From fbaa0ae639fbb001e4c9e92d9e35f9dd9309d605 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 9 Aug 2021 10:56:36 -0500
Subject: [PATCH 1/2] Allow set_config_file bash macro and lineinfile to set a custom sed path separator
So that if the text has '/' in it the sed path separator can be changed.
---
.../developer/06_contributing_with_content.md | 3 +++
shared/macros-bash.jinja | 23 ++++++++++---------
shared/templates/lineinfile/bash.template | 6 ++++-
3 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/docs/manual/developer/06_contributing_with_content.md b/docs/manual/developer/06_contributing_with_content.md
index 245db1550de..c0d62bef5ca 100644
--- a/docs/manual/developer/06_contributing_with_content.md
+++ b/docs/manual/developer/06_contributing_with_content.md
@@ -1572,6 +1572,9 @@ the following to `rule.yml`:
- **oval_extend_definitions** - optional, list of additional OVAL definitions that have to pass along the generated check. + **sed_path_separator** - optional, default is `/`, sets the sed path separator. Set this + to a character like `#` if `/` is in use in your text. + - Languages: Ansible, Bash, OVAL
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index d654a0e0e89..7af8038a783 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -444,11 +444,12 @@ printf '%s\n' "{{{ message | replace('"', '\\"') }}}" >&2
 # separator_regex: regular expression that describes the separator and surrounding whitespace
 # prefix_regex: regular expression describing allowed leading characters at each line
 #}}
-{{%- macro set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") -%}}
- {{%- set line_regex = prefix_regex + ((parameter | escape_regex) | replace("/", "\/")) + separator_regex -%}}
+
+{{%- macro set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", sed_path_separator="/") -%}}
 {{%- set new_line = parameter+separator+value -%}}
+ {{%- set line_regex = prefix_regex + ((parameter | escape_regex) | replace("/", "\/")) + separator_regex -%}}
 if [ -e "{{{ path }}}" ] ; then
- {{{ lineinfile_absent(path, line_regex, insensitive) | indent(4) }}}
+ {{{ lineinfile_absent(path, line_regex, insensitive, sed_path_separator=sed_path_separator) | indent(4) }}}
 else
 {{%- if create %}}
 touch "{{{ path }}}"
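Review bot: The `replace("/", "\/")` on the moved `line_regex` line is still hard-wired to `/` although the delimiter is now `sed_path_separator`, and as far as the hunk at 456 shows it can never take effect: `lineinfile_absent` raises whenever the regex contains the active separator, so for the default `/` an escaped `\/` is rejected anyway and for a custom separator the filter escapes the wrong character. Either drop the filter or replace it with a comment stating what the macro actually enforces, e.g. `{{# parameter must not contain sed_path_separator; lineinfile_absent rejects it #}}`. Whether `escape_regex` already touches `/` is not visible here. set_config_file's body continues in the next hunk.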
@@ -456,19 +457,19 @@ else
 {{{ die("Path '" + path + "' wasn't found on this system. Refusing to continue.", action="return") | indent(4) }}}
 {{%- endif %}}
 fi
-{{{ lineinfile_present(path, new_line, insert_after, insert_before, insensitive) }}}
+{{{ lineinfile_present(path, new_line, insert_after, insert_before, insensitive, sed_path_separator=sed_path_separator) }}}
 {{%- endmacro -%}}
-{{%- macro lineinfile_absent(path, regex, insensitive=true) -%}}
+{{%- macro lineinfile_absent(path, regex, insensitive=true, sed_path_separator="/") -%}}
 {{%- if insensitive -%}}
 {{%- set modifier="Id" -%}}
 {{%- else -%}}
 {{%- set modifier="d" -%}}
 {{%- endif -%}}
- {{% if '/' in regex %}}
- {{{ raise("regex (" + regex + ") uses sed path separator (/) in " + rule_id) }}}
+ {{% if sed_path_separator in regex %}}
+ {{{ raise("regex (" + regex + ") uses sed path separator (" + sed_path_separator + ") in " + rule_id) }}}
 {{% endif %}}
-LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ path }}}"
+LC_ALL=C sed -i "{{{ sed_path_separator }}}{{{ regex }}}{{{ sed_path_separator }}}{{{ modifier }}}" "{{{ path }}}"
 {{%- endmacro -%}}
 {{%- macro lineinfile_absent_in_directory(dirname, regex, insensitive=true) -%}}
@@ -480,7 +481,7 @@ LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ path }}}"
 LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ dirname }}}"/*
 {{%- endmacro -%}}
-{{%- macro lineinfile_present(path, line, insert_after="", insert_before="", insensitive=true) -%}}
+{{%- macro lineinfile_present(path, line, insert_after="", insert_before="", insensitive=true, sed_path_separator="/") -%}}
 {{%- if insensitive -%}}
 {{%- set grep_args="-q -m 1 -i" -%}}
 {{%- else -%}}
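Review bot: `sed_path_separator` is spliced unvalidated into a double-quoted shell word on the new `LC_ALL=C sed -i "..."` line (and into a single-quoted sed expression in the hunks at 496 and 508), so a value such as a double quote, `$`, a backtick, a backslash or a multi-character string silently yields a broken or different command instead of a template error. The new `in regex` test only guards against the separator occurring in the regex, not against the separator itself being unusable. A guard next to it, `{{% if sed_path_separator | length != 1 %}}` followed by `{{{ raise("sed_path_separator must be a single character in " + rule_id) }}}`, with the shell-special characters listed above excluded in the same condition, turns that into a build-time failure where the template author sees it.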
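Review bot: `lineinfile_absent_in_directory`, whose sed line is the first context line of this hunk, keeps the hard-coded `/` delimiter and does not gain the `sed_path_separator` parameter that `lineinfile_absent` and `lineinfile_present` receive in this patch, so a caller whose regex contains `/` still cannot use the directory variant. Its body starts outside the hunk, so whether it carries the `in regex` guard of its sibling cannot be seen here. Extending it the same way, `{{%- macro lineinfile_absent_in_directory(dirname, regex, insensitive=true, sed_path_separator="/") -%}}` and `LC_ALL=C sed -i "{{{ sed_path_separator }}}{{{ regex }}}{{{ sed_path_separator }}}{{{ modifier }}}" "{{{ dirname }}}"/*`, keeps the three macros consistent.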
@@ -496,7 +497,7 @@ printf '%s\n' "{{{ line }}}" > "{{{ path }}}"
 cat "{{{ path }}}.bak" >> "{{{ path }}}"
 {{%- elif insert_after %}}
 # Insert after the line matching the regex '{{{ insert_after }}}'
-line_number="$(LC_ALL=C grep -n "{{{ insert_after }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')"
+line_number="$(LC_ALL=C grep -n "{{{ insert_after }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's{{{sed_path_separator}}}:.*{{{sed_path_separator}}}{{{sed_path_separator}}}g')"
 if [ -z "$line_number" ]; then
 # There was no match of '{{{ insert_after }}}', insert at
 # the end of the file.
@@ -508,7 +509,7 @@ else
 fi
 {{%- elif insert_before %}}
 # Insert before the line matching the regex '{{{ insert_before }}}'.
-line_number="$(LC_ALL=C grep -n "{{{ insert_before }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')"
+line_number="$(LC_ALL=C grep -n "{{{ insert_before }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's{{{sed_path_separator}}}:.*{{{sed_path_separator}}}{{{sed_path_separator}}}g')"
 if [ -z "$line_number" ]; then
 # There was no match of '{{{ insert_before }}}', insert at
 # the end of the file.
diff --git a/shared/templates/lineinfile/bash.template b/shared/templates/lineinfile/bash.template
index 0e43e88842a..6d1ca349268 100644
--- a/shared/templates/lineinfile/bash.template
+++ b/shared/templates/lineinfile/bash.template
@@ -4,4 +4,8 @@
 # complexity = low
 # disruption = low
-{{{ set_config_file(PATH, TEXT, value="", create='yes', insert_after="", insert_before="", separator="", separator_regex="", prefix_regex="^\s*") -}}}
+{{% if SED_PATH_SEPARATOR %}}
+ {{{ set_config_file(PATH, TEXT, value="", create='yes', insert_after="", insert_before="", separator="", separator_regex="", prefix_regex="^\s*", sed_path_separator=SED_PATH_SEPARATOR) -}}}
+{{% else %}}
+ {{{ set_config_file(PATH, TEXT, value="", create='yes', insert_after="", insert_before="", separator="", separator_regex="", prefix_regex="^\s*") -}}}
+{{% endif %}}
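Review bot: Changing the delimiter of the `s/:.*//g` on the `line_number=` line (and the identical one in the hunk at 508) is not needed and introduces a new failure: the pattern `:.*` contains no `/`, so the original expression works for every value of `sed_path_separator`, whereas the new form breaks for a separator of `:` (the `s::.*::g` it produces has an empty pattern). Keeping `LC_ALL=C sed 's/:.*//g'` on both lines is the safer choice; the separator only matters for the user-supplied regex in lineinfile_absent. If the substitution is kept anyway, the `{{{sed_path_separator}}}` spellings drop the inner spaces every other expression in this file uses and should read `{{{ sed_path_separator }}}`. lineinfile_present continues outside this hunk.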
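Review bot: The two `set_config_file(...)` calls in the new `if`/`else` differ only in the trailing `sed_path_separator=` argument, so every future change to the nine shared arguments has to be made twice. If an unset template parameter is the falsy `Undefined` that the surrounding `{{% if SED_PATH_SEPARATOR %}}` already relies on, a single call, `{{{ set_config_file(PATH, TEXT, value="", create='yes', insert_after="", insert_before="", separator="", separator_regex="", prefix_regex="^\s*", sed_path_separator=SED_PATH_SEPARATOR or "/") -}}}`, removes the duplication and drops the branch. Whether the template loader passes missing parameters as `Undefined` or as an empty string is not visible here; both are falsy, so the `or "/"` form covers either.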
From 4b3182bd5d5308fed16f58da9656aa76a4275569 Mon Sep 17 00:00:00 2001 
From: Matthew Burket
Date: Mon, 9 Aug 2021 13:56:32 -0500
Subject: [PATCH 2/2] Add new rule for RHEL-08-030720
---
.../ansible/shared.yml | 9 ++++
.../bash/shared.sh | 11 +++++
.../oval/shared.xml | 43 +++++++++++++++++++
.../rule.yml | 40 +++++++++++++++++
.../tests/default_no_pass.fail.sh | 7 +++
.../tests/rsyslog.pass.sh | 4 ++
.../tests/rsyslog_wrong_value.fail.sh | 4 ++
.../tests/rsyslogd.pass.sh | 4 ++
.../tests/rsyslogd_wrong_value.fail.sh | 4 ++
.../tests/setup.sh | 9 ++++
products/rhel8/profiles/stig.profile | 1 +
shared/references/cce-redhat-avail.txt | 1 -
.../data/profile_stability/rhel8/stig.profile | 1 +
.../profile_stability/rhel8/stig_gui.profile | 1 +
14 files changed, 138 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/bash/shared.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/oval/shared.xml
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/rule.yml
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/default_no_pass.fail.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog.pass.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog_wrong_value.fail.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd.pass.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd_wrong_value.fail.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/setup.sh
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml
new file mode 100644
index 00000000000..637f90003b2
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml
@@ -0,0 +1,9 @@
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+{{{ ansible_set_config_file_dir(msg, "/etc/rsyslog.conf", "/etc/rsyslog.d", "/etc/rsyslog.conf",
+ "$ActionSendStreamDriverAuthMode", separator=' ', separator_regex='\s',
+ value="x509/name", create='yes') }}}
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/bash/shared.sh
new file mode 100644
index 00000000000..71d312f332f
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/bash/shared.sh
@@ -0,0 +1,11 @@
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+if ! grep -s "\$ActionSendStreamDriverAuthMode\s*x509/name" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
+ mkdir -p /etc/rsyslog.d
+ sed -i '/^.*\$ActionSendStreamDriverAuthMode.*/d' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
+ echo "\$ActionSendStreamDriverAuthMode x509/name" > /etc/rsyslog.d/stream_driver_auth.conf
+fi
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/oval/shared.xml
new file mode 100644
index 00000000000..8e1ec48a974
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/oval/shared.xml
@@ -0,0 +1,43 @@
+ + + {{{ oval_metadata("Rsyslogd must authenticate remote system its sending logs to.") }}} + + + + + + + + + + + + + + + /etc/rsyslog.conf + ^\$ActionSendStreamDriverAuthMode x509/name$ + 1 + + + + + + + + /etc/rsyslog.d + ^.*conf$ + ^\$ActionSendStreamDriverAuthMode x509/name$ + 1 + 
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/rule.yml
new file mode 100644
index 00000000000..beaf8ce96da
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/rule.yml
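Review bot: The idempotence test `grep -s "\$ActionSendStreamDriverAuthMode\s*x509/name"` is unanchored, so a commented-out `#$ActionSendStreamDriverAuthMode x509/name` or a run-together `$ActionSendStreamDriverAuthModex509/name` counts as configured and the remediation exits without writing anything, while the OVAL check in this same patch requires the anchored `^\$ActionSendStreamDriverAuthMode x509/name$` and keeps failing. `-s` alone also prints the matching line to stdout; `-q` is what is wanted. Anchoring both ends and requiring a separator, `if ! grep -qs "^\$ActionSendStreamDriverAuthMode\s\+x509/name$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then`, brings it in line with the check. Separately, the `sed -i ... /etc/rsyslog.d/*.conf` line runs right after `mkdir -p` on a directory that may be empty, where the unmatched glob is passed literally and sed reports a missing file; `shopt -s nullglob` before the loop-free body avoids that. Since patch 1 of this series added `sed_path_separator` for exactly this kind of value (`x509/name`), the hand-written sed could presumably go through the shared `set_config_file` path that the Ansible remediation already uses, if a directory-aware bash macro exists.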
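Review bot: Both `^\$ActionSendStreamDriverAuthMode x509/name$` patterns accept exactly one space and no trailing whitespace, whereas the bash remediation's own grep in this patch accepts any run of whitespace (`\s*`) and the Ansible call uses `separator_regex='\s'`; a line written with a tab or two spaces is therefore treated as compliant by the bash remediation, which then leaves it alone, but fails this check. If rsyslog accepts such spacing for legacy directives (not verified here), `^\$ActionSendStreamDriverAuthMode\s+x509/name\s*$` keeps check and remediation agreeing. The metadata string reads `Rsyslogd must authenticate remote system its sending logs to.` and should be `Rsyslogd must authenticate the remote system it is sending logs to.`. The XML element names are stripped in this rendering, so the object/state wiring cannot be reviewed further.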
@@ -0,0 +1,40 @@ +documentation_complete: true + +title: Ensure Rsyslog Authenticates Off-Loaded Audit Records + +description: |- + Rsyslogd is a system utility providing support for message logging. Support + for both internet and UNIX domain sockets enables this utility to support both local + and remote logging. Couple this utility with gnutls (which is a secure communications + library implementing the SSL, TLS and DTLS protocols), and you have a method to securely + encrypt and off-load auditing. + + When using rsyslogd to off-load logs the remote system must be authenticated. + +rationale: |- + The audit records generated by Rsyslog contain valuable information regarding system + configuration, user authentication, and other such information. Audit records should be + protected from unauthorized access. + +severity: medium + +identifiers: + cce@rhel8: CCE-86339-9 + +references: + disa: CCI-001851 + nist: AU-4(1) + srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224 + stigid@rhel8: RHEL-08-030720 + + +ocil_clause: '$ActionSendStreamDriverAuthMode in /etc/rsyslog.conf is not set to x509/name' + +ocil: |- + Verify the operating system authenticates the remote logging server for off-loading audit logs with the following command: + +
$ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
+ The output should be +
$/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name
+ +
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/default_no_pass.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/default_no_pass.fail.sh
new file mode 100644
index 00000000000..54d70f6b85f
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/default_no_pass.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+bash -x setup.sh
+
+if [[ -f encrypt.conf ]]; then
+ sed -i "/^\$ActionSendStreamDriverMod.*/d" /etc/rsyslog.conf
+fi
+ sed -i "/^\$ActionSendStreamDriverMod.*/d" /etc/rsyslog.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog.pass.sh
new file mode 100644
index 00000000000..fe3db6f9c41
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+bash -x setup.sh
+
+echo "\$ActionSendStreamDriverAuthMode x509/name" >> /etc/rsyslog.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog_wrong_value.fail.sh
new file mode 100644
index 00000000000..bad06fba0e9
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog_wrong_value.fail.sh
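Review bot: The expected output in the `ocil` block, `$/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name`, carries a stray leading `$` (a copied prompt), so the sample differs from what the grep above it prints; it should read `/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name`. The `ocil_clause` names only `/etc/rsyslog.conf`, while the grep in the same block and the OVAL check also cover `/etc/rsyslog.d/*.conf`; `ocil_clause: '$ActionSendStreamDriverAuthMode is not set to x509/name in /etc/rsyslog.conf or /etc/rsyslog.d/*.conf'` matches what is actually checked. The two `<pre>` lines of this hunk lost their `+` markers in this rendering, so their exact indentation could not be verified.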
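Review bot: The two `sed -i "/^\$ActionSendStreamDriverMod.*/d"` lines match `$ActionSendStreamDriverMode`, a different directive, and never `$ActionSendStreamDriverAuthMode`, the one this rule checks, so the scenario only fails today because a default configuration happens not to contain the directive at all. `[[ -f encrypt.conf ]]` also tests a path relative to the working directory rather than the `/etc/rsyslog.d/encrypt.conf` the sibling tests write, and the indented `sed` after `fi` repeats the one inside the branch on the same file. The three changed lines would be `if [[ -f /etc/rsyslog.d/encrypt.conf ]]; then`, `sed -i "/^\$ActionSendStreamDriverAuthMode.*/d" /etc/rsyslog.d/encrypt.conf` inside the branch, and `sed -i "/^\$ActionSendStreamDriverAuthMode.*/d" /etc/rsyslog.conf` after `fi`.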
@@ -0,0 +1,4 @@
+#!/bin/bash
+bash -x setup.sh
+
+echo "\$ActionSendStreamDriverAuthMode 0" >> /etc/rsyslog.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd.pass.sh
new file mode 100644
index 00000000000..ab511daecc7
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+bash -x setup.sh
+
+echo "\$ActionSendStreamDriverAuthMode x509/name" >> /etc/rsyslog.d/encrypt.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd_wrong_value.fail.sh
new file mode 100644
index 00000000000..02bf64747a7
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd_wrong_value.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+bash -x setup.sh
+
+echo "\$ActionSendStreamDriverAuthMode x509/certvalid" >> /etc/rsyslog.d/encrypt.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/setup.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/setup.sh
new file mode 100644
index 00000000000..9686f16bcc9
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/setup.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# Use this script to ensure the rsyslog directory structure and rsyslog conf file
+# exist in the test env.
+config_file=/etc/rsyslog.conf
+
+# Ensure directory structure exists (useful for container based testing)
+test -f $config_file || touch $config_file
+
+test -d /etc/rsyslog.d/ || mkdir /etc/rsyslog.d/
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index ec0a3b17537..382247057cd 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -854,6 +854,7 @@ selections:
- rsyslog_encrypt_offload_actionsendstreamdrivermode # RHEL-08-030720 + - rsyslog_encrypt_offload_actionsendstreamdriverauthmode # RHEL-08-030730 # this rule expects configuration in MB instead percentage as how STIG demands
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 61384c108a0..03211442aba 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -460,7 +460,6 @@ CCE-86335-7
 CCE-86336-5
 CCE-86337-3
 CCE-86338-1
-CCE-86339-9
 CCE-86340-7
 CCE-86341-5
 CCE-86342-3
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index bffa509b698..481e7b28228 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -238,6 +238,7 @@ selections:
 - require_singleuser_auth
 - root_permissions_syslibrary_files
 - rsyslog_cron_logging
+- rsyslog_encrypt_offload_actionsendstreamdriverauthmode
 - rsyslog_encrypt_offload_actionsendstreamdrivermode
 - rsyslog_encrypt_offload_defaultnetstreamdriver
 - rsyslog_remote_access_monitoring
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index c84ac75c7bf..7fb3d892a30 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -249,6 +249,7 @@ selections:
 - require_singleuser_auth
 - root_permissions_syslibrary_files
 - rsyslog_cron_logging
+- rsyslog_encrypt_offload_actionsendstreamdriverauthmode
 - rsyslog_encrypt_offload_actionsendstreamdrivermode
 - rsyslog_encrypt_offload_defaultnetstreamdriver
 - rsyslog_remote_access_monitoring