From 179cf6b43b8f10b4907267d976cb503066710e6f Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 14 May 2020 01:20:53 +0200 Subject: [PATCH 1/4] Do not take paths from include or IncludeConfig All paths in /etc/rsyslog.conf were taken as log files, but paths in lines containing "include" or "$IncludeConfig" are config files. Let's not take them in as log files --- .../rsyslog_files_permissions/oval/shared.xml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml index a78cd69df2..c74f3da3f5 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml @@ -87,8 +87,18 @@ --> ^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ 1 + state_ignore_include_paths + + + (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+) + + From 4a408d29313d8ea5aed4fa65cacad86f8078159c Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 14 May 2020 00:16:37 +0200 Subject: [PATCH 2/4] Fix permissions of files referenced by include() The remediation script also needs to parse the files included via "include()". The awk also takes into consideration the multiline aspect. --- .../rsyslog_files_permissions/bash/shared.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh index 6cbf0c6a24..dca35301e7 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh 
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh @@ -6,12 +6,14 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" # * And also the log file paths listed after rsyslog's $IncludeConfig directive # (store the result into array for the case there's shell glob used as value of IncludeConfig) readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) +readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) + # Declare an array to hold the final list of different log file paths declare -a LOG_FILE_PATHS # Browse each file selected above as containing paths of log files # ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) -for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" +for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}" do # From each of these files extract just particular log file path(s), thus: # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, From 812e9b487e3c11a18e5e3a965ac23ec1a0d64e91 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 15 May 2020 15:53:58 +0200 Subject: [PATCH 3/4] Make regex for include file more strict For some reason gensub in awk doesn't support non capturing group. So the group with OR is capturing and we substitute everyting with the second group, witch matches the file path. --- .../rsyslog_files_permissions/bash/shared.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh index dca35301e7..99d2d0e794 100644 
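Review bot: The awk flag `f` is never cleared after a single-line `include(...)`, because the `/)/{f=0}` rule runs before `/include\(/{f=1}` on the same record, so `f` stays 1 until some later line happens to contain `)`, and any intervening line of the form `file="..."` (for example the `file=` parameter of a multi-line `action(type="omfile" ...)` statement) is emitted into RSYSLOG_INCLUDE and then treated as a config file. Judging from the surrounding comments, the loop body below (outside the hunk) extracts log paths from every listed file, so a log file whose contents are partly supplied by remote syslog clients could end up feeding paths into the permission fixup; the list should hold only genuine config files. Putting the reset rule last fixes the ordering: `readarray -t RSYSLOG_INCLUDE < <(awk '/include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}} /)/{f=0}' /etc/rsyslog.conf)`. The same rule order is kept in the [PATCH 3/4] hunk that tightens the gensub pattern, so the fix applies there too. The `for LOG_FILE in ...` loop that starts in this hunk continues past its end.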
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh @@ -6,7 +6,7 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" # * And also the log file paths listed after rsyslog's $IncludeConfig directive # (store the result into array for the case there's shell glob used as value of IncludeConfig) readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) -readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) +readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) # Declare an array to hold the final list of different log file paths declare -a LOG_FILE_PATHS From c49f8aaf717313a41bbdfca188dd491a13d1133e Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Fri, 15 May 2020 16:55:02 +0200 Subject: [PATCH 4/4] Extend OVAL fix to groupownership and ownership These three files basically work the same way --- .../rsyslog_files_groupownership/oval/shared.xml | 10 ++++++++++ .../rsyslog_files_ownership/oval/shared.xml | 10 ++++++++++ .../rsyslog_files_permissions/oval/shared.xml | 4 ++-- 3 files changed, 22 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml index 5828f25321..9941e2b94f 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml 
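Review bot: The tightened pattern `^(include\\(|\\s*)file=\"(\\S+)\".*` only matches when `file=` is the first parameter of a single-line include; as far as I know RainerScript does not fix parameter order, so `include(mode="optional" file="/etc/rsyslog.d/*.conf")` is now silently skipped where the previous `.*file=` form accepted it. Allowing other parameters before it keeps the anchoring while accepting either order, e.g. `gensub("^(include\\(|\\s*)([^)]*\\s)?file=\"(\\S+)\".*","\\3",1)`. It is also worth a comment above the readarray line that `gensub()`, `\s` and `\S` are GNU awk extensions, since on mawk or busybox awk this yields an empty list rather than an error: `# NOTE: gensub()/\s/\S are gawk-only; other awks silently produce no include paths`. The readarray line sits at file top level, outside any function.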
@@ -86,8 +86,18 @@ --> ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ 1 + state_groupownership_ignore_include_paths + + + (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+) + + diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml index 3c46eab6d6..29dd1a989e 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml @@ -83,8 +83,18 @@ --> ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ 1 + state_owner_ignore_include_paths + + + (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+) + + diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml index c74f3da3f5..da37a15b8c 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml @@ -87,10 +87,10 @@ --> ^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ 1 - state_ignore_include_paths + state_permissions_ignore_include_paths - +