From 2d22616a6223e26662c1dc81e0389349defd716a Mon Sep 17 00:00:00 2001 From: Flos Lonicerae Date: Wed, 13 Apr 2022 20:06:18 +0800 Subject: [PATCH 01/15] rsyslog: Fix array creation when path has wildcard This patch fixes the issue that the array is expanded to wildcard path instead of its elements. A simple test case as follows: /etc/rsyslog.conf include(file="/etc/rsyslog.d/*.conf" mode="optional") /etc/rsyslog.d/custom1.conf local1.* /tmp/local1.out /etc/rsyslog.d/custom2.conf local2.* /tmp/local2.out --- .../rsyslog_files_permissions/bash/shared.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh index b794ea8db31..02b0c36d899 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh @@ -5,8 +5,8 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" # * And also the log file paths listed after rsyslog's $IncludeConfig directive # (store the result into array for the case there's shell glob used as value of IncludeConfig) -readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) -readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) +readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)) +readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)) # Declare an array to hold the final list of different log file paths declare -a LOG_FILE_PATHS From 37a57668e98ba613d850e4c4ec4363dc7687d06d Mon Sep 17 00:00:00 2001 From: Flos Lonicerae Date: Thu, 14 Apr 2022 15:58:04 +0800 Subject: [PATCH 02/15] A better fix. * Should also fixed the CI failure. --- .../rsyslog_files_permissions/bash/shared.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh index 02b0c36d899..1aebb8f9da5 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh @@ -5,8 +5,10 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" # * And also the log file paths listed after rsyslog's $IncludeConfig directive # (store the result into array for the case there's shell glob used as value of IncludeConfig) -readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)) -readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)) +readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) +readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) +readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) +readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) # Declare an array to hold the final list of different log file paths declare -a LOG_FILE_PATHS From 5135fb64fb773400234c740a3feeac206ac7f42a Mon Sep 17 00:00:00 2001 From: Flos Lonicerae Date: Fri, 15 Apr 2022 10:47:37 +0800 Subject: [PATCH 03/15] Add test for wildcard paths used in rsyslog --- .../include_config_syntax_perms_0600.pass.sh | 56 ++++++++++++++++++ .../include_config_syntax_perms_0601.fail.sh | 57 +++++++++++++++++++ 2 files changed, 113 insertions(+) create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh new file mode 100755 index 00000000000..7cb09128d78 --- /dev/null +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh @@ -0,0 +1,56 @@ +#!/bin/bash +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle + +# Check rsyslog.conf with log file permissions 0600 from rules and +# log file permissions 0600 from $IncludeConfig passes. + +source $SHARED/rsyslog_log_utils.sh + +PERMS=0600 + +# setup test data +create_rsyslog_test_logs 3 + +# setup test log files and permissions +chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} +chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} +chmod $PERMS ${RSYSLOG_TEST_LOGS[2]} + +# create test configuration file +conf_subdir=${RSYSLOG_TEST_DIR}/subdir +mkdir ${conf_subdir} +test_subdir_conf=${conf_subdir}/test_subdir.conf +test_conf=${RSYSLOG_TEST_DIR}/test.conf +cat << EOF > ${test_subdir_conf} +# rsyslog configuration file + +#### RULES #### + +*.* ${RSYSLOG_TEST_LOGS[2]} +EOF + +cat << EOF > ${test_conf} +# rsyslog configuration file + +#### RULES #### + +*.* ${RSYSLOG_TEST_LOGS[1]} +EOF + +# create rsyslog.conf configuration file +cat << EOF > $RSYSLOG_CONF +# rsyslog configuration file + +#### RULES #### + +*.* ${RSYSLOG_TEST_LOGS[0]} + +#### MODULES #### + +include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") +include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") + +\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf +\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf + +EOF diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh new file mode 100755 index 00000000000..942eaf086a1 --- /dev/null +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh @@ -0,0 +1,57 @@ +#!/bin/bash +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol + +# Check rsyslog.conf with log file permissions 0600 from rules and +# log file permissions 0601 from $IncludeConfig fails. + +source $SHARED/rsyslog_log_utils.sh + +PERMS_PASS=0600 +PERMS_FAIL=0601 + +# setup test data +create_rsyslog_test_logs 3 + +# setup test log files and permissions +chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} +chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} + +# create test configuration file +conf_subdir=${RSYSLOG_TEST_DIR}/subdir +mkdir ${conf_subdir} +test_subdir_conf=${conf_subdir}/test_subdir.conf +test_conf=${RSYSLOG_TEST_DIR}/test.conf +cat << EOF > ${test_subdir_conf} +# rsyslog configuration file + +#### RULES #### + +*.* ${RSYSLOG_TEST_LOGS[2]} +EOF + +cat << EOF > ${test_conf} +# rsyslog configuration file + +#### RULES #### + +*.* ${RSYSLOG_TEST_LOGS[1]} +EOF + +# create rsyslog.conf configuration file +cat << EOF > $RSYSLOG_CONF +# rsyslog configuration file + +#### RULES #### + +*.* ${RSYSLOG_TEST_LOGS[0]} + +#### MODULES #### + +include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") +include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") + +\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf +\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf + +EOF From 052558d8d5be3b8ce49067ab8c05ed9ea92bab0b Mon Sep 17 00:00:00 2001 From: Flos Lonicerae Date: Thu, 19 May 2022 01:22:19 +0800 Subject: [PATCH 04/15] The way using 'find' can be retired. --- .../rsyslog_files_permissions/bash/shared.sh | 20 +++++-------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh index 1aebb8f9da5..cece5930ee8 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh @@ -13,22 +13,12 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf # Declare an array to hold the final list of different log file paths declare -a LOG_FILE_PATHS -RSYSLOG_CONFIGS=() -RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") +declare -a RSYSLOG_CONFIGS +RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") -# Get full list of files to be checked -# RSYSLOG_CONFIGS may contain globs such as -# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule -# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files. -RSYSLOG_FILES=() -for ENTRY in "${RSYSLOG_CONFIGS[@]}" -do - mapfile -t FINDOUT < <(find "$(dirname "${ENTRY}")" -maxdepth 1 -name "$(basename "${ENTRY}")") - RSYSLOG_FILES+=("${FINDOUT[@]}") -done - -# Check file and fix if needed. -for LOG_FILE in "${RSYSLOG_FILES[@]}" +# Browse each file selected above as containing paths of log files +# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) +for LOG_FILE in "${RSYSLOG_CONFIGS[@]}" do # From each of these files extract just particular log file path(s), thus: # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, From 4f1d08642a74c0be7cd02815784a2c81b7b558ee Mon Sep 17 00:00:00 2001 From: Flos Lonicerae Date: Fri, 20 May 2022 01:30:37 +0800 Subject: [PATCH 05/15] Cover the include pattern '/etc/rsyslog.d/' --- .../rsyslog_files_permissions/bash/shared.sh | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh index cece5930ee8..50d36d7426f 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh @@ -13,12 +13,30 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf # Declare an array to hold the final list of different log file paths declare -a LOG_FILE_PATHS +# Array to hold all rsyslog config entries declare -a RSYSLOG_CONFIGS RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") +# Array to hold all rsyslog config files +declare -a RSYSLOG_CONFIG_FILES +for ENTRY in "${RSYSLOG_CONFIGS[@]}" +do + # If directory, need to include files recursively + if [ -d "${ENTRY}" ] + then + readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf') + RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") + elif [ -f "${ENTRY}" ] + then + RSYSLOG_CONFIG_FILES+=("${ENTRY}") + else + echo "Invalid include object: ${ENTRY}" + fi +done + # Browse each file selected above as containing paths of log files # ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) -for LOG_FILE in "${RSYSLOG_CONFIGS[@]}" +for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" do # From each of these files extract just particular log file path(s), thus: # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, From d77551b64c4d67226627d0819dc30fff9433ac2b Mon Sep 17 00:00:00 2001 From: Flos Lonicerae Date: Fri, 20 May 2022 01:46:33 +0800 Subject: [PATCH 06/15] Update test files. --- .../tests/include_config_syntax_perms_0600.pass.sh | 2 ++ .../tests/include_config_syntax_perms_0601.fail.sh | 2 ++ 2 files changed, 4 insertions(+) diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh index 7cb09128d78..2ddd9fcb697 100755 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh @@ -49,8 +49,10 @@ cat << EOF > $RSYSLOG_CONF include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") +include(file="${RSYSLOG_TEST_DIR}" mode="optional") \$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf \$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf +\$IncludeConfig ${RSYSLOG_TEST_DIR} EOF diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh index 942eaf086a1..73ff3332c6d 100755 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh @@ -50,8 +50,10 @@ cat << EOF > $RSYSLOG_CONF include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") +include(file="${RSYSLOG_TEST_DIR}" mode="optional") \$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf \$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf +\$IncludeConfig ${RSYSLOG_TEST_DIR} EOF From 9a97bfa1ca4c918a39a68131e5fbc46fa7b00961 Mon Sep 17 00:00:00 2001 From: Flos Lonicerae Date: Fri, 20 May 2022 10:03:32 +0800 Subject: [PATCH 07/15] Rsyslog says we should include all files --- .../rsyslog_files_permissions/bash/shared.sh | 2 +- .../include_config_syntax_perms_0600.pass.sh | 16 +++++++++++++++- .../include_config_syntax_perms_0601.fail.sh | 16 +++++++++++++++- 3 files changed, 31 insertions(+), 3 deletions(-) diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh index 50d36d7426f..cd5014105e9 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh @@ -24,7 +24,7 @@ do # If directory, need to include files recursively if [ -d "${ENTRY}" ] then - readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf') + readarray -t FINDOUT < <(find "${ENTRY}" -type f) RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") elif [ -f "${ENTRY}" ] then diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh index 2ddd9fcb697..755865ca522 100755 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh @@ -9,20 +9,24 @@ source $SHARED/rsyslog_log_utils.sh PERMS=0600 # setup test data -create_rsyslog_test_logs 3 +create_rsyslog_test_logs 4 # setup test log files and permissions chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} chmod $PERMS ${RSYSLOG_TEST_LOGS[2]} +chmod $PERMS ${RSYSLOG_TEST_LOGS[3]} # create test configuration file conf_subdir=${RSYSLOG_TEST_DIR}/subdir mkdir ${conf_subdir} test_subdir_conf=${conf_subdir}/test_subdir.conf test_conf=${RSYSLOG_TEST_DIR}/test.conf +test_bak=${RSYSLOG_TEST_DIR}/test.bak + cat << EOF > ${test_subdir_conf} # rsyslog configuration file +# test_subdir_conf #### RULES #### @@ -31,12 +35,22 @@ EOF cat << EOF > ${test_conf} # rsyslog configuration file +# test_conf #### RULES #### *.* ${RSYSLOG_TEST_LOGS[1]} EOF +cat << EOF > ${test_bak} +# rsyslog configuration file +# test_bak + +#### RULES #### + +*.* ${RSYSLOG_TEST_LOGS[3]} +EOF + # create rsyslog.conf configuration file cat << EOF > $RSYSLOG_CONF # rsyslog configuration file diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh index 73ff3332c6d..063b1a0cbe5 100755 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh @@ -10,20 +10,24 @@ PERMS_PASS=0600 PERMS_FAIL=0601 # setup test data -create_rsyslog_test_logs 3 +create_rsyslog_test_logs 4 # setup test log files and permissions chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} +chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]} # create test configuration file conf_subdir=${RSYSLOG_TEST_DIR}/subdir mkdir ${conf_subdir} test_subdir_conf=${conf_subdir}/test_subdir.conf test_conf=${RSYSLOG_TEST_DIR}/test.conf +test_bak=${RSYSLOG_TEST_DIR}/test.bak + cat << EOF > ${test_subdir_conf} # rsyslog configuration file +# test_subdir_conf #### RULES #### @@ -32,12 +36,22 @@ EOF cat << EOF > ${test_conf} # rsyslog configuration file +# test_conf #### RULES #### *.* ${RSYSLOG_TEST_LOGS[1]} EOF +cat << EOF > ${test_bak} +# rsyslog configuration file +# test_bak + +#### RULES #### + +*.* ${RSYSLOG_TEST_LOGS[3]} +EOF + # create rsyslog.conf configuration file cat << EOF > $RSYSLOG_CONF # rsyslog configuration file From fcfc7c126ed76488085ef35cd0fd497c272aa364 Mon Sep 17 00:00:00 2001 From: Flos Lonicerae Date: Sat, 21 May 2022 16:02:26 +0800 Subject: [PATCH 08/15] Match glob() function of rsyslog --- .../rsyslog_files_permissions/bash/shared.sh | 5 ++- .../include_config_syntax_perms_0600.pass.sh | 39 ++++++++++++------- .../include_config_syntax_perms_0601.fail.sh | 39 ++++++++++++------- 3 files changed, 55 insertions(+), 28 deletions(-) diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh index cd5014105e9..38105bf086b 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh @@ -21,10 +21,11 @@ RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYS declare -a RSYSLOG_CONFIG_FILES for ENTRY in "${RSYSLOG_CONFIGS[@]}" do - # If directory, need to include files recursively + # If directory, rsyslog will search for config files in recursively. + # However, files in hidden sub-directories or hidden files will be ignored. if [ -d "${ENTRY}" ] then - readarray -t FINDOUT < <(find "${ENTRY}" -type f) + readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f) RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") elif [ -f "${ENTRY}" ] then diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh index 755865ca522..a5a2f67fadc 100755 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh @@ -9,48 +9,61 @@ source $SHARED/rsyslog_log_utils.sh PERMS=0600 # setup test data -create_rsyslog_test_logs 4 +create_rsyslog_test_logs 5 # setup test log files and permissions chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} chmod $PERMS ${RSYSLOG_TEST_LOGS[2]} chmod $PERMS ${RSYSLOG_TEST_LOGS[3]} +chmod $PERMS ${RSYSLOG_TEST_LOGS[4]} -# create test configuration file +# create test configuration files conf_subdir=${RSYSLOG_TEST_DIR}/subdir +conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir mkdir ${conf_subdir} -test_subdir_conf=${conf_subdir}/test_subdir.conf -test_conf=${RSYSLOG_TEST_DIR}/test.conf -test_bak=${RSYSLOG_TEST_DIR}/test.bak +mkdir ${conf_hiddir} -cat << EOF > ${test_subdir_conf} +test_conf_in_subdir=${conf_subdir}/in_subdir.conf +test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak + +test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf +test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf + +cat << EOF > ${test_conf_in_subdir} # rsyslog configuration file -# test_subdir_conf #### RULES #### -*.* ${RSYSLOG_TEST_LOGS[2]} +*.* ${RSYSLOG_TEST_LOGS[1]} EOF -cat << EOF > ${test_conf} +cat << EOF > ${test_conf_name_bak} # rsyslog configuration file -# test_conf #### RULES #### -*.* ${RSYSLOG_TEST_LOGS[1]} +*.* ${RSYSLOG_TEST_LOGS[2]} EOF -cat << EOF > ${test_bak} +cat << EOF > ${test_conf_in_hiddir} # rsyslog configuration file -# test_bak +# not used #### RULES #### *.* ${RSYSLOG_TEST_LOGS[3]} EOF +cat << EOF > ${test_conf_dot_name} +# rsyslog configuration file +# not used + +#### RULES #### + +*.* ${RSYSLOG_TEST_LOGS[4]} +EOF + # create rsyslog.conf configuration file cat << EOF > $RSYSLOG_CONF # rsyslog configuration file diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh index 063b1a0cbe5..a9d0adfb727 100755 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh @@ -10,48 +10,61 @@ PERMS_PASS=0600 PERMS_FAIL=0601 # setup test data -create_rsyslog_test_logs 4 +create_rsyslog_test_logs 5 # setup test log files and permissions chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]} +chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[4]} -# create test configuration file +# create test configuration files conf_subdir=${RSYSLOG_TEST_DIR}/subdir +conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir mkdir ${conf_subdir} -test_subdir_conf=${conf_subdir}/test_subdir.conf -test_conf=${RSYSLOG_TEST_DIR}/test.conf -test_bak=${RSYSLOG_TEST_DIR}/test.bak +mkdir ${conf_hiddir} -cat << EOF > ${test_subdir_conf} +test_conf_in_subdir=${conf_subdir}/in_subdir.conf +test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak + +test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf +test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf + +cat << EOF > ${test_conf_in_subdir} # rsyslog configuration file -# test_subdir_conf #### RULES #### -*.* ${RSYSLOG_TEST_LOGS[2]} +*.* ${RSYSLOG_TEST_LOGS[1]} EOF -cat << EOF > ${test_conf} +cat << EOF > ${test_conf_name_bak} # rsyslog configuration file -# test_conf #### RULES #### -*.* ${RSYSLOG_TEST_LOGS[1]} +*.* ${RSYSLOG_TEST_LOGS[2]} EOF -cat << EOF > ${test_bak} +cat << EOF > ${test_conf_in_hiddir} # rsyslog configuration file -# test_bak +# not used #### RULES #### *.* ${RSYSLOG_TEST_LOGS[3]} EOF +cat << EOF > ${test_conf_dot_name} +# rsyslog configuration file +# not used + +#### RULES #### + +*.* ${RSYSLOG_TEST_LOGS[4]} +EOF + # create rsyslog.conf configuration file cat << EOF > $RSYSLOG_CONF # rsyslog configuration file From 313094b7d5c13ba38a2d02fad544cd4665c5a17d Mon Sep 17 00:00:00 2001 From: Flos Lonicerae Date: Sun, 22 May 2022 21:10:16 +0800 Subject: [PATCH 09/15] Fixed incorrect parsing of rules in old code --- .../rsyslog_files_permissions/bash/shared.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh index 38105bf086b..e1129e34c81 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh @@ -54,7 +54,7 @@ do then NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}") LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}") - FILTERED_PATHS=$(sed -e 's/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g' <<< "${LINES_WITH_PATHS}") + FILTERED_PATHS=$(awk '{if(NF>=2&&($2~/^\//||$2~/^-\//)){sub(/^-\//,"/",$2);print $2}}' <<< "${LINES_WITH_PATHS}") CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}") MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}") # Since above sed command might return more than one item (delimited by newline), split the particular From 86f655ac79d879c1f47bda7a06cc15a64e65e5fb Mon Sep 17 00:00:00 2001 From: Flos Lonicerae Date: Tue, 24 May 2022 00:42:17 +0800 Subject: [PATCH 10/15] Added platform. --- .../tests/include_config_syntax_perms_0601.fail.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh index a9d0adfb727..fe4db0a3c91 100755 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle # Check rsyslog.conf with log file permissions 0600 from rules and # log file permissions 0601 from $IncludeConfig fails. From e71901895f29af9a34fe81938be1332691b6f64a Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 10 Aug 2022 13:56:39 +0200 Subject: [PATCH 11/15] Reset the arrays before using them When bash remediations for a profile are generated, it can happen that a variable with same name is used for multiple remediations. So let's reset the array before using it. --- .../rsyslog_files_permissions/bash/shared.sh | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh index e1129e34c81..d1856ffbe7b 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh @@ -14,11 +14,14 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf declare -a LOG_FILE_PATHS # Array to hold all rsyslog config entries -declare -a RSYSLOG_CONFIGS -RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") +RSYSLOG_CONFIGS=() +RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") -# Array to hold all rsyslog config files -declare -a RSYSLOG_CONFIG_FILES +# Get full list of files to be checked +# RSYSLOG_CONFIGS may contain globs such as +# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule +# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files. +RSYSLOG_CONFIG_FILES=() for ENTRY in "${RSYSLOG_CONFIGS[@]}" do # If directory, rsyslog will search for config files in recursively. From 525dce106bf8d054c83e8d79acbb92cc16224e4c Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 10 Aug 2022 14:55:37 +0200 Subject: [PATCH 12/15] Don't parse hidden config files for Includes Let's follow rsyslog behavior and not capture process hidden config files for includes. --- .../rsyslog_files_permissions/oval/shared.xml | 9 ++++ ...00_IncludeConfig_perms_0601_hidden.pass.sh | 53 +++++++++++++++++++ 2 files changed, 62 insertions(+) create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml index a04e6fd8900..d13177216c3 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml @@ -17,8 +17,17 @@ /etc/rsyslog.conf ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ 1 + state_permissions_ignore_hidden_paths + + + ^.*\/\..*$ + + diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh new file mode 100644 index 00000000000..9b0185c6b2f --- /dev/null +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh @@ -0,0 +1,53 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 + +# Check rsyslog.conf with log file permisssions 0600 from rules and +# log file permissions 0601 from include() fails. + +source $SHARED/rsyslog_log_utils.sh + +PERMS_PASS=0600 +PERMS_FAIL=0601 + +# setup test data +create_rsyslog_test_logs 3 + +# setup test log files and permissions +chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} +chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} + +# create test configuration file +test_conf=${RSYSLOG_TEST_DIR}/test1.conf +cat << EOF > ${test_conf} +# rsyslog configuration file + +#### RULES #### + +*.* ${RSYSLOG_TEST_LOGS[1]} +EOF + +# create hidden test2 configuration file +test_conf2=${RSYSLOG_TEST_DIR}/.test2.conf +cat << EOF > ${test_conf2} +# rsyslog configuration file + +#### RULES #### + +*.* ${RSYSLOG_TEST_LOGS[2]} +EOF + +# create rsyslog.conf configuration file +cat << EOF > $RSYSLOG_CONF +# rsyslog configuration file + +#### RULES #### + +*.* ${RSYSLOG_TEST_LOGS[0]} + +#### MODULES #### + +include(file="${test_conf}") + +\$IncludeConfig ${test_conf2} +EOF From d872c4a2cfcd3331b7aae954aacf3d0d481d1582 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 10 Aug 2022 15:49:11 +0200 Subject: [PATCH 13/15] Add test for for missing rsyslog included files The rsyslog conf file may include other config files. If the included missing files are missing rsyslog will generate an error, but will still continue working. https://www.rsyslog.com/doc/master/rainerscript/include.html#include-a-required-file There is not a good way of ensuring that all files defined in a list of paths exist. --- ...0_IncludeConfig_perms_0601_missing.pass.sh | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh new file mode 100644 index 00000000000..b929f2a94ab --- /dev/null +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh @@ -0,0 +1,45 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 + +# Check rsyslog.conf with log file permisssions 0600 from rules and +# log file permissions 0601 from include() fails. + +source $SHARED/rsyslog_log_utils.sh + +PERMS_PASS=0600 +PERMS_FAIL=0601 + +# setup test data +create_rsyslog_test_logs 3 + +# setup test log files and permissions +chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} +chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} +chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} + +# create test configuration file +test_conf=${RSYSLOG_TEST_DIR}/test1.conf +cat << EOF > ${test_conf} +# rsyslog configuration file + +#### RULES #### + +*.* ${RSYSLOG_TEST_LOGS[1]} +EOF + +# Skip creation test2 configuration file + +# create rsyslog.conf configuration file +cat << EOF > $RSYSLOG_CONF +# rsyslog configuration file + +#### RULES #### + +*.* ${RSYSLOG_TEST_LOGS[0]} + +#### MODULES #### + +include(file="${test_conf}") + +\$IncludeConfig ${test_conf2} +EOF From cf9eaf6e55405248731cb08268bcba6a58a93486 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 10 Aug 2022 21:47:18 +0200 Subject: [PATCH 14/15] Align Ansible remediation with Bash The remediation now expands the glob expressions and doesn't collect hidden files or directories to check for their permissions. --- .../rsyslog_files_permissions/ansible/shared.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml index 635b72f7352..c558bf46c71 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml @@ -19,19 +19,26 @@ shell: | set -o pipefail grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true - register: include_config_output + register: rsyslog_old_inc changed_when: False - name: "Get include files directives" shell: | set -o pipefail grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true - register: include_files_output + register: rsyslog_new_inc changed_when: False +- name: "Expand glob expressions" + shell: | + set -o pipefail + eval printf '%s\\n' {{ item }} + register: include_config_output + loop: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}" + - name: "List all config files" - shell: find "$(dirname "{{ item }}" )" -maxdepth 1 -name "$(basename "{{ item }}")" - loop: "{{ include_config_output.stdout_lines + include_files_output.stdout_lines }}" + shell: find {{ item }} -not -path "*/.*" -type f + loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}" register: rsyslog_config_files changed_when: False From 37e98ed3a86a0e56543132752c62982ff01cd3d9 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Wed, 10 Aug 2022 21:56:05 +0200 Subject: [PATCH 15/15] Ignore invalid or non existing include objects Let's not fail the task when the find doesn't find the include object. When the include is a glob expression that doesn't evaluate to any file the glob itself is used in find command. The Bash remediation prints a message for each include that is not a file is not a directory or doesn't exist. --- .../rsyslog_files_permissions/ansible/shared.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml index c558bf46c71..3a9380cf13b 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml @@ -40,6 +40,7 @@ shell: find {{ item }} -not -path "*/.*" -type f loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}" register: rsyslog_config_files + failed_when: False changed_when: False - name: "Extract log files"