rpms/scap-security-guide
7
0
Fork 0
Code Issues Pull Requests Releases Activity
1d4339f8b0
scap-security-guide/SOURCES/scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
CentOS Sources 1d4339f8b0 import scap-security-guide-0.1.63-4.el8
2022-11-08 06:45:18 +00:00

968 lines
40 KiB
Diff
Raw Blame History

From 2d22616a6223e26662c1dc81e0389349defd716a Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Wed, 13 Apr 2022 20:06:18 +0800
Subject: [PATCH 01/15] rsyslog: Fix array creation when path has wildcard
This patch fixes the issue that the array is expanded to wildcard path instead of its elements.
A simple test case as follows:
/etc/rsyslog.conf
include(file="/etc/rsyslog.d/*.conf" mode="optional")
/etc/rsyslog.d/custom1.conf
local1.* /tmp/local1.out
/etc/rsyslog.d/custom2.conf
local2.* /tmp/local2.out
---
.../rsyslog_files_permissions/bash/shared.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index b794ea8db31..02b0c36d899 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -5,8 +5,8 @@
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
-readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
+readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
From 37a57668e98ba613d850e4c4ec4363dc7687d06d Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Thu, 14 Apr 2022 15:58:04 +0800
Subject: [PATCH 02/15] A better fix.
* Should also fixed the CI failure.
---
.../rsyslog_files_permissions/bash/shared.sh | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 02b0c36d899..1aebb8f9da5 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -5,8 +5,10 @@
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
-readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
-readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
+readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
+readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
From 5135fb64fb773400234c740a3feeac206ac7f42a Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Fri, 15 Apr 2022 10:47:37 +0800
Subject: [PATCH 03/15] Add test for wildcard paths used in rsyslog
---
.../include_config_syntax_perms_0600.pass.sh | 56 ++++++++++++++++++
.../include_config_syntax_perms_0601.fail.sh | 57 +++++++++++++++++++
2 files changed, 113 insertions(+)
create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
new file mode 100755
index 00000000000..7cb09128d78
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
+
+# Check rsyslog.conf with log file permissions 0600 from rules and
+# log file permissions 0600 from $IncludeConfig passes.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS=0600
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+mkdir ${conf_subdir}
+test_subdir_conf=${conf_subdir}/test_subdir.conf
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
+cat << EOF > ${test_subdir_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[2]}
+EOF
+
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+
+EOF
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
new file mode 100755
index 00000000000..942eaf086a1
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+
+# Check rsyslog.conf with log file permissions 0600 from rules and
+# log file permissions 0601 from $IncludeConfig fails.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS_PASS=0600
+PERMS_FAIL=0601
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+mkdir ${conf_subdir}
+test_subdir_conf=${conf_subdir}/test_subdir.conf
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
+cat << EOF > ${test_subdir_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[2]}
+EOF
+
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+
+EOF
From 052558d8d5be3b8ce49067ab8c05ed9ea92bab0b Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Thu, 19 May 2022 01:22:19 +0800
Subject: [PATCH 04/15] The way using 'find' can be retired.
---
.../rsyslog_files_permissions/bash/shared.sh | 20 +++++--------------
1 file changed, 5 insertions(+), 15 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 1aebb8f9da5..cece5930ee8 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -13,22 +13,12 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
-RSYSLOG_CONFIGS=()
-RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
+declare -a RSYSLOG_CONFIGS
+RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
-# Get full list of files to be checked
-# RSYSLOG_CONFIGS may contain globs such as
-# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
-# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
-RSYSLOG_FILES=()
-for ENTRY in "${RSYSLOG_CONFIGS[@]}"
-do
- mapfile -t FINDOUT < <(find "$(dirname "${ENTRY}")" -maxdepth 1 -name "$(basename "${ENTRY}")")
- RSYSLOG_FILES+=("${FINDOUT[@]}")
-done
-
-# Check file and fix if needed.
-for LOG_FILE in "${RSYSLOG_FILES[@]}"
+# Browse each file selected above as containing paths of log files
+# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
+for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
do
# From each of these files extract just particular log file path(s), thus:
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
From 4f1d08642a74c0be7cd02815784a2c81b7b558ee Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Fri, 20 May 2022 01:30:37 +0800
Subject: [PATCH 05/15] Cover the include pattern '/etc/rsyslog.d/'
---
.../rsyslog_files_permissions/bash/shared.sh | 20 ++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index cece5930ee8..50d36d7426f 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -13,12 +13,30 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
+# Array to hold all rsyslog config entries
declare -a RSYSLOG_CONFIGS
RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
+# Array to hold all rsyslog config files
+declare -a RSYSLOG_CONFIG_FILES
+for ENTRY in "${RSYSLOG_CONFIGS[@]}"
+do
+ # If directory, need to include files recursively
+ if [ -d "${ENTRY}" ]
+ then
+ readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
+ RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
+ elif [ -f "${ENTRY}" ]
+ then
+ RSYSLOG_CONFIG_FILES+=("${ENTRY}")
+ else
+ echo "Invalid include object: ${ENTRY}"
+ fi
+done
+
# Browse each file selected above as containing paths of log files
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
-for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
+for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
do
# From each of these files extract just particular log file path(s), thus:
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
From d77551b64c4d67226627d0819dc30fff9433ac2b Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Fri, 20 May 2022 01:46:33 +0800
Subject: [PATCH 06/15] Update test files.
---
.../tests/include_config_syntax_perms_0600.pass.sh | 2 ++
.../tests/include_config_syntax_perms_0601.fail.sh | 2 ++
2 files changed, 4 insertions(+)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
index 7cb09128d78..2ddd9fcb697 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
@@ -49,8 +49,10 @@ cat << EOF > $RSYSLOG_CONF
include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
EOF
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
index 942eaf086a1..73ff3332c6d 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -50,8 +50,10 @@ cat << EOF > $RSYSLOG_CONF
include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
EOF
From 9a97bfa1ca4c918a39a68131e5fbc46fa7b00961 Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Fri, 20 May 2022 10:03:32 +0800
Subject: [PATCH 07/15] Rsyslog says we should include all files
---
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
.../include_config_syntax_perms_0600.pass.sh | 16 +++++++++++++++-
.../include_config_syntax_perms_0601.fail.sh | 16 +++++++++++++++-
3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 50d36d7426f..cd5014105e9 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -24,7 +24,7 @@ do
# If directory, need to include files recursively
if [ -d "${ENTRY}" ]
then
- readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
+ readarray -t FINDOUT < <(find "${ENTRY}" -type f)
RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
elif [ -f "${ENTRY}" ]
then
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
index 2ddd9fcb697..755865ca522 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
@@ -9,20 +9,24 @@ source $SHARED/rsyslog_log_utils.sh
PERMS=0600
# setup test data
-create_rsyslog_test_logs 3
+create_rsyslog_test_logs 4
# setup test log files and permissions
chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
# create test configuration file
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
mkdir ${conf_subdir}
test_subdir_conf=${conf_subdir}/test_subdir.conf
test_conf=${RSYSLOG_TEST_DIR}/test.conf
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
+
cat << EOF > ${test_subdir_conf}
# rsyslog configuration file
+# test_subdir_conf
#### RULES ####
@@ -31,12 +35,22 @@ EOF
cat << EOF > ${test_conf}
# rsyslog configuration file
+# test_conf
#### RULES ####
*.* ${RSYSLOG_TEST_LOGS[1]}
EOF
+cat << EOF > ${test_bak}
+# rsyslog configuration file
+# test_bak
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[3]}
+EOF
+
# create rsyslog.conf configuration file
cat << EOF > $RSYSLOG_CONF
# rsyslog configuration file
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
index 73ff3332c6d..063b1a0cbe5 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -10,20 +10,24 @@ PERMS_PASS=0600
PERMS_FAIL=0601
# setup test data
-create_rsyslog_test_logs 3
+create_rsyslog_test_logs 4
# setup test log files and permissions
chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
# create test configuration file
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
mkdir ${conf_subdir}
test_subdir_conf=${conf_subdir}/test_subdir.conf
test_conf=${RSYSLOG_TEST_DIR}/test.conf
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
+
cat << EOF > ${test_subdir_conf}
# rsyslog configuration file
+# test_subdir_conf
#### RULES ####
@@ -32,12 +36,22 @@ EOF
cat << EOF > ${test_conf}
# rsyslog configuration file
+# test_conf
#### RULES ####
*.* ${RSYSLOG_TEST_LOGS[1]}
EOF
+cat << EOF > ${test_bak}
+# rsyslog configuration file
+# test_bak
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[3]}
+EOF
+
# create rsyslog.conf configuration file
cat << EOF > $RSYSLOG_CONF
# rsyslog configuration file
From fcfc7c126ed76488085ef35cd0fd497c272aa364 Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Sat, 21 May 2022 16:02:26 +0800
Subject: [PATCH 08/15] Match glob() function of rsyslog
---
.../rsyslog_files_permissions/bash/shared.sh | 5 ++-
.../include_config_syntax_perms_0600.pass.sh | 39 ++++++++++++-------
.../include_config_syntax_perms_0601.fail.sh | 39 ++++++++++++-------
3 files changed, 55 insertions(+), 28 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index cd5014105e9..38105bf086b 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -21,10 +21,11 @@ RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYS
declare -a RSYSLOG_CONFIG_FILES
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
do
- # If directory, need to include files recursively
+ # If directory, rsyslog will search for config files in recursively.
+ # However, files in hidden sub-directories or hidden files will be ignored.
if [ -d "${ENTRY}" ]
then
- readarray -t FINDOUT < <(find "${ENTRY}" -type f)
+ readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f)
RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
elif [ -f "${ENTRY}" ]
then
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
index 755865ca522..a5a2f67fadc 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
@@ -9,48 +9,61 @@ source $SHARED/rsyslog_log_utils.sh
PERMS=0600
# setup test data
-create_rsyslog_test_logs 4
+create_rsyslog_test_logs 5
# setup test log files and permissions
chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[4]}
-# create test configuration file
+# create test configuration files
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
mkdir ${conf_subdir}
-test_subdir_conf=${conf_subdir}/test_subdir.conf
-test_conf=${RSYSLOG_TEST_DIR}/test.conf
-test_bak=${RSYSLOG_TEST_DIR}/test.bak
+mkdir ${conf_hiddir}
-cat << EOF > ${test_subdir_conf}
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
+
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
+
+cat << EOF > ${test_conf_in_subdir}
# rsyslog configuration file
-# test_subdir_conf
#### RULES ####
-*.* ${RSYSLOG_TEST_LOGS[2]}
+*.* ${RSYSLOG_TEST_LOGS[1]}
EOF
-cat << EOF > ${test_conf}
+cat << EOF > ${test_conf_name_bak}
# rsyslog configuration file
-# test_conf
#### RULES ####
-*.* ${RSYSLOG_TEST_LOGS[1]}
+*.* ${RSYSLOG_TEST_LOGS[2]}
EOF
-cat << EOF > ${test_bak}
+cat << EOF > ${test_conf_in_hiddir}
# rsyslog configuration file
-# test_bak
+# not used
#### RULES ####
*.* ${RSYSLOG_TEST_LOGS[3]}
EOF
+cat << EOF > ${test_conf_dot_name}
+# rsyslog configuration file
+# not used
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[4]}
+EOF
+
# create rsyslog.conf configuration file
cat << EOF > $RSYSLOG_CONF
# rsyslog configuration file
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
index 063b1a0cbe5..a9d0adfb727 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -10,48 +10,61 @@ PERMS_PASS=0600
PERMS_FAIL=0601
# setup test data
-create_rsyslog_test_logs 4
+create_rsyslog_test_logs 5
# setup test log files and permissions
chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[4]}
-# create test configuration file
+# create test configuration files
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
mkdir ${conf_subdir}
-test_subdir_conf=${conf_subdir}/test_subdir.conf
-test_conf=${RSYSLOG_TEST_DIR}/test.conf
-test_bak=${RSYSLOG_TEST_DIR}/test.bak
+mkdir ${conf_hiddir}
-cat << EOF > ${test_subdir_conf}
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
+
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
+
+cat << EOF > ${test_conf_in_subdir}
# rsyslog configuration file
-# test_subdir_conf
#### RULES ####
-*.* ${RSYSLOG_TEST_LOGS[2]}
+*.* ${RSYSLOG_TEST_LOGS[1]}
EOF
-cat << EOF > ${test_conf}
+cat << EOF > ${test_conf_name_bak}
# rsyslog configuration file
-# test_conf
#### RULES ####
-*.* ${RSYSLOG_TEST_LOGS[1]}
+*.* ${RSYSLOG_TEST_LOGS[2]}
EOF
-cat << EOF > ${test_bak}
+cat << EOF > ${test_conf_in_hiddir}
# rsyslog configuration file
-# test_bak
+# not used
#### RULES ####
*.* ${RSYSLOG_TEST_LOGS[3]}
EOF
+cat << EOF > ${test_conf_dot_name}
+# rsyslog configuration file
+# not used
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[4]}
+EOF
+
# create rsyslog.conf configuration file
cat << EOF > $RSYSLOG_CONF
# rsyslog configuration file
From 313094b7d5c13ba38a2d02fad544cd4665c5a17d Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Sun, 22 May 2022 21:10:16 +0800
Subject: [PATCH 09/15] Fixed incorrect parsing of rules in old code
---
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 38105bf086b..e1129e34c81 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -54,7 +54,7 @@ do
then
NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}")
LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}")
- FILTERED_PATHS=$(sed -e 's/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g' <<< "${LINES_WITH_PATHS}")
+ FILTERED_PATHS=$(awk '{if(NF>=2&&($2~/^\//||$2~/^-\//)){sub(/^-\//,"/",$2);print $2}}' <<< "${LINES_WITH_PATHS}")
CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}")
MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}")
# Since above sed command might return more than one item (delimited by newline), split the particular
From 86f655ac79d879c1f47bda7a06cc15a64e65e5fb Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Tue, 24 May 2022 00:42:17 +0800
Subject: [PATCH 10/15] Added platform.
---
.../tests/include_config_syntax_perms_0601.fail.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
index a9d0adfb727..fe4db0a3c91 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -1,5 +1,5 @@
#!/bin/bash
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
# Check rsyslog.conf with log file permissions 0600 from rules and
# log file permissions 0601 from $IncludeConfig fails.
From e71901895f29af9a34fe81938be1332691b6f64a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 13:56:39 +0200
Subject: [PATCH 11/15] Reset the arrays before using them
When bash remediations for a profile are generated, it can happen that a
variable with same name is used for multiple remediations.
So let's reset the array before using it.
---
.../rsyslog_files_permissions/bash/shared.sh | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index e1129e34c81..d1856ffbe7b 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -14,11 +14,14 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
declare -a LOG_FILE_PATHS
# Array to hold all rsyslog config entries
-declare -a RSYSLOG_CONFIGS
-RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
+RSYSLOG_CONFIGS=()
+RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
-# Array to hold all rsyslog config files
-declare -a RSYSLOG_CONFIG_FILES
+# Get full list of files to be checked
+# RSYSLOG_CONFIGS may contain globs such as
+# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
+# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
+RSYSLOG_CONFIG_FILES=()
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
do
# If directory, rsyslog will search for config files in recursively.
From 525dce106bf8d054c83e8d79acbb92cc16224e4c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 14:55:37 +0200
Subject: [PATCH 12/15] Don't parse hidden config files for Includes
Let's follow rsyslog behavior and not capture process hidden config
files for includes.
---
.../rsyslog_files_permissions/oval/shared.xml | 9 ++++
...00_IncludeConfig_perms_0601_hidden.pass.sh | 53 +++++++++++++++++++
2 files changed, 62 insertions(+)
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
index a04e6fd8900..d13177216c3 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
@@ -17,8 +17,17 @@
<ind:filepath>/etc/rsyslog.conf</ind:filepath>
<ind:pattern operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_permissions_ignore_hidden_paths</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_permissions_ignore_hidden_paths" comment="ignore hidden conf files" version="1">
+ <!-- Among the paths matched in object_rfp_rsyslog_include_config_value there can be paths from
+ include() or $IncludeConfig that point to hidden dirs or files.
+ Rsyslog ignores these conf files, so we should ignore them too.
+ -->
+ <ind:subexpression operation="pattern match">^.*\/\..*$</ind:subexpression>
+ </ind:textfilecontent54_state>
+
<!-- Turn that glob value into Perl's regex so it can be used as filepath pattern below -->
<local_variable id="var_rfp_include_config_regex" datatype="string" version="1" comment="$IncludeConfig value converted to regex">
<unique>
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
new file mode 100644
index 00000000000..9b0185c6b2f
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
+
+# Check rsyslog.conf with log file permisssions 0600 from rules and
+# log file permissions 0601 from include() fails.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS_PASS=0600
+PERMS_FAIL=0601
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# create hidden test2 configuration file
+test_conf2=${RSYSLOG_TEST_DIR}/.test2.conf
+cat << EOF > ${test_conf2}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[2]}
+EOF
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${test_conf}")
+
+\$IncludeConfig ${test_conf2}
+EOF
From d872c4a2cfcd3331b7aae954aacf3d0d481d1582 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 15:49:11 +0200
Subject: [PATCH 13/15] Add test for for missing rsyslog included files
The rsyslog conf file may include other config files.
If the included missing files are missing rsyslog will generate an
error, but will still continue working.
https://www.rsyslog.com/doc/master/rainerscript/include.html#include-a-required-file
There is not a good way of ensuring that all files defined in a list of paths exist.
---
...0_IncludeConfig_perms_0601_missing.pass.sh | 45 +++++++++++++++++++
1 file changed, 45 insertions(+)
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
new file mode 100644
index 00000000000..b929f2a94ab
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
+
+# Check rsyslog.conf with log file permisssions 0600 from rules and
+# log file permissions 0601 from include() fails.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS_PASS=0600
+PERMS_FAIL=0601
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# Skip creation test2 configuration file
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${test_conf}")
+
+\$IncludeConfig ${test_conf2}
+EOF
From cf9eaf6e55405248731cb08268bcba6a58a93486 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 21:47:18 +0200
Subject: [PATCH 14/15] Align Ansible remediation with Bash
The remediation now expands the glob expressions and doesn't collect
hidden files or directories to check for their permissions.
---
.../rsyslog_files_permissions/ansible/shared.yml | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
index 635b72f7352..c558bf46c71 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
@@ -19,19 +19,26 @@
shell: |
set -o pipefail
grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
- register: include_config_output
+ register: rsyslog_old_inc
changed_when: False
- name: "Get include files directives"
shell: |
set -o pipefail
grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true
- register: include_files_output
+ register: rsyslog_new_inc
changed_when: False
+- name: "Expand glob expressions"
+ shell: |
+ set -o pipefail
+ eval printf '%s\\n' {{ item }}
+ register: include_config_output
+ loop: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}"
+
- name: "List all config files"
- shell: find "$(dirname "{{ item }}" )" -maxdepth 1 -name "$(basename "{{ item }}")"
- loop: "{{ include_config_output.stdout_lines + include_files_output.stdout_lines }}"
+ shell: find {{ item }} -not -path "*/.*" -type f
+ loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
register: rsyslog_config_files
changed_when: False
From 37e98ed3a86a0e56543132752c62982ff01cd3d9 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 21:56:05 +0200
Subject: [PATCH 15/15] Ignore invalid or non existing include objects
Let's not fail the task when the find doesn't find the include object.
When the include is a glob expression that doesn't evaluate to any file
the glob itself is used in find command.
The Bash remediation prints a message for each include that is not a
file is not a directory or doesn't exist.
---
.../rsyslog_files_permissions/ansible/shared.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
index c558bf46c71..3a9380cf13b 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
@@ -40,6 +40,7 @@
shell: find {{ item }} -not -path "*/.*" -type f
loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
register: rsyslog_config_files
+ failed_when: False
changed_when: False
- name: "Extract log files"
Reference in New Issue View Git Blame Copy Permalink