rule_id) }}}
{{% endif %}}
- sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?\w+(\b.*$)/\1{{{ '${' ~ VARIABLE_NAME ~ '}' }}}\2/" /etc/sudoers
+ escaped_variable={{{ "${" ~ VARIABLE_NAME ~ "//$'/'/$'\/'}" }}}
+ sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
fi
fi
{{% endif %}}
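Review bot: `escaped_variable` only escapes `/`; `&` and `\` in the variable value are still interpreted by sed in the replacement (`&` re-inserts the matched text), so a value containing either produces a wrong `Defaults` line in /etc/sudoers. The value comes from the XCCDF variable rather than from the scanned host, so this is a robustness rather than an injection concern, but escaping all three is cheap: `escaped_variable=$(printf '%s' "{{{ '${' ~ VARIABLE_NAME ~ '}' }}}" | sed -e 's/[\/&\\]/\\&/g')`. The enclosing `if` blocks and the Jinja guard for `/` in OPTION open before this hunk.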
diff --git a/shared/templates/sudo_defaults_option/oval.template b/shared/templates/sudo_defaults_option/oval.template
index c0d81c95093..a9636a7204a 100644
--- a/shared/templates/sudo_defaults_option/oval.template
+++ b/shared/templates/sudo_defaults_option/oval.template
@@ -13,7 +13,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_{{{ OPTION }}}_sudoers" version="1">
<ind:filepath operation="pattern match">^/etc/sudoers(|\.d/.*)$</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}.*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal" >1</ind:instance>
</ind:textfilecontent54_object>


@ -0,0 +1,967 @@
From 2d22616a6223e26662c1dc81e0389349defd716a Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Wed, 13 Apr 2022 20:06:18 +0800
Subject: [PATCH 01/15] rsyslog: Fix array creation when path has wildcard
This patch fixes the issue that the array is expanded to wildcard path instead of its elements.
A simple test case as follows:
/etc/rsyslog.conf
include(file="/etc/rsyslog.d/*.conf" mode="optional")
/etc/rsyslog.d/custom1.conf
local1.* /tmp/local1.out
/etc/rsyslog.d/custom2.conf
local2.* /tmp/local2.out
---
.../rsyslog_files_permissions/bash/shared.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index b794ea8db31..02b0c36d899 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -5,8 +5,8 @@
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
-readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
+readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
From 37a57668e98ba613d850e4c4ec4363dc7687d06d Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Thu, 14 Apr 2022 15:58:04 +0800
Subject: [PATCH 02/15] A better fix.
* Should also fixed the CI failure.
---
.../rsyslog_files_permissions/bash/shared.sh | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 02b0c36d899..1aebb8f9da5 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -5,8 +5,10 @@
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
-readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
-readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
+readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
+readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
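Review bot: `eval printf '%s\\n' "${INCPATH}"` hands text read from /etc/rsyslog.conf to the shell for full evaluation, while the only thing wanted here is pathname expansion; any shell substitution syntax in an include path would be executed by this root-run remediation (the grep excludes `;` for `OLD_INC`, but the awk extraction for `NEW_INC` takes any non-blank run). Bash can expand the glob without eval: `readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do compgen -G "${INCPATH}"; done)`, and the same for `NEW_INC`. One behavioural difference to keep in mind: `compgen -G` prints nothing for a pattern with no matches, whereas the eval form prints the pattern literally, so the later existence tests in this file see one entry fewer.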
From 5135fb64fb773400234c740a3feeac206ac7f42a Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Fri, 15 Apr 2022 10:47:37 +0800
Subject: [PATCH 03/15] Add test for wildcard paths used in rsyslog
---
.../include_config_syntax_perms_0600.pass.sh | 56 ++++++++++++++++++
.../include_config_syntax_perms_0601.fail.sh | 57 +++++++++++++++++++
2 files changed, 113 insertions(+)
create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
new file mode 100755
index 00000000000..7cb09128d78
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
+
+# Check rsyslog.conf with log file permissions 0600 from rules and
+# log file permissions 0600 from $IncludeConfig passes.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS=0600
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+mkdir ${conf_subdir}
+test_subdir_conf=${conf_subdir}/test_subdir.conf
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
+cat << EOF > ${test_subdir_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[2]}
+EOF
+
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+
+EOF
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
new file mode 100755
index 00000000000..942eaf086a1
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+
+# Check rsyslog.conf with log file permissions 0600 from rules and
+# log file permissions 0601 from $IncludeConfig fails.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS_PASS=0600
+PERMS_FAIL=0601
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+mkdir ${conf_subdir}
+test_subdir_conf=${conf_subdir}/test_subdir.conf
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
+cat << EOF > ${test_subdir_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[2]}
+EOF
+
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+
+EOF
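Review bot: The header `# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol` omits `multi_platform_sle`, which the otherwise identical `include_config_syntax_perms_0600.pass.sh` lists. If SLE is excluded on purpose, a short comment such as `# SLE excluded: <reason>` would stop the next person from "fixing" it; otherwise the two headers should match. In both scripts `mkdir ${conf_subdir}` is unquoted; `mkdir "${conf_subdir}"` is the safer form.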
From 052558d8d5be3b8ce49067ab8c05ed9ea92bab0b Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Thu, 19 May 2022 01:22:19 +0800
Subject: [PATCH 04/15] The way using 'find' can be retired.
---
.../rsyslog_files_permissions/bash/shared.sh | 20 +++++--------------
1 file changed, 5 insertions(+), 15 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 1aebb8f9da5..cece5930ee8 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -13,22 +13,12 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
-RSYSLOG_CONFIGS=()
-RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
+declare -a RSYSLOG_CONFIGS
+RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
-# Get full list of files to be checked
-# RSYSLOG_CONFIGS may contain globs such as
-# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
-# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
-RSYSLOG_FILES=()
-for ENTRY in "${RSYSLOG_CONFIGS[@]}"
-do
- mapfile -t FINDOUT < <(find "$(dirname "${ENTRY}")" -maxdepth 1 -name "$(basename "${ENTRY}")")
- RSYSLOG_FILES+=("${FINDOUT[@]}")
-done
-
-# Check file and fix if needed.
-for LOG_FILE in "${RSYSLOG_FILES[@]}"
+# Browse each file selected above as containing paths of log files
+# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
+for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
do
# From each of these files extract just particular log file path(s), thus:
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
From 4f1d08642a74c0be7cd02815784a2c81b7b558ee Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Fri, 20 May 2022 01:30:37 +0800
Subject: [PATCH 05/15] Cover the include pattern '/etc/rsyslog.d/'
---
.../rsyslog_files_permissions/bash/shared.sh | 20 ++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index cece5930ee8..50d36d7426f 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -13,12 +13,30 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
+# Array to hold all rsyslog config entries
declare -a RSYSLOG_CONFIGS
RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
+# Array to hold all rsyslog config files
+declare -a RSYSLOG_CONFIG_FILES
+for ENTRY in "${RSYSLOG_CONFIGS[@]}"
+do
+ # If directory, need to include files recursively
+ if [ -d "${ENTRY}" ]
+ then
+ readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
+ RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
+ elif [ -f "${ENTRY}" ]
+ then
+ RSYSLOG_CONFIG_FILES+=("${ENTRY}")
+ else
+ echo "Invalid include object: ${ENTRY}"
+ fi
+done
+
# Browse each file selected above as containing paths of log files
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
-for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
+for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
do
# From each of these files extract just particular log file path(s), thus:
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
From d77551b64c4d67226627d0819dc30fff9433ac2b Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Fri, 20 May 2022 01:46:33 +0800
Subject: [PATCH 06/15] Update test files.
---
.../tests/include_config_syntax_perms_0600.pass.sh | 2 ++
.../tests/include_config_syntax_perms_0601.fail.sh | 2 ++
2 files changed, 4 insertions(+)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
index 7cb09128d78..2ddd9fcb697 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
@@ -49,8 +49,10 @@ cat << EOF > $RSYSLOG_CONF
include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
EOF
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
index 942eaf086a1..73ff3332c6d 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -50,8 +50,10 @@ cat << EOF > $RSYSLOG_CONF
include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
EOF
From 9a97bfa1ca4c918a39a68131e5fbc46fa7b00961 Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Fri, 20 May 2022 10:03:32 +0800
Subject: [PATCH 07/15] Rsyslog says we should include all files
---
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
.../include_config_syntax_perms_0600.pass.sh | 16 +++++++++++++++-
.../include_config_syntax_perms_0601.fail.sh | 16 +++++++++++++++-
3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 50d36d7426f..cd5014105e9 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -24,7 +24,7 @@ do
# If directory, need to include files recursively
if [ -d "${ENTRY}" ]
then
- readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
+ readarray -t FINDOUT < <(find "${ENTRY}" -type f)
RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
elif [ -f "${ENTRY}" ]
then
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
index 2ddd9fcb697..755865ca522 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
@@ -9,20 +9,24 @@ source $SHARED/rsyslog_log_utils.sh
PERMS=0600
# setup test data
-create_rsyslog_test_logs 3
+create_rsyslog_test_logs 4
# setup test log files and permissions
chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
# create test configuration file
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
mkdir ${conf_subdir}
test_subdir_conf=${conf_subdir}/test_subdir.conf
test_conf=${RSYSLOG_TEST_DIR}/test.conf
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
+
cat << EOF > ${test_subdir_conf}
# rsyslog configuration file
+# test_subdir_conf
#### RULES ####
@@ -31,12 +35,22 @@ EOF
cat << EOF > ${test_conf}
# rsyslog configuration file
+# test_conf
#### RULES ####
*.* ${RSYSLOG_TEST_LOGS[1]}
EOF
+cat << EOF > ${test_bak}
+# rsyslog configuration file
+# test_bak
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[3]}
+EOF
+
# create rsyslog.conf configuration file
cat << EOF > $RSYSLOG_CONF
# rsyslog configuration file
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
index 73ff3332c6d..063b1a0cbe5 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -10,20 +10,24 @@ PERMS_PASS=0600
PERMS_FAIL=0601
# setup test data
-create_rsyslog_test_logs 3
+create_rsyslog_test_logs 4
# setup test log files and permissions
chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
# create test configuration file
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
mkdir ${conf_subdir}
test_subdir_conf=${conf_subdir}/test_subdir.conf
test_conf=${RSYSLOG_TEST_DIR}/test.conf
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
+
cat << EOF > ${test_subdir_conf}
# rsyslog configuration file
+# test_subdir_conf
#### RULES ####
@@ -32,12 +36,22 @@ EOF
cat << EOF > ${test_conf}
# rsyslog configuration file
+# test_conf
#### RULES ####
*.* ${RSYSLOG_TEST_LOGS[1]}
EOF
+cat << EOF > ${test_bak}
+# rsyslog configuration file
+# test_bak
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[3]}
+EOF
+
# create rsyslog.conf configuration file
cat << EOF > $RSYSLOG_CONF
# rsyslog configuration file
From fcfc7c126ed76488085ef35cd0fd497c272aa364 Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Sat, 21 May 2022 16:02:26 +0800
Subject: [PATCH 08/15] Match glob() function of rsyslog
---
.../rsyslog_files_permissions/bash/shared.sh | 5 ++-
.../include_config_syntax_perms_0600.pass.sh | 39 ++++++++++++-------
.../include_config_syntax_perms_0601.fail.sh | 39 ++++++++++++-------
3 files changed, 55 insertions(+), 28 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index cd5014105e9..38105bf086b 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -21,10 +21,11 @@ RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYS
declare -a RSYSLOG_CONFIG_FILES
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
do
- # If directory, need to include files recursively
+ # If directory, rsyslog will search for config files in recursively.
+ # However, files in hidden sub-directories or hidden files will be ignored.
if [ -d "${ENTRY}" ]
then
- readarray -t FINDOUT < <(find "${ENTRY}" -type f)
+ readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f)
RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
elif [ -f "${ENTRY}" ]
then
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
index 755865ca522..a5a2f67fadc 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
@@ -9,48 +9,61 @@ source $SHARED/rsyslog_log_utils.sh
PERMS=0600
# setup test data
-create_rsyslog_test_logs 4
+create_rsyslog_test_logs 5
# setup test log files and permissions
chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[4]}
-# create test configuration file
+# create test configuration files
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
mkdir ${conf_subdir}
-test_subdir_conf=${conf_subdir}/test_subdir.conf
-test_conf=${RSYSLOG_TEST_DIR}/test.conf
-test_bak=${RSYSLOG_TEST_DIR}/test.bak
+mkdir ${conf_hiddir}
-cat << EOF > ${test_subdir_conf}
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
+
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
+
+cat << EOF > ${test_conf_in_subdir}
# rsyslog configuration file
-# test_subdir_conf
#### RULES ####
-*.* ${RSYSLOG_TEST_LOGS[2]}
+*.* ${RSYSLOG_TEST_LOGS[1]}
EOF
-cat << EOF > ${test_conf}
+cat << EOF > ${test_conf_name_bak}
# rsyslog configuration file
-# test_conf
#### RULES ####
-*.* ${RSYSLOG_TEST_LOGS[1]}
+*.* ${RSYSLOG_TEST_LOGS[2]}
EOF
-cat << EOF > ${test_bak}
+cat << EOF > ${test_conf_in_hiddir}
# rsyslog configuration file
-# test_bak
+# not used
#### RULES ####
*.* ${RSYSLOG_TEST_LOGS[3]}
EOF
+cat << EOF > ${test_conf_dot_name}
+# rsyslog configuration file
+# not used
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[4]}
+EOF
+
# create rsyslog.conf configuration file
cat << EOF > $RSYSLOG_CONF
# rsyslog configuration file
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
index 063b1a0cbe5..a9d0adfb727 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -10,48 +10,61 @@ PERMS_PASS=0600
PERMS_FAIL=0601
# setup test data
-create_rsyslog_test_logs 4
+create_rsyslog_test_logs 5
# setup test log files and permissions
chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[4]}
-# create test configuration file
+# create test configuration files
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
mkdir ${conf_subdir}
-test_subdir_conf=${conf_subdir}/test_subdir.conf
-test_conf=${RSYSLOG_TEST_DIR}/test.conf
-test_bak=${RSYSLOG_TEST_DIR}/test.bak
+mkdir ${conf_hiddir}
-cat << EOF > ${test_subdir_conf}
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
+
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
+
+cat << EOF > ${test_conf_in_subdir}
# rsyslog configuration file
-# test_subdir_conf
#### RULES ####
-*.* ${RSYSLOG_TEST_LOGS[2]}
+*.* ${RSYSLOG_TEST_LOGS[1]}
EOF
-cat << EOF > ${test_conf}
+cat << EOF > ${test_conf_name_bak}
# rsyslog configuration file
-# test_conf
#### RULES ####
-*.* ${RSYSLOG_TEST_LOGS[1]}
+*.* ${RSYSLOG_TEST_LOGS[2]}
EOF
-cat << EOF > ${test_bak}
+cat << EOF > ${test_conf_in_hiddir}
# rsyslog configuration file
-# test_bak
+# not used
#### RULES ####
*.* ${RSYSLOG_TEST_LOGS[3]}
EOF
+cat << EOF > ${test_conf_dot_name}
+# rsyslog configuration file
+# not used
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[4]}
+EOF
+
# create rsyslog.conf configuration file
cat << EOF > $RSYSLOG_CONF
# rsyslog configuration file
From 313094b7d5c13ba38a2d02fad544cd4665c5a17d Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Sun, 22 May 2022 21:10:16 +0800
Subject: [PATCH 09/15] Fixed incorrect parsing of rules in old code
---
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 38105bf086b..e1129e34c81 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -54,7 +54,7 @@ do
then
NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}")
LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}")
- FILTERED_PATHS=$(sed -e 's/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g' <<< "${LINES_WITH_PATHS}")
+ FILTERED_PATHS=$(awk '{if(NF>=2&&($2~/^\//||$2~/^-\//)){sub(/^-\//,"/",$2);print $2}}' <<< "${LINES_WITH_PATHS}")
CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}")
MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}")
# Since above sed command might return more than one item (delimited by newline), split the particular
From 86f655ac79d879c1f47bda7a06cc15a64e65e5fb Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Tue, 24 May 2022 00:42:17 +0800
Subject: [PATCH 10/15] Added platform.
---
.../tests/include_config_syntax_perms_0601.fail.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
index a9d0adfb727..fe4db0a3c91 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -1,5 +1,5 @@
#!/bin/bash
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
# Check rsyslog.conf with log file permissions 0600 from rules and
# log file permissions 0601 from $IncludeConfig fails.
From e71901895f29af9a34fe81938be1332691b6f64a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 13:56:39 +0200
Subject: [PATCH 11/15] Reset the arrays before using them
When bash remediations for a profile are generated, it can happen that a
variable with same name is used for multiple remediations.
So let's reset the array before using it.
---
.../rsyslog_files_permissions/bash/shared.sh | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index e1129e34c81..d1856ffbe7b 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -14,11 +14,14 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
declare -a LOG_FILE_PATHS
# Array to hold all rsyslog config entries
-declare -a RSYSLOG_CONFIGS
-RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
+RSYSLOG_CONFIGS=()
+RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
-# Array to hold all rsyslog config files
-declare -a RSYSLOG_CONFIG_FILES
+# Get full list of files to be checked
+# RSYSLOG_CONFIGS may contain globs such as
+# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
+# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
+RSYSLOG_CONFIG_FILES=()
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
do
# If directory, rsyslog will search for config files in recursively.
From 525dce106bf8d054c83e8d79acbb92cc16224e4c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 14:55:37 +0200
Subject: [PATCH 12/15] Don't parse hidden config files for Includes
Let's follow rsyslog behavior and not capture process hidden config
files for includes.
---
.../rsyslog_files_permissions/oval/shared.xml | 9 ++++
...00_IncludeConfig_perms_0601_hidden.pass.sh | 53 +++++++++++++++++++
2 files changed, 62 insertions(+)
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
index a04e6fd8900..d13177216c3 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
@@ -17,8 +17,17 @@
<ind:filepath>/etc/rsyslog.conf</ind:filepath>
<ind:pattern operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_permissions_ignore_hidden_paths</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_permissions_ignore_hidden_paths" comment="ignore hidden conf files" version="1">
+ <!-- Among the paths matched in object_rfp_rsyslog_include_config_value there can be paths from
+ include() or $IncludeConfig that point to hidden dirs or files.
+ Rsyslog ignores these conf files, so we should ignore them too.
+ -->
+ <ind:subexpression operation="pattern match">^.*\/\..*$</ind:subexpression>
+ </ind:textfilecontent54_state>
+
<!-- Turn that glob value into Perl's regex so it can be used as filepath pattern below -->
<local_variable id="var_rfp_include_config_regex" datatype="string" version="1" comment="$IncludeConfig value converted to regex">
<unique>
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
new file mode 100644
index 00000000000..9b0185c6b2f
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
+
+# Check rsyslog.conf with log file permisssions 0600 from rules and
+# log file permissions 0601 from include() fails.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS_PASS=0600
+PERMS_FAIL=0601
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# create hidden test2 configuration file
+test_conf2=${RSYSLOG_TEST_DIR}/.test2.conf
+cat << EOF > ${test_conf2}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[2]}
+EOF
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${test_conf}")
+
+\$IncludeConfig ${test_conf2}
+EOF
From d872c4a2cfcd3331b7aae954aacf3d0d481d1582 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 15:49:11 +0200
Subject: [PATCH 13/15] Add test for for missing rsyslog included files
The rsyslog conf file may include other config files.
If the included missing files are missing rsyslog will generate an
error, but will still continue working.
https://www.rsyslog.com/doc/master/rainerscript/include.html#include-a-required-file
There is not a good way of ensuring that all files defined in a list of paths exist.
---
...0_IncludeConfig_perms_0601_missing.pass.sh | 45 +++++++++++++++++++
1 file changed, 45 insertions(+)
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
new file mode 100644
index 00000000000..b929f2a94ab
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
+
+# Check rsyslog.conf with log file permisssions 0600 from rules and
+# log file permissions 0601 from include() fails.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS_PASS=0600
+PERMS_FAIL=0601
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# Skip creation test2 configuration file
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${test_conf}")
+
+\$IncludeConfig ${test_conf2}
+EOF
From cf9eaf6e55405248731cb08268bcba6a58a93486 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 21:47:18 +0200
Subject: [PATCH 14/15] Align Ansible remediation with Bash
The remediation now expands the glob expressions and doesn't collect
hidden files or directories to check for their permissions.
---
.../rsyslog_files_permissions/ansible/shared.yml | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
index 635b72f7352..c558bf46c71 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
@@ -19,19 +19,26 @@
shell: |
set -o pipefail
grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
- register: include_config_output
+ register: rsyslog_old_inc
changed_when: False
- name: "Get include files directives"
shell: |
set -o pipefail
grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true
- register: include_files_output
+ register: rsyslog_new_inc
changed_when: False
+- name: "Expand glob expressions"
+ shell: |
+ set -o pipefail
+ eval printf '%s\\n' {{ item }}
+ register: include_config_output
+ loop: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}"
+
- name: "List all config files"
- shell: find "$(dirname "{{ item }}" )" -maxdepth 1 -name "$(basename "{{ item }}")"
- loop: "{{ include_config_output.stdout_lines + include_files_output.stdout_lines }}"
+ shell: find {{ item }} -not -path "*/.*" -type f
+ loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
register: rsyslog_config_files
changed_when: False
From 37e98ed3a86a0e56543132752c62982ff01cd3d9 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 21:56:05 +0200
Subject: [PATCH 15/15] Ignore invalid or non existing include objects
Let's not fail the task when the find doesn't find the include object.
When the include is a glob expression that doesn't evaluate to any file
the glob itself is used in find command.
The Bash remediation prints a message for each include that is not a
file is not a directory or doesn't exist.
---
.../rsyslog_files_permissions/ansible/shared.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
index c558bf46c71..3a9380cf13b 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
@@ -40,6 +40,7 @@
shell: find {{ item }} -not -path "*/.*" -type f
loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
register: rsyslog_config_files
+ failed_when: False
changed_when: False
- name: "Extract log files"


@ -0,0 +1,90 @@
From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 11:45:15 +0200
Subject: [PATCH 1/4] fix ospp references
---
linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml
index c151d3c4aa1..f9b46c51ddd 100644
--- a/linux_os/guide/system/accounts/enable_authselect/rule.yml
+++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml
@@ -34,6 +34,7 @@ references:
disa: CCI-000213
hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) # taken from require_singleuser_auth
nist: AC-3
+ ospp: FIA_UAU.1,FIA_AFL.1
srg: SRG-OS-000480-GPOS-00227
ocil: |-
From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 11:45:42 +0200
Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp
---
products/rhel9/profiles/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index b47630c62b0..dcc41970043 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -115,7 +115,7 @@ selections:
- coredump_disable_storage
- coredump_disable_backtraces
- service_systemd-coredump_disabled
- - var_authselect_profile=sssd
+ - var_authselect_profile=minimal
- enable_authselect
- use_pam_wheel_for_su
From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 11:45:54 +0200
Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp
---
products/rhel8/profiles/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
index 39ad1797c7a..ebec8a3a6f9 100644
--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
@@ -220,7 +220,7 @@ selections:
- var_accounts_max_concurrent_login_sessions=10
- accounts_max_concurrent_login_sessions
- securetty_root_login_console_only
- - var_authselect_profile=sssd
+ - var_authselect_profile=minimal
- enable_authselect
- var_password_pam_unix_remember=5
- accounts_password_pam_unix_remember
From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 13:55:05 +0200
Subject: [PATCH 4/4] update profile stability test
---
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 5d73a8c6fef..21e93e310d5 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -242,7 +242,7 @@ selections:
- var_slub_debug_options=P
- var_auditd_flush=incremental_async
- var_accounts_max_concurrent_login_sessions=10
-- var_authselect_profile=sssd
+- var_authselect_profile=minimal
- var_password_pam_unix_remember=5
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
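Review bot: Patch 4/4 updates only tests/data/profile_stability/rhel8/ospp.profile, while patch 2/4 changes products/rhel9/profiles/ospp.profile as well; if a matching rhel9 stability fixture exists it would still carry `var_authselect_profile=sssd` and the stability test would fail after this series is applied. Switching OSPP from the `sssd` to the `minimal` authselect profile also changes which PAM stacks authselect manages, so any rule in these profiles that depends on an authselect feature (for example the lockout behaviour behind the FIA_AFL.1 reference added in patch 1/4) should be verified against the feature set the `minimal` profile offers rather than carried over from the `sssd` profile as an assumption. A short comment next to the selection, `# minimal: local-only authentication; every enabled authselect feature must be supported by this profile`, would record that expectation for the next profile change.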


@ -0,0 +1,50 @@
From b36ecf8942ce8dea0c4a2b06b4607259deaf3613 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 10 Aug 2022 09:59:57 +0200
Subject: [PATCH] switch rule grub2_disable_interactive_boot for
grub2_disable_recovery in rhel8 ospp
---
.../system/bootloader-grub2/grub2_disable_recovery/rule.yml | 1 +
products/rhel8/profiles/ospp.profile | 2 +-
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
4 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
index 4f8d4ddcfde..fb126cbe7d8 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
@@ -17,6 +17,7 @@ rationale: |-
severity: medium
identifiers:
+ cce@rhel8: CCE-86006-4
cce@rhel9: CCE-85986-8
references:
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
index ebec8a3a6f9..6e3b30f64bb 100644
--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
@@ -304,7 +304,7 @@ selections:
## Disable Unauthenticated Login (such as Guest Accounts)
## FIA_UAU.1
- require_singleuser_auth
- - grub2_disable_interactive_boot
+ - grub2_disable_recovery
- grub2_uefi_password
- no_empty_passwords
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 21e93e310d5..267b66a4f89 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -89,7 +89,7 @@ selections:
- ensure_redhat_gpgkey_installed
- grub2_audit_argument
- grub2_audit_backlog_limit_argument
-- grub2_disable_interactive_boot
+- grub2_disable_recovery
- grub2_kernel_trust_cpu_rng
- grub2_page_poison_argument
- grub2_pti_argument


@ -0,0 +1,97 @@
From 95b79ffa7e9247bd65a92311b92e37b0d83e4432 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Aug 2022 15:01:42 +0200
Subject: [PATCH] Add rsyslogd to the list of tools check by aide
RHEL products will also check for integrity of /usr/sbin/rsyslogd.
---
.../aide/aide_check_audit_tools/ansible/shared.yml | 1 +
.../aide/aide_check_audit_tools/bash/shared.sh | 3 +--
.../aide/aide_check_audit_tools/oval/shared.xml | 2 +-
.../aide/aide_check_audit_tools/tests/correct.pass.sh | 2 +-
.../aide_check_audit_tools/tests/correct_with_selinux.pass.sh | 2 +-
.../aide/aide_check_audit_tools/tests/not_config.fail.sh | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
index 9d1b7b675c9..5905ea8d0e6 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
@@ -22,6 +22,7 @@
- /usr/sbin/aureport
- /usr/sbin/ausearch
- /usr/sbin/autrace
+ {{% if product == 'ol8' or 'rhel' in product %}}- /usr/sbin/rsyslogd{{% endif %}}
- name: Ensure existing AIDE configuration for audit tools are correct
lineinfile:
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
index d0a1ba2522f..a81e25c3950 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
@@ -18,12 +18,11 @@
{{% set auditfiles = auditfiles + ["/usr/sbin/audispd"] %}}
{{% endif %}}
-{{% if product == 'ol8' %}}
+{{% if product == 'ol8' or 'rhel' in product %}}
{{% set auditfiles = auditfiles + ["/usr/sbin/rsyslogd"] %}}
{{% endif %}}
{{% for file in auditfiles %}}
-
if grep -i '^.*{{{file}}}.*$' {{{ aide_conf_path }}}; then
sed -i "s#.*{{{file}}}.*#{{{file}}} {{{ aide_string() }}}#" {{{ aide_conf_path }}}
else
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
index 6ce56c1137a..ca9bf4f94d0 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
@@ -11,7 +11,7 @@
{{% if 'rhel' not in product and product != 'ol8' %}}
<criterion comment="audispd is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_audispd" />
{{% endif %}}
- {{% if product == 'ol8' %}}
+ {{% if product == 'ol8' or 'rhel' in product %}}
<criterion comment="rsyslogd is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_rsyslogd" />
{{% endif %}}
<criterion comment="augenrules is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_augenrules" />
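Review bot: The widened guard on the rsyslogd criterion now emits a reference to `test_aide_verify_rsyslogd` for every product whose name contains `rhel`, yet the diffstat shows only this one line of oval/shared.xml changed, so the test and object definitions for rsyslogd further down the file (outside the hunk) should be confirmed not to sit behind the old `product == 'ol8'` guard — otherwise RHEL builds would reference an undefined OVAL test. The same condition is repeated in the bash remediation and in the ansible list item of this patch, and it is the De Morgan complement of the existing `'rhel' not in product and product != 'ol8'` guard on the audispd criterion above, so the three stay consistent. The check also requires `/usr/sbin/rsyslogd` in the AIDE configuration whether or not the rsyslog package is installed; AIDE tolerates an absent path, so this is an applicability question rather than a failure, but it is worth saying in the rule description.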
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
index 756b88d8a23..071dde13295 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
@@ -7,7 +7,7 @@ aide --init
declare -a bins
-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
for theFile in "${bins[@]}"
do
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
index f3a2a126d3d..cb9bbfa7350 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
@@ -4,7 +4,7 @@
yum -y install aide
declare -a bins
-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
for theFile in "${bins[@]}"
do
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
index 4315cef2073..a22aecb0000 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
@@ -6,7 +6,7 @@ yum -y install aide
aide --init
declare -a bins
-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
for theFile in "${bins[@]}"
do



@ -0,0 +1,187 @@
From 82012a2c80e0f0bed75586b7d93570db2121962e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 1 Aug 2022 17:50:37 +0200
Subject: [PATCH 1/2] Add rule for sysctl net.ipv4.conf.all.forwarding
This is rule is similar to sysctl_net_ipv6_conf_all_forwarding and
sysctl_net_ipv4_forward.
---
.../rule.yml | 44 +++++++++++++++++++
...ctl_net_ipv4_conf_all_forwarding_value.var | 17 +++++++
shared/references/cce-redhat-avail.txt | 1 -
3 files changed, 61 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
new file mode 100644
index 00000000000..7b0066f7c29
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
@@ -0,0 +1,44 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces'
+
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}'
+
+rationale: |-
+ IP forwarding permits the kernel to forward packets from one network
+ interface to another. The ability to forward packets between two networks is
+ only appropriate for systems acting as routers.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-86220-1
+
+references:
+ disa: CCI-000366
+ nist: CM-6(b)
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-040259
+
+ocil_clause: 'IP forwarding value is "1" and the system is not router'
+
+ocil: |-
+ {{{ ocil_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}
+ The ability to forward packets is only appropriate for routers.
+
+fixtext: |-
+ Configure {{{ full_name }}} to not allow packet forwarding unless the system is a router with the following commands:
+ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.forwarding", value="0") | indent(4) }}}
+
+srg_requirement: '{{{ full_name }}} must not perform packet forwarding unless the system is a router.'
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: net.ipv4.conf.all.forwarding
+ datatype: int
+
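Review bot: The `ocil_clause` reads "the system is not router" and should be `ocil_clause: 'IP forwarding value is "1" and the system is not a router'`. In the companion variable file added by the next hunk, `enabled: 1` is unquoted while `default: "0"` and `disabled: "0"` are quoted; with `type: number` both forms evaluate the same, but the options should use one style, e.g. `enabled: "1"`. Since the rule's check and remediation come entirely from the sysctl template, documenting in the rule description that `net.ipv4.ip_forward` is another name for the same kernel setting would help auditors who only find the old key in sysctl.conf.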
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
new file mode 100644
index 00000000000..2aedd6e6432
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: net.ipv4.conf.all.forwarding
+
+description: 'Toggle IPv4 Forwarding'
+
+type: number
+
+operator: equals
+
+interactive: false
+
+options:
+ default: "0"
+ disabled: "0"
+ enabled: 1
+
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 914233f06bf..3e14b73dd71 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -168,7 +168,6 @@ CCE-86216-9
CCE-86217-7
CCE-86218-5
CCE-86219-3
-CCE-86220-1
CCE-86221-9
CCE-86222-7
CCE-86223-5
From 0e2be2dfb7c185ac15e69e110c2e7a76f6896df7 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 1 Aug 2022 17:53:32 +0200
Subject: [PATCH 2/2] Better align with RHEL-08-040259
The item is about net.ipv4.conf.all.forwarding
The update to V1R7 made brought this misalignment to light.
---
.../sysctl_net_ipv4_ip_forward/rule.yml | 1 -
products/rhel8/profiles/stig.profile | 2 +-
tests/data/profile_stability/rhel8/stig.profile | 4 ++--
tests/data/profile_stability/rhel8/stig_gui.profile | 2 +-
4 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
index 5c449db7f3a..7acfc0b05b6 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
@@ -45,7 +45,6 @@ references:
stigid@ol7: OL07-00-040740
stigid@ol8: OL08-00-040260
stigid@rhel7: RHEL-07-040740
- stigid@rhel8: RHEL-08-040259
stigid@sle12: SLES-12-030430
stigid@sle15: SLES-15-040380
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 4b480bd2c11..6b44436a2b1 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -1127,7 +1127,7 @@ selections:
- sysctl_net_ipv6_conf_default_accept_source_route
# RHEL-08-040259
- - sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv4_conf_all_forwarding
# RHEL-08-040260
- sysctl_net_ipv6_conf_all_forwarding
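Review bot: Swapping `sysctl_net_ipv4_ip_forward` for `sysctl_net_ipv4_conf_all_forwarding` changes which key the configuration-file check looks for, but in the kernel `net.ipv4.ip_forward` and `net.ipv4.conf.all.forwarding` are two names for the same setting, so a later `net.ipv4.ip_forward = 1` line in sysctl.conf or a sysctl.d fragment re-enables forwarding at boot while a search for the new key alone still finds `0`. If the sysctl template's OVAL also compares the runtime value (not visible here) a scan catches this at evaluation time, but a remediation that only writes the new key leaves the old one in place; consider noting the alias in the profile comment, e.g. `# RHEL-08-040259 (net.ipv4.ip_forward is an alias of this key; both must be 0)`. The selections list continues outside the hunk.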
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 4bee72830d0..47f53a9d023 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -1,7 +1,7 @@
title: DISA STIG for Red Hat Enterprise Linux 8
description: 'This profile contains configuration checks that align to the
- DISA STIG for Red Hat Enterprise Linux 8 V1R7
+ DISA STIG for Red Hat Enterprise Linux 8 V1R7.
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
@@ -395,13 +395,13 @@ selections:
- sysctl_net_core_bpf_jit_harden
- sysctl_net_ipv4_conf_all_accept_redirects
- sysctl_net_ipv4_conf_all_accept_source_route
+- sysctl_net_ipv4_conf_all_forwarding
- sysctl_net_ipv4_conf_all_rp_filter
- sysctl_net_ipv4_conf_all_send_redirects
- sysctl_net_ipv4_conf_default_accept_redirects
- sysctl_net_ipv4_conf_default_accept_source_route
- sysctl_net_ipv4_conf_default_send_redirects
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-- sysctl_net_ipv4_ip_forward
- sysctl_net_ipv6_conf_all_accept_ra
- sysctl_net_ipv6_conf_all_accept_redirects
- sysctl_net_ipv6_conf_all_accept_source_route
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index ece32d06a6f..c4e60ddcde5 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -405,13 +405,13 @@ selections:
- sysctl_net_core_bpf_jit_harden
- sysctl_net_ipv4_conf_all_accept_redirects
- sysctl_net_ipv4_conf_all_accept_source_route
+- sysctl_net_ipv4_conf_all_forwarding
- sysctl_net_ipv4_conf_all_rp_filter
- sysctl_net_ipv4_conf_all_send_redirects
- sysctl_net_ipv4_conf_default_accept_redirects
- sysctl_net_ipv4_conf_default_accept_source_route
- sysctl_net_ipv4_conf_default_send_redirects
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-- sysctl_net_ipv4_ip_forward
- sysctl_net_ipv6_conf_all_accept_ra
- sysctl_net_ipv6_conf_all_accept_redirects
- sysctl_net_ipv6_conf_all_accept_source_route


@ -0,0 +1,89 @@
From e368a515911cd09727d8cd1c7e8b46dc7bdff4fa Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 9 Aug 2022 17:28:33 +0200
Subject: [PATCH] Reintroduce back the sshd timeout rules in RHEL8 STIG
profile.
---
.../ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 1 +
.../ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 1 +
products/rhel8/profiles/stig.profile | 14 +++++++-------
tests/data/profile_stability/rhel8/stig.profile | 2 ++
.../data/profile_stability/rhel8/stig_gui.profile | 2 ++
5 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
index 46ea0558a42..1e9c6172758 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
@@ -57,6 +57,7 @@ references:
stigid@ol7: OL07-00-040320
stigid@ol8: OL08-00-010201
stigid@rhel7: RHEL-07-040320
+ stigid@rhel8: RHEL-08-010201
stigid@sle12: SLES-12-030190
stigid@sle15: SLES-15-010280
stigid@ubuntu2004: UBTU-20-010037
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
index 0f0693ddc6c..f6e98a61d9a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
@@ -53,6 +53,7 @@ references:
stigid@ol7: OL07-00-040340
stigid@ol8: OL08-00-010200
stigid@rhel7: RHEL-07-040340
+ stigid@rhel8: RHEL-08-010200
stigid@sle12: SLES-12-030191
stigid@sle15: SLES-15-010320
vmmsrg: SRG-OS-000480-VMM-002000
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 6b44436a2b1..124b7520d3a 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -170,13 +170,13 @@ selections:
# RHEL-08-010190
- dir_perms_world_writable_sticky_bits
- # These two items don't behave as they used to in RHEL8.6 and RHEL9
- # anymore. They will be disabled for now until an alternative
- # solution is found.
- # # RHEL-08-010200
- # - sshd_set_keepalive_0
- # # RHEL-08-010201
- # - sshd_set_idle_timeout
+ # Although these rules have a different behavior in RHEL>=8.6
+ # they still need to be selected so it follows exactly what STIG
+ # states.
+ # RHEL-08-010200
+ - sshd_set_keepalive_0
+ # RHEL-08-010201
+ - sshd_set_idle_timeout
# RHEL-08-010210
- file_permissions_var_log_messages
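Review bot: The replacement comment says the two rules "have a different behavior in RHEL>=8.6" without stating what the difference is, which is the one thing a maintainer re-reading this selection needs. Presumably this refers to OpenSSH 8.2 and later treating `ClientAliveCountMax 0` as disabling the inactivity check rather than terminating the session; if so, spell it out with something like `# On OpenSSH >= 8.2 (RHEL 8.6+) ClientAliveCountMax 0 disables the keepalive check instead of enforcing it; these rules are selected for STIG alignment and do not by themselves enforce the idle timeout.` That also tells consumers of the profile that the idle-timeout control needs another mechanism on those releases.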
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 47f53a9d023..6c75d0ae1b1 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -369,6 +369,8 @@ selections:
- sshd_enable_warning_banner
- sshd_print_last_log
- sshd_rekey_limit
+- sshd_set_idle_timeout
+- sshd_set_keepalive_0
- sshd_use_strong_rng
- sshd_x11_use_localhost
- sssd_certificate_verification
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index c4e60ddcde5..8a7a469b940 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -379,6 +379,8 @@ selections:
- sshd_enable_warning_banner
- sshd_print_last_log
- sshd_rekey_limit
+- sshd_set_idle_timeout
+- sshd_set_keepalive_0
- sshd_use_strong_rng
- sshd_x11_use_localhost
- sssd_certificate_verification


@ -0,0 +1,113 @@
From 7e46b59d2227dea50ca173d799bce7fa14b57ab1 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Aug 2022 15:57:52 +0200
Subject: [PATCH 1/2] Accept sudoers files without includes as compliant
Update rule sudoers_default_includedir to accept as compliant sudoers
files that don't have any #include or #includedir directive
---
.../oval/shared.xml | 24 +++++++++++++++----
.../sudo/sudoers_default_includedir/rule.yml | 8 ++++---
...cludedir.fail.sh => no_includedir.pass.sh} | 2 +-
3 files changed, 26 insertions(+), 8 deletions(-)
rename linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/{no_includedir.fail.sh => no_includedir.pass.sh} (51%)
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
index 59cab0b89de..629fbe8c6d2 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
@@ -1,10 +1,16 @@
<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="1">
{{{ oval_metadata("Check if sudo includes only the default includedir") }}}
- <criteria operator="AND">
- <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
- <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
- <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
+ <criteria operator="OR">
+ <criteria operator="AND">
+ <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />
+ <criterion comment="Check /etc/sudoers doesn't have any #includedir" test_ref="test_sudoers_without_includedir" />
+ </criteria>
+ <criteria operator="AND">
+ <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
+ <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
+ <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
+ </criteria>
</criteria>
</definition>
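Review bot: The new OR branch accepts any sudoers file that contains no `#include`/`#includedir` line, but the patterns only cover the legacy `#`-prefixed directives (the object added in the next hunk matches `^#includedir[\s]+.*$`); sudo 1.9.1 and later also honour `@include` and `@includedir`, so a sudoers that pulls in extra files through `@include` satisfies the "no includes" branch on those versions. Whether this matters depends on the sudo version shipped by each product the rule targets, which is not visible here; if current releases are in scope the patterns in both branches should accept `^[#@]include`, or the rule text should state that only the legacy form is covered.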
@@ -32,6 +38,16 @@
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="audit augenrules rmmod" id="test_sudoers_without_includedir" version="1">
+ <ind:object object_ref="object_sudoers_without_includedir" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_sudoers_without_includedir" version="1">
+ <ind:filepath>/etc/sudoers</ind:filepath>
+ <ind:pattern operation="pattern match">^#includedir[\s]+.*$</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
<ind:textfilecontent54_test check="all" check_existence="none_exist"
comment="audit augenrules rmmod" id="test_sudoersd_without_includes" version="1">
<ind:object object_ref="object_sudoersd_without_includes" />
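Review bot: The new test's `comment="audit augenrules rmmod"` is copied from an unrelated audit rule and says nothing about sudoers; it should read `comment="/etc/sudoers has no #includedir directive"`. The pre-existing `test_sudoersd_without_includes` just below carries the same stray comment, and the second patch in this series, which already revises the criterion comments, would be the natural place to fix both. The hunk cuts the surrounding test definitions at both ends.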
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
index aa2aaee19f8..83bfb0183bd 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
@@ -8,9 +8,11 @@ description: |-
Administrators can configure authorized <tt>sudo</tt> users via drop-in files, and it is possible to include
other directories and configuration files from the file currently being parsed.
- Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>.
- The <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
- <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories.
+ Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>,
+ or that no drop-in file is included.
+ Either the <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
+ <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories;
+ Or the <tt>/etc/sudoers</tt> should not contain any <tt>#include</tt> or <tt>#includedir</tt> directives.
Note that the '#' character doesn't denote a comment in the configuration file.
rationale: |-
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
similarity index 51%
rename from linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
rename to linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
index 1e0ab8aea92..fe73cb25076 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
@@ -1,4 +1,4 @@
#!/bin/bash
# platform = multi_platform_all
-sed -i "/#includedir.*/d" /etc/sudoers
+sed -i "/#include(dir)?.*/d" /etc/sudoers
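Review bot: `sed -i "/#include(dir)?.*/d" /etc/sudoers` does not delete the lines it targets: without `-E`, sed uses basic regular expressions, in which `(`, `)` and `?` are literal characters, so the address only matches a line containing the text `#include(dir)?`. The renamed scenario still passes, but only because the stock sudoers already satisfies the other OR branch, so the "no includes" case the rename is meant to cover is never actually exercised. Use `sed -i -E "/#include(dir)?/d" /etc/sudoers` or simply `sed -i "/^#include/d" /etc/sudoers`.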
From 28967d81eeea19f172ad0fd43ad3f58b203e1411 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Aug 2022 12:01:12 +0200
Subject: [PATCH 2/2] Improve definition's comments
---
.../software/sudo/sudoers_default_includedir/oval/shared.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
index 629fbe8c6d2..82095acc6ed 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
@@ -8,8 +8,8 @@
</criteria>
<criteria operator="AND">
<criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
- <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
- <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
+ <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />
+ <criterion comment="Check /etc/sudoers.d doesn't have any #include or #includedir" test_ref="test_sudoersd_without_includes" />
</criteria>
</criteria>
</definition>


@ -0,0 +1,358 @@
From f647d546d03b9296861f18673b0ac9efaa0db3ab Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Aug 2022 09:57:33 +0200
Subject: [PATCH 1/5] Make rule sysctl ipv4 rp_filter accept two values
This also removes value '0' from the list of possible configurations.
This change aligns the rule better with STIG.
---
.../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 4 ++++
.../tests/value_1.pass.sh | 10 ++++++++++
.../tests/value_2.pass.sh | 10 ++++++++++
.../sysctl_net_ipv4_conf_all_rp_filter_value.var | 2 +-
4 files changed, 25 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
index 496a8491f32..697f79fa872 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
@@ -59,4 +59,8 @@ template:
name: sysctl
vars:
sysctlvar: net.ipv4.conf.all.rp_filter
+ sysctlval:
+ - '1'
+ - '2'
+ wrong_sysctlval_for_testing: "0"
datatype: int
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
new file mode 100644
index 00000000000..516bfaf1369
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
+echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w net.ipv4.conf.all.rp_filter="1"
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
new file mode 100644
index 00000000000..ef1b8da0479
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
+echo "net.ipv4.conf.all.rp_filter = 2" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w net.ipv4.conf.all.rp_filter="2"
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
index e3fc78e3f05..1eae854f6b0 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
@@ -17,5 +17,5 @@ interactive: false
options:
default: 1
- disabled: "0"
enabled: 1
+ loose: 2
From f903b6b257659cfe79bfd17a13ae72d1a48f40d9 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Aug 2022 10:53:40 +0200
Subject: [PATCH 2/5] Make rule for kptr_restrict accept two values
This also removes value '0' from the list of possible configurations.
This change aligns the rule better with STIG.
---
.../sysctl_kernel_kptr_restrict/rule.yml | 4 ++++
.../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 10 ++++++++++
.../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 10 ++++++++++
.../sysctl_kernel_kptr_restrict_value.var | 1 -
4 files changed, 24 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index 1984b3c8691..5706eee0a0a 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -42,6 +42,10 @@ template:
name: sysctl
vars:
sysctlvar: kernel.kptr_restrict
+ sysctlval:
+ - '1'
+ - '2'
+ wrong_sysctlval_for_testing: "0"
datatype: int
fixtext: |-
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
new file mode 100644
index 00000000000..e6efae48b25
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
+echo "kernel.kptr_restrict = 1" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.kptr_restrict="1"
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
new file mode 100644
index 00000000000..be3f2b743ef
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
+echo "kernel.kptr_restrict = 2" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.kptr_restrict="2"
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
index 452328e3efd..268550de53d 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
@@ -12,6 +12,5 @@ interactive: false
options:
default: 1
- 0: 0
1: 1
2: 2
From 932d00c370c8dc1c964354dd4bc111fbc18b9303 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Aug 2022 11:08:34 +0200
Subject: [PATCH 3/5] Remove variable selector that will result in error
The rule only accepts values 1 or 2 as compliant, the XCCDF Variable
cannot have the value 0, it will never result in pass.
---
.../sysctl_kernel_unprivileged_bpf_disabled_value.var | 1 -
1 file changed, 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
index b8bf965a255..cbfd9bafa91 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
@@ -13,6 +13,5 @@ interactive: false
options:
default: 2
- 0: "0"
1: "1"
2: "2"
From 7127380e294a7e112fc427d0a46c21f15404aaa5 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Aug 2022 11:33:03 +0200
Subject: [PATCH 4/5] Restrict sysctl multivalue compliance to rhel and ol
For now, the only STIGs I see that adopted this change were RHEL's and
OL's.
---
.../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 2 ++
.../sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh | 1 +
.../sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh | 1 +
.../sysctl_kernel_kptr_restrict/rule.yml | 2 ++
.../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 1 +
.../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 1 +
6 files changed, 8 insertions(+)
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
index 697f79fa872..f04ae37c13d 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
@@ -59,8 +59,10 @@ template:
name: sysctl
vars:
sysctlvar: net.ipv4.conf.all.rp_filter
+ {{% if 'ol' in product or 'rhel' in product %}}
sysctlval:
- '1'
- '2'
wrong_sysctlval_for_testing: "0"
+ {{% endif %}}
datatype: int
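Review bot: The guard `{{% if 'ol' in product or 'rhel' in product %}}` added above `sysctlval:` is a substring test, so it is true for any product identifier that happens to contain those letters, not only Oracle Linux and RHEL; the identical guard is added to sysctl_kernel_kptr_restrict/rule.yml in the later hunk of this patch. If `product` is a plain string at this point, a prefix match states the intent exactly: `{{% if product.startswith('ol') or product.startswith('rhel') %}}`. A short Jinja comment next to it would also record why the multi-value check is limited, e.g. `{{# RHEL and OL STIGs accept 1 or 2; other products keep the single-value check #}}`.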
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
index 516bfaf1369..583b70a3b97 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
# Clean sysctl config directories
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
index ef1b8da0479..ef545976dc6 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
# Clean sysctl config directories
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index 5706eee0a0a..f53e035effa 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -42,10 +42,12 @@ template:
name: sysctl
vars:
sysctlvar: kernel.kptr_restrict
+ {{% if 'ol' in product or 'rhel' in product %}}
sysctlval:
- '1'
- '2'
wrong_sysctlval_for_testing: "0"
+ {{% endif %}}
datatype: int
fixtext: |-
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
index e6efae48b25..70189666c16 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
# Clean sysctl config directories
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
index be3f2b743ef..209395fa9a1 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
# Clean sysctl config directories
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
From a159f7d62b200c79b6ec2b47ffa643ed6219f35b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Aug 2022 14:01:40 +0200
Subject: [PATCH 5/5] Update OCIL check along with the rule
The OCIL should should mention both compliant values.
---
.../rule.yml | 29 +++++++++++++++++--
.../sysctl_kernel_kptr_restrict/rule.yml | 29 ++++++++++++++++++-
2 files changed, 55 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
index f04ae37c13d..4d31c6c3ebd 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
@@ -47,11 +47,36 @@ references:
stigid@rhel7: RHEL-07-040611
stigid@rhel8: RHEL-08-040285
-{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}}
+ocil: |-
+ The runtime status of the <code>net.ipv4.conf.all.rp_filter</code> parameter can be queried
+ by running the following command:
+ <pre>$ sysctl net.ipv4.conf.all.rp_filter</pre>
+ The output of the command should indicate either:
+ <code>net.ipv4.conf.all.rp_filter = 1</code>
+ or:
+ <code>net.ipv4.conf.all.rp_filter = 2</code>
+ The output of the command should not indicate:
+ <code>net.ipv4.conf.all.rp_filter = 0</code>
+
+ The preferable way how to assure the runtime compliance is to have
+ correct persistent configuration, and rebooting the system.
+
+ The persistent sysctl parameter configuration is performed by specifying the appropriate
+ assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
+ Verify that there is not any existing incorrect configuration by executing the following command:
+ <pre>$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
+ The command should not find any assignments other than:
+ net.ipv4.conf.all.rp_filter = 1
+ or:
+ net.ipv4.conf.all.rp_filter = 2
+
+ Conflicting assignments are not allowed.
+
+ocil_clause: "the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0"
fixtext: |-
Configure {{{ full_name }}} to use reverse path filtering on all IPv4 interfaces.
- {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value="1") | indent(4) }}}
+ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value=xccdf_value("sysctl_net_ipv4_conf_all_rp_filter_value")) | indent(4) }}}
srg_requirement: '{{{ full_name }}} must use reverse path filtering on all IPv4 interfaces.'
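Review bot: The manual verification on the new `<pre>$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>` line only searches two locations, whereas the test scenarios in this series clear `/usr/lib/sysctl.d`, `/run/sysctl.d` and `/etc/sysctl.d` before staging a value, which suggests the automated check reads all of them; an assignment living in `/usr/lib/sysctl.d` or `/run/sysctl.d` would then pass the manual procedure but fail the scan. Extending the search keeps OCIL and the automated check aligned, e.g. `<pre>$ grep -r '^\s*net\.ipv4\.conf\.all\.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d</pre>`; escaping the dots also stops the pattern from matching unrelated keys. The same grep line is added for `kernel.kptr_restrict` in the next file of this patch and would need the same change.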
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index f53e035effa..367934b5672 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -34,6 +34,33 @@ references:
{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}
+ocil: |-
+ The runtime status of the <code>kernel.kptr_restrict</code> kernel parameter can be queried
+ by running the following command:
+ <pre>$ sysctl kernel.kptr_restrict</pre>
+ The output of the command should indicate either:
+ <code>kernel.kptr_restrict = 1</code>
+ or:
+ <code>kernel.kptr_restrict = 2</code>
+ The output of the command should not indicate:
+ <code>kernel.kptr_restrict = 0</code>
+
+ The preferable way how to assure the runtime compliance is to have
+ correct persistent configuration, and rebooting the system.
+
+ The persistent kernel parameter configuration is performed by specifying the appropriate
+ assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
+ Verify that there is not any existing incorrect configuration by executing the following command:
+ <pre>$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
+ The command should not find any assignments other than:
+ kernel.kptr_restrict = 1
+ or:
+ kernel.kptr_restrict = 2
+
+ Conflicting assignments are not allowed.
+
+ocil_clause: "the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0"
+
srg_requirement: '{{{ full_name }}} must restrict exposed kernel pointer addresses access.'
platform: machine
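Review bot: The `{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}` line at the top of this hunk is kept as context, while the corresponding line in sysctl_net_ipv4_conf_all_rp_filter/rule.yml is removed in the same patch; judging by what the rp_filter hunk replaces it with, that macro expands to its own `ocil:` and `ocil_clause:` entries, so the rendered rule now carries each key twice. Depending on how the rule YAML is loaded, that either fails the build or silently keeps only one of the two texts (the old single-value wording, if the earlier one wins), and the diffstat for this file (28 insertions, 1 deletion) confirms nothing was dropped here. The fix is to delete that macro line, exactly as the rp_filter hunk does.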
@@ -52,4 +79,4 @@ template:
fixtext: |-
Configure {{{ full_name }}} to restrict exposed kernel pointer addresses access.
- {{{ fixtext_sysctl("kernel.kptr_restrict", "1") | indent(4) }}}
+ {{{ fixtext_sysctl("kernel.kptr_restrict", value=xccdf_value("sysctl_kernel_kptr_restrict_value")) | indent(4) }}}


@ -0,0 +1,92 @@
From 245d4e04318bcac20f15e680cf1b33a35b94067a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 8 Aug 2022 14:34:34 +0200
Subject: [PATCH 1/3] add warning to the rsyslog_remote_loghost rule about
configuring queues
---
.../rsyslog_remote_loghost/rule.yml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
index 4ce56d2e6a5..c73d9ec95a6 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
@@ -90,3 +90,20 @@ fixtext: |-
*.* @@[remoteloggingserver]:[port]"
srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a different system or storage media from the system being audited.'
+
+warnings:
+ - functionality: |-
+ It is important to configure queues in case the client is sending log
+ messages to a remote server. If queues are not configured, there is a
+ danger that the system will stop functioning in case that the connection
+ to the remote server is not available. Please consult Rsyslog
+ documentation for more information about configuration of queues. The
+ example configuration which should go into <tt>/etc/rsyslog.conf</tt>
+ can look like the following lines:
+ <pre>
+ $ActionQueueType LinkedList
+ $ActionQueueFileName somenameforprefix
+ $ActionQueueMaxDiskSpace 1g
+ $ActionQueueSaveOnShutdown on
+ $ActionResumeRetryCount -1
+ </pre>
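Review bot: The example lists the legacy `$ActionQueue*` directives but does not say where they belong; in rsyslog's legacy syntax these parameters apply only to the next action statement and are reset once that action is parsed, so they must directly precede the forwarding line (`*.* @@[remoteloggingserver]:[port]`) shown in the fixtext above rather than sit anywhere in `/etc/rsyslog.conf`. A sentence such as `These lines must be placed immediately before the forwarding action they are meant to protect.` would prevent a configuration that looks complete yet leaves the forwarding action unqueued. Disk-assisted queues (`$ActionQueueFileName`) also depend on a configured work directory; it is worth confirming that the product's default rsyslog configuration sets one before relying on this example.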
From 10fbd1665513284fbb82cf1af96b92774301f8e5 Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Tue, 9 Aug 2022 09:41:00 +0200
Subject: [PATCH 2/3] Apply suggestions from code review
Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
---
.../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
index c73d9ec95a6..706d3265a08 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
@@ -95,14 +95,14 @@ warnings:
- functionality: |-
It is important to configure queues in case the client is sending log
messages to a remote server. If queues are not configured, there is a
- danger that the system will stop functioning in case that the connection
+ the system will stop functioning when the connection
to the remote server is not available. Please consult Rsyslog
documentation for more information about configuration of queues. The
example configuration which should go into <tt>/etc/rsyslog.conf</tt>
can look like the following lines:
<pre>
$ActionQueueType LinkedList
- $ActionQueueFileName somenameforprefix
+ $ActionQueueFileName queuefilename
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
From e2abf4f8a1bcc0dd02ad4af6f9575797abdd332e Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Tue, 9 Aug 2022 10:55:04 +0200
Subject: [PATCH 3/3] Update
linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
---
.../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
index 706d3265a08..cce4d5cac1d 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
@@ -94,7 +94,7 @@ srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a
warnings:
- functionality: |-
It is important to configure queues in case the client is sending log
- messages to a remote server. If queues are not configured, there is a
+ messages to a remote server. If queues are not configured,
the system will stop functioning when the connection
to the remote server is not available. Please consult Rsyslog
documentation for more information about configuration of queues. The


@ -6,7 +6,7 @@
Name: scap-security-guide
Version: 0.1.63
Release: 1%{?dist}
Release: 3%{?dist}
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
Group: Applications/System
@ -19,6 +19,21 @@ BuildArch: noarch
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
Patch0: disable-not-in-good-shape-profiles.patch
Patch1: scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch
Patch2: scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch
Patch3: scap-security-guide-0.1.64-stig_aide-PR_9282.patch
Patch4: scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch
Patch5: scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch
Patch6: scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch
Patch7: scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch
Patch8: scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch
Patch9: scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch
Patch10: scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch
Patch11: scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch
Patch12: scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch
Patch13: scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch
Patch14: scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
Patch15: scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
BuildRequires: libxslt
BuildRequires: expat
@ -123,6 +138,18 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
%endif
%changelog
* Mon Aug 15 2022 Watson Sato <wsato@redhat.com> - 0.1.63-3
- Fix Ansible partition conditional (RHBZ#2032403)
* Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2
- aligning with the latest STIG update (RHBZ#2112937)
- OSPP: use Authselect minimal profile (RHBZ#2117192)
- OSPP: change rules for protecting of boot (RHBZ#2116440)
- add warning about configuring of TCP queues to rsyslog_remote_loghost (RHBZ#2078974)
- fix handling of Defaults clause in sudoers (RHBZ#2083109)
- make rules checking for mount options of /tmp and /var/tmp applicable only when the partition really exists (RHBZ#2032403)
- fix handling of Rsyslog include directives (RHBZ#2075384)
* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
- Rebase to a new upstream release 0.1.63 (RHBZ#2070564)