From 2d22616a6223e26662c1dc81e0389349defd716a Mon Sep 17 00:00:00 2001
|
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
|
Date: Wed, 13 Apr 2022 20:06:18 +0800
|
|
Subject: [PATCH 01/15] rsyslog: Fix array creation when path has wildcard
|
|
|
|
This patch fixes the issue that the array is expanded to wildcard path instead of its elements.
|
|
A simple test case as follows:
|
|
|
|
/etc/rsyslog.conf
|
|
include(file="/etc/rsyslog.d/*.conf" mode="optional")
|
|
|
|
/etc/rsyslog.d/custom1.conf
|
|
local1.* /tmp/local1.out
|
|
|
|
/etc/rsyslog.d/custom2.conf
|
|
local2.* /tmp/local2.out
|
|
---
|
|
.../rsyslog_files_permissions/bash/shared.sh | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
index b794ea8db31..02b0c36d899 100644
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
@@ -5,8 +5,8 @@
|
|
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
|
|
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
|
|
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
|
|
-readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
|
|
-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
|
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
|
|
+readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
|
|
|
|
# Declare an array to hold the final list of different log file paths
|
|
declare -a LOG_FILE_PATHS
|
|
|
|
From 37a57668e98ba613d850e4c4ec4363dc7687d06d Mon Sep 17 00:00:00 2001
|
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
|
Date: Thu, 14 Apr 2022 15:58:04 +0800
|
|
Subject: [PATCH 02/15] A better fix.
|
|
|
|
* Should also fix the CI failure.
|
|
---
|
|
.../rsyslog_files_permissions/bash/shared.sh | 6 ++++--
|
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
index 02b0c36d899..1aebb8f9da5 100644
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
@@ -5,8 +5,10 @@
|
|
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
|
|
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
|
|
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
|
|
-readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
|
|
-readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
|
|
+readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
|
|
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
|
|
+readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
|
+readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
|
|
|
|
# Declare an array to hold the final list of different log file paths
|
|
declare -a LOG_FILE_PATHS
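Review bot: The two added `eval printf '%s\\n' "${INCPATH}"` lines run text taken from /etc/rsyslog.conf through eval, so an include value containing shell metacharacters (a `$(...)`, a `;` or a backquote) would be executed rather than expanded as a glob, and this script runs as a root remediation. Bash already performs pathname expansion on an unquoted parameter, so the same result is available without eval: `readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do for F in ${INCPATH}; do printf '%s\n' "${F}"; done; done)`, and likewise for `RSYSLOG_INCLUDE`. As with the eval form, a pattern that matches nothing is passed through literally unless `shopt -s nullglob` is set, so a later `-f`/`-d` test on each entry is needed either way. Separately, `cut -d ' ' -f 2` on the `$IncludeConfig` line yields an empty string when the directive is followed by a tab, which the grep's `[[:space:]]\+` accepts; `awk '{print $2}'` would match what the grep matches.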
|
|
|
|
From 5135fb64fb773400234c740a3feeac206ac7f42a Mon Sep 17 00:00:00 2001
|
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
|
Date: Fri, 15 Apr 2022 10:47:37 +0800
|
|
Subject: [PATCH 03/15] Add test for wildcard paths used in rsyslog
|
|
|
|
---
|
|
.../include_config_syntax_perms_0600.pass.sh | 56 ++++++++++++++++++
|
|
.../include_config_syntax_perms_0601.fail.sh | 57 +++++++++++++++++++
|
|
2 files changed, 113 insertions(+)
|
|
create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
|
create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
|
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
|
new file mode 100755
|
|
index 00000000000..7cb09128d78
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
|
@@ -0,0 +1,56 @@
|
|
+#!/bin/bash
|
|
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
|
|
+
|
|
+# Check rsyslog.conf with log file permissions 0600 from rules and
|
|
+# log file permissions 0600 from $IncludeConfig passes.
|
|
+
|
|
+source $SHARED/rsyslog_log_utils.sh
|
|
+
|
|
+PERMS=0600
|
|
+
|
|
+# setup test data
|
|
+create_rsyslog_test_logs 3
|
|
+
|
|
+# setup test log files and permissions
|
|
+chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
|
|
+chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
|
|
+chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
|
|
+
|
|
+# create test configuration file
|
|
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
|
+mkdir ${conf_subdir}
|
|
+test_subdir_conf=${conf_subdir}/test_subdir.conf
|
|
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
|
+cat << EOF > ${test_subdir_conf}
|
|
+# rsyslog configuration file
|
|
+
|
|
+#### RULES ####
|
|
+
|
|
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
|
+EOF
|
|
+
|
|
+cat << EOF > ${test_conf}
|
|
+# rsyslog configuration file
|
|
+
|
|
+#### RULES ####
|
|
+
|
|
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
|
+EOF
|
|
+
|
|
+# create rsyslog.conf configuration file
|
|
+cat << EOF > $RSYSLOG_CONF
|
|
+# rsyslog configuration file
|
|
+
|
|
+#### RULES ####
|
|
+
|
|
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
|
+
|
|
+#### MODULES ####
|
|
+
|
|
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
|
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
|
+
|
|
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
|
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
|
+
|
|
+EOF
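Review bot: Every log referenced here is already at `$PERMS` (0600), so this pass test passes whether or not the remediation and check actually reach the files pulled in by the wildcard `include()`/`$IncludeConfig` lines; the companion `…0601.fail.sh` in the next section is what exercises that path, which is worth stating in the header comment, e.g. `# All logs are 0600 up front; this only checks that wildcard includes do not break parsing.` `mkdir ${conf_subdir}` and the `chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}` lines leave their expansions unquoted; quoting them (`mkdir "${conf_subdir}"`) costs nothing and keeps the test valid should the test directory ever contain a space. The same two points apply to the fail test in the next section.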
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
|
new file mode 100755
|
|
index 00000000000..942eaf086a1
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
|
@@ -0,0 +1,57 @@
|
|
+#!/bin/bash
|
|
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
|
|
+
|
|
+# Check rsyslog.conf with log file permissions 0600 from rules and
|
|
+# log file permissions 0601 from $IncludeConfig fails.
|
|
+
|
|
+source $SHARED/rsyslog_log_utils.sh
|
|
+
|
|
+PERMS_PASS=0600
|
|
+PERMS_FAIL=0601
|
|
+
|
|
+# setup test data
|
|
+create_rsyslog_test_logs 3
|
|
+
|
|
+# setup test log files and permissions
|
|
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
|
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
|
|
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
|
+
|
|
+# create test configuration file
|
|
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
|
+mkdir ${conf_subdir}
|
|
+test_subdir_conf=${conf_subdir}/test_subdir.conf
|
|
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
|
+cat << EOF > ${test_subdir_conf}
|
|
+# rsyslog configuration file
|
|
+
|
|
+#### RULES ####
|
|
+
|
|
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
|
+EOF
|
|
+
|
|
+cat << EOF > ${test_conf}
|
|
+# rsyslog configuration file
|
|
+
|
|
+#### RULES ####
|
|
+
|
|
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
|
+EOF
|
|
+
|
|
+# create rsyslog.conf configuration file
|
|
+cat << EOF > $RSYSLOG_CONF
|
|
+# rsyslog configuration file
|
|
+
|
|
+#### RULES ####
|
|
+
|
|
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
|
+
|
|
+#### MODULES ####
|
|
+
|
|
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
|
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
|
+
|
|
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
|
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
|
+
|
|
+EOF
|
|
|
|
From 052558d8d5be3b8ce49067ab8c05ed9ea92bab0b Mon Sep 17 00:00:00 2001
|
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
|
Date: Thu, 19 May 2022 01:22:19 +0800
|
|
Subject: [PATCH 04/15] The way using 'find' can be retired.
|
|
|
|
---
|
|
.../rsyslog_files_permissions/bash/shared.sh | 20 +++++--------------
|
|
1 file changed, 5 insertions(+), 15 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
index 1aebb8f9da5..cece5930ee8 100644
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
@@ -13,22 +13,12 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
|
|
# Declare an array to hold the final list of different log file paths
|
|
declare -a LOG_FILE_PATHS
|
|
|
|
-RSYSLOG_CONFIGS=()
|
|
-RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
|
+declare -a RSYSLOG_CONFIGS
|
|
+RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
|
|
|
-# Get full list of files to be checked
|
|
-# RSYSLOG_CONFIGS may contain globs such as
|
|
-# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
|
|
-# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
|
|
-RSYSLOG_FILES=()
|
|
-for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
|
-do
|
|
- mapfile -t FINDOUT < <(find "$(dirname "${ENTRY}")" -maxdepth 1 -name "$(basename "${ENTRY}")")
|
|
- RSYSLOG_FILES+=("${FINDOUT[@]}")
|
|
-done
|
|
-
|
|
-# Check file and fix if needed.
|
|
-for LOG_FILE in "${RSYSLOG_FILES[@]}"
|
|
+# Browse each file selected above as containing paths of log files
|
|
+# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
|
|
+for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
|
|
do
|
|
# From each of these files extract just particular log file path(s), thus:
|
|
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
|
|
|
|
From 4f1d08642a74c0be7cd02815784a2c81b7b558ee Mon Sep 17 00:00:00 2001
|
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
|
Date: Fri, 20 May 2022 01:30:37 +0800
|
|
Subject: [PATCH 05/15] Cover the include pattern '/etc/rsyslog.d/'
|
|
|
|
---
|
|
.../rsyslog_files_permissions/bash/shared.sh | 20 ++++++++++++++++++-
|
|
1 file changed, 19 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
index cece5930ee8..50d36d7426f 100644
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
@@ -13,12 +13,30 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
|
|
# Declare an array to hold the final list of different log file paths
|
|
declare -a LOG_FILE_PATHS
|
|
|
|
+# Array to hold all rsyslog config entries
|
|
declare -a RSYSLOG_CONFIGS
|
|
RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
|
|
|
+# Array to hold all rsyslog config files
|
|
+declare -a RSYSLOG_CONFIG_FILES
|
|
+for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
|
+do
|
|
+ # If directory, need to include files recursively
|
|
+ if [ -d "${ENTRY}" ]
|
|
+ then
|
|
+ readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
|
|
+ RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
|
|
+ elif [ -f "${ENTRY}" ]
|
|
+ then
|
|
+ RSYSLOG_CONFIG_FILES+=("${ENTRY}")
|
|
+ else
|
|
+ echo "Invalid include object: ${ENTRY}"
|
|
+ fi
|
|
+done
|
|
+
|
|
# Browse each file selected above as containing paths of log files
|
|
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
|
|
-for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
|
|
+for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
|
|
do
|
|
# From each of these files extract just particular log file path(s), thus:
|
|
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
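Review bot: `echo "Invalid include object: ${ENTRY}"` writes the diagnostic to stdout, where it mixes with whatever the remediation's caller captures; it should go to stderr, `echo "Invalid include object: ${ENTRY}" >&2`. The `else` branch is also reached for any include pattern that matched nothing, because the expansion earlier in the file (outside this hunk) leaves an unmatched glob as a literal string, so with rsyslog's `mode="optional"` the message is expected noise rather than an error; either drop such entries before the loop or word the message accordingly. `readarray` over `find` output also assumes no newline in a file name, which is fine for /etc but deserves a short comment on the `find` line.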
|
|
|
|
From d77551b64c4d67226627d0819dc30fff9433ac2b Mon Sep 17 00:00:00 2001
|
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
|
Date: Fri, 20 May 2022 01:46:33 +0800
|
|
Subject: [PATCH 06/15] Update test files.
|
|
|
|
---
|
|
.../tests/include_config_syntax_perms_0600.pass.sh | 2 ++
|
|
.../tests/include_config_syntax_perms_0601.fail.sh | 2 ++
|
|
2 files changed, 4 insertions(+)
|
|
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
|
index 7cb09128d78..2ddd9fcb697 100755
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
|
@@ -49,8 +49,10 @@ cat << EOF > $RSYSLOG_CONF
|
|
|
|
include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
|
include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
|
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
|
|
|
|
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
|
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
|
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
|
|
|
|
EOF
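Review bot: `include(file="${RSYSLOG_TEST_DIR}" mode="optional")` and `\$IncludeConfig ${RSYSLOG_TEST_DIR}` include the whole test directory on top of the two glob includes that already cover it, so the remediation's directory walk collects the same `.conf` files a second time and they are parsed more than once. That is harmless for a permission check, but if `create_rsyslog_test_logs` places the logs inside `RSYSLOG_TEST_DIR` — not visible from here — the directory include may start pulling in non-config files as the walk is widened; a one-line comment above these two lines saying the directory include is deliberately redundant with the globs would help the next reader. The fail test in the next section receives the same two lines.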
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
|
index 942eaf086a1..73ff3332c6d 100755
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
|
@@ -50,8 +50,10 @@ cat << EOF > $RSYSLOG_CONF
|
|
|
|
include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
|
|
include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
|
|
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
|
|
|
|
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
|
|
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
|
|
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
|
|
|
|
EOF
|
|
|
|
From 9a97bfa1ca4c918a39a68131e5fbc46fa7b00961 Mon Sep 17 00:00:00 2001
|
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
|
Date: Fri, 20 May 2022 10:03:32 +0800
|
|
Subject: [PATCH 07/15] Rsyslog says we should include all files
|
|
|
|
---
|
|
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
|
|
.../include_config_syntax_perms_0600.pass.sh | 16 +++++++++++++++-
|
|
.../include_config_syntax_perms_0601.fail.sh | 16 +++++++++++++++-
|
|
3 files changed, 31 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
index 50d36d7426f..cd5014105e9 100644
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
@@ -24,7 +24,7 @@ do
|
|
# If directory, need to include files recursively
|
|
if [ -d "${ENTRY}" ]
|
|
then
|
|
- readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
|
|
+ readarray -t FINDOUT < <(find "${ENTRY}" -type f)
|
|
RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
|
|
elif [ -f "${ENTRY}" ]
|
|
then
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
|
index 2ddd9fcb697..755865ca522 100755
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
|
@@ -9,20 +9,24 @@ source $SHARED/rsyslog_log_utils.sh
|
|
PERMS=0600
|
|
|
|
# setup test data
|
|
-create_rsyslog_test_logs 3
|
|
+create_rsyslog_test_logs 4
|
|
|
|
# setup test log files and permissions
|
|
chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
|
|
chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
|
|
chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
|
|
+chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
|
|
|
|
# create test configuration file
|
|
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
|
mkdir ${conf_subdir}
|
|
test_subdir_conf=${conf_subdir}/test_subdir.conf
|
|
test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
|
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
|
+
|
|
cat << EOF > ${test_subdir_conf}
|
|
# rsyslog configuration file
|
|
+# test_subdir_conf
|
|
|
|
#### RULES ####
|
|
|
|
@@ -31,12 +35,22 @@ EOF
|
|
|
|
cat << EOF > ${test_conf}
|
|
# rsyslog configuration file
|
|
+# test_conf
|
|
|
|
#### RULES ####
|
|
|
|
*.* ${RSYSLOG_TEST_LOGS[1]}
|
|
EOF
|
|
|
|
+cat << EOF > ${test_bak}
|
|
+# rsyslog configuration file
|
|
+# test_bak
|
|
+
|
|
+#### RULES ####
|
|
+
|
|
+*.* ${RSYSLOG_TEST_LOGS[3]}
|
|
+EOF
|
|
+
|
|
# create rsyslog.conf configuration file
|
|
cat << EOF > $RSYSLOG_CONF
|
|
# rsyslog configuration file
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
|
index 73ff3332c6d..063b1a0cbe5 100755
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
|
@@ -10,20 +10,24 @@ PERMS_PASS=0600
|
|
PERMS_FAIL=0601
|
|
|
|
# setup test data
|
|
-create_rsyslog_test_logs 3
|
|
+create_rsyslog_test_logs 4
|
|
|
|
# setup test log files and permissions
|
|
chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
|
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
|
|
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
|
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
|
|
|
|
# create test configuration file
|
|
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
|
mkdir ${conf_subdir}
|
|
test_subdir_conf=${conf_subdir}/test_subdir.conf
|
|
test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
|
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
|
+
|
|
cat << EOF > ${test_subdir_conf}
|
|
# rsyslog configuration file
|
|
+# test_subdir_conf
|
|
|
|
#### RULES ####
|
|
|
|
@@ -32,12 +36,22 @@ EOF
|
|
|
|
cat << EOF > ${test_conf}
|
|
# rsyslog configuration file
|
|
+# test_conf
|
|
|
|
#### RULES ####
|
|
|
|
*.* ${RSYSLOG_TEST_LOGS[1]}
|
|
EOF
|
|
|
|
+cat << EOF > ${test_bak}
|
|
+# rsyslog configuration file
|
|
+# test_bak
|
|
+
|
|
+#### RULES ####
|
|
+
|
|
+*.* ${RSYSLOG_TEST_LOGS[3]}
|
|
+EOF
|
|
+
|
|
# create rsyslog.conf configuration file
|
|
cat << EOF > $RSYSLOG_CONF
|
|
# rsyslog configuration file
|
|
|
|
From fcfc7c126ed76488085ef35cd0fd497c272aa364 Mon Sep 17 00:00:00 2001
|
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
|
Date: Sat, 21 May 2022 16:02:26 +0800
|
|
Subject: [PATCH 08/15] Match glob() function of rsyslog
|
|
|
|
---
|
|
.../rsyslog_files_permissions/bash/shared.sh | 5 ++-
|
|
.../include_config_syntax_perms_0600.pass.sh | 39 ++++++++++++-------
|
|
.../include_config_syntax_perms_0601.fail.sh | 39 ++++++++++++-------
|
|
3 files changed, 55 insertions(+), 28 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
index cd5014105e9..38105bf086b 100644
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
@@ -21,10 +21,11 @@ RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYS
|
|
declare -a RSYSLOG_CONFIG_FILES
|
|
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
|
do
|
|
- # If directory, need to include files recursively
|
|
+ # If directory, rsyslog will search for config files in recursively.
|
|
+ # However, files in hidden sub-directories or hidden files will be ignored.
|
|
if [ -d "${ENTRY}" ]
|
|
then
|
|
- readarray -t FINDOUT < <(find "${ENTRY}" -type f)
|
|
+ readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f)
|
|
RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
|
|
elif [ -f "${ENTRY}" ]
|
|
then
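Review bot: `-not -path '*/.*'` excludes a hidden component anywhere in the path, including components above the directory that was included, so an include of a directory whose own path contains a dot-prefixed component would silently yield no files; the comment describes skipping hidden files and sub-directories *below* the include, which `find "${ENTRY}" -mindepth 1 -name '.*' -prune -o -type f -print` expresses directly and which also stops descending into hidden directories instead of walking and then filtering them. The new comment also reads `search for config files in recursively`; suggest `# If directory, rsyslog searches it recursively for config files, but hidden files and hidden sub-directories are ignored.`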
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
|
index 755865ca522..a5a2f67fadc 100755
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
|
|
@@ -9,48 +9,61 @@ source $SHARED/rsyslog_log_utils.sh
|
|
PERMS=0600
|
|
|
|
# setup test data
|
|
-create_rsyslog_test_logs 4
|
|
+create_rsyslog_test_logs 5
|
|
|
|
# setup test log files and permissions
|
|
chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
|
|
chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
|
|
chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
|
|
chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
|
|
+chmod $PERMS ${RSYSLOG_TEST_LOGS[4]}
|
|
|
|
-# create test configuration file
|
|
+# create test configuration files
|
|
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
|
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
|
|
mkdir ${conf_subdir}
|
|
-test_subdir_conf=${conf_subdir}/test_subdir.conf
|
|
-test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
|
-test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
|
+mkdir ${conf_hiddir}
|
|
|
|
-cat << EOF > ${test_subdir_conf}
|
|
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
|
|
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
|
|
+
|
|
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
|
|
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
|
|
+
|
|
+cat << EOF > ${test_conf_in_subdir}
|
|
# rsyslog configuration file
|
|
-# test_subdir_conf
|
|
|
|
#### RULES ####
|
|
|
|
-*.* ${RSYSLOG_TEST_LOGS[2]}
|
|
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
|
EOF
|
|
|
|
-cat << EOF > ${test_conf}
|
|
+cat << EOF > ${test_conf_name_bak}
|
|
# rsyslog configuration file
|
|
-# test_conf
|
|
|
|
#### RULES ####
|
|
|
|
-*.* ${RSYSLOG_TEST_LOGS[1]}
|
|
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
|
EOF
|
|
|
|
-cat << EOF > ${test_bak}
|
|
+cat << EOF > ${test_conf_in_hiddir}
|
|
# rsyslog configuration file
|
|
-# test_bak
|
|
+# not used
|
|
|
|
#### RULES ####
|
|
|
|
*.* ${RSYSLOG_TEST_LOGS[3]}
|
|
EOF
|
|
|
|
+cat << EOF > ${test_conf_dot_name}
|
|
+# rsyslog configuration file
|
|
+# not used
|
|
+
|
|
+#### RULES ####
|
|
+
|
|
+*.* ${RSYSLOG_TEST_LOGS[4]}
|
|
+EOF
|
|
+
|
|
# create rsyslog.conf configuration file
|
|
cat << EOF > $RSYSLOG_CONF
|
|
# rsyslog configuration file
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
|
index 063b1a0cbe5..a9d0adfb727 100755
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
|
@@ -10,48 +10,61 @@ PERMS_PASS=0600
|
|
PERMS_FAIL=0601
|
|
|
|
# setup test data
|
|
-create_rsyslog_test_logs 4
|
|
+create_rsyslog_test_logs 5
|
|
|
|
# setup test log files and permissions
|
|
chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
|
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
|
|
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
|
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
|
|
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[4]}
|
|
|
|
-# create test configuration file
|
|
+# create test configuration files
|
|
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
|
|
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
|
|
mkdir ${conf_subdir}
|
|
-test_subdir_conf=${conf_subdir}/test_subdir.conf
|
|
-test_conf=${RSYSLOG_TEST_DIR}/test.conf
|
|
-test_bak=${RSYSLOG_TEST_DIR}/test.bak
|
|
+mkdir ${conf_hiddir}
|
|
|
|
-cat << EOF > ${test_subdir_conf}
|
|
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
|
|
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
|
|
+
|
|
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
|
|
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
|
|
+
|
|
+cat << EOF > ${test_conf_in_subdir}
|
|
# rsyslog configuration file
|
|
-# test_subdir_conf
|
|
|
|
#### RULES ####
|
|
|
|
-*.* ${RSYSLOG_TEST_LOGS[2]}
|
|
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
|
EOF
|
|
|
|
-cat << EOF > ${test_conf}
|
|
+cat << EOF > ${test_conf_name_bak}
|
|
# rsyslog configuration file
|
|
-# test_conf
|
|
|
|
#### RULES ####
|
|
|
|
-*.* ${RSYSLOG_TEST_LOGS[1]}
|
|
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
|
EOF
|
|
|
|
-cat << EOF > ${test_bak}
|
|
+cat << EOF > ${test_conf_in_hiddir}
|
|
# rsyslog configuration file
|
|
-# test_bak
|
|
+# not used
|
|
|
|
#### RULES ####
|
|
|
|
*.* ${RSYSLOG_TEST_LOGS[3]}
|
|
EOF
|
|
|
|
+cat << EOF > ${test_conf_dot_name}
|
|
+# rsyslog configuration file
|
|
+# not used
|
|
+
|
|
+#### RULES ####
|
|
+
|
|
+*.* ${RSYSLOG_TEST_LOGS[4]}
|
|
+EOF
|
|
+
|
|
# create rsyslog.conf configuration file
|
|
cat << EOF > $RSYSLOG_CONF
|
|
# rsyslog configuration file
|
|
|
|
From 313094b7d5c13ba38a2d02fad544cd4665c5a17d Mon Sep 17 00:00:00 2001
|
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
|
Date: Sun, 22 May 2022 21:10:16 +0800
|
|
Subject: [PATCH 09/15] Fixed incorrect parsing of rules in old code
|
|
|
|
---
|
|
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
index 38105bf086b..e1129e34c81 100644
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
@@ -54,7 +54,7 @@ do
|
|
then
|
|
NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}")
|
|
LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}")
|
|
- FILTERED_PATHS=$(sed -e 's/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g' <<< "${LINES_WITH_PATHS}")
|
|
+ FILTERED_PATHS=$(awk '{if(NF>=2&&($2~/^\//||$2~/^-\//)){sub(/^-\//,"/",$2);print $2}}' <<< "${LINES_WITH_PATHS}")
|
|
CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}")
|
|
MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}")
|
|
# Since above sed command might return more than one item (delimited by newline), split the particular
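Review bot: The new awk prints field 2 as-is, so a classic rule with a template suffix such as `*.* /var/log/messages;RSYSLOG_TraditionalFileFormat` now yields the path with `;RSYSLOG_TraditionalFileFormat` attached; the sed it replaces stopped at `;` and `:` (`[^:;[:space:]]*`), and the `CLEANED_PATHS` sed on the next line strips only quotes and parentheses, so the suffix reaches the chmod. Dropping it inside the awk keeps the rest unchanged: `FILTERED_PATHS=$(awk '{if(NF>=2&&($2~/^\//||$2~/^-\//)){sub(/^-\//,"/",$2);sub(/;.*$/,"",$2);print $2}}' <<< "${LINES_WITH_PATHS}")`. The enclosing loop body starts and ends outside the hunk.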
|
|
|
|
From 86f655ac79d879c1f47bda7a06cc15a64e65e5fb Mon Sep 17 00:00:00 2001
|
|
From: Flos Lonicerae <lonicerae@gmail.com>
|
|
Date: Tue, 24 May 2022 00:42:17 +0800
|
|
Subject: [PATCH 10/15] Added platform.
|
|
|
|
---
|
|
.../tests/include_config_syntax_perms_0601.fail.sh | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
|
index a9d0adfb727..fe4db0a3c91 100755
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
|
|
@@ -1,5 +1,5 @@
|
|
#!/bin/bash
|
|
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
|
|
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
|
|
|
|
# Check rsyslog.conf with log file permissions 0600 from rules and
|
|
# log file permissions 0601 from $IncludeConfig fails.
|
|
|
|
From e71901895f29af9a34fe81938be1332691b6f64a Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Wed, 10 Aug 2022 13:56:39 +0200
|
|
Subject: [PATCH 11/15] Reset the arrays before using them
|
|
|
|
When bash remediations for a profile are generated, it can happen that a
|
|
variable with same name is used for multiple remediations.
|
|
So let's reset the array before using it.
|
|
---
|
|
.../rsyslog_files_permissions/bash/shared.sh | 11 +++++++----
|
|
1 file changed, 7 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
index e1129e34c81..d1856ffbe7b 100644
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
@@ -14,11 +14,14 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
|
|
declare -a LOG_FILE_PATHS
|
|
|
|
# Array to hold all rsyslog config entries
|
|
-declare -a RSYSLOG_CONFIGS
|
|
-RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
|
+RSYSLOG_CONFIGS=()
|
|
+RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
|
|
|
-# Array to hold all rsyslog config files
|
|
-declare -a RSYSLOG_CONFIG_FILES
|
|
+# Get full list of files to be checked
|
|
+# RSYSLOG_CONFIGS may contain globs such as
|
|
+# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
|
|
+# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
|
|
+RSYSLOG_CONFIG_FILES=()
|
|
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
|
do
|
|
# If directory, rsyslog will search for config files in recursively.
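Review bot: The added `RSYSLOG_CONFIGS=()` immediately before `RSYSLOG_CONFIGS=(...)` is dead code: a plain `=` array assignment already replaces the whole array, so the reset changes nothing, whereas `RSYSLOG_CONFIG_FILES=()` is a real reset because that array appears to be accumulated by the loop that follows (its body is outside the hunk). Keeping just `RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")` conveys the intent without a misleading no-op. Separately, the hunk header shows `RSYSLOG_INCLUDE` being built with `eval printf` over paths read from rsyslog.conf; that line is outside the hunk, so I only flag that config-derived text reaching `eval` deserves a second look.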
|
|
|
|
From 525dce106bf8d054c83e8d79acbb92cc16224e4c Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Wed, 10 Aug 2022 14:55:37 +0200
|
|
Subject: [PATCH 12/15] Don't parse hidden config files for Includes
|
|
|
|
Let's follow rsyslog behavior and not process hidden config
|
|
files for includes.
|
|
---
|
|
.../rsyslog_files_permissions/oval/shared.xml | 9 ++++
|
|
...00_IncludeConfig_perms_0601_hidden.pass.sh | 53 +++++++++++++++++++
|
|
2 files changed, 62 insertions(+)
|
|
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
|
|
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
|
index a04e6fd8900..d13177216c3 100644
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
|
@@ -17,8 +17,17 @@
|
|
<ind:filepath>/etc/rsyslog.conf</ind:filepath>
|
|
<ind:pattern operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$</ind:pattern>
|
|
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
+ <filter action="exclude">state_permissions_ignore_hidden_paths</filter>
|
|
</ind:textfilecontent54_object>
|
|
|
|
+ <ind:textfilecontent54_state id="state_permissions_ignore_hidden_paths" comment="ignore hidden conf files" version="1">
|
|
+ <!-- Among the paths matched in object_rfp_rsyslog_include_config_value there can be paths from
|
|
+ include() or $IncludeConfig that point to hidden dirs or files.
|
|
+ Rsyslog ignores these conf files, so we should ignore them too.
|
|
+ -->
|
|
+ <ind:subexpression operation="pattern match">^.*\/\..*$</ind:subexpression>
|
|
+ </ind:textfilecontent54_state>
|
|
+
|
|
<!-- Turn that glob value into Perl's regex so it can be used as filepath pattern below -->
|
|
<local_variable id="var_rfp_include_config_regex" datatype="string" version="1" comment="$IncludeConfig value converted to regex">
|
|
<unique>
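Review bot: The exclusion pattern `^.*\/\..*$` in `state_permissions_ignore_hidden_paths` is broader than "hidden entry": it also matches `/./` and `/../` path components, so an include such as `$IncludeConfig /etc/rsyslog.d/../local/*.conf` would be dropped from the check while rsyslog still loads it, leaving those log files unverified. Tightening it to `^.*\/\.(?!\.?(?:\/|$)).*$` excludes only a component that starts with a dot and is not `.` or `..`. The comment's claim that "Rsyslog ignores these conf files" is also worth hedging or citing; I cannot confirm from here that an explicitly named hidden file is skipped rather than only hidden entries found during glob expansion, and if the latter is the case this filter exempts real config from the check. Consider `<!-- rsyslog skips dot-files when expanding include globs (verify for explicit paths); exclude them here so the check matches what is actually loaded -->`.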
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
|
|
new file mode 100644
|
|
index 00000000000..9b0185c6b2f
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
|
|
@@ -0,0 +1,53 @@
|
|
+#!/bin/bash
|
|
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
|
|
+
|
|
+# Check rsyslog.conf with log file permisssions 0600 from rules and
|
|
+# log file permissions 0601 from include() fails.
|
|
+
|
|
+source $SHARED/rsyslog_log_utils.sh
|
|
+
|
|
+PERMS_PASS=0600
|
|
+PERMS_FAIL=0601
|
|
+
|
|
+# setup test data
|
|
+create_rsyslog_test_logs 3
|
|
+
|
|
+# setup test log files and permissions
|
|
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
|
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
|
|
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
|
+
|
|
+# create test configuration file
|
|
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
|
+cat << EOF > ${test_conf}
|
|
+# rsyslog configuration file
|
|
+
|
|
+#### RULES ####
|
|
+
|
|
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
|
+EOF
|
|
+
|
|
+# create hidden test2 configuration file
|
|
+test_conf2=${RSYSLOG_TEST_DIR}/.test2.conf
|
|
+cat << EOF > ${test_conf2}
|
|
+# rsyslog configuration file
|
|
+
|
|
+#### RULES ####
|
|
+
|
|
+*.* ${RSYSLOG_TEST_LOGS[2]}
|
|
+EOF
|
|
+
|
|
+# create rsyslog.conf configuration file
|
|
+cat << EOF > $RSYSLOG_CONF
|
|
+# rsyslog configuration file
|
|
+
|
|
+#### RULES ####
|
|
+
|
|
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
|
+
|
|
+#### MODULES ####
|
|
+
|
|
+include(file="${test_conf}")
|
|
+
|
|
+\$IncludeConfig ${test_conf2}
|
|
+EOF
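Review bot: The header comment contradicts the test: this is a `.pass.sh` that expects the 0601 log file referenced only from the hidden `.test2.conf` to be ignored, but the comment says the 0601 permissions come "from include()" and that the check "fails", and it misspells "permisssions". The hidden file is wired in with `$IncludeConfig`, not `include()`, so the comment appears copied from the sibling fail test. Suggest `# Check that a log file with permissions 0601 referenced only from a hidden config file` / `# pulled in via $IncludeConfig is ignored, so the rule passes.`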
|
|
|
|
From d872c4a2cfcd3331b7aae954aacf3d0d481d1582 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Wed, 10 Aug 2022 15:49:11 +0200
|
|
Subject: [PATCH 13/15] Add test for for missing rsyslog included files
|
|
|
|
The rsyslog conf file may include other config files.
|
|
If the included files are missing, rsyslog will generate an
|
|
error, but will still continue working.
|
|
https://www.rsyslog.com/doc/master/rainerscript/include.html#include-a-required-file
|
|
|
|
There is not a good way of ensuring that all files defined in a list of paths exist.
|
|
---
|
|
...0_IncludeConfig_perms_0601_missing.pass.sh | 45 +++++++++++++++++++
|
|
1 file changed, 45 insertions(+)
|
|
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
|
|
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
|
|
new file mode 100644
|
|
index 00000000000..b929f2a94ab
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
|
|
@@ -0,0 +1,45 @@
|
|
+#!/bin/bash
|
|
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
|
|
+
|
|
+# Check rsyslog.conf with log file permisssions 0600 from rules and
|
|
+# log file permissions 0601 from include() fails.
|
|
+
|
|
+source $SHARED/rsyslog_log_utils.sh
|
|
+
|
|
+PERMS_PASS=0600
|
|
+PERMS_FAIL=0601
|
|
+
|
|
+# setup test data
|
|
+create_rsyslog_test_logs 3
|
|
+
|
|
+# setup test log files and permissions
|
|
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
|
|
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
|
|
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
|
|
+
|
|
+# create test configuration file
|
|
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
|
+cat << EOF > ${test_conf}
|
|
+# rsyslog configuration file
|
|
+
|
|
+#### RULES ####
|
|
+
|
|
+*.* ${RSYSLOG_TEST_LOGS[1]}
|
|
+EOF
|
|
+
|
|
+# Skip creation test2 configuration file
|
|
+
|
|
+# create rsyslog.conf configuration file
|
|
+cat << EOF > $RSYSLOG_CONF
|
|
+# rsyslog configuration file
|
|
+
|
|
+#### RULES ####
|
|
+
|
|
+*.* ${RSYSLOG_TEST_LOGS[0]}
|
|
+
|
|
+#### MODULES ####
|
|
+
|
|
+include(file="${test_conf}")
|
|
+
|
|
+\$IncludeConfig ${test_conf2}
|
|
+EOF
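Review bot: `${test_conf2}` is never assigned in this script, so the heredoc writes `$IncludeConfig ` with an empty value and the test never exercises a missing included file, which is the scenario the commit message describes. Assigning the path without creating the file, e.g. `test_conf2=${RSYSLOG_TEST_DIR}/test2.conf` under the `# Skip creation test2 configuration file` comment, makes the directive point at a genuinely absent file. The `chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}` is then also meaningful, since nothing references that log today. The header comment should likewise say the check passes when an included file is missing, rather than "fails", and fix "permisssions".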
|
|
|
|
From cf9eaf6e55405248731cb08268bcba6a58a93486 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Wed, 10 Aug 2022 21:47:18 +0200
|
|
Subject: [PATCH 14/15] Align Ansible remediation with Bash
|
|
|
|
The remediation now expands the glob expressions and doesn't collect
|
|
hidden files or directories to check for their permissions.
|
|
---
|
|
.../rsyslog_files_permissions/ansible/shared.yml | 15 +++++++++++----
|
|
1 file changed, 11 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
|
index 635b72f7352..c558bf46c71 100644
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
|
@@ -19,19 +19,26 @@
|
|
shell: |
|
|
set -o pipefail
|
|
grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
|
|
- register: include_config_output
|
|
+ register: rsyslog_old_inc
|
|
changed_when: False
|
|
|
|
- name: "Get include files directives"
|
|
shell: |
|
|
set -o pipefail
|
|
grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true
|
|
- register: include_files_output
|
|
+ register: rsyslog_new_inc
|
|
changed_when: False
|
|
|
|
+- name: "Expand glob expressions"
|
|
+ shell: |
|
|
+ set -o pipefail
|
|
+ eval printf '%s\\n' {{ item }}
|
|
+ register: include_config_output
|
|
+ loop: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}"
|
|
+
|
|
- name: "List all config files"
|
|
- shell: find "$(dirname "{{ item }}" )" -maxdepth 1 -name "$(basename "{{ item }}")"
|
|
- loop: "{{ include_config_output.stdout_lines + include_files_output.stdout_lines }}"
|
|
+ shell: find {{ item }} -not -path "*/.*" -type f
|
|
+ loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
|
|
register: rsyslog_config_files
|
|
changed_when: False
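Review bot: The new "Expand glob expressions" task runs `eval printf '%s\\n' {{ item }}`, where `item` is text lifted from `$IncludeConfig` and `include(file=...)` values in rsyslog.conf; it is Jinja-templated straight into the shell command and then `eval`'d, so any `$(...)`, backticks or `;` in a config value executes as root on the managed host. `eval` is not needed for glob expansion: an unquoted parameter expansion already undergoes pathname expansion but never command substitution, so passing the value via `environment:` and expanding it unquoted gives the same result without interpreting the text. The "List all config files" task has the same templating issue with `find {{ item }} ...` and can take the value the same way. Rewritten expand task below.
```yaml
- name: "Expand glob expressions"
  shell: |
    set -o pipefail
    printf '%s\n' $RSYSLOG_INC
  environment:
    RSYSLOG_INC: "{{ item }}"
  register: include_config_output
  loop: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}"
# … unchanged: "List all config files" task (pass item through environment the same way) …
```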
|
|
|
|
|
|
From 37e98ed3a86a0e56543132752c62982ff01cd3d9 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Wed, 10 Aug 2022 21:56:05 +0200
|
|
Subject: [PATCH 15/15] Ignore invalid or non existing include objects
|
|
|
|
Let's not fail the task when the find doesn't find the include object.
|
|
When the include is a glob expression that doesn't evaluate to any file
|
|
the glob itself is used in find command.
|
|
|
|
The Bash remediation prints a message for each include that is not a
|
|
file, is not a directory, or doesn't exist.
|
|
---
|
|
.../rsyslog_files_permissions/ansible/shared.yml | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
|
index c558bf46c71..3a9380cf13b 100644
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
|
|
@@ -40,6 +40,7 @@
|
|
shell: find {{ item }} -not -path "*/.*" -type f
|
|
loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
|
|
register: rsyslog_config_files
|
|
+ failed_when: False
|
|
changed_when: False
|
|
|
|
- name: "Extract log files"
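Review bot: `failed_when: False` on "List all config files" swallows every `find` failure, not only the missing-include case the commit describes; a permission-denied or unreadable include directory yields an empty result and the remediation silently proceeds as if no log files were configured there. The Bash remediation reportedly prints a message per unusable include, so the Ansible side should at least surface the same information instead of discarding `rc` and `stderr`. A follow-up task that reports non-zero results keeps the play non-fatal while making the gap visible; the "Extract log files" task continues past the hunk.
```yaml
- name: "Report rsyslog includes that could not be listed"
  debug:
    msg: "rsyslog include '{{ item.item }}' could not be listed: {{ item.stderr }}"
  loop: "{{ rsyslog_config_files.results }}"
  when: item.rc is defined and item.rc != 0
```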
|