Auto sync2gitlab import of scap-security-guide-0.1.63-3.el8.src.rpm
This commit is contained in:
parent
eb5e8dd735
commit
ce244d29b1
@ -0,0 +1,227 @@
|
|||||||
|
From b4291642f301c18b33ad9b722f0f26490bb55047 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matej Tyc <matyc@redhat.com>
|
||||||
|
Date: Thu, 21 Jul 2022 16:42:41 +0200
|
||||||
|
Subject: [PATCH 1/3] Add platforms for partition existence
|
||||||
|
|
||||||
|
---
|
||||||
|
shared/applicability/general.yml | 14 +++++++++++++
|
||||||
|
.../checks/oval/installed_env_mounts_tmp.xml | 10 +++++++++
|
||||||
|
.../oval/installed_env_mounts_var_tmp.xml | 10 +++++++++
|
||||||
|
shared/macros/10-ansible.jinja | 5 +++++
|
||||||
|
shared/macros/10-bash.jinja | 5 +++++
|
||||||
|
shared/macros/10-oval.jinja | 21 +++++++++++++++++++
|
||||||
|
6 files changed, 65 insertions(+)
|
||||||
|
create mode 100644 shared/checks/oval/installed_env_mounts_tmp.xml
|
||||||
|
create mode 100644 shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||||
|
|
||||||
|
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
|
||||||
|
index 2d23d753148..e2f5d04ce00 100644
|
||||||
|
--- a/shared/applicability/general.yml
|
||||||
|
+++ b/shared/applicability/general.yml
|
||||||
|
@@ -77,6 +77,20 @@ cpes:
|
||||||
|
bash_conditional: {{{ bash_pkg_conditional("pam") }}}
|
||||||
|
ansible_conditional: {{{ ansible_pkg_conditional("pam") }}}
|
||||||
|
|
||||||
|
+ - partition-var-tmp:
|
||||||
|
+ name: "cpe:/a:partition-var-tmp"
|
||||||
|
+ title: "There is a /var/tmp partition"
|
||||||
|
+ check_id: installed_env_mounts_var_tmp
|
||||||
|
+ bash_conditional: {{{ bash_partition_conditional("/var/tmp") }}}
|
||||||
|
+ ansible_conditional: {{{ ansible_partition_conditional("/var/tmp") }}}
|
||||||
|
+
|
||||||
|
+ - partition-tmp:
|
||||||
|
+ name: "cpe:/a:partition-tmp"
|
||||||
|
+ title: "There is a /tmp partition"
|
||||||
|
+ check_id: installed_env_mounts_tmp
|
||||||
|
+ bash_conditional: {{{ bash_partition_conditional("/tmp") }}}
|
||||||
|
+ ansible_conditional: {{{ ansible_partition_conditional("/tmp") }}}
|
||||||
|
+
|
||||||
|
- polkit:
|
||||||
|
name: "cpe:/a:polkit"
|
||||||
|
title: "Package polkit is installed"
|
||||||
|
diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..c1bcd6b2431
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||||
|
@@ -0,0 +1,10 @@
|
||||||
|
+<def-group>
|
||||||
|
+ <definition class="inventory" id="installed_env_mounts_tmp" version="1">
|
||||||
|
+ {{{ oval_metadata("", title="Partition /tmp exists", affected_platforms=[full_name]) }}}
|
||||||
|
+ <criteria>
|
||||||
|
+ {{{ partition_exists_criterion("/tmp") }}}
|
||||||
|
+ </criteria>
|
||||||
|
+ </definition>
|
||||||
|
+
|
||||||
|
+ {{{ partition_exists_tos("/tmp") }}}
|
||||||
|
+</def-group>
|
||||||
|
diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..a72f49c8a8f
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||||
|
@@ -0,0 +1,10 @@
|
||||||
|
+<def-group>
|
||||||
|
+ <definition class="inventory" id="installed_env_mounts_var_tmp" version="1">
|
||||||
|
+ {{{ oval_metadata("", title="Partition /var/tmp exists", affected_platforms=[full_name]) }}}
|
||||||
|
+ <criteria>
|
||||||
|
+ {{{ partition_exists_criterion("/var/tmp") }}}
|
||||||
|
+ </criteria>
|
||||||
|
+ </definition>
|
||||||
|
+
|
||||||
|
+ {{{ partition_exists_tos("/var/tmp") }}}
|
||||||
|
+</def-group>
|
||||||
|
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
|
||||||
|
index 2d24f730d3f..478f0072bc7 100644
|
||||||
|
--- a/shared/macros/10-ansible.jinja
|
||||||
|
+++ b/shared/macros/10-ansible.jinja
|
||||||
|
@@ -1439,3 +1439,8 @@ Part of the grub2_bootloader_argument_absent template.
|
||||||
|
when:
|
||||||
|
- result_pam_file_present.stat.exists
|
||||||
|
{{%- endmacro -%}}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+{{%- macro ansible_partition_conditional(path) -%}}
|
||||||
|
+"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
|
||||||
|
+{{%- endmacro -%}}
|
||||||
|
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
|
||||||
|
index 94c3c6f9570..6a7fb165fd2 100644
|
||||||
|
--- a/shared/macros/10-bash.jinja
|
||||||
|
+++ b/shared/macros/10-bash.jinja
|
||||||
|
@@ -2085,3 +2085,8 @@ else
|
||||||
|
echo "{{{ pam_file }}} was not found" >&2
|
||||||
|
fi
|
||||||
|
{{%- endmacro -%}}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+{{%- macro bash_partition_conditional(path) -%}}
|
||||||
|
+'findmnt --mountpoint "{{{ path }}}" > /dev/null'
|
||||||
|
+{{%- endmacro -%}}
|
||||||
|
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
|
||||||
|
index c8d7bbeffb7..1ec93b6ef7d 100644
|
||||||
|
--- a/shared/macros/10-oval.jinja
|
||||||
|
+++ b/shared/macros/10-oval.jinja
|
||||||
|
@@ -926,3 +926,24 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
|
||||||
|
{{%- else %}}
|
||||||
|
{{%- set user_list="nobody" %}}
|
||||||
|
{{%- endif %}}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+{{%- macro partition_exists_criterion(path) %}}
|
||||||
|
+{{%- set escaped_path = path | replace("/", "_") %}}
|
||||||
|
+ <criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path }}}_exists" />
|
||||||
|
+{{%- endmacro %}}
|
||||||
|
+
|
||||||
|
+{{%- macro partition_exists_tos(path) %}}
|
||||||
|
+{{%- set escaped_path = path | replace("/", "_") %}}
|
||||||
|
+ <linux:partition_test check="all" check_existence="all_exist"
|
||||||
|
+ comment="Partition {{{ path }}} exists"
|
||||||
|
+ id="test_partition_{{{ escaped_path }}}_exists"
|
||||||
|
+ version="1">
|
||||||
|
+ <linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
|
||||||
|
+ {{#- <linux:partition_state state_ref="" /> #}}
|
||||||
|
+ </linux:partition_test>
|
||||||
|
+
|
||||||
|
+ <linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">
|
||||||
|
+ <linux:mount_point>{{{ path }}}</linux:mount_point>
|
||||||
|
+ </linux:partition_object>
|
||||||
|
+{{%- endmacro %}}
|
||||||
|
|
||||||
|
From 704da46c44f50c93acbfe172212f1687763013b0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matej Tyc <matyc@redhat.com>
|
||||||
|
Date: Thu, 21 Jul 2022 16:43:21 +0200
|
||||||
|
Subject: [PATCH 2/3] Use partition exist platforms on a real rule
|
||||||
|
|
||||||
|
---
|
||||||
|
.../partitions/mount_option_var_tmp_nodev/rule.yml | 3 ++-
|
||||||
|
.../mount_option_var_tmp_nodev/tests/notapplicable.pass.sh | 5 +++++
|
||||||
|
2 files changed, 7 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
|
||||||
|
index 8ee8c8b12e0..741d0973283 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
|
||||||
|
@@ -38,7 +38,8 @@ references:
|
||||||
|
stigid@ol8: OL08-00-040132
|
||||||
|
stigid@rhel8: RHEL-08-040132
|
||||||
|
|
||||||
|
-platform: machine
|
||||||
|
+platforms:
|
||||||
|
+ - machine and partition-var-tmp
|
||||||
|
|
||||||
|
template:
|
||||||
|
name: mount_option
|
||||||
|
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..241c0103d82
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
|
||||||
|
@@ -0,0 +1,5 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+. $SHARED/partition.sh
|
||||||
|
+
|
||||||
|
+clean_up_partition /var/tmp # Remove the partition from the system, and unmount it
|
||||||
|
|
||||||
|
From 7b3c9eb40d362ffcfda542cc2b267bce13e25d5a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matej Tyc <matyc@redhat.com>
|
||||||
|
Date: Wed, 10 Aug 2022 11:32:38 +0200
|
||||||
|
Subject: [PATCH 3/3] Improve code style
|
||||||
|
|
||||||
|
- Improve description of OVAL macro
|
||||||
|
- Use the escape_id filter to produce IDs
|
||||||
|
---
|
||||||
|
shared/checks/oval/installed_env_mounts_tmp.xml | 2 +-
|
||||||
|
shared/checks/oval/installed_env_mounts_var_tmp.xml | 2 +-
|
||||||
|
shared/macros/10-oval.jinja | 7 +++----
|
||||||
|
3 files changed, 5 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||||
|
index c1bcd6b2431..edd8ad050f5 100644
|
||||||
|
--- a/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||||
|
+++ b/shared/checks/oval/installed_env_mounts_tmp.xml
|
||||||
|
@@ -6,5 +6,5 @@
|
||||||
|
</criteria>
|
||||||
|
</definition>
|
||||||
|
|
||||||
|
- {{{ partition_exists_tos("/tmp") }}}
|
||||||
|
+ {{{ partition_exists_test_object("/tmp") }}}
|
||||||
|
</def-group>
|
||||||
|
diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||||
|
index a72f49c8a8f..cf9aafbdb04 100644
|
||||||
|
--- a/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||||
|
+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml
|
||||||
|
@@ -6,5 +6,5 @@
|
||||||
|
</criteria>
|
||||||
|
</definition>
|
||||||
|
|
||||||
|
- {{{ partition_exists_tos("/var/tmp") }}}
|
||||||
|
+ {{{ partition_exists_test_object("/var/tmp") }}}
|
||||||
|
</def-group>
|
||||||
|
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
|
||||||
|
index 1ec93b6ef7d..f302091f7df 100644
|
||||||
|
--- a/shared/macros/10-oval.jinja
|
||||||
|
+++ b/shared/macros/10-oval.jinja
|
||||||
|
@@ -929,18 +929,17 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
|
||||||
|
|
||||||
|
|
||||||
|
{{%- macro partition_exists_criterion(path) %}}
|
||||||
|
-{{%- set escaped_path = path | replace("/", "_") %}}
|
||||||
|
+{{%- set escaped_path = path | escape_id %}}
|
||||||
|
<criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path }}}_exists" />
|
||||||
|
{{%- endmacro %}}
|
||||||
|
|
||||||
|
-{{%- macro partition_exists_tos(path) %}}
|
||||||
|
-{{%- set escaped_path = path | replace("/", "_") %}}
|
||||||
|
+{{%- macro partition_exists_test_object(path) %}}
|
||||||
|
+{{%- set escaped_path = path | escape_id %}}
|
||||||
|
<linux:partition_test check="all" check_existence="all_exist"
|
||||||
|
comment="Partition {{{ path }}} exists"
|
||||||
|
id="test_partition_{{{ escaped_path }}}_exists"
|
||||||
|
version="1">
|
||||||
|
<linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
|
||||||
|
- {{#- <linux:partition_state state_ref="" /> #}}
|
||||||
|
</linux:partition_test>
|
||||||
|
|
||||||
|
<linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">
|
@ -0,0 +1,92 @@
|
|||||||
|
From 51d7ee352dd2e90cb711d949cc59fb36c7fbe5da Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matej Tyc <matyc@redhat.com>
|
||||||
|
Date: Wed, 10 Aug 2022 13:35:50 +0200
|
||||||
|
Subject: [PATCH] Add the platform applicability to relevant rules
|
||||||
|
|
||||||
|
---
|
||||||
|
.../permissions/partitions/mount_option_tmp_nodev/rule.yml | 2 +-
|
||||||
|
.../permissions/partitions/mount_option_tmp_noexec/rule.yml | 2 +-
|
||||||
|
.../permissions/partitions/mount_option_tmp_nosuid/rule.yml | 2 +-
|
||||||
|
.../permissions/partitions/mount_option_var_tmp_bind/rule.yml | 2 +-
|
||||||
|
.../permissions/partitions/mount_option_var_tmp_noexec/rule.yml | 2 +-
|
||||||
|
.../permissions/partitions/mount_option_var_tmp_nosuid/rule.yml | 2 +-
|
||||||
|
6 files changed, 6 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
|
||||||
|
index 45a73e0286a..79a19a8d30b 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
|
||||||
|
@@ -45,7 +45,7 @@ references:
|
||||||
|
stigid@ol8: OL08-00-040123
|
||||||
|
stigid@rhel8: RHEL-08-040123
|
||||||
|
|
||||||
|
-platform: machine
|
||||||
|
+platform: machine and partition-tmp
|
||||||
|
|
||||||
|
template:
|
||||||
|
name: mount_option
|
||||||
|
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
|
||||||
|
index 7356183bab3..d3f6d6175e5 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
|
||||||
|
@@ -44,7 +44,7 @@ references:
|
||||||
|
stigid@ol8: OL08-00-040125
|
||||||
|
stigid@rhel8: RHEL-08-040125
|
||||||
|
|
||||||
|
-platform: machine
|
||||||
|
+platform: machine and partition-tmp
|
||||||
|
|
||||||
|
template:
|
||||||
|
name: mount_option
|
||||||
|
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
|
||||||
|
index d153b86934f..10790dc95a7 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
|
||||||
|
@@ -45,7 +45,7 @@ references:
|
||||||
|
stigid@ol8: OL08-00-040124
|
||||||
|
stigid@rhel8: RHEL-08-040124
|
||||||
|
|
||||||
|
-platform: machine
|
||||||
|
+platform: machine and partition-tmp
|
||||||
|
|
||||||
|
template:
|
||||||
|
name: mount_option
|
||||||
|
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
|
||||||
|
index 133e7727ca7..05992df4b49 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
|
||||||
|
@@ -31,7 +31,7 @@ references:
|
||||||
|
nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
|
||||||
|
nist-csf: PR.IP-1,PR.PT-3
|
||||||
|
|
||||||
|
-platform: machine
|
||||||
|
+platform: machine and partition-var-tmp
|
||||||
|
|
||||||
|
template:
|
||||||
|
name: mount_option
|
||||||
|
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
|
||||||
|
index 39fd458ec6b..dc00b2f2376 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
|
||||||
|
@@ -38,7 +38,7 @@ references:
|
||||||
|
stigid@ol8: OL08-00-040134
|
||||||
|
stigid@rhel8: RHEL-08-040134
|
||||||
|
|
||||||
|
-platform: machine
|
||||||
|
+platform: machine and partition-var-tmp
|
||||||
|
|
||||||
|
template:
|
||||||
|
name: mount_option
|
||||||
|
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
|
||||||
|
index 349f3348955..f0c26b6d9c5 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
|
||||||
|
@@ -38,7 +38,7 @@ references:
|
||||||
|
stigid@ol8: OL08-00-040133
|
||||||
|
stigid@rhel8: RHEL-08-040133
|
||||||
|
|
||||||
|
-platform: machine
|
||||||
|
+platform: machine and partition-var-tmp
|
||||||
|
|
||||||
|
template:
|
||||||
|
name: mount_option
|
@ -0,0 +1,48 @@
|
|||||||
|
From 779ffcf0a51a1ad5a13e5b8ee29ce044d93eca55 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Mon, 15 Aug 2022 13:14:58 +0200
|
||||||
|
Subject: [PATCH 1/2] Access the mounts via ansible_mounts
|
||||||
|
|
||||||
|
It seems that the data about ansible_mounts should be accessed without
|
||||||
|
the 'ansible_facts' prefix.
|
||||||
|
---
|
||||||
|
shared/macros/10-ansible.jinja | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
|
||||||
|
index 478f0072bc7..e8bff0973f5 100644
|
||||||
|
--- a/shared/macros/10-ansible.jinja
|
||||||
|
+++ b/shared/macros/10-ansible.jinja
|
||||||
|
@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template.
|
||||||
|
|
||||||
|
|
||||||
|
{{%- macro ansible_partition_conditional(path) -%}}
|
||||||
|
-"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
|
||||||
|
+"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
|
||||||
|
{{%- endmacro -%}}
|
||||||
|
|
||||||
|
From 4963d70d565919d0db6c0bc35f3fd4274d474310 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Mon, 15 Aug 2022 13:16:24 +0200
|
||||||
|
Subject: [PATCH 2/2] Avoid use of json_query and additional dependency
|
||||||
|
|
||||||
|
The json_query filter requires package jmespath to be installed.
|
||||||
|
|
||||||
|
This also avoids mismatchs in python version between ansible and
|
||||||
|
python3-jmespath. Some distros (RHEL8) don't have jmespath module
|
||||||
|
available for the same python version ansible is using.
|
||||||
|
---
|
||||||
|
shared/macros/10-ansible.jinja | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
|
||||||
|
index e8bff0973f5..beb2bc11403 100644
|
||||||
|
--- a/shared/macros/10-ansible.jinja
|
||||||
|
+++ b/shared/macros/10-ansible.jinja
|
||||||
|
@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template.
|
||||||
|
|
||||||
|
|
||||||
|
{{%- macro ansible_partition_conditional(path) -%}}
|
||||||
|
-"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
|
||||||
|
+'"{{{ path }}}" in ansible_mounts | map(attribute="mount") | list'
|
||||||
|
{{%- endmacro -%}}
|
107
scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch
Normal file
107
scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch
Normal file
@ -0,0 +1,107 @@
|
|||||||
|
From 9243f7615c2656003e4a64c88076d0d660f58580 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 12:45:24 +0200
|
||||||
|
Subject: [PATCH] Fix rule sudo_custom_logfile
|
||||||
|
|
||||||
|
- Allow only white space after the Default keyword to avoid
|
||||||
|
matching words that only start with Default.
|
||||||
|
- If the variable value contains slashes they need to be escaped
|
||||||
|
because the sed command uses slashes as a separator, otherwise
|
||||||
|
the sed doesn't replace the wrong line during a remediation.
|
||||||
|
|
||||||
|
Also adds 2 test scenarios.
|
||||||
|
|
||||||
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2083109
|
||||||
|
---
|
||||||
|
.../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +-
|
||||||
|
.../sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh | 4 ++++
|
||||||
|
.../sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh | 4 ++++
|
||||||
|
shared/templates/sudo_defaults_option/ansible.template | 2 +-
|
||||||
|
shared/templates/sudo_defaults_option/bash.template | 5 +++--
|
||||||
|
shared/templates/sudo_defaults_option/oval.template | 2 +-
|
||||||
|
6 files changed, 14 insertions(+), 5 deletions(-)
|
||||||
|
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
|
||||||
|
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||||
|
index 739f5f14936..94fbaaa33ed 100644
|
||||||
|
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
|
||||||
|
@@ -29,7 +29,7 @@ ocil_clause: 'logfile is not enabled in sudo'
|
||||||
|
|
||||||
|
ocil: |-
|
||||||
|
To determine if <tt>logfile</tt> has been configured for sudo, run the following command:
|
||||||
|
- <pre>$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
|
||||||
|
+ <pre>$ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
|
||||||
|
The command should return a matching output.
|
||||||
|
|
||||||
|
template:
|
||||||
|
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..13ff4559edb
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
|
||||||
|
@@ -0,0 +1,4 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+# platform = multi_platform_all
|
||||||
|
+
|
||||||
|
+echo "Defaultsabc logfile=/var/log/sudo.log" >> /etc/sudoers
|
||||||
|
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..ec24854f0f9
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
|
||||||
|
@@ -0,0 +1,4 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+# platform = multi_platform_all
|
||||||
|
+
|
||||||
|
+echo "Defaults logfile=/var/log/othersudologfile.log" >> /etc/sudoers
|
||||||
|
diff --git a/shared/templates/sudo_defaults_option/ansible.template b/shared/templates/sudo_defaults_option/ansible.template
|
||||||
|
index 094fa430b64..c9e344ec772 100644
|
||||||
|
--- a/shared/templates/sudo_defaults_option/ansible.template
|
||||||
|
+++ b/shared/templates/sudo_defaults_option/ansible.template
|
||||||
|
@@ -8,7 +8,7 @@
|
||||||
|
- name: Ensure {{{ OPTION }}} is enabled with the appropriate value in /etc/sudoers
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/sudoers
|
||||||
|
- regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?\w+\b(.*)$'
|
||||||
|
+ regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?.+\b(.*)$'
|
||||||
|
line: 'Defaults \1{{{ OPTION }}}={{ {{{ VARIABLE_NAME }}} }}\2'
|
||||||
|
validate: /usr/sbin/visudo -cf %s
|
||||||
|
backrefs: yes
|
||||||
|
diff --git a/shared/templates/sudo_defaults_option/bash.template b/shared/templates/sudo_defaults_option/bash.template
|
||||||
|
index e3563d42db6..e7d962a668d 100644
|
||||||
|
--- a/shared/templates/sudo_defaults_option/bash.template
|
||||||
|
+++ b/shared/templates/sudo_defaults_option/bash.template
|
||||||
|
@@ -9,7 +9,7 @@
|
||||||
|
{{% endif %}}
|
||||||
|
if /usr/sbin/visudo -qcf /etc/sudoers; then
|
||||||
|
cp /etc/sudoers /etc/sudoers.bak
|
||||||
|
- if ! grep -P '^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
|
||||||
|
+ if ! grep -P '^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
|
||||||
|
# sudoers file doesn't define Option {{{ OPTION }}}
|
||||||
|
echo "Defaults {{{ OPTION_VALUE }}}" >> /etc/sudoers
|
||||||
|
{{%- if not VARIABLE_NAME %}}
|
||||||
|
@@ -21,7 +21,8 @@ if /usr/sbin/visudo -qcf /etc/sudoers; then
|
||||||
|
{{% if '/' in OPTION %}}
|
||||||
|
{{{ raise("OPTION (" + OPTION + ") uses sed path separator (/) in " + rule_id) }}}
|
||||||
|
{{% endif %}}
|
||||||
|
- sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?\w+(\b.*$)/\1{{{ '${' ~ VARIABLE_NAME ~ '}' }}}\2/" /etc/sudoers
|
||||||
|
+ escaped_variable={{{ "${" ~ VARIABLE_NAME ~ "//$'/'/$'\/'}" }}}
|
||||||
|
+ sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
{{% endif %}}
|
||||||
|
diff --git a/shared/templates/sudo_defaults_option/oval.template b/shared/templates/sudo_defaults_option/oval.template
|
||||||
|
index c0d81c95093..a9636a7204a 100644
|
||||||
|
--- a/shared/templates/sudo_defaults_option/oval.template
|
||||||
|
+++ b/shared/templates/sudo_defaults_option/oval.template
|
||||||
|
@@ -13,7 +13,7 @@
|
||||||
|
</ind:textfilecontent54_test>
|
||||||
|
<ind:textfilecontent54_object id="object_{{{ OPTION }}}_sudoers" version="1">
|
||||||
|
<ind:filepath operation="pattern match">^/etc/sudoers(|\.d/.*)$</ind:filepath>
|
||||||
|
- <ind:pattern operation="pattern match">^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}.*$</ind:pattern>
|
||||||
|
+ <ind:pattern operation="pattern match">^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}.*$</ind:pattern>
|
||||||
|
<ind:instance datatype="int" operation="greater than or equal" >1</ind:instance>
|
||||||
|
</ind:textfilecontent54_object>
|
||||||
|
|
@ -0,0 +1,967 @@
|
|||||||
|
From 2d22616a6223e26662c1dc81e0389349defd716a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||||
|
Date: Wed, 13 Apr 2022 20:06:18 +0800
|
||||||
|
Subject: [PATCH 01/15] rsyslog: Fix array creation when path has wildcard
|
||||||
|
|
||||||
|
This patch fixes the issue that the array is expanded to wildcard path instead of its elements.
|
||||||
|
A simple test case as follows:
|
||||||
|
|
||||||
|
/etc/rsyslog.conf
|
||||||
|
include(file="/etc/rsyslog.d/*.conf" mode="optional")
|
||||||
|
|
||||||
|
/etc/rsyslog.d/custom1.conf
|
||||||
|
local1.* /tmp/local1.out
|
||||||
|
|
||||||
|
/etc/rsyslog.d/custom2.conf
|
||||||
|
local2.* /tmp/local2.out
|
||||||
|
---
|
||||||
|
.../rsyslog_files_permissions/bash/shared.sh | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
index b794ea8db31..02b0c36d899 100644
|
||||||
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
@@ -5,8 +5,8 @@
|
||||||
|
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
|
||||||
|
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
|
||||||
|
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
|
||||||
|
-readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
|
||||||
|
-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
||||||
|
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
|
||||||
|
+readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
|
||||||
|
|
||||||
|
# Declare an array to hold the final list of different log file paths
|
||||||
|
declare -a LOG_FILE_PATHS
|
||||||
|
|
||||||
|
From 37a57668e98ba613d850e4c4ec4363dc7687d06d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||||
|
Date: Thu, 14 Apr 2022 15:58:04 +0800
|
||||||
|
Subject: [PATCH 02/15] A better fix.
|
||||||
|
|
||||||
|
* Should also fixed the CI failure.
|
||||||
|
---
|
||||||
|
.../rsyslog_files_permissions/bash/shared.sh | 6 ++++--
|
||||||
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
index 02b0c36d899..1aebb8f9da5 100644
|
||||||
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
@@ -5,8 +5,10 @@
|
||||||
|
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
|
||||||
|
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
|
||||||
|
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
|
||||||
|
-readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
|
||||||
|
-readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
|
||||||
|
+readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
|
||||||
|
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
|
||||||
|
+readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
||||||
|
+readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
|
||||||
|
|
||||||
|
# Declare an array to hold the final list of different log file paths
|
||||||
|
declare -a LOG_FILE_PATHS
|
||||||
|
|
||||||
|
From 5135fb64fb773400234c740a3feeac206ac7f42a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||||
|
Date: Fri, 15 Apr 2022 10:47:37 +0800
|
||||||
|
Subject: [PATCH 03/15] Add test for wildcard paths used in rsyslog
|
||||||
|
|
||||||
|
---
|
||||||
|
.../include_config_syntax_perms_0600.pass.sh | 56 ++++++++++++++++++
|
||||||
|
.../include_config_syntax_perms_0601.fail.sh | 57 +++++++++++++++++++
|
||||||
|
2 files changed, 113 insertions(+)
|
||||||
|
create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||||
|
create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||||
|
new file mode 100755
|
||||||
|
index 00000000000..7cb09128d78
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||||
|
@@ -0,0 +1,56 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
|
||||||
|
+
|
||||||
|
+# Check rsyslog.conf with log file permissions 0600 from rules and
|
||||||
|
+# log file permissions 0600 from $IncludeConfig passes.
|
||||||
|
+
|
||||||
|
+source $SHARED/rsyslog_log_utils.sh
|
||||||
|
+
|
||||||
|
+PERMS=0600
|
||||||
|
+
|
||||||
|
+# setup test data
|
||||||
|
+create_rsyslog_test_logs 3
|
||||||
|
+
|
||||||
|
+# setup test log files and permissions
|
||||||
|
+chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
|
||||||
|
+chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
|
||||||
|
+chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
|
||||||
|
+
|
||||||
|
+# create test configuration file
|
||||||
|
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||||
|
+mkdir ${conf_subdir}
|
||||||
|
+test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||||
|
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||||
|
+cat << EOF > ${test_subdir_conf}
|
||||||
|
+# rsyslog configuration file
|
||||||
|
+
|
||||||
|
+#### RULES ####
|
||||||
|
+
|
||||||
|
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||||
|
+EOF
|
||||||
|
+
|
||||||
|
+cat << EOF > ${test_conf}
|
||||||
|
+# rsyslog configuration file
|
||||||
|
+
|
||||||
|
+#### RULES ####
|
||||||
|
+
|
||||||
|
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||||
|
+EOF
|
||||||
|
+
|
||||||
|
+# create rsyslog.conf configuration file
|
||||||
|
+cat << EOF > $RSYSLOG_CONF
|
||||||
|
+# rsyslog configuration file
|
||||||
|
+
|
||||||
|
+#### RULES ####
|
||||||
|
+
|
||||||
|
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
||||||
|
+
|
||||||
|
+#### MODULES ####
|
||||||
|
+
|
||||||
|
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
||||||
|
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
||||||
|
+
|
||||||
|
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
||||||
|
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
||||||
|
+
|
||||||
|
+EOF
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||||
|
new file mode 100755
|
||||||
|
index 00000000000..942eaf086a1
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||||
|
@@ -0,0 +1,57 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
|
||||||
|
+
|
||||||
|
+# Check rsyslog.conf with log file permissions 0600 from rules and
|
||||||
|
+# log file permissions 0601 from $IncludeConfig fails.
|
||||||
|
+
|
||||||
|
+source $SHARED/rsyslog_log_utils.sh
|
||||||
|
+
|
||||||
|
+PERMS_PASS=0600
|
||||||
|
+PERMS_FAIL=0601
|
||||||
|
+
|
||||||
|
+# setup test data
|
||||||
|
+create_rsyslog_test_logs 3
|
||||||
|
+
|
||||||
|
+# setup test log files and permissions
|
||||||
|
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||||
|
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
|
||||||
|
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||||
|
+
|
||||||
|
+# create test configuration file
|
||||||
|
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||||
|
+mkdir ${conf_subdir}
|
||||||
|
+test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||||
|
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||||
|
+cat << EOF > ${test_subdir_conf}
|
||||||
|
+# rsyslog configuration file
|
||||||
|
+
|
||||||
|
+#### RULES ####
|
||||||
|
+
|
||||||
|
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||||
|
+EOF
|
||||||
|
+
|
||||||
|
+cat << EOF > ${test_conf}
|
||||||
|
+# rsyslog configuration file
|
||||||
|
+
|
||||||
|
+#### RULES ####
|
||||||
|
+
|
||||||
|
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||||
|
+EOF
|
||||||
|
+
|
||||||
|
+# create rsyslog.conf configuration file
|
||||||
|
+cat << EOF > $RSYSLOG_CONF
|
||||||
|
+# rsyslog configuration file
|
||||||
|
+
|
||||||
|
+#### RULES ####
|
||||||
|
+
|
||||||
|
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
||||||
|
+
|
||||||
|
+#### MODULES ####
|
||||||
|
+
|
||||||
|
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
||||||
|
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
||||||
|
+
|
||||||
|
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
||||||
|
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
||||||
|
+
|
||||||
|
+EOF
|
||||||
|
|
||||||
|
From 052558d8d5be3b8ce49067ab8c05ed9ea92bab0b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||||
|
Date: Thu, 19 May 2022 01:22:19 +0800
|
||||||
|
Subject: [PATCH 04/15] The way using 'find' can be retired.
|
||||||
|
|
||||||
|
---
|
||||||
|
.../rsyslog_files_permissions/bash/shared.sh | 20 +++++--------------
|
||||||
|
1 file changed, 5 insertions(+), 15 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
index 1aebb8f9da5..cece5930ee8 100644
|
||||||
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
@@ -13,22 +13,12 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
|
||||||
|
# Declare an array to hold the final list of different log file paths
|
||||||
|
declare -a LOG_FILE_PATHS
|
||||||
|
|
||||||
|
-RSYSLOG_CONFIGS=()
|
||||||
|
-RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||||
|
+declare -a RSYSLOG_CONFIGS
|
||||||
|
+RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||||
|
|
||||||
|
-# Get full list of files to be checked
|
||||||
|
-# RSYSLOG_CONFIGS may contain globs such as
|
||||||
|
-# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
|
||||||
|
-# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
|
||||||
|
-RSYSLOG_FILES=()
|
||||||
|
-for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
||||||
|
-do
|
||||||
|
- mapfile -t FINDOUT < <(find "$(dirname "${ENTRY}")" -maxdepth 1 -name "$(basename "${ENTRY}")")
|
||||||
|
- RSYSLOG_FILES+=("${FINDOUT[@]}")
|
||||||
|
-done
|
||||||
|
-
|
||||||
|
-# Check file and fix if needed.
|
||||||
|
-for LOG_FILE in "${RSYSLOG_FILES[@]}"
|
||||||
|
+# Browse each file selected above as containing paths of log files
|
||||||
|
+# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
|
||||||
|
+for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
|
||||||
|
do
|
||||||
|
# From each of these files extract just particular log file path(s), thus:
|
||||||
|
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
|
||||||
|
|
||||||
|
From 4f1d08642a74c0be7cd02815784a2c81b7b558ee Mon Sep 17 00:00:00 2001
|
||||||
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||||
|
Date: Fri, 20 May 2022 01:30:37 +0800
|
||||||
|
Subject: [PATCH 05/15] Cover the include pattern '/etc/rsyslog.d/'
|
||||||
|
|
||||||
|
---
|
||||||
|
.../rsyslog_files_permissions/bash/shared.sh | 20 ++++++++++++++++++-
|
||||||
|
1 file changed, 19 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
index cece5930ee8..50d36d7426f 100644
|
||||||
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
@@ -13,12 +13,30 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
|
||||||
|
# Declare an array to hold the final list of different log file paths
|
||||||
|
declare -a LOG_FILE_PATHS
|
||||||
|
|
||||||
|
+# Array to hold all rsyslog config entries
|
||||||
|
declare -a RSYSLOG_CONFIGS
|
||||||
|
RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||||
|
|
||||||
|
+# Array to hold all rsyslog config files
|
||||||
|
+declare -a RSYSLOG_CONFIG_FILES
|
||||||
|
+for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
||||||
|
+do
|
||||||
|
+ # If directory, need to include files recursively
|
||||||
|
+ if [ -d "${ENTRY}" ]
|
||||||
|
+ then
|
||||||
|
+ readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
|
||||||
|
+ RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
|
||||||
|
+ elif [ -f "${ENTRY}" ]
|
||||||
|
+ then
|
||||||
|
+ RSYSLOG_CONFIG_FILES+=("${ENTRY}")
|
||||||
|
+ else
|
||||||
|
+ echo "Invalid include object: ${ENTRY}"
|
||||||
|
+ fi
|
||||||
|
+done
|
||||||
|
+
|
||||||
|
# Browse each file selected above as containing paths of log files
|
||||||
|
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
|
||||||
|
-for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
|
||||||
|
+for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
|
||||||
|
do
|
||||||
|
# From each of these files extract just particular log file path(s), thus:
|
||||||
|
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
|
||||||
|
|
||||||
|
From d77551b64c4d67226627d0819dc30fff9433ac2b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||||
|
Date: Fri, 20 May 2022 01:46:33 +0800
|
||||||
|
Subject: [PATCH 06/15] Update test files.
|
||||||
|
|
||||||
|
---
|
||||||
|
.../tests/include_config_syntax_perms_0600.pass.sh | 2 ++
|
||||||
|
.../tests/include_config_syntax_perms_0601.fail.sh | 2 ++
|
||||||
|
2 files changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||||
|
index 7cb09128d78..2ddd9fcb697 100755
|
||||||
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||||
|
@@ -49,8 +49,10 @@ cat << EOF > $RSYSLOG_CONF
|
||||||
|
|
||||||
|
include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
||||||
|
include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
||||||
|
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
|
||||||
|
|
||||||
|
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
||||||
|
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
||||||
|
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
|
||||||
|
|
||||||
|
EOF
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||||
|
index 942eaf086a1..73ff3332c6d 100755
|
||||||
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||||
|
@@ -50,8 +50,10 @@ cat << EOF > $RSYSLOG_CONF
|
||||||
|
|
||||||
|
include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
||||||
|
include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
||||||
|
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
|
||||||
|
|
||||||
|
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
||||||
|
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
||||||
|
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
|
||||||
|
|
||||||
|
EOF
|
||||||
|
|
||||||
|
From 9a97bfa1ca4c918a39a68131e5fbc46fa7b00961 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||||
|
Date: Fri, 20 May 2022 10:03:32 +0800
|
||||||
|
Subject: [PATCH 07/15] Rsyslog says we should include all files
|
||||||
|
|
||||||
|
---
|
||||||
|
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
|
||||||
|
.../include_config_syntax_perms_0600.pass.sh | 16 +++++++++++++++-
|
||||||
|
.../include_config_syntax_perms_0601.fail.sh | 16 +++++++++++++++-
|
||||||
|
3 files changed, 31 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
index 50d36d7426f..cd5014105e9 100644
|
||||||
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
@@ -24,7 +24,7 @@ do
|
||||||
|
# If directory, need to include files recursively
|
||||||
|
if [ -d "${ENTRY}" ]
|
||||||
|
then
|
||||||
|
- readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
|
||||||
|
+ readarray -t FINDOUT < <(find "${ENTRY}" -type f)
|
||||||
|
RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
|
||||||
|
elif [ -f "${ENTRY}" ]
|
||||||
|
then
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||||
|
index 2ddd9fcb697..755865ca522 100755
|
||||||
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||||
|
@@ -9,20 +9,24 @@ source $SHARED/rsyslog_log_utils.sh
|
||||||
|
PERMS=0600
|
||||||
|
|
||||||
|
# setup test data
|
||||||
|
-create_rsyslog_test_logs 3
|
||||||
|
+create_rsyslog_test_logs 4
|
||||||
|
|
||||||
|
# setup test log files and permissions
|
||||||
|
chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
|
||||||
|
chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
|
||||||
|
chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
|
||||||
|
+chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
|
||||||
|
|
||||||
|
# create test configuration file
|
||||||
|
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||||
|
mkdir ${conf_subdir}
|
||||||
|
test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||||
|
test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||||
|
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
||||||
|
+
|
||||||
|
cat << EOF > ${test_subdir_conf}
|
||||||
|
# rsyslog configuration file
|
||||||
|
+# test_subdir_conf
|
||||||
|
|
||||||
|
#### RULES ####
|
||||||
|
|
||||||
|
@@ -31,12 +35,22 @@ EOF
|
||||||
|
|
||||||
|
cat << EOF > ${test_conf}
|
||||||
|
# rsyslog configuration file
|
||||||
|
+# test_conf
|
||||||
|
|
||||||
|
#### RULES ####
|
||||||
|
|
||||||
|
*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
+cat << EOF > ${test_bak}
|
||||||
|
+# rsyslog configuration file
|
||||||
|
+# test_bak
|
||||||
|
+
|
||||||
|
+#### RULES ####
|
||||||
|
+
|
||||||
|
+*.* ${RSYSLOG_TEST_LOGS[3]}
|
||||||
|
+EOF
|
||||||
|
+
|
||||||
|
# create rsyslog.conf configuration file
|
||||||
|
cat << EOF > $RSYSLOG_CONF
|
||||||
|
# rsyslog configuration file
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||||
|
index 73ff3332c6d..063b1a0cbe5 100755
|
||||||
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||||
|
@@ -10,20 +10,24 @@ PERMS_PASS=0600
|
||||||
|
PERMS_FAIL=0601
|
||||||
|
|
||||||
|
# setup test data
|
||||||
|
-create_rsyslog_test_logs 3
|
||||||
|
+create_rsyslog_test_logs 4
|
||||||
|
|
||||||
|
# setup test log files and permissions
|
||||||
|
chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||||
|
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
|
||||||
|
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||||
|
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
|
||||||
|
|
||||||
|
# create test configuration file
|
||||||
|
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||||
|
mkdir ${conf_subdir}
|
||||||
|
test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||||
|
test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||||
|
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
||||||
|
+
|
||||||
|
cat << EOF > ${test_subdir_conf}
|
||||||
|
# rsyslog configuration file
|
||||||
|
+# test_subdir_conf
|
||||||
|
|
||||||
|
#### RULES ####
|
||||||
|
|
||||||
|
@@ -32,12 +36,22 @@ EOF
|
||||||
|
|
||||||
|
cat << EOF > ${test_conf}
|
||||||
|
# rsyslog configuration file
|
||||||
|
+# test_conf
|
||||||
|
|
||||||
|
#### RULES ####
|
||||||
|
|
||||||
|
*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
+cat << EOF > ${test_bak}
|
||||||
|
+# rsyslog configuration file
|
||||||
|
+# test_bak
|
||||||
|
+
|
||||||
|
+#### RULES ####
|
||||||
|
+
|
||||||
|
+*.* ${RSYSLOG_TEST_LOGS[3]}
|
||||||
|
+EOF
|
||||||
|
+
|
||||||
|
# create rsyslog.conf configuration file
|
||||||
|
cat << EOF > $RSYSLOG_CONF
|
||||||
|
# rsyslog configuration file
|
||||||
|
|
||||||
|
From fcfc7c126ed76488085ef35cd0fd497c272aa364 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||||
|
Date: Sat, 21 May 2022 16:02:26 +0800
|
||||||
|
Subject: [PATCH 08/15] Match glob() function of rsyslog
|
||||||
|
|
||||||
|
---
|
||||||
|
.../rsyslog_files_permissions/bash/shared.sh | 5 ++-
|
||||||
|
.../include_config_syntax_perms_0600.pass.sh | 39 ++++++++++++-------
|
||||||
|
.../include_config_syntax_perms_0601.fail.sh | 39 ++++++++++++-------
|
||||||
|
3 files changed, 55 insertions(+), 28 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
index cd5014105e9..38105bf086b 100644
|
||||||
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
@@ -21,10 +21,11 @@ RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYS
|
||||||
|
declare -a RSYSLOG_CONFIG_FILES
|
||||||
|
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
||||||
|
do
|
||||||
|
- # If directory, need to include files recursively
|
||||||
|
+ # If directory, rsyslog will search for config files in recursively.
|
||||||
|
+ # However, files in hidden sub-directories or hidden files will be ignored.
|
||||||
|
if [ -d "${ENTRY}" ]
|
||||||
|
then
|
||||||
|
- readarray -t FINDOUT < <(find "${ENTRY}" -type f)
|
||||||
|
+ readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f)
|
||||||
|
RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
|
||||||
|
elif [ -f "${ENTRY}" ]
|
||||||
|
then
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||||
|
index 755865ca522..a5a2f67fadc 100755
|
||||||
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
||||||
|
@@ -9,48 +9,61 @@ source $SHARED/rsyslog_log_utils.sh
|
||||||
|
PERMS=0600
|
||||||
|
|
||||||
|
# setup test data
|
||||||
|
-create_rsyslog_test_logs 4
|
||||||
|
+create_rsyslog_test_logs 5
|
||||||
|
|
||||||
|
# setup test log files and permissions
|
||||||
|
chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
|
||||||
|
chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
|
||||||
|
chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
|
||||||
|
chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
|
||||||
|
+chmod $PERMS ${RSYSLOG_TEST_LOGS[4]}
|
||||||
|
|
||||||
|
-# create test configuration file
|
||||||
|
+# create test configuration files
|
||||||
|
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||||
|
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
|
||||||
|
mkdir ${conf_subdir}
|
||||||
|
-test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||||
|
-test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||||
|
-test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
||||||
|
+mkdir ${conf_hiddir}
|
||||||
|
|
||||||
|
-cat << EOF > ${test_subdir_conf}
|
||||||
|
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
|
||||||
|
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
|
||||||
|
+
|
||||||
|
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
|
||||||
|
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
|
||||||
|
+
|
||||||
|
+cat << EOF > ${test_conf_in_subdir}
|
||||||
|
# rsyslog configuration file
|
||||||
|
-# test_subdir_conf
|
||||||
|
|
||||||
|
#### RULES ####
|
||||||
|
|
||||||
|
-*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||||
|
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
-cat << EOF > ${test_conf}
|
||||||
|
+cat << EOF > ${test_conf_name_bak}
|
||||||
|
# rsyslog configuration file
|
||||||
|
-# test_conf
|
||||||
|
|
||||||
|
#### RULES ####
|
||||||
|
|
||||||
|
-*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||||
|
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
-cat << EOF > ${test_bak}
|
||||||
|
+cat << EOF > ${test_conf_in_hiddir}
|
||||||
|
# rsyslog configuration file
|
||||||
|
-# test_bak
|
||||||
|
+# not used
|
||||||
|
|
||||||
|
#### RULES ####
|
||||||
|
|
||||||
|
*.* ${RSYSLOG_TEST_LOGS[3]}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
+cat << EOF > ${test_conf_dot_name}
|
||||||
|
+# rsyslog configuration file
|
||||||
|
+# not used
|
||||||
|
+
|
||||||
|
+#### RULES ####
|
||||||
|
+
|
||||||
|
+*.* ${RSYSLOG_TEST_LOGS[4]}
|
||||||
|
+EOF
|
||||||
|
+
|
||||||
|
# create rsyslog.conf configuration file
|
||||||
|
cat << EOF > $RSYSLOG_CONF
|
||||||
|
# rsyslog configuration file
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||||
|
index 063b1a0cbe5..a9d0adfb727 100755
|
||||||
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||||
|
@@ -10,48 +10,61 @@ PERMS_PASS=0600
|
||||||
|
PERMS_FAIL=0601
|
||||||
|
|
||||||
|
# setup test data
|
||||||
|
-create_rsyslog_test_logs 4
|
||||||
|
+create_rsyslog_test_logs 5
|
||||||
|
|
||||||
|
# setup test log files and permissions
|
||||||
|
chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||||
|
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
|
||||||
|
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||||
|
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
|
||||||
|
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[4]}
|
||||||
|
|
||||||
|
-# create test configuration file
|
||||||
|
+# create test configuration files
|
||||||
|
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
||||||
|
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
|
||||||
|
mkdir ${conf_subdir}
|
||||||
|
-test_subdir_conf=${conf_subdir}/test_subdir.conf
|
||||||
|
-test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
||||||
|
-test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
||||||
|
+mkdir ${conf_hiddir}
|
||||||
|
|
||||||
|
-cat << EOF > ${test_subdir_conf}
|
||||||
|
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
|
||||||
|
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
|
||||||
|
+
|
||||||
|
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
|
||||||
|
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
|
||||||
|
+
|
||||||
|
+cat << EOF > ${test_conf_in_subdir}
|
||||||
|
# rsyslog configuration file
|
||||||
|
-# test_subdir_conf
|
||||||
|
|
||||||
|
#### RULES ####
|
||||||
|
|
||||||
|
-*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||||
|
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
-cat << EOF > ${test_conf}
|
||||||
|
+cat << EOF > ${test_conf_name_bak}
|
||||||
|
# rsyslog configuration file
|
||||||
|
-# test_conf
|
||||||
|
|
||||||
|
#### RULES ####
|
||||||
|
|
||||||
|
-*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||||
|
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
-cat << EOF > ${test_bak}
|
||||||
|
+cat << EOF > ${test_conf_in_hiddir}
|
||||||
|
# rsyslog configuration file
|
||||||
|
-# test_bak
|
||||||
|
+# not used
|
||||||
|
|
||||||
|
#### RULES ####
|
||||||
|
|
||||||
|
*.* ${RSYSLOG_TEST_LOGS[3]}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
+cat << EOF > ${test_conf_dot_name}
|
||||||
|
+# rsyslog configuration file
|
||||||
|
+# not used
|
||||||
|
+
|
||||||
|
+#### RULES ####
|
||||||
|
+
|
||||||
|
+*.* ${RSYSLOG_TEST_LOGS[4]}
|
||||||
|
+EOF
|
||||||
|
+
|
||||||
|
# create rsyslog.conf configuration file
|
||||||
|
cat << EOF > $RSYSLOG_CONF
|
||||||
|
# rsyslog configuration file
|
||||||
|
|
||||||
|
From 313094b7d5c13ba38a2d02fad544cd4665c5a17d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||||
|
Date: Sun, 22 May 2022 21:10:16 +0800
|
||||||
|
Subject: [PATCH 09/15] Fixed incorrect parsing of rules in old code
|
||||||
|
|
||||||
|
---
|
||||||
|
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
index 38105bf086b..e1129e34c81 100644
|
||||||
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
@@ -54,7 +54,7 @@ do
|
||||||
|
then
|
||||||
|
NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}")
|
||||||
|
LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}")
|
||||||
|
- FILTERED_PATHS=$(sed -e 's/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g' <<< "${LINES_WITH_PATHS}")
|
||||||
|
+ FILTERED_PATHS=$(awk '{if(NF>=2&&($2~/^\//||$2~/^-\//)){sub(/^-\//,"/",$2);print $2}}' <<< "${LINES_WITH_PATHS}")
|
||||||
|
CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}")
|
||||||
|
MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}")
|
||||||
|
# Since above sed command might return more than one item (delimited by newline), split the particular
|
||||||
|
|
||||||
|
From 86f655ac79d879c1f47bda7a06cc15a64e65e5fb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
||||||
|
Date: Tue, 24 May 2022 00:42:17 +0800
|
||||||
|
Subject: [PATCH 10/15] Added platform.
|
||||||
|
|
||||||
|
---
|
||||||
|
.../tests/include_config_syntax_perms_0601.fail.sh | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||||
|
index a9d0adfb727..fe4db0a3c91 100755
|
||||||
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
||||||
|
@@ -1,5 +1,5 @@
|
||||||
|
#!/bin/bash
|
||||||
|
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
|
||||||
|
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
|
||||||
|
|
||||||
|
# Check rsyslog.conf with log file permissions 0600 from rules and
|
||||||
|
# log file permissions 0601 from $IncludeConfig fails.
|
||||||
|
|
||||||
|
From e71901895f29af9a34fe81938be1332691b6f64a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Wed, 10 Aug 2022 13:56:39 +0200
|
||||||
|
Subject: [PATCH 11/15] Reset the arrays before using them
|
||||||
|
|
||||||
|
When bash remediations for a profile are generated, it can happen that a
|
||||||
|
variable with same name is used for multiple remediations.
|
||||||
|
So let's reset the array before using it.
|
||||||
|
---
|
||||||
|
.../rsyslog_files_permissions/bash/shared.sh | 11 +++++++----
|
||||||
|
1 file changed, 7 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
index e1129e34c81..d1856ffbe7b 100644
|
||||||
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
||||||
|
@@ -14,11 +14,14 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
|
||||||
|
declare -a LOG_FILE_PATHS
|
||||||
|
|
||||||
|
# Array to hold all rsyslog config entries
|
||||||
|
-declare -a RSYSLOG_CONFIGS
|
||||||
|
-RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||||
|
+RSYSLOG_CONFIGS=()
|
||||||
|
+RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
||||||
|
|
||||||
|
-# Array to hold all rsyslog config files
|
||||||
|
-declare -a RSYSLOG_CONFIG_FILES
|
||||||
|
+# Get full list of files to be checked
|
||||||
|
+# RSYSLOG_CONFIGS may contain globs such as
|
||||||
|
+# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
|
||||||
|
+# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
|
||||||
|
+RSYSLOG_CONFIG_FILES=()
|
||||||
|
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
||||||
|
do
|
||||||
|
# If directory, rsyslog will search for config files in recursively.
|
||||||
|
|
||||||
|
From 525dce106bf8d054c83e8d79acbb92cc16224e4c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Wed, 10 Aug 2022 14:55:37 +0200
|
||||||
|
Subject: [PATCH 12/15] Don't parse hidden config files for Includes
|
||||||
|
|
||||||
|
Let's follow rsyslog behavior and not capture process hidden config
|
||||||
|
files for includes.
|
||||||
|
---
|
||||||
|
.../rsyslog_files_permissions/oval/shared.xml | 9 ++++
|
||||||
|
...00_IncludeConfig_perms_0601_hidden.pass.sh | 53 +++++++++++++++++++
|
||||||
|
2 files changed, 62 insertions(+)
|
||||||
|
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||||
|
index a04e6fd8900..d13177216c3 100644
|
||||||
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
||||||
|
@@ -17,8 +17,17 @@
|
||||||
|
<ind:filepath>/etc/rsyslog.conf</ind:filepath>
|
||||||
|
<ind:pattern operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$</ind:pattern>
|
||||||
|
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||||
|
+ <filter action="exclude">state_permissions_ignore_hidden_paths</filter>
|
||||||
|
</ind:textfilecontent54_object>
|
||||||
|
|
||||||
|
+ <ind:textfilecontent54_state id="state_permissions_ignore_hidden_paths" comment="ignore hidden conf files" version="1">
|
||||||
|
+ <!-- Among the paths matched in object_rfp_rsyslog_include_config_value there can be paths from
|
||||||
|
+ include() or $IncludeConfig that point to hidden dirs or files.
|
||||||
|
+ Rsyslog ignores these conf files, so we should ignore them too.
|
||||||
|
+ -->
|
||||||
|
+ <ind:subexpression operation="pattern match">^.*\/\..*$</ind:subexpression>
|
||||||
|
+ </ind:textfilecontent54_state>
|
||||||
|
+
|
||||||
|
<!-- Turn that glob value into Perl's regex so it can be used as filepath pattern below -->
|
||||||
|
<local_variable id="var_rfp_include_config_regex" datatype="string" version="1" comment="$IncludeConfig value converted to regex">
|
||||||
|
<unique>
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..9b0185c6b2f
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
|
||||||
|
@@ -0,0 +1,53 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
|
||||||
|
+
|
||||||
|
+# Check rsyslog.conf with log file permisssions 0600 from rules and
|
||||||
|
+# log file permissions 0601 from include() fails.
|
||||||
|
+
|
||||||
|
+source $SHARED/rsyslog_log_utils.sh
|
||||||
|
+
|
||||||
|
+PERMS_PASS=0600
|
||||||
|
+PERMS_FAIL=0601
|
||||||
|
+
|
||||||
|
+# setup test data
|
||||||
|
+create_rsyslog_test_logs 3
|
||||||
|
+
|
||||||
|
+# setup test log files and permissions
|
||||||
|
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||||
|
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
|
||||||
|
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||||
|
+
|
||||||
|
+# create test configuration file
|
||||||
|
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
||||||
|
+cat << EOF > ${test_conf}
|
||||||
|
+# rsyslog configuration file
|
||||||
|
+
|
||||||
|
+#### RULES ####
|
||||||
|
+
|
||||||
|
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||||
|
+EOF
|
||||||
|
+
|
||||||
|
+# create hidden test2 configuration file
|
||||||
|
+test_conf2=${RSYSLOG_TEST_DIR}/.test2.conf
|
||||||
|
+cat << EOF > ${test_conf2}
|
||||||
|
+# rsyslog configuration file
|
||||||
|
+
|
||||||
|
+#### RULES ####
|
||||||
|
+
|
||||||
|
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
||||||
|
+EOF
|
||||||
|
+
|
||||||
|
+# create rsyslog.conf configuration file
|
||||||
|
+cat << EOF > $RSYSLOG_CONF
|
||||||
|
+# rsyslog configuration file
|
||||||
|
+
|
||||||
|
+#### RULES ####
|
||||||
|
+
|
||||||
|
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
||||||
|
+
|
||||||
|
+#### MODULES ####
|
||||||
|
+
|
||||||
|
+include(file="${test_conf}")
|
||||||
|
+
|
||||||
|
+\$IncludeConfig ${test_conf2}
|
||||||
|
+EOF
|
||||||
|
|
||||||
|
From d872c4a2cfcd3331b7aae954aacf3d0d481d1582 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Wed, 10 Aug 2022 15:49:11 +0200
|
||||||
|
Subject: [PATCH 13/15] Add test for for missing rsyslog included files
|
||||||
|
|
||||||
|
The rsyslog conf file may include other config files.
|
||||||
|
If the included missing files are missing rsyslog will generate an
|
||||||
|
error, but will still continue working.
|
||||||
|
https://www.rsyslog.com/doc/master/rainerscript/include.html#include-a-required-file
|
||||||
|
|
||||||
|
There is not a good way of ensuring that all files defined in a list of paths exist.
|
||||||
|
---
|
||||||
|
...0_IncludeConfig_perms_0601_missing.pass.sh | 45 +++++++++++++++++++
|
||||||
|
1 file changed, 45 insertions(+)
|
||||||
|
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..b929f2a94ab
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
|
||||||
|
@@ -0,0 +1,45 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
|
||||||
|
+
|
||||||
|
+# Check rsyslog.conf with log file permisssions 0600 from rules and
|
||||||
|
+# log file permissions 0601 from include() fails.
|
||||||
|
+
|
||||||
|
+source $SHARED/rsyslog_log_utils.sh
|
||||||
|
+
|
||||||
|
+PERMS_PASS=0600
|
||||||
|
+PERMS_FAIL=0601
|
||||||
|
+
|
||||||
|
+# setup test data
|
||||||
|
+create_rsyslog_test_logs 3
|
||||||
|
+
|
||||||
|
+# setup test log files and permissions
|
||||||
|
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
||||||
|
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
|
||||||
|
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
||||||
|
+
|
||||||
|
+# create test configuration file
|
||||||
|
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
||||||
|
+cat << EOF > ${test_conf}
|
||||||
|
+# rsyslog configuration file
|
||||||
|
+
|
||||||
|
+#### RULES ####
|
||||||
|
+
|
||||||
|
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
||||||
|
+EOF
|
||||||
|
+
|
||||||
|
+# Skip creation test2 configuration file
|
||||||
|
+
|
||||||
|
+# create rsyslog.conf configuration file
|
||||||
|
+cat << EOF > $RSYSLOG_CONF
|
||||||
|
+# rsyslog configuration file
|
||||||
|
+
|
||||||
|
+#### RULES ####
|
||||||
|
+
|
||||||
|
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
||||||
|
+
|
||||||
|
+#### MODULES ####
|
||||||
|
+
|
||||||
|
+include(file="${test_conf}")
|
||||||
|
+
|
||||||
|
+\$IncludeConfig ${test_conf2}
|
||||||
|
+EOF
|
||||||
|
|
||||||
|
From cf9eaf6e55405248731cb08268bcba6a58a93486 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Wed, 10 Aug 2022 21:47:18 +0200
|
||||||
|
Subject: [PATCH 14/15] Align Ansible remediation with Bash
|
||||||
|
|
||||||
|
The remediation now expands the glob expressions and doesn't collect
|
||||||
|
hidden files or directories to check for their permissions.
|
||||||
|
---
|
||||||
|
.../rsyslog_files_permissions/ansible/shared.yml | 15 +++++++++++----
|
||||||
|
1 file changed, 11 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||||
|
index 635b72f7352..c558bf46c71 100644
|
||||||
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||||
|
@@ -19,19 +19,26 @@
|
||||||
|
shell: |
|
||||||
|
set -o pipefail
|
||||||
|
grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
|
||||||
|
- register: include_config_output
|
||||||
|
+ register: rsyslog_old_inc
|
||||||
|
changed_when: False
|
||||||
|
|
||||||
|
- name: "Get include files directives"
|
||||||
|
shell: |
|
||||||
|
set -o pipefail
|
||||||
|
grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true
|
||||||
|
- register: include_files_output
|
||||||
|
+ register: rsyslog_new_inc
|
||||||
|
changed_when: False
|
||||||
|
|
||||||
|
+- name: "Expand glob expressions"
|
||||||
|
+ shell: |
|
||||||
|
+ set -o pipefail
|
||||||
|
+ eval printf '%s\\n' {{ item }}
|
||||||
|
+ register: include_config_output
|
||||||
|
+ loop: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}"
|
||||||
|
+
|
||||||
|
- name: "List all config files"
|
||||||
|
- shell: find "$(dirname "{{ item }}" )" -maxdepth 1 -name "$(basename "{{ item }}")"
|
||||||
|
- loop: "{{ include_config_output.stdout_lines + include_files_output.stdout_lines }}"
|
||||||
|
+ shell: find {{ item }} -not -path "*/.*" -type f
|
||||||
|
+ loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
|
||||||
|
register: rsyslog_config_files
|
||||||
|
changed_when: False
|
||||||
|
|
||||||
|
|
||||||
|
From 37e98ed3a86a0e56543132752c62982ff01cd3d9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Wed, 10 Aug 2022 21:56:05 +0200
|
||||||
|
Subject: [PATCH 15/15] Ignore invalid or non existing include objects
|
||||||
|
|
||||||
|
Let's not fail the task when the find doesn't find the include object.
|
||||||
|
When the include is a glob expression that doesn't evaluate to any file
|
||||||
|
the glob itself is used in find command.
|
||||||
|
|
||||||
|
The Bash remediation prints a message for each include that is not a
|
||||||
|
file is not a directory or doesn't exist.
|
||||||
|
---
|
||||||
|
.../rsyslog_files_permissions/ansible/shared.yml | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||||
|
index c558bf46c71..3a9380cf13b 100644
|
||||||
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||||
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
||||||
|
@@ -40,6 +40,7 @@
|
||||||
|
shell: find {{ item }} -not -path "*/.*" -type f
|
||||||
|
loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
|
||||||
|
register: rsyslog_config_files
|
||||||
|
+ failed_when: False
|
||||||
|
changed_when: False
|
||||||
|
|
||||||
|
- name: "Extract log files"
|
@ -0,0 +1,90 @@
|
|||||||
|
From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 11:45:15 +0200
|
||||||
|
Subject: [PATCH 1/4] fix ospp references
|
||||||
|
|
||||||
|
---
|
||||||
|
linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||||
|
index c151d3c4aa1..f9b46c51ddd 100644
|
||||||
|
--- a/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml
|
||||||
|
@@ -34,6 +34,7 @@ references:
|
||||||
|
disa: CCI-000213
|
||||||
|
hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) # taken from require_singleuser_auth
|
||||||
|
nist: AC-3
|
||||||
|
+ ospp: FIA_UAU.1,FIA_AFL.1
|
||||||
|
srg: SRG-OS-000480-GPOS-00227
|
||||||
|
|
||||||
|
ocil: |-
|
||||||
|
|
||||||
|
From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 11:45:42 +0200
|
||||||
|
Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp
|
||||||
|
|
||||||
|
---
|
||||||
|
products/rhel9/profiles/ospp.profile | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||||
|
index b47630c62b0..dcc41970043 100644
|
||||||
|
--- a/products/rhel9/profiles/ospp.profile
|
||||||
|
+++ b/products/rhel9/profiles/ospp.profile
|
||||||
|
@@ -115,7 +115,7 @@ selections:
|
||||||
|
- coredump_disable_storage
|
||||||
|
- coredump_disable_backtraces
|
||||||
|
- service_systemd-coredump_disabled
|
||||||
|
- - var_authselect_profile=sssd
|
||||||
|
+ - var_authselect_profile=minimal
|
||||||
|
- enable_authselect
|
||||||
|
- use_pam_wheel_for_su
|
||||||
|
|
||||||
|
|
||||||
|
From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 11:45:54 +0200
|
||||||
|
Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp
|
||||||
|
|
||||||
|
---
|
||||||
|
products/rhel8/profiles/ospp.profile | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
|
||||||
|
index 39ad1797c7a..ebec8a3a6f9 100644
|
||||||
|
--- a/products/rhel8/profiles/ospp.profile
|
||||||
|
+++ b/products/rhel8/profiles/ospp.profile
|
||||||
|
@@ -220,7 +220,7 @@ selections:
|
||||||
|
- var_accounts_max_concurrent_login_sessions=10
|
||||||
|
- accounts_max_concurrent_login_sessions
|
||||||
|
- securetty_root_login_console_only
|
||||||
|
- - var_authselect_profile=sssd
|
||||||
|
+ - var_authselect_profile=minimal
|
||||||
|
- enable_authselect
|
||||||
|
- var_password_pam_unix_remember=5
|
||||||
|
- accounts_password_pam_unix_remember
|
||||||
|
|
||||||
|
From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 13:55:05 +0200
|
||||||
|
Subject: [PATCH 4/4] update profile stability test
|
||||||
|
|
||||||
|
---
|
||||||
|
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||||
|
index 5d73a8c6fef..21e93e310d5 100644
|
||||||
|
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||||
|
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||||
|
@@ -242,7 +242,7 @@ selections:
|
||||||
|
- var_slub_debug_options=P
|
||||||
|
- var_auditd_flush=incremental_async
|
||||||
|
- var_accounts_max_concurrent_login_sessions=10
|
||||||
|
-- var_authselect_profile=sssd
|
||||||
|
+- var_authselect_profile=minimal
|
||||||
|
- var_password_pam_unix_remember=5
|
||||||
|
- var_selinux_state=enforcing
|
||||||
|
- var_selinux_policy_name=targeted
|
@ -0,0 +1,50 @@
|
|||||||
|
From b36ecf8942ce8dea0c4a2b06b4607259deaf3613 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Wed, 10 Aug 2022 09:59:57 +0200
|
||||||
|
Subject: [PATCH] switch rule grub2_disable_interactive_boot for
|
||||||
|
grub2_disable_recovery in rhel8 ospp
|
||||||
|
|
||||||
|
---
|
||||||
|
.../system/bootloader-grub2/grub2_disable_recovery/rule.yml | 1 +
|
||||||
|
products/rhel8/profiles/ospp.profile | 2 +-
|
||||||
|
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
|
||||||
|
4 files changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
|
||||||
|
index 4f8d4ddcfde..fb126cbe7d8 100644
|
||||||
|
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
|
||||||
|
@@ -17,6 +17,7 @@ rationale: |-
|
||||||
|
severity: medium
|
||||||
|
|
||||||
|
identifiers:
|
||||||
|
+ cce@rhel8: CCE-86006-4
|
||||||
|
cce@rhel9: CCE-85986-8
|
||||||
|
|
||||||
|
references:
|
||||||
|
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
|
||||||
|
index ebec8a3a6f9..6e3b30f64bb 100644
|
||||||
|
--- a/products/rhel8/profiles/ospp.profile
|
||||||
|
+++ b/products/rhel8/profiles/ospp.profile
|
||||||
|
@@ -304,7 +304,7 @@ selections:
|
||||||
|
## Disable Unauthenticated Login (such as Guest Accounts)
|
||||||
|
## FIA_UAU.1
|
||||||
|
- require_singleuser_auth
|
||||||
|
- - grub2_disable_interactive_boot
|
||||||
|
+ - grub2_disable_recovery
|
||||||
|
- grub2_uefi_password
|
||||||
|
- no_empty_passwords
|
||||||
|
|
||||||
|
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
||||||
|
index 21e93e310d5..267b66a4f89 100644
|
||||||
|
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
||||||
|
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
||||||
|
@@ -89,7 +89,7 @@ selections:
|
||||||
|
- ensure_redhat_gpgkey_installed
|
||||||
|
- grub2_audit_argument
|
||||||
|
- grub2_audit_backlog_limit_argument
|
||||||
|
-- grub2_disable_interactive_boot
|
||||||
|
+- grub2_disable_recovery
|
||||||
|
- grub2_kernel_trust_cpu_rng
|
||||||
|
- grub2_page_poison_argument
|
||||||
|
- grub2_pti_argument
|
97
scap-security-guide-0.1.64-stig_aide-PR_9282.patch
Normal file
97
scap-security-guide-0.1.64-stig_aide-PR_9282.patch
Normal file
@ -0,0 +1,97 @@
|
|||||||
|
From 95b79ffa7e9247bd65a92311b92e37b0d83e4432 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Tue, 2 Aug 2022 15:01:42 +0200
|
||||||
|
Subject: [PATCH] Add rsyslogd to the list of tools check by aide
|
||||||
|
|
||||||
|
RHEL products will also check for integrity of /usr/sbin/rsyslogd.
|
||||||
|
---
|
||||||
|
.../aide/aide_check_audit_tools/ansible/shared.yml | 1 +
|
||||||
|
.../aide/aide_check_audit_tools/bash/shared.sh | 3 +--
|
||||||
|
.../aide/aide_check_audit_tools/oval/shared.xml | 2 +-
|
||||||
|
.../aide/aide_check_audit_tools/tests/correct.pass.sh | 2 +-
|
||||||
|
.../aide_check_audit_tools/tests/correct_with_selinux.pass.sh | 2 +-
|
||||||
|
.../aide/aide_check_audit_tools/tests/not_config.fail.sh | 2 +-
|
||||||
|
6 files changed, 6 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
|
||||||
|
index 9d1b7b675c9..5905ea8d0e6 100644
|
||||||
|
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
|
||||||
|
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
|
||||||
|
@@ -22,6 +22,7 @@
|
||||||
|
- /usr/sbin/aureport
|
||||||
|
- /usr/sbin/ausearch
|
||||||
|
- /usr/sbin/autrace
|
||||||
|
+ {{% if product == 'ol8' or 'rhel' in product %}}- /usr/sbin/rsyslogd{{% endif %}}
|
||||||
|
|
||||||
|
- name: Ensure existing AIDE configuration for audit tools are correct
|
||||||
|
lineinfile:
|
||||||
|
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
|
||||||
|
index d0a1ba2522f..a81e25c3950 100644
|
||||||
|
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
|
||||||
|
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
|
||||||
|
@@ -18,12 +18,11 @@
|
||||||
|
{{% set auditfiles = auditfiles + ["/usr/sbin/audispd"] %}}
|
||||||
|
{{% endif %}}
|
||||||
|
|
||||||
|
-{{% if product == 'ol8' %}}
|
||||||
|
+{{% if product == 'ol8' or 'rhel' in product %}}
|
||||||
|
{{% set auditfiles = auditfiles + ["/usr/sbin/rsyslogd"] %}}
|
||||||
|
{{% endif %}}
|
||||||
|
|
||||||
|
{{% for file in auditfiles %}}
|
||||||
|
-
|
||||||
|
if grep -i '^.*{{{file}}}.*$' {{{ aide_conf_path }}}; then
|
||||||
|
sed -i "s#.*{{{file}}}.*#{{{file}}} {{{ aide_string() }}}#" {{{ aide_conf_path }}}
|
||||||
|
else
|
||||||
|
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
|
||||||
|
index 6ce56c1137a..ca9bf4f94d0 100644
|
||||||
|
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
|
||||||
|
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
|
||||||
|
@@ -11,7 +11,7 @@
|
||||||
|
{{% if 'rhel' not in product and product != 'ol8' %}}
|
||||||
|
<criterion comment="audispd is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_audispd" />
|
||||||
|
{{% endif %}}
|
||||||
|
- {{% if product == 'ol8' %}}
|
||||||
|
+ {{% if product == 'ol8' or 'rhel' in product %}}
|
||||||
|
<criterion comment="rsyslogd is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_rsyslogd" />
|
||||||
|
{{% endif %}}
|
||||||
|
<criterion comment="augenrules is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_augenrules" />
|
||||||
|
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
|
||||||
|
index 756b88d8a23..071dde13295 100644
|
||||||
|
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
|
||||||
|
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
|
||||||
|
@@ -7,7 +7,7 @@ aide --init
|
||||||
|
|
||||||
|
|
||||||
|
declare -a bins
|
||||||
|
-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
|
||||||
|
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
|
||||||
|
|
||||||
|
for theFile in "${bins[@]}"
|
||||||
|
do
|
||||||
|
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
|
||||||
|
index f3a2a126d3d..cb9bbfa7350 100644
|
||||||
|
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
|
||||||
|
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
|
||||||
|
@@ -4,7 +4,7 @@
|
||||||
|
yum -y install aide
|
||||||
|
|
||||||
|
declare -a bins
|
||||||
|
-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
|
||||||
|
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
|
||||||
|
|
||||||
|
for theFile in "${bins[@]}"
|
||||||
|
do
|
||||||
|
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
|
||||||
|
index 4315cef2073..a22aecb0000 100644
|
||||||
|
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
|
||||||
|
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
|
||||||
|
@@ -6,7 +6,7 @@ yum -y install aide
|
||||||
|
aide --init
|
||||||
|
|
||||||
|
declare -a bins
|
||||||
|
-bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
|
||||||
|
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd')
|
||||||
|
|
||||||
|
for theFile in "${bins[@]}"
|
||||||
|
do
|
4490
scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch
Normal file
4490
scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch
Normal file
File diff suppressed because one or more lines are too long
187
scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch
Normal file
187
scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch
Normal file
@ -0,0 +1,187 @@
|
|||||||
|
From 82012a2c80e0f0bed75586b7d93570db2121962e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Mon, 1 Aug 2022 17:50:37 +0200
|
||||||
|
Subject: [PATCH 1/2] Add rule for sysctl net.ipv4.conf.all.forwarding
|
||||||
|
|
||||||
|
This is rule is similar to sysctl_net_ipv6_conf_all_forwarding and
|
||||||
|
sysctl_net_ipv4_forward.
|
||||||
|
---
|
||||||
|
.../rule.yml | 44 +++++++++++++++++++
|
||||||
|
...ctl_net_ipv4_conf_all_forwarding_value.var | 17 +++++++
|
||||||
|
shared/references/cce-redhat-avail.txt | 1 -
|
||||||
|
3 files changed, 61 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
|
||||||
|
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..7b0066f7c29
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
|
||||||
|
@@ -0,0 +1,44 @@
|
||||||
|
+documentation_complete: true
|
||||||
|
+
|
||||||
|
+prodtype: rhel8
|
||||||
|
+
|
||||||
|
+title: 'Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces'
|
||||||
|
+
|
||||||
|
+description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}'
|
||||||
|
+
|
||||||
|
+rationale: |-
|
||||||
|
+ IP forwarding permits the kernel to forward packets from one network
|
||||||
|
+ interface to another. The ability to forward packets between two networks is
|
||||||
|
+ only appropriate for systems acting as routers.
|
||||||
|
+
|
||||||
|
+severity: medium
|
||||||
|
+
|
||||||
|
+identifiers:
|
||||||
|
+ cce@rhel8: CCE-86220-1
|
||||||
|
+
|
||||||
|
+references:
|
||||||
|
+ disa: CCI-000366
|
||||||
|
+ nist: CM-6(b)
|
||||||
|
+ srg: SRG-OS-000480-GPOS-00227
|
||||||
|
+ stigid@rhel8: RHEL-08-040259
|
||||||
|
+
|
||||||
|
+ocil_clause: 'IP forwarding value is "1" and the system is not router'
|
||||||
|
+
|
||||||
|
+ocil: |-
|
||||||
|
+ {{{ ocil_sysctl_option_value(sysctl="net.ipv4.conf.all.forwarding", value="0") }}}
|
||||||
|
+ The ability to forward packets is only appropriate for routers.
|
||||||
|
+
|
||||||
|
+fixtext: |-
|
||||||
|
+ Configure {{{ full_name }}} to not allow packet forwarding unless the system is a router with the following commands:
|
||||||
|
+ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.forwarding", value="0") | indent(4) }}}
|
||||||
|
+
|
||||||
|
+srg_requirement: '{{{ full_name }}} must not perform packet forwarding unless the system is a router.'
|
||||||
|
+
|
||||||
|
+platform: machine
|
||||||
|
+
|
||||||
|
+template:
|
||||||
|
+ name: sysctl
|
||||||
|
+ vars:
|
||||||
|
+ sysctlvar: net.ipv4.conf.all.forwarding
|
||||||
|
+ datatype: int
|
||||||
|
+
|
||||||
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..2aedd6e6432
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
|
||||||
|
@@ -0,0 +1,17 @@
|
||||||
|
+documentation_complete: true
|
||||||
|
+
|
||||||
|
+title: net.ipv4.conf.all.forwarding
|
||||||
|
+
|
||||||
|
+description: 'Toggle IPv4 Forwarding'
|
||||||
|
+
|
||||||
|
+type: number
|
||||||
|
+
|
||||||
|
+operator: equals
|
||||||
|
+
|
||||||
|
+interactive: false
|
||||||
|
+
|
||||||
|
+options:
|
||||||
|
+ default: "0"
|
||||||
|
+ disabled: "0"
|
||||||
|
+ enabled: 1
|
||||||
|
+
|
||||||
|
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
||||||
|
index 914233f06bf..3e14b73dd71 100644
|
||||||
|
--- a/shared/references/cce-redhat-avail.txt
|
||||||
|
+++ b/shared/references/cce-redhat-avail.txt
|
||||||
|
@@ -168,7 +168,6 @@ CCE-86216-9
|
||||||
|
CCE-86217-7
|
||||||
|
CCE-86218-5
|
||||||
|
CCE-86219-3
|
||||||
|
-CCE-86220-1
|
||||||
|
CCE-86221-9
|
||||||
|
CCE-86222-7
|
||||||
|
CCE-86223-5
|
||||||
|
|
||||||
|
From 0e2be2dfb7c185ac15e69e110c2e7a76f6896df7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Mon, 1 Aug 2022 17:53:32 +0200
|
||||||
|
Subject: [PATCH 2/2] Better align with RHEL-08-040259
|
||||||
|
|
||||||
|
The item is about net.ipv4.conf.all.forwarding
|
||||||
|
The update to V1R7 made brought this misalignment to light.
|
||||||
|
---
|
||||||
|
.../sysctl_net_ipv4_ip_forward/rule.yml | 1 -
|
||||||
|
products/rhel8/profiles/stig.profile | 2 +-
|
||||||
|
tests/data/profile_stability/rhel8/stig.profile | 4 ++--
|
||||||
|
tests/data/profile_stability/rhel8/stig_gui.profile | 2 +-
|
||||||
|
4 files changed, 4 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
||||||
|
index 5c449db7f3a..7acfc0b05b6 100644
|
||||||
|
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
||||||
|
@@ -45,7 +45,6 @@ references:
|
||||||
|
stigid@ol7: OL07-00-040740
|
||||||
|
stigid@ol8: OL08-00-040260
|
||||||
|
stigid@rhel7: RHEL-07-040740
|
||||||
|
- stigid@rhel8: RHEL-08-040259
|
||||||
|
stigid@sle12: SLES-12-030430
|
||||||
|
stigid@sle15: SLES-15-040380
|
||||||
|
|
||||||
|
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||||
|
index 4b480bd2c11..6b44436a2b1 100644
|
||||||
|
--- a/products/rhel8/profiles/stig.profile
|
||||||
|
+++ b/products/rhel8/profiles/stig.profile
|
||||||
|
@@ -1127,7 +1127,7 @@ selections:
|
||||||
|
- sysctl_net_ipv6_conf_default_accept_source_route
|
||||||
|
|
||||||
|
# RHEL-08-040259
|
||||||
|
- - sysctl_net_ipv4_ip_forward
|
||||||
|
+ - sysctl_net_ipv4_conf_all_forwarding
|
||||||
|
|
||||||
|
# RHEL-08-040260
|
||||||
|
- sysctl_net_ipv6_conf_all_forwarding
|
||||||
|
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||||
|
index 4bee72830d0..47f53a9d023 100644
|
||||||
|
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||||
|
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||||
|
@@ -1,7 +1,7 @@
|
||||||
|
title: DISA STIG for Red Hat Enterprise Linux 8
|
||||||
|
description: 'This profile contains configuration checks that align to the
|
||||||
|
|
||||||
|
- DISA STIG for Red Hat Enterprise Linux 8 V1R7
|
||||||
|
+ DISA STIG for Red Hat Enterprise Linux 8 V1R7.
|
||||||
|
|
||||||
|
|
||||||
|
In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
|
||||||
|
@@ -395,13 +395,13 @@ selections:
|
||||||
|
- sysctl_net_core_bpf_jit_harden
|
||||||
|
- sysctl_net_ipv4_conf_all_accept_redirects
|
||||||
|
- sysctl_net_ipv4_conf_all_accept_source_route
|
||||||
|
+- sysctl_net_ipv4_conf_all_forwarding
|
||||||
|
- sysctl_net_ipv4_conf_all_rp_filter
|
||||||
|
- sysctl_net_ipv4_conf_all_send_redirects
|
||||||
|
- sysctl_net_ipv4_conf_default_accept_redirects
|
||||||
|
- sysctl_net_ipv4_conf_default_accept_source_route
|
||||||
|
- sysctl_net_ipv4_conf_default_send_redirects
|
||||||
|
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
|
||||||
|
-- sysctl_net_ipv4_ip_forward
|
||||||
|
- sysctl_net_ipv6_conf_all_accept_ra
|
||||||
|
- sysctl_net_ipv6_conf_all_accept_redirects
|
||||||
|
- sysctl_net_ipv6_conf_all_accept_source_route
|
||||||
|
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||||
|
index ece32d06a6f..c4e60ddcde5 100644
|
||||||
|
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||||
|
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||||
|
@@ -405,13 +405,13 @@ selections:
|
||||||
|
- sysctl_net_core_bpf_jit_harden
|
||||||
|
- sysctl_net_ipv4_conf_all_accept_redirects
|
||||||
|
- sysctl_net_ipv4_conf_all_accept_source_route
|
||||||
|
+- sysctl_net_ipv4_conf_all_forwarding
|
||||||
|
- sysctl_net_ipv4_conf_all_rp_filter
|
||||||
|
- sysctl_net_ipv4_conf_all_send_redirects
|
||||||
|
- sysctl_net_ipv4_conf_default_accept_redirects
|
||||||
|
- sysctl_net_ipv4_conf_default_accept_source_route
|
||||||
|
- sysctl_net_ipv4_conf_default_send_redirects
|
||||||
|
- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
|
||||||
|
-- sysctl_net_ipv4_ip_forward
|
||||||
|
- sysctl_net_ipv6_conf_all_accept_ra
|
||||||
|
- sysctl_net_ipv6_conf_all_accept_redirects
|
||||||
|
- sysctl_net_ipv6_conf_all_accept_source_route
|
@ -0,0 +1,89 @@
|
|||||||
|
From e368a515911cd09727d8cd1c7e8b46dc7bdff4fa Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gabriel Becker <ggasparb@redhat.com>
|
||||||
|
Date: Tue, 9 Aug 2022 17:28:33 +0200
|
||||||
|
Subject: [PATCH] Reintroduce back the sshd timeout rules in RHEL8 STIG
|
||||||
|
profile.
|
||||||
|
|
||||||
|
---
|
||||||
|
.../ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 1 +
|
||||||
|
.../ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 1 +
|
||||||
|
products/rhel8/profiles/stig.profile | 14 +++++++-------
|
||||||
|
tests/data/profile_stability/rhel8/stig.profile | 2 ++
|
||||||
|
.../data/profile_stability/rhel8/stig_gui.profile | 2 ++
|
||||||
|
5 files changed, 13 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
||||||
|
index 46ea0558a42..1e9c6172758 100644
|
||||||
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
||||||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
|
||||||
|
@@ -57,6 +57,7 @@ references:
|
||||||
|
stigid@ol7: OL07-00-040320
|
||||||
|
stigid@ol8: OL08-00-010201
|
||||||
|
stigid@rhel7: RHEL-07-040320
|
||||||
|
+ stigid@rhel8: RHEL-08-010201
|
||||||
|
stigid@sle12: SLES-12-030190
|
||||||
|
stigid@sle15: SLES-15-010280
|
||||||
|
stigid@ubuntu2004: UBTU-20-010037
|
||||||
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
||||||
|
index 0f0693ddc6c..f6e98a61d9a 100644
|
||||||
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
||||||
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
|
||||||
|
@@ -53,6 +53,7 @@ references:
|
||||||
|
stigid@ol7: OL07-00-040340
|
||||||
|
stigid@ol8: OL08-00-010200
|
||||||
|
stigid@rhel7: RHEL-07-040340
|
||||||
|
+ stigid@rhel8: RHEL-08-010200
|
||||||
|
stigid@sle12: SLES-12-030191
|
||||||
|
stigid@sle15: SLES-15-010320
|
||||||
|
vmmsrg: SRG-OS-000480-VMM-002000
|
||||||
|
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
||||||
|
index 6b44436a2b1..124b7520d3a 100644
|
||||||
|
--- a/products/rhel8/profiles/stig.profile
|
||||||
|
+++ b/products/rhel8/profiles/stig.profile
|
||||||
|
@@ -170,13 +170,13 @@ selections:
|
||||||
|
# RHEL-08-010190
|
||||||
|
- dir_perms_world_writable_sticky_bits
|
||||||
|
|
||||||
|
- # These two items don't behave as they used to in RHEL8.6 and RHEL9
|
||||||
|
- # anymore. They will be disabled for now until an alternative
|
||||||
|
- # solution is found.
|
||||||
|
- # # RHEL-08-010200
|
||||||
|
- # - sshd_set_keepalive_0
|
||||||
|
- # # RHEL-08-010201
|
||||||
|
- # - sshd_set_idle_timeout
|
||||||
|
+ # Although these rules have a different behavior in RHEL>=8.6
|
||||||
|
+ # they still need to be selected so it follows exactly what STIG
|
||||||
|
+ # states.
|
||||||
|
+ # RHEL-08-010200
|
||||||
|
+ - sshd_set_keepalive_0
|
||||||
|
+ # RHEL-08-010201
|
||||||
|
+ - sshd_set_idle_timeout
|
||||||
|
|
||||||
|
# RHEL-08-010210
|
||||||
|
- file_permissions_var_log_messages
|
||||||
|
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
||||||
|
index 47f53a9d023..6c75d0ae1b1 100644
|
||||||
|
--- a/tests/data/profile_stability/rhel8/stig.profile
|
||||||
|
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
||||||
|
@@ -369,6 +369,8 @@ selections:
|
||||||
|
- sshd_enable_warning_banner
|
||||||
|
- sshd_print_last_log
|
||||||
|
- sshd_rekey_limit
|
||||||
|
+- sshd_set_idle_timeout
|
||||||
|
+- sshd_set_keepalive_0
|
||||||
|
- sshd_use_strong_rng
|
||||||
|
- sshd_x11_use_localhost
|
||||||
|
- sssd_certificate_verification
|
||||||
|
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||||
|
index c4e60ddcde5..8a7a469b940 100644
|
||||||
|
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||||
|
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
||||||
|
@@ -379,6 +379,8 @@ selections:
|
||||||
|
- sshd_enable_warning_banner
|
||||||
|
- sshd_print_last_log
|
||||||
|
- sshd_rekey_limit
|
||||||
|
+- sshd_set_idle_timeout
|
||||||
|
+- sshd_set_keepalive_0
|
||||||
|
- sshd_use_strong_rng
|
||||||
|
- sshd_x11_use_localhost
|
||||||
|
- sssd_certificate_verification
|
113
scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch
Normal file
113
scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch
Normal file
@ -0,0 +1,113 @@
|
|||||||
|
From 7e46b59d2227dea50ca173d799bce7fa14b57ab1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Tue, 2 Aug 2022 15:57:52 +0200
|
||||||
|
Subject: [PATCH 1/2] Accept sudoers files without includes as compliant
|
||||||
|
|
||||||
|
Update rule sudoers_default_includedir to accept as compliant sudoers
|
||||||
|
files that don't have any #include or #includedir directive
|
||||||
|
---
|
||||||
|
.../oval/shared.xml | 24 +++++++++++++++----
|
||||||
|
.../sudo/sudoers_default_includedir/rule.yml | 8 ++++---
|
||||||
|
...cludedir.fail.sh => no_includedir.pass.sh} | 2 +-
|
||||||
|
3 files changed, 26 insertions(+), 8 deletions(-)
|
||||||
|
rename linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/{no_includedir.fail.sh => no_includedir.pass.sh} (51%)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||||
|
index 59cab0b89de..629fbe8c6d2 100644
|
||||||
|
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||||
|
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||||
|
@@ -1,10 +1,16 @@
|
||||||
|
<def-group>
|
||||||
|
<definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||||
|
{{{ oval_metadata("Check if sudo includes only the default includedir") }}}
|
||||||
|
- <criteria operator="AND">
|
||||||
|
- <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
|
||||||
|
- <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
|
||||||
|
- <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
|
||||||
|
+ <criteria operator="OR">
|
||||||
|
+ <criteria operator="AND">
|
||||||
|
+ <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />
|
||||||
|
+ <criterion comment="Check /etc/sudoers doesn't have any #includedir" test_ref="test_sudoers_without_includedir" />
|
||||||
|
+ </criteria>
|
||||||
|
+ <criteria operator="AND">
|
||||||
|
+ <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
|
||||||
|
+ <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
|
||||||
|
+ <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
|
||||||
|
+ </criteria>
|
||||||
|
</criteria>
|
||||||
|
</definition>
|
||||||
|
|
||||||
|
@@ -32,6 +38,16 @@
|
||||||
|
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||||
|
</ind:textfilecontent54_object>
|
||||||
|
|
||||||
|
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
|
||||||
|
+ comment="audit augenrules rmmod" id="test_sudoers_without_includedir" version="1">
|
||||||
|
+ <ind:object object_ref="object_sudoers_without_includedir" />
|
||||||
|
+ </ind:textfilecontent54_test>
|
||||||
|
+ <ind:textfilecontent54_object id="object_sudoers_without_includedir" version="1">
|
||||||
|
+ <ind:filepath>/etc/sudoers</ind:filepath>
|
||||||
|
+ <ind:pattern operation="pattern match">^#includedir[\s]+.*$</ind:pattern>
|
||||||
|
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
||||||
|
+ </ind:textfilecontent54_object>
|
||||||
|
+
|
||||||
|
<ind:textfilecontent54_test check="all" check_existence="none_exist"
|
||||||
|
comment="audit augenrules rmmod" id="test_sudoersd_without_includes" version="1">
|
||||||
|
<ind:object object_ref="object_sudoersd_without_includes" />
|
||||||
|
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||||
|
index aa2aaee19f8..83bfb0183bd 100644
|
||||||
|
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
|
||||||
|
@@ -8,9 +8,11 @@ description: |-
|
||||||
|
Administrators can configure authorized <tt>sudo</tt> users via drop-in files, and it is possible to include
|
||||||
|
other directories and configuration files from the file currently being parsed.
|
||||||
|
|
||||||
|
- Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>.
|
||||||
|
- The <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
|
||||||
|
- <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories.
|
||||||
|
+ Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>,
|
||||||
|
+ or that no drop-in file is included.
|
||||||
|
+ Either the <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
|
||||||
|
+ <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories;
|
||||||
|
+ Or the <tt>/etc/sudoers</tt> should not contain any <tt>#include</tt> or <tt>#includedir</tt> directives.
|
||||||
|
Note that the '#' character doesn't denote a comment in the configuration file.
|
||||||
|
|
||||||
|
rationale: |-
|
||||||
|
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
|
||||||
|
similarity index 51%
|
||||||
|
rename from linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
|
||||||
|
rename to linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
|
||||||
|
index 1e0ab8aea92..fe73cb25076 100644
|
||||||
|
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
|
||||||
|
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# platform = multi_platform_all
|
||||||
|
|
||||||
|
-sed -i "/#includedir.*/d" /etc/sudoers
|
||||||
|
+sed -i "/#include(dir)?.*/d" /etc/sudoers
|
||||||
|
|
||||||
|
From 28967d81eeea19f172ad0fd43ad3f58b203e1411 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Wed, 3 Aug 2022 12:01:12 +0200
|
||||||
|
Subject: [PATCH 2/2] Improve definition's comments
|
||||||
|
|
||||||
|
---
|
||||||
|
.../software/sudo/sudoers_default_includedir/oval/shared.xml | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||||
|
index 629fbe8c6d2..82095acc6ed 100644
|
||||||
|
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||||
|
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
|
||||||
|
@@ -8,8 +8,8 @@
|
||||||
|
</criteria>
|
||||||
|
<criteria operator="AND">
|
||||||
|
<criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
|
||||||
|
- <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
|
||||||
|
- <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
|
||||||
|
+ <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />
|
||||||
|
+ <criterion comment="Check /etc/sudoers.d doesn't have any #include or #includedir" test_ref="test_sudoersd_without_includes" />
|
||||||
|
</criteria>
|
||||||
|
</criteria>
|
||||||
|
</definition>
|
@ -0,0 +1,358 @@
|
|||||||
|
From f647d546d03b9296861f18673b0ac9efaa0db3ab Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Wed, 3 Aug 2022 09:57:33 +0200
|
||||||
|
Subject: [PATCH 1/5] Make rule sysctl ipv4 rp_filter accept two values
|
||||||
|
|
||||||
|
This also removes value '0' from the list of possible configurations.
|
||||||
|
This change aligns the rule better with STIG.
|
||||||
|
---
|
||||||
|
.../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 4 ++++
|
||||||
|
.../tests/value_1.pass.sh | 10 ++++++++++
|
||||||
|
.../tests/value_2.pass.sh | 10 ++++++++++
|
||||||
|
.../sysctl_net_ipv4_conf_all_rp_filter_value.var | 2 +-
|
||||||
|
4 files changed, 25 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||||
|
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||||
|
index 496a8491f32..697f79fa872 100644
|
||||||
|
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||||
|
@@ -59,4 +59,8 @@ template:
|
||||||
|
name: sysctl
|
||||||
|
vars:
|
||||||
|
sysctlvar: net.ipv4.conf.all.rp_filter
|
||||||
|
+ sysctlval:
|
||||||
|
+ - '1'
|
||||||
|
+ - '2'
|
||||||
|
+ wrong_sysctlval_for_testing: "0"
|
||||||
|
datatype: int
|
||||||
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..516bfaf1369
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||||
|
@@ -0,0 +1,10 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+# Clean sysctl config directories
|
||||||
|
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||||
|
+
|
||||||
|
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
|
||||||
|
+echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
|
||||||
|
+
|
||||||
|
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||||
|
+sysctl -w net.ipv4.conf.all.rp_filter="1"
|
||||||
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..ef1b8da0479
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||||
|
@@ -0,0 +1,10 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+# Clean sysctl config directories
|
||||||
|
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||||
|
+
|
||||||
|
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
|
||||||
|
+echo "net.ipv4.conf.all.rp_filter = 2" >> /etc/sysctl.conf
|
||||||
|
+
|
||||||
|
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||||
|
+sysctl -w net.ipv4.conf.all.rp_filter="2"
|
||||||
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
|
||||||
|
index e3fc78e3f05..1eae854f6b0 100644
|
||||||
|
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
|
||||||
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
|
||||||
|
@@ -17,5 +17,5 @@ interactive: false
|
||||||
|
|
||||||
|
options:
|
||||||
|
default: 1
|
||||||
|
- disabled: "0"
|
||||||
|
enabled: 1
|
||||||
|
+ loose: 2
|
||||||
|
|
||||||
|
From f903b6b257659cfe79bfd17a13ae72d1a48f40d9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Wed, 3 Aug 2022 10:53:40 +0200
|
||||||
|
Subject: [PATCH 2/5] Make rule for kptr_restrict accept two values
|
||||||
|
|
||||||
|
This also removes value '0' from the list of possible configurations.
|
||||||
|
This change aligns the rule better with STIG.
|
||||||
|
---
|
||||||
|
.../sysctl_kernel_kptr_restrict/rule.yml | 4 ++++
|
||||||
|
.../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 10 ++++++++++
|
||||||
|
.../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 10 ++++++++++
|
||||||
|
.../sysctl_kernel_kptr_restrict_value.var | 1 -
|
||||||
|
4 files changed, 24 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||||
|
index 1984b3c8691..5706eee0a0a 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||||
|
@@ -42,6 +42,10 @@ template:
|
||||||
|
name: sysctl
|
||||||
|
vars:
|
||||||
|
sysctlvar: kernel.kptr_restrict
|
||||||
|
+ sysctlval:
|
||||||
|
+ - '1'
|
||||||
|
+ - '2'
|
||||||
|
+ wrong_sysctlval_for_testing: "0"
|
||||||
|
datatype: int
|
||||||
|
|
||||||
|
fixtext: |-
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..e6efae48b25
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||||
|
@@ -0,0 +1,10 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+# Clean sysctl config directories
|
||||||
|
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||||
|
+
|
||||||
|
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
|
||||||
|
+echo "kernel.kptr_restrict = 1" >> /etc/sysctl.conf
|
||||||
|
+
|
||||||
|
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||||
|
+sysctl -w kernel.kptr_restrict="1"
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..be3f2b743ef
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||||
|
@@ -0,0 +1,10 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+# Clean sysctl config directories
|
||||||
|
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||||
|
+
|
||||||
|
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
|
||||||
|
+echo "kernel.kptr_restrict = 2" >> /etc/sysctl.conf
|
||||||
|
+
|
||||||
|
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||||
|
+sysctl -w kernel.kptr_restrict="2"
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
|
||||||
|
index 452328e3efd..268550de53d 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
|
||||||
|
@@ -12,6 +12,5 @@ interactive: false
|
||||||
|
|
||||||
|
options:
|
||||||
|
default: 1
|
||||||
|
- 0: 0
|
||||||
|
1: 1
|
||||||
|
2: 2
|
||||||
|
|
||||||
|
From 932d00c370c8dc1c964354dd4bc111fbc18b9303 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Wed, 3 Aug 2022 11:08:34 +0200
|
||||||
|
Subject: [PATCH 3/5] Remove variable selector that will result in error
|
||||||
|
|
||||||
|
The rule only accepts values 1 or 2 as compliant, the XCCDF Variable
|
||||||
|
cannot have the value 0, it will never result in pass.
|
||||||
|
---
|
||||||
|
.../sysctl_kernel_unprivileged_bpf_disabled_value.var | 1 -
|
||||||
|
1 file changed, 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
|
||||||
|
index b8bf965a255..cbfd9bafa91 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
|
||||||
|
@@ -13,6 +13,5 @@ interactive: false
|
||||||
|
|
||||||
|
options:
|
||||||
|
default: 2
|
||||||
|
- 0: "0"
|
||||||
|
1: "1"
|
||||||
|
2: "2"
|
||||||
|
|
||||||
|
From 7127380e294a7e112fc427d0a46c21f15404aaa5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Wed, 3 Aug 2022 11:33:03 +0200
|
||||||
|
Subject: [PATCH 4/5] Restrict sysctl multivalue compliance to rhel and ol
|
||||||
|
|
||||||
|
For now, the only STIGs I see that adopted this change were RHEL's and
|
||||||
|
OL's.
|
||||||
|
---
|
||||||
|
.../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 2 ++
|
||||||
|
.../sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh | 1 +
|
||||||
|
.../sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh | 1 +
|
||||||
|
.../sysctl_kernel_kptr_restrict/rule.yml | 2 ++
|
||||||
|
.../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 1 +
|
||||||
|
.../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 1 +
|
||||||
|
6 files changed, 8 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||||
|
index 697f79fa872..f04ae37c13d 100644
|
||||||
|
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||||
|
@@ -59,8 +59,10 @@ template:
|
||||||
|
name: sysctl
|
||||||
|
vars:
|
||||||
|
sysctlvar: net.ipv4.conf.all.rp_filter
|
||||||
|
+ {{% if 'ol' in product or 'rhel' in product %}}
|
||||||
|
sysctlval:
|
||||||
|
- '1'
|
||||||
|
- '2'
|
||||||
|
wrong_sysctlval_for_testing: "0"
|
||||||
|
+ {{% endif %}}
|
||||||
|
datatype: int
|
||||||
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||||
|
index 516bfaf1369..583b70a3b97 100644
|
||||||
|
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||||
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
|
||||||
|
@@ -1,4 +1,5 @@
|
||||||
|
#!/bin/bash
|
||||||
|
+# platform = multi_platform_ol,multi_platform_rhel
|
||||||
|
|
||||||
|
# Clean sysctl config directories
|
||||||
|
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||||
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||||
|
index ef1b8da0479..ef545976dc6 100644
|
||||||
|
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||||
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
|
||||||
|
@@ -1,4 +1,5 @@
|
||||||
|
#!/bin/bash
|
||||||
|
+# platform = multi_platform_ol,multi_platform_rhel
|
||||||
|
|
||||||
|
# Clean sysctl config directories
|
||||||
|
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||||
|
index 5706eee0a0a..f53e035effa 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||||
|
@@ -42,10 +42,12 @@ template:
|
||||||
|
name: sysctl
|
||||||
|
vars:
|
||||||
|
sysctlvar: kernel.kptr_restrict
|
||||||
|
+ {{% if 'ol' in product or 'rhel' in product %}}
|
||||||
|
sysctlval:
|
||||||
|
- '1'
|
||||||
|
- '2'
|
||||||
|
wrong_sysctlval_for_testing: "0"
|
||||||
|
+ {{% endif %}}
|
||||||
|
datatype: int
|
||||||
|
|
||||||
|
fixtext: |-
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||||
|
index e6efae48b25..70189666c16 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
|
||||||
|
@@ -1,4 +1,5 @@
|
||||||
|
#!/bin/bash
|
||||||
|
+# platform = multi_platform_ol,multi_platform_rhel
|
||||||
|
|
||||||
|
# Clean sysctl config directories
|
||||||
|
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||||
|
index be3f2b743ef..209395fa9a1 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
|
||||||
|
@@ -1,4 +1,5 @@
|
||||||
|
#!/bin/bash
|
||||||
|
+# platform = multi_platform_ol,multi_platform_rhel
|
||||||
|
|
||||||
|
# Clean sysctl config directories
|
||||||
|
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||||
|
|
||||||
|
From a159f7d62b200c79b6ec2b47ffa643ed6219f35b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Wed, 3 Aug 2022 14:01:40 +0200
|
||||||
|
Subject: [PATCH 5/5] Update OCIL check along with the rule
|
||||||
|
|
||||||
|
The OCIL should should mention both compliant values.
|
||||||
|
---
|
||||||
|
.../rule.yml | 29 +++++++++++++++++--
|
||||||
|
.../sysctl_kernel_kptr_restrict/rule.yml | 29 ++++++++++++++++++-
|
||||||
|
2 files changed, 55 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||||
|
index f04ae37c13d..4d31c6c3ebd 100644
|
||||||
|
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
|
||||||
|
@@ -47,11 +47,36 @@ references:
|
||||||
|
stigid@rhel7: RHEL-07-040611
|
||||||
|
stigid@rhel8: RHEL-08-040285
|
||||||
|
|
||||||
|
-{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}}
|
||||||
|
+ocil: |-
|
||||||
|
+ The runtime status of the <code>net.ipv4.conf.all.rp_filter</code> parameter can be queried
|
||||||
|
+ by running the following command:
|
||||||
|
+ <pre>$ sysctl net.ipv4.conf.all.rp_filter</pre>
|
||||||
|
+ The output of the command should indicate either:
|
||||||
|
+ <code>net.ipv4.conf.all.rp_filter = 1</code>
|
||||||
|
+ or:
|
||||||
|
+ <code>net.ipv4.conf.all.rp_filter = 2</code>
|
||||||
|
+ The output of the command should not indicate:
|
||||||
|
+ <code>net.ipv4.conf.all.rp_filter = 0</code>
|
||||||
|
+
|
||||||
|
+ The preferable way how to assure the runtime compliance is to have
|
||||||
|
+ correct persistent configuration, and rebooting the system.
|
||||||
|
+
|
||||||
|
+ The persistent sysctl parameter configuration is performed by specifying the appropriate
|
||||||
|
+ assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
|
||||||
|
+ Verify that there is not any existing incorrect configuration by executing the following command:
|
||||||
|
+ <pre>$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
|
||||||
|
+ The command should not find any assignments other than:
|
||||||
|
+ net.ipv4.conf.all.rp_filter = 1
|
||||||
|
+ or:
|
||||||
|
+ net.ipv4.conf.all.rp_filter = 2
|
||||||
|
+
|
||||||
|
+ Conflicting assignments are not allowed.
|
||||||
|
+
|
||||||
|
+ocil_clause: "the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0"
|
||||||
|
|
||||||
|
fixtext: |-
|
||||||
|
Configure {{{ full_name }}} to use reverse path filtering on all IPv4 interfaces.
|
||||||
|
- {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value="1") | indent(4) }}}
|
||||||
|
+ {{{ fixtext_sysctl(sysctl="net.ipv4.conf.all.rp_filter", value=xccdf_value("sysctl_net_ipv4_conf_all_rp_filter_value")) | indent(4) }}}
|
||||||
|
|
||||||
|
srg_requirement: '{{{ full_name }}} must use reverse path filtering on all IPv4 interfaces.'
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||||
|
index f53e035effa..367934b5672 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
|
||||||
|
@@ -34,6 +34,33 @@ references:
|
||||||
|
|
||||||
|
{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}}
|
||||||
|
|
||||||
|
+ocil: |-
|
||||||
|
+ The runtime status of the <code>kernel.kptr_restrict</code> kernel parameter can be queried
|
||||||
|
+ by running the following command:
|
||||||
|
+ <pre>$ sysctl kernel.kptr_restrict</pre>
|
||||||
|
+ The output of the command should indicate either:
|
||||||
|
+ <code>kernel.kptr_restrict = 1</code>
|
||||||
|
+ or:
|
||||||
|
+ <code>kernel.kptr_restrict = 2</code>
|
||||||
|
+ The output of the command should not indicate:
|
||||||
|
+ <code>kernel.kptr_restrict = 0</code>
|
||||||
|
+
|
||||||
|
+ The preferable way how to assure the runtime compliance is to have
|
||||||
|
+ correct persistent configuration, and rebooting the system.
|
||||||
|
+
|
||||||
|
+ The persistent kernel parameter configuration is performed by specifying the appropriate
|
||||||
|
+ assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
|
||||||
|
+ Verify that there is not any existing incorrect configuration by executing the following command:
|
||||||
|
+ <pre>$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
|
||||||
|
+ The command should not find any assignments other than:
|
||||||
|
+ kernel.kptr_restrict = 1
|
||||||
|
+ or:
|
||||||
|
+ kernel.kptr_restrict = 2
|
||||||
|
+
|
||||||
|
+ Conflicting assignments are not allowed.
|
||||||
|
+
|
||||||
|
+ocil_clause: "the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0"
|
||||||
|
+
|
||||||
|
srg_requirement: '{{{ full_name }}} must restrict exposed kernel pointer addresses access.'
|
||||||
|
|
||||||
|
platform: machine
|
||||||
|
@@ -52,4 +79,4 @@ template:
|
||||||
|
|
||||||
|
fixtext: |-
|
||||||
|
Configure {{{ full_name }}} to restrict exposed kernel pointer addresses access.
|
||||||
|
- {{{ fixtext_sysctl("kernel.kptr_restrict", "1") | indent(4) }}}
|
||||||
|
+ {{{ fixtext_sysctl("kernel.kptr_restrict", value=xccdf_value("sysctl_kernel_kptr_restrict_value")) | indent(4) }}}
|
1888
scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch
Normal file
1888
scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,92 @@
|
|||||||
|
From 245d4e04318bcac20f15e680cf1b33a35b94067a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||||
|
Date: Mon, 8 Aug 2022 14:34:34 +0200
|
||||||
|
Subject: [PATCH 1/3] add warning to the rsyslog_remote_loghost rule about
|
||||||
|
configuring queues
|
||||||
|
|
||||||
|
---
|
||||||
|
.../rsyslog_remote_loghost/rule.yml | 17 +++++++++++++++++
|
||||||
|
1 file changed, 17 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||||
|
index 4ce56d2e6a5..c73d9ec95a6 100644
|
||||||
|
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||||
|
@@ -90,3 +90,20 @@ fixtext: |-
|
||||||
|
*.* @@[remoteloggingserver]:[port]"
|
||||||
|
|
||||||
|
srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a different system or storage media from the system being audited.'
|
||||||
|
+
|
||||||
|
+warnings:
|
||||||
|
+ - functionality: |-
|
||||||
|
+ It is important to configure queues in case the client is sending log
|
||||||
|
+ messages to a remote server. If queues are not configured, there is a
|
||||||
|
+ danger that the system will stop functioning in case that the connection
|
||||||
|
+ to the remote server is not available. Please consult Rsyslog
|
||||||
|
+ documentation for more information about configuration of queues. The
|
||||||
|
+ example configuration which should go into <tt>/etc/rsyslog.conf</tt>
|
||||||
|
+ can look like the following lines:
|
||||||
|
+ <pre>
|
||||||
|
+ $ActionQueueType LinkedList
|
||||||
|
+ $ActionQueueFileName somenameforprefix
|
||||||
|
+ $ActionQueueMaxDiskSpace 1g
|
||||||
|
+ $ActionQueueSaveOnShutdown on
|
||||||
|
+ $ActionResumeRetryCount -1
|
||||||
|
+ </pre>
|
||||||
|
|
||||||
|
From 10fbd1665513284fbb82cf1af96b92774301f8e5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: vojtapolasek <krecoun@gmail.com>
|
||||||
|
Date: Tue, 9 Aug 2022 09:41:00 +0200
|
||||||
|
Subject: [PATCH 2/3] Apply suggestions from code review
|
||||||
|
|
||||||
|
Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
|
||||||
|
---
|
||||||
|
.../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||||
|
index c73d9ec95a6..706d3265a08 100644
|
||||||
|
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||||
|
@@ -95,14 +95,14 @@ warnings:
|
||||||
|
- functionality: |-
|
||||||
|
It is important to configure queues in case the client is sending log
|
||||||
|
messages to a remote server. If queues are not configured, there is a
|
||||||
|
- danger that the system will stop functioning in case that the connection
|
||||||
|
+ the system will stop functioning when the connection
|
||||||
|
to the remote server is not available. Please consult Rsyslog
|
||||||
|
documentation for more information about configuration of queues. The
|
||||||
|
example configuration which should go into <tt>/etc/rsyslog.conf</tt>
|
||||||
|
can look like the following lines:
|
||||||
|
<pre>
|
||||||
|
$ActionQueueType LinkedList
|
||||||
|
- $ActionQueueFileName somenameforprefix
|
||||||
|
+ $ActionQueueFileName queuefilename
|
||||||
|
$ActionQueueMaxDiskSpace 1g
|
||||||
|
$ActionQueueSaveOnShutdown on
|
||||||
|
$ActionResumeRetryCount -1
|
||||||
|
|
||||||
|
From e2abf4f8a1bcc0dd02ad4af6f9575797abdd332e Mon Sep 17 00:00:00 2001
|
||||||
|
From: vojtapolasek <krecoun@gmail.com>
|
||||||
|
Date: Tue, 9 Aug 2022 10:55:04 +0200
|
||||||
|
Subject: [PATCH 3/3] Update
|
||||||
|
linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||||
|
|
||||||
|
Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
|
||||||
|
---
|
||||||
|
.../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||||
|
index 706d3265a08..cce4d5cac1d 100644
|
||||||
|
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
|
||||||
|
@@ -94,7 +94,7 @@ srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a
|
||||||
|
warnings:
|
||||||
|
- functionality: |-
|
||||||
|
It is important to configure queues in case the client is sending log
|
||||||
|
- messages to a remote server. If queues are not configured, there is a
|
||||||
|
+ messages to a remote server. If queues are not configured,
|
||||||
|
the system will stop functioning when the connection
|
||||||
|
to the remote server is not available. Please consult Rsyslog
|
||||||
|
documentation for more information about configuration of queues. The
|
@ -6,7 +6,7 @@
|
|||||||
|
|
||||||
Name: scap-security-guide
|
Name: scap-security-guide
|
||||||
Version: 0.1.63
|
Version: 0.1.63
|
||||||
Release: 1%{?dist}
|
Release: 3%{?dist}
|
||||||
Summary: Security guidance and baselines in SCAP formats
|
Summary: Security guidance and baselines in SCAP formats
|
||||||
License: BSD-3-Clause
|
License: BSD-3-Clause
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
@ -19,6 +19,21 @@ BuildArch: noarch
|
|||||||
|
|
||||||
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
|
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
|
||||||
Patch0: disable-not-in-good-shape-profiles.patch
|
Patch0: disable-not-in-good-shape-profiles.patch
|
||||||
|
Patch1: scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch
|
||||||
|
Patch2: scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch
|
||||||
|
Patch3: scap-security-guide-0.1.64-stig_aide-PR_9282.patch
|
||||||
|
Patch4: scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch
|
||||||
|
Patch5: scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch
|
||||||
|
Patch6: scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch
|
||||||
|
Patch7: scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch
|
||||||
|
Patch8: scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch
|
||||||
|
Patch9: scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch
|
||||||
|
Patch10: scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch
|
||||||
|
Patch11: scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch
|
||||||
|
Patch12: scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch
|
||||||
|
Patch13: scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch
|
||||||
|
Patch14: scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
|
||||||
|
Patch15: scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
|
||||||
|
|
||||||
BuildRequires: libxslt
|
BuildRequires: libxslt
|
||||||
BuildRequires: expat
|
BuildRequires: expat
|
||||||
@ -123,6 +138,18 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Aug 15 2022 Watson Sato <wsato@redhat.com> - 0.1.63-3
|
||||||
|
- Fix Ansible partition conditional (RHBZ#2032403)
|
||||||
|
|
||||||
|
* Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2
|
||||||
|
- aligning with the latest STIG update (RHBZ#2112937)
|
||||||
|
- OSPP: use Authselect minimal profile (RHBZ#2117192)
|
||||||
|
- OSPP: change rules for protecting of boot (RHBZ#2116440)
|
||||||
|
- add warning about configuring of TCP queues to rsyslog_remote_loghost (RHBZ#2078974)
|
||||||
|
- fix handling of Defaults clause in sudoers (RHBZ#2083109)
|
||||||
|
- make rules checking for mount options of /tmp and /var/tmp applicable only when the partition really exists (RHBZ#2032403)
|
||||||
|
- fix handling of Rsyslog include directives (RHBZ#2075384)
|
||||||
|
|
||||||
* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
|
* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
|
||||||
- Rebase to a new upstream release 0.1.63 (RHBZ#2070564)
|
- Rebase to a new upstream release 0.1.63 (RHBZ#2070564)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user