From 179cf6b43b8f10b4907267d976cb503066710e6f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 14 May 2020 01:20:53 +0200
Subject: [PATCH 1/4] Do not take paths from include or IncludeConfig
All paths in /etc/rsyslog.conf were taken as log files, but paths
in lines containing "include" or "$IncludeConfig" are config files.
Let's not take them in as log files
---
.../rsyslog_files_permissions/oval/shared.xml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
index a78cd69df2..c74f3da3f5 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
@@ -87,8 +87,18 @@
-->
<ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_ignore_include_paths</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+ include() or $IncludeConfig statements.
+ These paths are conf files, not log files. Their permissions don't need to be as
+ required for log files, thus, lets exclude them from the list of objects found
+ -->
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
+ </ind:textfilecontent54_state>
+
<!-- Define OVAL variable to hold all the various system log files locations
retrieved from the different rsyslog configuration files
-->
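Review bot: The exclusion state's `ind:text` pattern is unanchored, so any line the object matched that carries a `file="…"` attribute is dropped, not only `include()` statements; because the object's `^…$` pattern makes the item text the whole line, a legacy-selector line that also happened to contain `file=` would lose its log path. Tightening the first alternative to `include\([^)]*file="[^\s;]+"` keeps the exclusion on include statements, and the indented `file=` line of a multi-line `include()` is not matched by the object pattern anyway since it rejects a leading whitespace. The `\$IncludeConfig` alternative looks unreachable, as the object pattern already rejects lines whose first character is `$`; if it is meant as a defensive catch, a sentence in the state comment saying so would save the next reader the analysis. The same state pattern is repeated in the groupownership and ownership hunks of patch 4.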
From 4a408d29313d8ea5aed4fa65cacad86f8078159c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 14 May 2020 00:16:37 +0200
Subject: [PATCH 2/4] Fix permissions of files referenced by include()
The remediation script also needs to parse the files included via
"include()".
The awk also handles the multi-line form of include().
---
.../rsyslog_files_permissions/bash/shared.sh | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 6cbf0c6a24..dca35301e7 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -6,12 +6,14 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
# Browse each file selected above as containing paths of log files
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
-for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}"
+for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}"
do
# From each of these files extract just particular log file path(s), thus:
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
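Review bot: The rule order in the new awk on the `readarray -t RSYSLOG_INCLUDE` line leaves `f` set after a single-line `include(...)`: `/)/{f=0}` runs before `/include\(/{f=1}` on that same line, so `f` stays 1 until some later line contains `)`, and a `file="…"` on an intervening line (for instance inside a multi-line `action(type="omfile" …)` block) is printed as if it were an include path and then walked as a config file by the `for` loop below. Moving the reset to the end of the program, and escaping the parenthesis, fixes it: `awk '/include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}} /\)/{f=0}' /etc/rsyslog.conf`. The same ordering is kept in the patch 3 hunk that tightens the gensub regex. `gensub` and `\S` are gawk extensions, presumably acceptable for the targeted platforms, but worth a comment above the line since the neighbouring `grep | cut` pipeline is portable. A value containing a glob such as `/etc/rsyslog.d/*.conf` is stored literally by `readarray -t` and the quoted `"${RSYSLOG_INCLUDE[@]}"` in the `for` does not expand it; whether the loop body handles that is outside the hunk.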
From 812e9b487e3c11a18e5e3a965ac23ec1a0d64e91 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 15:53:58 +0200
Subject: [PATCH 3/4] Make regex for include file more strict
For some reason gensub in awk doesn't support non capturing group.
So the group with OR is capturing and we substitute everything with the
second group, which matches the file path.
---
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index dca35301e7..99d2d0e794 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -6,7 +6,7 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
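Review bot: The tightened regex on the `readarray -t RSYSLOG_INCLUDE` line only recognises `file=` immediately after `include(` or at the start of a whitespace-prefixed line, so `include(mode="optional" file="…")` or `include( file="…")` yields no path and that file is silently not walked; as far as I know rsyslog accepts the include() parameters in any order. Allowing material between the opening parenthesis and `file=` keeps group 2 as the path: `gensub("^(include\\(|include\\(.*\\s|\\s*)file=\"(\\S+)\".*","\\2",1)`. A short comment above the line naming the two accepted layouts (single-line and multi-line `include()`) and the reason the first group is capturing would help, since the commit message is currently the only place that explains it.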
From c49f8aaf717313a41bbdfca188dd491a13d1133e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 15 May 2020 16:55:02 +0200
Subject: [PATCH 4/4] Extend OVAL fix to groupownership and ownership
These three files basically work the same way
---
.../rsyslog_files_groupownership/oval/shared.xml | 10 ++++++++++
.../rsyslog_files_ownership/oval/shared.xml | 10 ++++++++++
.../rsyslog_files_permissions/oval/shared.xml | 4 ++--
3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
index 5828f25321..9941e2b94f 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
@@ -86,8 +86,18 @@
-->
<ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_groupownership_ignore_include_paths</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_groupownership_ignore_include_paths" comment="ignore" version="1">
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+ include() or $IncludeConfig statements.
+ These paths are conf files, not log files. Their groupownership don't need to be as
+ required for log files, thus, lets exclude them from the list of objects found
+ -->
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
+ </ind:textfilecontent54_state>
+
<!-- Define OVAL variable to hold all the various system log files locations
retrieved from the different rsyslog configuration files
-->
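Review bot: The comment in the new `state_groupownership_ignore_include_paths` block says the paths come from `object_rfp_log_files_paths`, which looks copied from the permissions file; the object this state filters is the one closed just above, and its id is outside the hunk, so please confirm the id and name the right one (the ownership hunk of this patch carries the same comment). `Their groupownership don't need to be as required for log files` also reads awkwardly; `Their group ownership does not need to match what is required for log files, so exclude them from the items found` says the same thing. The ids are also inconsistent across the series: this file uses `state_groupownership_…`, the ownership file `state_owner_…`, and the permissions file `state_permissions_…`; a suffix that mirrors each rule's directory name (`state_ownership_…` for the ownership file) would make the three easier to grep for.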
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
index 3c46eab6d6..29dd1a989e 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
@@ -83,8 +83,18 @@
-->
<ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_owner_ignore_include_paths</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_owner_ignore_include_paths" comment="ignore" version="1">
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+ include() or $IncludeConfig statements.
+ These paths are conf files, not log files. Their owner don't need to be as
+ required for log files, thus, lets exclude them from the list of objects found
+ -->
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
+ </ind:textfilecontent54_state>
+
<!-- Define OVAL variable to hold all the various system log files locations
retrieved from the different rsyslog configuration files
-->
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
index c74f3da3f5..da37a15b8c 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
@@ -87,10 +87,10 @@
-->
<ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- <filter action="exclude">state_ignore_include_paths</filter>
+ <filter action="exclude">state_permissions_ignore_include_paths</filter>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
+ <ind:textfilecontent54_state id="state_permissions_ignore_include_paths" comment="ignore" version="1">
<!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
include() or $IncludeConfig statements.
These paths are conf files, not log files. Their permissions don't need to be as