1951 lines
86 KiB
Diff
1951 lines
86 KiB
Diff
From be0ffb00c4911eb6b6478525e27e494809ce44ea Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Tue, 7 Feb 2023 10:53:17 +0100
|
|
Subject: [PATCH 2/5] Rsyslog files rules remediations
|
|
|
|
Patch-name: scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch
|
|
Patch-status: Rsyslog files rules remediations
|
|
---
|
|
controls/cis_sle12.yml | 4 +-
|
|
controls/cis_sle15.yml | 4 +-
|
|
.../file_groupowner_logfiles_value.var | 18 ---
|
|
.../oval/shared.xml | 116 ---------------
|
|
.../rsyslog_files_groupownership/rule.yml | 39 ++++-
|
|
.../tests/IncludeConfig_is_other.fail.sh | 42 ------
|
|
.../tests/IncludeConfig_is_root.pass.sh | 39 -----
|
|
.../tests/include_is_other.fail.sh | 42 ------
|
|
.../tests/include_is_root.pass.sh | 39 -----
|
|
.../tests/include_multiline_is_root.pass.sh | 41 ------
|
|
.../tests/is_other.fail.sh | 25 ----
|
|
.../tests/is_root.pass.sh | 24 ---
|
|
.../rsyslog_files_ownership/oval/shared.xml | 114 ---------------
|
|
.../rsyslog_files_ownership/rule.yml | 44 +++++-
|
|
.../ansible/shared.yml | 12 ++
|
|
.../rsyslog_logging_configured/bash/shared.sh | 7 +
|
|
.../oval/shared.xml | 41 ++++++
|
|
.../rsyslog_logging_configured/rule.yml | 34 +++++
|
|
...with_everything_logged_to_messages.pass.sh | 13 ++
|
|
.../rsyslog_file_with_no_logging.fail.sh | 12 ++
|
|
.../profiles/anssi_np_nt28_average.profile | 2 -
|
|
products/debian10/profiles/standard.profile | 2 -
|
|
.../profiles/anssi_np_nt28_average.profile | 2 -
|
|
products/debian11/profiles/standard.profile | 2 -
|
|
products/rhel7/profiles/rht-ccp.profile | 2 -
|
|
products/rhel8/profiles/rht-ccp.profile | 2 -
|
|
.../profiles/anssi_bp28_intermediary.profile | 1 +
|
|
products/sle15/profiles/standard.profile | 2 -
|
|
.../profiles/anssi_np_nt28_average.profile | 2 -
|
|
products/ubuntu1604/profiles/standard.profile | 2 -
|
|
.../profiles/anssi_np_nt28_average.profile | 2 -
|
|
products/ubuntu1804/profiles/standard.profile | 2 -
|
|
products/ubuntu2004/profiles/standard.profile | 2 -
|
|
products/ubuntu2204/profiles/standard.profile | 2 -
|
|
shared/references/cce-sle12-avail.txt | 1 -
|
|
shared/references/cce-sle15-avail.txt | 1 -
|
|
.../ansible.template | 68 +++++++++
|
|
.../bash.template | 110 ++++++++++++++
|
|
.../oval.template | 137 ++++++++++++++++++
|
|
.../template.yml | 4 +
|
|
.../tests/IncludeConfig_is_other.fail.sh | 14 +-
|
|
.../tests/IncludeConfig_is_root.pass.sh | 10 +-
|
|
.../tests/include_is_other.fail.sh | 14 +-
|
|
...udeConfig_is_other_RainerLogClause.fail.sh | 37 ++++-
|
|
.../tests/include_is_root.pass.sh | 11 +-
|
|
...ude_is_root_IncludeConfig_is_other.fail.sh | 16 +-
|
|
...lude_is_root_IncludeConfig_is_root.pass.sh | 12 +-
|
|
...ludeConfig_is_root_RainerLogClause.pass.sh | 22 +--
|
|
.../tests/include_multiline_is_root.pass.sh | 10 +-
|
|
.../tests/is_other.fail.sh | 12 +-
|
|
.../tests/is_root.pass.sh | 8 +-
|
|
51 files changed, 648 insertions(+), 576 deletions(-)
|
|
delete mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var
|
|
delete mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
|
|
delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh
|
|
delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh
|
|
delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh
|
|
delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh
|
|
delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh
|
|
delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh
|
|
delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh
|
|
delete mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
|
|
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml
|
|
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh
|
|
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml
|
|
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml
|
|
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh
|
|
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh
|
|
create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/ansible.template
|
|
create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/bash.template
|
|
create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/oval.template
|
|
create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/template.yml
|
|
rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/IncludeConfig_is_other.fail.sh (75%)
|
|
rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/IncludeConfig_is_root.pass.sh (81%)
|
|
rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_other.fail.sh (75%)
|
|
rename linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh => shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh (50%)
|
|
mode change 100755 => 100644
|
|
rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_root.pass.sh (81%)
|
|
rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_root_IncludeConfig_is_other.fail.sh (77%)
|
|
rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_root_IncludeConfig_is_root.pass.sh (82%)
|
|
rename linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh => shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh (65%)
|
|
rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_multiline_is_root.pass.sh (81%)
|
|
rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/is_other.fail.sh (70%)
|
|
rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/is_root.pass.sh (77%)
|
|
|
|
diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml
|
|
index 5c464fe556..8576343b9d 100644
|
|
--- a/controls/cis_sle12.yml
|
|
+++ b/controls/cis_sle12.yml
|
|
@@ -1321,7 +1321,9 @@ controls:
|
|
levels:
|
|
- l1_server
|
|
- l1_workstation
|
|
- status: manual
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - rsyslog_logging_configured
|
|
|
|
- id: 4.2.1.5
|
|
title: Ensure rsyslog is configured to send logs to a remote log host (Automated)
|
|
diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml
|
|
index 36d7616f90..f82341a038 100644
|
|
--- a/controls/cis_sle15.yml
|
|
+++ b/controls/cis_sle15.yml
|
|
@@ -1469,7 +1469,9 @@ controls:
|
|
levels:
|
|
- l1_server
|
|
- l1_workstation
|
|
- status: manual
|
|
+ automated: yes
|
|
+ rules:
|
|
+ - rsyslog_logging_configured
|
|
|
|
- id: 4.2.1.5
|
|
title: Ensure rsyslog is configured to send logs to a remote log host (Automated)
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var
|
|
deleted file mode 100644
|
|
index 7ebf8c191a..0000000000
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var
|
|
+++ /dev/null
|
|
@@ -1,18 +0,0 @@
|
|
-documentation_complete: true
|
|
-
|
|
-title: 'group who owns log files'
|
|
-
|
|
-description: |-
|
|
- Specify group owner of all logfiles specified in
|
|
- <tt>/etc/rsyslog.conf.</tt>
|
|
-
|
|
-type: string
|
|
-
|
|
-operator: equals
|
|
-
|
|
-interactive: false
|
|
-
|
|
-options:
|
|
- default: root
|
|
- adm: adm
|
|
- root: root
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
|
|
deleted file mode 100644
|
|
index 4567f4d411..0000000000
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
|
|
+++ /dev/null
|
|
@@ -1,116 +0,0 @@
|
|
-<def-group oval_version="5.11">
|
|
- <definition class="compliance" id="rsyslog_files_groupownership" version="1">
|
|
- {{{ oval_metadata("All syslog log files should be owned by the appropriate group.") }}}
|
|
-
|
|
- <criteria operator="AND">
|
|
- {{% if product in ["debian10", "debian11", "ubuntu1604"] %}}
|
|
- <extend_definition comment="rsyslog daemon is used as local logging daemon" definition_ref="package_rsyslog_installed" />
|
|
- {{% endif %}}
|
|
- <criterion comment="Check if all system log files are owned by the appropriate group" test_ref="test_rsyslog_files_groupownership" />
|
|
- </criteria>
|
|
-
|
|
- </definition>
|
|
-
|
|
- <!-- First obtain rsyslog's $IncludeConfig directive and include() object (introduced in rsyslog v8.33.0) values. -->
|
|
- <ind:textfilecontent54_object id="object_rfg_rsyslog_include_config_value" comment="rsyslog's $IncludeConfig directive and include() object values" version="1">
|
|
- <ind:filepath>/etc/rsyslog.conf</ind:filepath>
|
|
- <ind:pattern operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$</ind:pattern>
|
|
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
- </ind:textfilecontent54_object>
|
|
-
|
|
- <!-- Turn that glob value into Perl's regex so it can be used as filepath pattern below -->
|
|
- <local_variable id="var_rfg_include_config_regex" datatype="string" version="1" comment="$IncludeConfig value converted to regex">
|
|
- <unique>
|
|
- <glob_to_regex>
|
|
- <object_component item_field="subexpression" object_ref="object_rfg_rsyslog_include_config_value" />
|
|
- </glob_to_regex>
|
|
- </unique>
|
|
- </local_variable>
|
|
-
|
|
- <!-- Create a variable_object from the regex variable
|
|
- If the variable has no values, there won't be any objects -->
|
|
- <ind:variable_object id="object_var_rfg_include_config_regex" comment="Make variable object from regex variable" version="1">
|
|
- <ind:var_ref>var_rfg_include_config_regex</ind:var_ref>
|
|
- </ind:variable_object>
|
|
-
|
|
- <local_variable id="var_rfg_syslog_config" datatype="string" version="1" comment="Locations of all rsyslog configuration files as collection">
|
|
- <literal_component datatype="string">^/etc/rsyslog.conf$</literal_component>
|
|
- </local_variable>
|
|
-
|
|
- <ind:variable_object id="object_var_rfg_syslog_config" comment="Make variable object for use" version="1">
|
|
- <ind:var_ref>var_rfg_syslog_config</ind:var_ref>
|
|
- </ind:variable_object>
|
|
-
|
|
- <!-- Combine the two variable_objects into one variable_object
|
|
- We do it this way to avoid referencing an empty variable in a state comparison, which
|
|
- will cause a test to evaluate to fail. Combining an empty set of objects is fine though -->
|
|
- <ind:variable_object id="object_var_rfg_all_log_files" comment="Filter out empty string" version="1">
|
|
- <set>
|
|
- <object_reference>object_var_rfg_include_config_regex</object_reference>
|
|
- <object_reference>object_var_rfg_syslog_config</object_reference>
|
|
- </set>
|
|
- </ind:variable_object>
|
|
-
|
|
- <!-- In element filepath of object_rfg_log_files_paths we need to pass a list of values,
|
|
- a list of objects won't do. So we make a local_variable from the variable_objects. -->
|
|
- <local_variable id="var_rfg_all_log_files" datatype="string" version="1" comment="Locations of all rsyslog configuration files as collection">
|
|
- <object_component object_ref="object_var_rfg_all_log_files" item_field="value"/>
|
|
- </local_variable>
|
|
-
|
|
- <!-- For each item from that collection (particular rsyslog's configuration file path) search
|
|
- that rsyslog's configuration file to select file paths for log files directives
|
|
- -->
|
|
- <ind:textfilecontent54_object id="object_rfg_log_files_paths" comment="All rsyslog configuration files" version="1">
|
|
- <ind:filepath operation="pattern match" var_ref="var_rfg_all_log_files" var_check="at least one" />
|
|
- <!-- Chunk of text retrieved from rsyslog's configuration file is considered
|
|
- to constitute a log file path if all of the following conditions are met:
|
|
- * the string represents a regular file on particular file system
|
|
- (verified via corresponding file_state below),
|
|
- * the chunk of text is in the last column in the row,
|
|
- (possibly suffixed by ';' character and rsyslog Template name),
|
|
- * contains at least one slash '/' character, and simultaneously
|
|
- doesn't contain any of ';', ':' and space characters,
|
|
- * the chunk was retrieved from a row not starting with space, '#',
|
|
- or '$' characters
|
|
- -->
|
|
- <ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$</ind:pattern>
|
|
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
- <filter action="exclude">state_groupownership_ignore_include_paths</filter>
|
|
- </ind:textfilecontent54_object>
|
|
-
|
|
- <ind:textfilecontent54_state id="state_groupownership_ignore_include_paths" comment="ignore" version="1">
|
|
- <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
|
|
- include() or $IncludeConfig statements.
|
|
- These paths are conf files, not log files. Their groupownership don't need to be as
|
|
- required for log files, thus, lets exclude them from the list of objects found
|
|
- -->
|
|
- <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*)</ind:text>
|
|
- </ind:textfilecontent54_state>
|
|
-
|
|
- <!-- Define OVAL variable to hold all the various system log files locations
|
|
- retrieved from the different rsyslog configuration files
|
|
- -->
|
|
- <local_variable id="var_rfg_log_files_paths" datatype="string" version="1" comment="File paths of all rsyslog configuration files">
|
|
- <object_component item_field="subexpression" object_ref="object_rfg_log_files_paths" />
|
|
- </local_variable>
|
|
-
|
|
- <!-- Perform the test if all rsyslog system log files are owned by the appropriate group -->
|
|
- <unix:file_test check="all" check_existence="all_exist" id="test_rsyslog_files_groupownership" version="1" comment="System log files are owned by the appropriate group">
|
|
- <unix:object object_ref="object_rsyslog_files_groupownership" />
|
|
- <unix:state state_ref="state_rsyslog_files_groupownership" />
|
|
- </unix:file_test>
|
|
-
|
|
- <unix:file_object id="object_rsyslog_files_groupownership" comment="Various system log files" version="1">
|
|
- <unix:filepath datatype="string" var_ref="var_rfg_log_files_paths" var_check="at least one" />
|
|
- </unix:file_object>
|
|
-
|
|
- <unix:file_state id="state_rsyslog_files_groupownership" version="1">
|
|
- <unix:type operation="equals">regular</unix:type>
|
|
- {{% if product in ["debian10", "debian11", "ubuntu1604", "ubuntu2004", "ubuntu2204"] %}}
|
|
- <unix:group_id datatype="int">4</unix:group_id>
|
|
- {{% else %}}
|
|
- <unix:group_id datatype="int">0</unix:group_id>
|
|
- {{% endif %}}
|
|
- </unix:file_state>
|
|
-
|
|
-</def-group>
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml
|
|
index 4f797f4a21..13c89d90c5 100644
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml
|
|
@@ -4,15 +4,30 @@ title: 'Ensure Log Files Are Owned By Appropriate Group'
|
|
|
|
description: |-
|
|
The group-owner of all log files written by
|
|
- <tt>rsyslog</tt> should be <tt>{{{ xccdf_value("file_groupowner_logfiles_value") }}}</tt>.
|
|
+ <tt>rsyslog</tt> should be
|
|
+{{% if 'debian' in product or 'ubuntu' in product %}}
|
|
+ <tt>adm</tt>.
|
|
+{{% else %}}
|
|
+ <tt>root</tt>.
|
|
+{{% endif %}}
|
|
These log files are determined by the second part of each Rule line in
|
|
<tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>.
|
|
For each log file <i>LOGFILE</i> referenced in <tt>/etc/rsyslog.conf</tt>,
|
|
run the following command to inspect the file's group owner:
|
|
<pre>$ ls -l <i>LOGFILE</i></pre>
|
|
- If the owner is not <tt>{{{ xccdf_value("file_groupowner_logfiles_value") }}}</tt>, run the following command to
|
|
+ If the owner is not
|
|
+ {{% if 'debian' in product or 'ubuntu' in product %}}
|
|
+ <tt>adm</tt>,
|
|
+ {{% else %}}
|
|
+ <tt>root</tt>,
|
|
+ {{% endif %}}
|
|
+ run the following command to
|
|
correct this:
|
|
- <pre>$ sudo chgrp {{{ xccdf_value("file_groupowner_logfiles_value") }}} <i>LOGFILE</i></pre>
|
|
+{{% if 'debian' in product or 'ubuntu' in product %}}
|
|
+ <pre>$ sudo chgrp adm <i>LOGFILE</i></pre>
|
|
+{{% else %}}
|
|
+ <pre>$ sudo chgrp root <i>LOGFILE</i></pre>
|
|
+{{% endif %}}
|
|
|
|
rationale: |-
|
|
The log files generated by rsyslog contain valuable information regarding system
|
|
@@ -47,8 +62,24 @@ references:
|
|
ocil_clause: 'the group-owner is not correct'
|
|
|
|
ocil: |-
|
|
- The group-owner of all log files written by <tt>rsyslog</tt> should be <tt>{{{ xccdf_value("file_groupowner_logfiles_value") }}}</tt>.
|
|
+ The group-owner of all log files written by <tt>rsyslog</tt> should be
|
|
+ {{% if 'debian' in product or 'ubuntu' in product %}}
|
|
+ <tt>adm</tt>.
|
|
+ {{% else %}}
|
|
+ <tt>root</tt>.
|
|
+ {{% endif %}}
|
|
These log files are determined by the second part of each Rule line in
|
|
<tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>.
|
|
To see the group-owner of a given log file, run the following command:
|
|
<pre>$ ls -l <i>LOGFILE</i></pre>
|
|
+
|
|
+template:
|
|
+ name: rsyslog_logfiles_attributes_modify
|
|
+ vars:
|
|
+ attribute: groupowner
|
|
+ value: 0
|
|
+ value@debian10: 4
|
|
+ value@debian11: 4
|
|
+ value@ubuntu1604: 4
|
|
+ value@ubuntu2004: 4
|
|
+ value@ubuntu2204: 4
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh
|
|
deleted file mode 100755
|
|
index 575530ef2e..0000000000
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh
|
|
+++ /dev/null
|
|
@@ -1,42 +0,0 @@
|
|
-#!/bin/bash
|
|
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
|
|
-
|
|
-# Check rsyslog.conf with root group-owner log from rules and
|
|
-# non root group-owner log from $IncludeConfig fails.
|
|
-
|
|
-source $SHARED/rsyslog_log_utils.sh
|
|
-
|
|
-GROUP_TEST=testssg
|
|
-groupadd $GROUP_TEST
|
|
-
|
|
-GROUP_ROOT=root
|
|
-
|
|
-# setup test data
|
|
-create_rsyslog_test_logs 2
|
|
-
|
|
-# setup test log files ownership
|
|
-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[0]}
|
|
-chgrp $GROUP_TEST ${RSYSLOG_TEST_LOGS[1]}
|
|
-
|
|
-# create test configuration file
|
|
-test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
|
-cat << EOF > ${test_conf}
|
|
-# rsyslog configuration file
|
|
-
|
|
-#### RULES ####
|
|
-
|
|
-*.* ${RSYSLOG_TEST_LOGS[1]}
|
|
-EOF
|
|
-
|
|
-# create rsyslog.conf configuration file
|
|
-cat << EOF > $RSYSLOG_CONF
|
|
-# rsyslog configuration file
|
|
-
|
|
-#### RULES ####
|
|
-
|
|
-*.* ${RSYSLOG_TEST_LOGS[0]}
|
|
-
|
|
-#### MODULES ####
|
|
-
|
|
-\$IncludeConfig ${test_conf}
|
|
-EOF
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh
|
|
deleted file mode 100755
|
|
index 39efc1a4b7..0000000000
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh
|
|
+++ /dev/null
|
|
@@ -1,39 +0,0 @@
|
|
-#!/bin/bash
|
|
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
|
|
-
|
|
-# Check rsyslog.conf with root group-owner log from rules and
|
|
-# root group-owner log from $IncludeConfig passes.
|
|
-
|
|
-source $SHARED/rsyslog_log_utils.sh
|
|
-
|
|
-GROUP=root
|
|
-
|
|
-# setup test data
|
|
-create_rsyslog_test_logs 2
|
|
-
|
|
-# setup test log files ownership
|
|
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]}
|
|
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]}
|
|
-
|
|
-# create test configuration file
|
|
-test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
|
-cat << EOF > ${test_conf}
|
|
-# rsyslog configuration file
|
|
-
|
|
-#### RULES ####
|
|
-
|
|
-*.* ${RSYSLOG_TEST_LOGS[1]}
|
|
-EOF
|
|
-
|
|
-# create rsyslog.conf configuration file
|
|
-cat << EOF > $RSYSLOG_CONF
|
|
-# rsyslog configuration file
|
|
-
|
|
-#### RULES ####
|
|
-
|
|
-*.* ${RSYSLOG_TEST_LOGS[0]}
|
|
-
|
|
-#### MODULES ####
|
|
-
|
|
-\$IncludeConfig ${test_conf}
|
|
-EOF
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh
|
|
deleted file mode 100755
|
|
index c0db7056b4..0000000000
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh
|
|
+++ /dev/null
|
|
@@ -1,42 +0,0 @@
|
|
-#!/bin/bash
|
|
-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle
|
|
-
|
|
-# Check rsyslog.conf with root group-owner log from rules and
|
|
-# non root group-owner log from include() fails.
|
|
-
|
|
-source $SHARED/rsyslog_log_utils.sh
|
|
-
|
|
-GROUP_TEST=testssg
|
|
-groupadd $GROUP_TEST
|
|
-
|
|
-GROUP_ROOT=root
|
|
-
|
|
-# setup test data
|
|
-create_rsyslog_test_logs 2
|
|
-
|
|
-# setup test log files ownership
|
|
-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[0]}
|
|
-chgrp $GROUP_TEST ${RSYSLOG_TEST_LOGS[1]}
|
|
-
|
|
-# create test configuration file
|
|
-test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
|
-cat << EOF > ${test_conf}
|
|
-# rsyslog configuration file
|
|
-
|
|
-#### RULES ####
|
|
-
|
|
-*.* ${RSYSLOG_TEST_LOGS[1]}
|
|
-EOF
|
|
-
|
|
-# create rsyslog.conf configuration file
|
|
-cat << EOF > $RSYSLOG_CONF
|
|
-# rsyslog configuration file
|
|
-
|
|
-#### RULES ####
|
|
-
|
|
-*.* ${RSYSLOG_TEST_LOGS[0]}
|
|
-
|
|
-#### MODULES ####
|
|
-
|
|
-include(file="${test_conf}")
|
|
-EOF
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh
|
|
deleted file mode 100755
|
|
index 1feaf762fc..0000000000
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh
|
|
+++ /dev/null
|
|
@@ -1,39 +0,0 @@
|
|
-#!/bin/bash
|
|
-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle
|
|
-
|
|
-# Check rsyslog.conf with root group-owner log from rules and
|
|
-# root group-owner log from include() passes.
|
|
-
|
|
-source $SHARED/rsyslog_log_utils.sh
|
|
-
|
|
-GROUP=root
|
|
-
|
|
-# setup test data
|
|
-create_rsyslog_test_logs 2
|
|
-
|
|
-# setup test log files ownership
|
|
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]}
|
|
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]}
|
|
-
|
|
-# create test configuration file
|
|
-test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
|
-cat << EOF > ${test_conf}
|
|
-# rsyslog configuration file
|
|
-
|
|
-#### RULES ####
|
|
-
|
|
-*.* ${RSYSLOG_TEST_LOGS[1]}
|
|
-EOF
|
|
-
|
|
-# create rsyslog.conf configuration file
|
|
-cat << EOF > $RSYSLOG_CONF
|
|
-# rsyslog configuration file
|
|
-
|
|
-#### RULES ####
|
|
-
|
|
-*.* ${RSYSLOG_TEST_LOGS[0]}
|
|
-
|
|
-#### MODULES ####
|
|
-
|
|
-include(file="${test_conf}")
|
|
-EOF
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh
|
|
deleted file mode 100755
|
|
index 5a357d029b..0000000000
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh
|
|
+++ /dev/null
|
|
@@ -1,41 +0,0 @@
|
|
-#!/bin/bash
|
|
-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle
|
|
-
|
|
-# Check rsyslog.conf with root group-owner log from rules and
|
|
-# root group-owner log from multiline include() passes.
|
|
-
|
|
-source $SHARED/rsyslog_log_utils.sh
|
|
-
|
|
-GROUP=root
|
|
-
|
|
-# setup test data
|
|
-create_rsyslog_test_logs 2
|
|
-
|
|
-# setup test log files ownership
|
|
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]}
|
|
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]}
|
|
-
|
|
-# create test configuration file
|
|
-test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
|
-cat << EOF > ${test_conf}
|
|
-# rsyslog configuration file
|
|
-
|
|
-#### RULES ####
|
|
-
|
|
-*.* ${RSYSLOG_TEST_LOGS[1]}
|
|
-EOF
|
|
-
|
|
-# create rsyslog.conf configuration file
|
|
-cat << EOF > $RSYSLOG_CONF
|
|
-# rsyslog configuration file
|
|
-
|
|
-#### RULES ####
|
|
-
|
|
-*.* ${RSYSLOG_TEST_LOGS[0]}
|
|
-
|
|
-#### MODULES ####
|
|
-
|
|
-include(
|
|
- file="${test_conf}"
|
|
-)
|
|
-EOF
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh
|
|
deleted file mode 100755
|
|
index c7c01132f2..0000000000
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh
|
|
+++ /dev/null
|
|
@@ -1,25 +0,0 @@
|
|
-#!/bin/bash
|
|
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
|
|
-
|
|
-# Check if log file with non root group-owner in rsyslog.conf fails.
|
|
-
|
|
-source $SHARED/rsyslog_log_utils.sh
|
|
-
|
|
-GROUP=testssg
|
|
-
|
|
-groupadd $GROUP
|
|
-
|
|
-# setup test data
|
|
-create_rsyslog_test_logs 1
|
|
-
|
|
-# setup test log file ownership
|
|
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]}
|
|
-
|
|
-# add rule with non-root group owned log file
|
|
-cat << EOF > $RSYSLOG_CONF
|
|
-# rsyslog configuration file
|
|
-
|
|
-#### RULES ####
|
|
-
|
|
-*.* ${RSYSLOG_TEST_LOGS[0]}
|
|
-EOF
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh
|
|
deleted file mode 100755
|
|
index 0ecbb35bd1..0000000000
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh
|
|
+++ /dev/null
|
|
@@ -1,24 +0,0 @@
|
|
-#!/bin/bash
|
|
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
|
|
-
|
|
-# Check if log file with root group-owner in rsyslog.conf passes.
|
|
-
|
|
-source $SHARED/rsyslog_log_utils.sh
|
|
-
|
|
-GROUP=root
|
|
-
|
|
-# setup test data
|
|
-create_rsyslog_test_logs 1
|
|
-
|
|
-# setup test log file ownership
|
|
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]}
|
|
-
|
|
-# add rule with root group owned log file
|
|
-cat << EOF > $RSYSLOG_CONF
|
|
-# rsyslog configuration file
|
|
-
|
|
-#### RULES ####
|
|
-
|
|
-*.* ${RSYSLOG_TEST_LOGS[0]}
|
|
-
|
|
-EOF
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
|
|
deleted file mode 100644
|
|
index 8e3f68db26..0000000000
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
|
|
+++ /dev/null
|
|
@@ -1,114 +0,0 @@
|
|
-<def-group oval_version="5.11">
|
|
- <definition class="compliance" id="rsyslog_files_ownership" version="1">
|
|
- {{{ oval_metadata("All syslog log files should be owned by the appropriate user.") }}}
|
|
-
|
|
- <criteria>
|
|
- <criterion comment="Check if all system log files are owned by appropriate user" test_ref="test_rsyslog_files_ownership" />
|
|
- </criteria>
|
|
-
|
|
- </definition>
|
|
-
|
|
- <!-- First obtain rsyslog's $IncludeConfig directive and include() object (introduced in rsyslog v8.33.0) values. -->
|
|
- <ind:textfilecontent54_object id="object_rfo_rsyslog_include_config_value" comment="rsyslog's $IncludeConfig directive and include() object values" version="1">
|
|
- <ind:filepath>/etc/rsyslog.conf</ind:filepath>
|
|
- <ind:pattern operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$</ind:pattern>
|
|
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
- </ind:textfilecontent54_object>
|
|
-
|
|
- <!-- Turn that glob value into Perl's regex so it can be used as filepath pattern below -->
|
|
- <local_variable id="var_rfo_include_config_regex" datatype="string" version="1" comment="$IncludeConfig value converted to regex">
|
|
- <unique>
|
|
- <glob_to_regex>
|
|
- <object_component item_field="subexpression" object_ref="object_rfo_rsyslog_include_config_value" />
|
|
- </glob_to_regex>
|
|
- </unique>
|
|
- </local_variable>
|
|
-
|
|
- <!-- Create a variable_object from the regex variable
|
|
- If the variable has no values, there won't be any objects -->
|
|
- <ind:variable_object id="object_var_rfo_include_config_regex" comment="Make variable object from regex variable" version="1">
|
|
- <ind:var_ref>var_rfo_include_config_regex</ind:var_ref>
|
|
- </ind:variable_object>
|
|
-
|
|
- <local_variable id="var_rfo_syslog_config" datatype="string" version="1" comment="Locations of all rsyslog configuration files as collection">
|
|
- <literal_component datatype="string">^/etc/rsyslog.conf$</literal_component>
|
|
- </local_variable>
|
|
-
|
|
- <ind:variable_object id="object_var_rfo_syslog_config" comment="Make variable object for use" version="1">
|
|
- <ind:var_ref>var_rfo_syslog_config</ind:var_ref>
|
|
- </ind:variable_object>
|
|
-
|
|
- <!-- Combine the two variable_objects into one variable_object
|
|
- We do it this way to avoid referencing an empty variable in a state comparison, which
|
|
- will cause a test to evaluate to fail. Combining an empty set of objects is fine though -->
|
|
- <ind:variable_object id="object_var_rfo_all_log_files" comment="Filter out empty string" version="1">
|
|
- <set>
|
|
- <object_reference>object_var_rfo_include_config_regex</object_reference>
|
|
- <object_reference>object_var_rfo_syslog_config</object_reference>
|
|
- </set>
|
|
- </ind:variable_object>
|
|
-
|
|
- <!-- In element filepath of object_rfg_log_files_paths we need to pass a list of values,
|
|
- a list of objects won't do. So we make a local_variable from the variable_objects. -->
|
|
- <local_variable id="var_rfo_all_log_files" datatype="string" version="1" comment="Locations of all rsyslog configuration files as collection">
|
|
- <object_component object_ref="object_var_rfo_all_log_files" item_field="value"/>
|
|
- </local_variable>
|
|
-
|
|
- <!-- For each item from that collection (particular rsyslog's configuration file path) search
|
|
- that rsyslog's configuration file to select file paths for log files directives
|
|
- -->
|
|
- <ind:textfilecontent54_object id="object_rfo_log_files_paths" comment="All rsyslog configuration files" version="1">
|
|
- <ind:filepath operation="pattern match" var_ref="var_rfo_all_log_files" var_check="at least one" />
|
|
- <!-- Chunk of text retrieved from rsyslog's configuration file is considered
|
|
- to constitute a log file path if all of the following conditions are met:
|
|
- * the string represents a regular file on particular file system
|
|
- (verified via corresponding file_state below),
|
|
- * the chunk of text is in the last column in the row,
|
|
- (possibly suffixed by ';' character and rsyslog Template name),
|
|
- * contains at least one slash '/' character, and simultaneously
|
|
- doesn't contain any of ';', ':' and space characters,
|
|
- * the chunk was retrieved from a row not starting with space, '#',
|
|
- or '$' characters
|
|
- -->
|
|
- <ind:pattern operation="pattern match">^[^(#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$</ind:pattern>
|
|
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
- <filter action="exclude">state_owner_ignore_include_paths</filter>
|
|
- </ind:textfilecontent54_object>
|
|
-
|
|
- <ind:textfilecontent54_state id="state_owner_ignore_include_paths" comment="ignore" version="1">
|
|
- <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
|
|
- include() or $IncludeConfig statements.
|
|
- These paths are conf files, not log files. Their owner don't need to be as
|
|
- required for log files, thus, lets exclude them from the list of objects found
|
|
- -->
|
|
- <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*)</ind:text>
|
|
- </ind:textfilecontent54_state>
|
|
-
|
|
- <!-- Define OVAL variable to hold all the various system log files locations
|
|
- retrieved from the different rsyslog configuration files
|
|
- -->
|
|
- <local_variable id="var_rfo_log_files_paths" datatype="string" version="1" comment="File paths of all rsyslog configuration files">
|
|
- <object_component item_field="subexpression" object_ref="object_rfo_log_files_paths" />
|
|
- </local_variable>
|
|
-
|
|
- <!-- Perform the test if all rsyslog system log files are owned by the appropriate user -->
|
|
- <unix:file_test check="all" check_existence="all_exist" id="test_rsyslog_files_ownership" version="1" comment="System log files are owned by the appropriate user">
|
|
- <unix:object object_ref="object_rsyslog_files_ownership" />
|
|
- <unix:state state_ref="state_rsyslog_files_ownership" />
|
|
- </unix:file_test>
|
|
-
|
|
- <unix:file_object id="object_rsyslog_files_ownership" comment="Various system log files" version="1">
|
|
- <unix:filepath datatype="string" var_ref="var_rfo_log_files_paths" var_check="at least one" />
|
|
- </unix:file_object>
|
|
-
|
|
- <unix:file_state id="state_rsyslog_files_ownership" version="1">
|
|
- <unix:type operation="equals">regular</unix:type>
|
|
-
|
|
- {{% if product in ["ubuntu2004", "ubuntu2204"] %}}
|
|
- <unix:user_id datatype="int">104</unix:user_id>
|
|
- {{% else %}}
|
|
- <unix:user_id datatype="int">0</unix:user_id>
|
|
- {{% endif %}}
|
|
- </unix:file_state>
|
|
-
|
|
-</def-group>
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml
|
|
index 37c87b07cd..0d9bf40f4b 100644
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml
|
|
@@ -4,15 +4,36 @@ title: 'Ensure Log Files Are Owned By Appropriate User'
|
|
|
|
description: |-
|
|
The owner of all log files written by
|
|
- <tt>rsyslog</tt> should be <tt>{{{ xccdf_value("file_owner_logfiles_value") }}}</tt>.
|
|
+ <tt>rsyslog</tt> should be
|
|
+ {{% if product in ['ubuntu2204','ubuntu2004'] %}}
|
|
+ <tt>syslog</tt>.
|
|
+ {{% elif 'debian' in product or 'ubuntu' in product %}}
|
|
+ <tt>adm</tt>.
|
|
+ {{% else %}}
|
|
+ <tt>root</tt>.
|
|
+ {{% endif %}}
|
|
These log files are determined by the second part of each Rule line in
|
|
<tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>.
|
|
For each log file <i>LOGFILE</i> referenced in <tt>/etc/rsyslog.conf</tt>,
|
|
run the following command to inspect the file's owner:
|
|
<pre>$ ls -l <i>LOGFILE</i></pre>
|
|
- If the owner is not <tt>{{{ xccdf_value("file_owner_logfiles_value") }}}</tt>, run the following command to
|
|
+ If the owner is not
|
|
+ {{% if product in ['ubuntu2204','ubuntu2004'] %}}
|
|
+ <tt>syslog</tt>,
|
|
+ {{% elif 'debian' in product or 'ubuntu' in product %}}
|
|
+ <tt>adm</tt>,
|
|
+ {{% else %}}
|
|
+ <tt>root</tt>,
|
|
+ {{% endif %}}
|
|
+ run the following command to
|
|
correct this:
|
|
- <pre>$ sudo chown {{{ xccdf_value("file_owner_logfiles_value") }}} <i>LOGFILE</i></pre>
|
|
+ {{% if product in ['ubuntu2204','ubuntu2004'] %}}
|
|
+ <pre>$ sudo chown syslog <i>LOGFILE</i></pre>
|
|
+ {{% elif 'debian' in product or 'ubuntu' in product %}}
|
|
+ <pre>$ sudo chown adm <i>LOGFILE</i></pre>
|
|
+ {{% else %}}
|
|
+ <pre>$ sudo chown root <i>LOGFILE</i></pre>
|
|
+ {{% endif %}}
|
|
|
|
rationale: |-
|
|
The log files generated by rsyslog contain valuable information regarding system
|
|
@@ -47,8 +68,23 @@ references:
|
|
ocil_clause: 'the owner is not correct'
|
|
|
|
ocil: |-
|
|
- The owner of all log files written by <tt>rsyslog</tt> should be <tt>{{{ xccdf_value("file_owner_logfiles_value") }}}</tt>.
|
|
+ The owner of all log files written by <tt>rsyslog</tt> should be
|
|
+ {{% if product in ['ubuntu2204','ubuntu2004'] %}}
|
|
+ <tt>syslog</tt>.
|
|
+ {{% elif 'debian' in product or 'ubuntu' in product %}}
|
|
+ <tt>adm</tt>.
|
|
+ {{% else %}}
|
|
+ <tt>root</tt>.
|
|
+ {{% endif %}}
|
|
These log files are determined by the second part of each Rule line in
|
|
<tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>.
|
|
To see the owner of a given log file, run the following command:
|
|
<pre>$ ls -l <i>LOGFILE</i></pre>
|
|
+
|
|
+template:
|
|
+ name: rsyslog_logfiles_attributes_modify
|
|
+ vars:
|
|
+ attribute: owner
|
|
+ value: 0
|
|
+ value@ubuntu2004: 104
|
|
+ value@ubuntu2204: 104
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml
|
|
new file mode 100644
|
|
index 0000000000..041e263155
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml
|
|
@@ -0,0 +1,12 @@
|
|
+# platform = multi_platform_sle
|
|
+# reboot = false
|
|
+# strategy = restrict
|
|
+# complexity = low
|
|
+# disruption = low
|
|
+
|
|
+- name: "Set rsyslog remote loghost"
|
|
+ lineinfile:
|
|
+ dest: /etc/rsyslog.conf
|
|
+ regexp: "^\\*\\.\\*"
|
|
+ line: "*.* /var/log/messages"
|
|
+ create: yes
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh
|
|
new file mode 100644
|
|
index 0000000000..d634610225
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh
|
|
@@ -0,0 +1,7 @@
|
|
+# platform = multi_platform_sle
|
|
+# reboot = false
|
|
+# strategy = restrict
|
|
+# complexity = low
|
|
+# disruption = low
|
|
+
|
|
+{{{ bash_replace_or_append('/etc/rsyslog.conf', '^\*\.\*', "/var/log/messages", '%s %s') }}}
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml
|
|
new file mode 100644
|
|
index 0000000000..89e1e7616e
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml
|
|
@@ -0,0 +1,41 @@
|
|
+<def-group>
|
|
+ <definition class="compliance" id="rsyslog_logging_configured" version="1">
|
|
+ {{{ oval_metadata("Syslog logs should be configured") }}}
|
|
+
|
|
+ <criteria operator="AND">
|
|
+ {{% if product in ["debian10", "debian11", "ubuntu1604", "ubuntu1804"] %}}
|
|
+ <extend_definition comment="rsyslog daemon is used as local logging daemon" definition_ref="package_rsyslog_installed" />
|
|
+ {{% endif %}}
|
|
+ <criteria operator="OR">
|
|
+ <criterion comment="Logging configured within /etc/rsyslog.conf" test_ref="test_logging_configured_rsyslog_conf" />
|
|
+ <criterion comment="Remote logging set within /etc/rsyslog.d" test_ref="test_logging_configured_rsyslog_d" />
|
|
+ </criteria>
|
|
+ </criteria>
|
|
+ </definition>
|
|
+
|
|
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
|
|
+ comment="Ensures system logging configured in main conf file"
|
|
+ id="test_logging_configured_rsyslog_conf" version="1">
|
|
+ <ind:object object_ref="object_logging_configured_rsyslog_conf" />
|
|
+ </ind:textfilecontent54_test>
|
|
+
|
|
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
|
|
+ comment="Ensures system logging_configured in .d files"
|
|
+ id="test_logging_configured_rsyslog_d" version="1">
|
|
+ <ind:object object_ref="object_logging_configured_rsyslog_d" />
|
|
+ </ind:textfilecontent54_test>
|
|
+
|
|
+ <ind:textfilecontent54_object id="object_logging_configured_rsyslog_conf" version="1">
|
|
+ <ind:filepath>/etc/rsyslog.conf</ind:filepath>
|
|
+ <ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+(\:\w+\:\S*|-?(\/+[^:;\s]+);*\.*)$</ind:pattern>
|
|
+ <ind:instance datatype="int">1</ind:instance>
|
|
+ </ind:textfilecontent54_object>
|
|
+
|
|
+ <ind:textfilecontent54_object id="object_logging_configured_rsyslog_d" version="1">
|
|
+ <ind:path>/etc/rsyslog.d</ind:path>
|
|
+ <ind:filename operation="pattern match">^.+\.conf$</ind:filename>
|
|
+ <ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+(\:\w+\:\S*|-?(\/+[^:;\s]+);*\.*)$</ind:pattern>
|
|
+ <ind:instance datatype="int">1</ind:instance>
|
|
+ </ind:textfilecontent54_object>
|
|
+
|
|
+</def-group>
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml
|
|
new file mode 100644
|
|
index 0000000000..f9477de9e9
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml
|
|
@@ -0,0 +1,34 @@
|
|
+documentation_complete: true
|
|
+
|
|
+title: 'Ensure logging is configured'
|
|
+
|
|
+description: |-
|
|
+ The <tt>/etc/rsyslog.conf</tt> and <tt>/etc/rsyslog.d/*.conf</tt> files
|
|
+ specifies rules for logging and which files are to be used to log certain
|
|
+ classes of messages.
|
|
+
|
|
+rationale: |-
|
|
+ A great deal of important security-related information is sent via
|
|
+ rsyslog (e.g., successful and failed su attempts, failed login attempts,
|
|
+ root login attempts, etc.).
|
|
+
|
|
+severity: medium
|
|
+
|
|
+identifiers:
|
|
+ cce@sle12: CCE-92379-7
|
|
+ cce@sle15: CCE-92497-7
|
|
+
|
|
+references:
|
|
+ cis@sle12: 4.2.1.4
|
|
+ cis@sle15: 4.2.1.4
|
|
+
|
|
+ocil_clause: 'no logging is configured'
|
|
+
|
|
+ocil: |-
|
|
+ Review the contents of the <tt>/etc/rsyslog.conf</tt> and <tt>/etc/rsyslog.d/*.conf</tt>
|
|
+ files to ensure appropriate logging is set. In addition, run the following command:
|
|
+ <pre>ls -l /var/log/</pre>
|
|
+ and verify that the log files are logging information
|
|
+
|
|
+fixtext: |-
|
|
+ Configure logging with selectors covering each priority
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh
|
|
new file mode 100644
|
|
index 0000000000..a4fb1cf07a
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh
|
|
@@ -0,0 +1,13 @@
|
|
+#!/bin/bash
|
|
+# platform = multi_platform_sle
|
|
+
|
|
+# Check rsyslog.conf with no includes and all loggging facility/priority configured to go to /var/log/messages
|
|
+
|
|
+source $SHARED/rsyslog_log_utils.sh
|
|
+cat << EOF > ${RSYSLOG_CONF}
|
|
+# rsyslog configuration file
|
|
+
|
|
+#### RULES ####
|
|
+
|
|
+*.* /var/log/messages
|
|
+EOF
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh
|
|
new file mode 100644
|
|
index 0000000000..158cf4c98d
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh
|
|
@@ -0,0 +1,12 @@
|
|
+#!/bin/bash
|
|
+# platform = multi_platform_sle
|
|
+
|
|
+# Check rsyslog.conf with no includes and no loggging facility/priority configured
|
|
+
|
|
+source $SHARED/rsyslog_log_utils.sh
|
|
+cat << EOF > ${RSYSLOG_CONF}
|
|
+# rsyslog configuration file
|
|
+
|
|
+#### RULES ####
|
|
+
|
|
+EOF
|
|
diff --git a/products/debian10/profiles/anssi_np_nt28_average.profile b/products/debian10/profiles/anssi_np_nt28_average.profile
|
|
index 600f1a6f71..4c42814719 100644
|
|
--- a/products/debian10/profiles/anssi_np_nt28_average.profile
|
|
+++ b/products/debian10/profiles/anssi_np_nt28_average.profile
|
|
@@ -22,9 +22,7 @@ selections:
|
|
- sshd_allow_only_protocol2
|
|
- var_sshd_set_keepalive=0
|
|
- sshd_set_keepalive_0
|
|
- - file_owner_logfiles_value=adm
|
|
- rsyslog_files_ownership
|
|
- - file_groupowner_logfiles_value=adm
|
|
- rsyslog_files_groupownership
|
|
- rsyslog_files_permissions
|
|
- "!rsyslog_remote_loghost"
|
|
diff --git a/products/debian10/profiles/standard.profile b/products/debian10/profiles/standard.profile
|
|
index 3784182fa1..446f5aca1d 100644
|
|
--- a/products/debian10/profiles/standard.profile
|
|
+++ b/products/debian10/profiles/standard.profile
|
|
@@ -33,9 +33,7 @@ selections:
|
|
- sshd_allow_only_protocol2
|
|
- var_sshd_set_keepalive=0
|
|
- sshd_set_keepalive_0
|
|
- - file_owner_logfiles_value=adm
|
|
- rsyslog_files_ownership
|
|
- - file_groupowner_logfiles_value=adm
|
|
- rsyslog_files_groupownership
|
|
- rsyslog_files_permissions
|
|
- "!rsyslog_remote_loghost"
|
|
diff --git a/products/debian11/profiles/anssi_np_nt28_average.profile b/products/debian11/profiles/anssi_np_nt28_average.profile
|
|
index 600f1a6f71..4c42814719 100644
|
|
--- a/products/debian11/profiles/anssi_np_nt28_average.profile
|
|
+++ b/products/debian11/profiles/anssi_np_nt28_average.profile
|
|
@@ -22,9 +22,7 @@ selections:
|
|
- sshd_allow_only_protocol2
|
|
- var_sshd_set_keepalive=0
|
|
- sshd_set_keepalive_0
|
|
- - file_owner_logfiles_value=adm
|
|
- rsyslog_files_ownership
|
|
- - file_groupowner_logfiles_value=adm
|
|
- rsyslog_files_groupownership
|
|
- rsyslog_files_permissions
|
|
- "!rsyslog_remote_loghost"
|
|
diff --git a/products/debian11/profiles/standard.profile b/products/debian11/profiles/standard.profile
|
|
index e1b2c718df..c21f8d592b 100644
|
|
--- a/products/debian11/profiles/standard.profile
|
|
+++ b/products/debian11/profiles/standard.profile
|
|
@@ -33,9 +33,7 @@ selections:
|
|
- sshd_allow_only_protocol2
|
|
- var_sshd_set_keepalive=0
|
|
- sshd_set_keepalive_0
|
|
- - file_owner_logfiles_value=adm
|
|
- rsyslog_files_ownership
|
|
- - file_groupowner_logfiles_value=adm
|
|
- rsyslog_files_groupownership
|
|
- rsyslog_files_permissions
|
|
- "!rsyslog_remote_loghost"
|
|
diff --git a/products/rhel7/profiles/rht-ccp.profile b/products/rhel7/profiles/rht-ccp.profile
|
|
index 12a3a25013..a246d5a094 100644
|
|
--- a/products/rhel7/profiles/rht-ccp.profile
|
|
+++ b/products/rhel7/profiles/rht-ccp.profile
|
|
@@ -11,8 +11,6 @@ description: |-
|
|
selections:
|
|
- var_selinux_state=enforcing
|
|
- var_selinux_policy_name=targeted
|
|
- - file_owner_logfiles_value=root
|
|
- - file_groupowner_logfiles_value=root
|
|
- sshd_idle_timeout_value=5_minutes
|
|
- var_accounts_minimum_age_login_defs=7
|
|
- var_accounts_passwords_pam_faillock_deny=5
|
|
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
|
|
index ae1e7d5a15..0a00d2f46b 100644
|
|
--- a/products/rhel8/profiles/rht-ccp.profile
|
|
+++ b/products/rhel8/profiles/rht-ccp.profile
|
|
@@ -11,8 +11,6 @@ description: |-
|
|
selections:
|
|
- var_selinux_state=enforcing
|
|
- var_selinux_policy_name=targeted
|
|
- - file_owner_logfiles_value=root
|
|
- - file_groupowner_logfiles_value=root
|
|
- sshd_idle_timeout_value=5_minutes
|
|
- var_logind_session_timeout=5_minutes
|
|
- var_accounts_minimum_age_login_defs=7
|
|
diff --git a/products/sle12/profiles/anssi_bp28_intermediary.profile b/products/sle12/profiles/anssi_bp28_intermediary.profile
|
|
index 24a98fd824..22498b6b6f 100644
|
|
--- a/products/sle12/profiles/anssi_bp28_intermediary.profile
|
|
+++ b/products/sle12/profiles/anssi_bp28_intermediary.profile
|
|
@@ -23,3 +23,4 @@ description: |-
|
|
|
|
selections:
|
|
- anssi:all:intermediary
|
|
+
|
|
diff --git a/products/sle15/profiles/standard.profile b/products/sle15/profiles/standard.profile
|
|
index 204804c2ee..1af0a865ef 100644
|
|
--- a/products/sle15/profiles/standard.profile
|
|
+++ b/products/sle15/profiles/standard.profile
|
|
@@ -29,9 +29,7 @@ selections:
|
|
- service_cron_enabled
|
|
- service_ntp_enabled
|
|
- service_rsyslog_enabled
|
|
- - file_owner_logfiles_value=adm
|
|
- rsyslog_files_ownership
|
|
- - file_groupowner_logfiles_value=adm
|
|
- rsyslog_files_groupownership
|
|
- rsyslog_files_permissions
|
|
- ensure_logrotate_activated
|
|
diff --git a/products/ubuntu1604/profiles/anssi_np_nt28_average.profile b/products/ubuntu1604/profiles/anssi_np_nt28_average.profile
|
|
index 600f1a6f71..4c42814719 100644
|
|
--- a/products/ubuntu1604/profiles/anssi_np_nt28_average.profile
|
|
+++ b/products/ubuntu1604/profiles/anssi_np_nt28_average.profile
|
|
@@ -22,9 +22,7 @@ selections:
|
|
- sshd_allow_only_protocol2
|
|
- var_sshd_set_keepalive=0
|
|
- sshd_set_keepalive_0
|
|
- - file_owner_logfiles_value=adm
|
|
- rsyslog_files_ownership
|
|
- - file_groupowner_logfiles_value=adm
|
|
- rsyslog_files_groupownership
|
|
- rsyslog_files_permissions
|
|
- "!rsyslog_remote_loghost"
|
|
diff --git a/products/ubuntu1604/profiles/standard.profile b/products/ubuntu1604/profiles/standard.profile
|
|
index 6fd70f0da6..93001f3bfe 100644
|
|
--- a/products/ubuntu1604/profiles/standard.profile
|
|
+++ b/products/ubuntu1604/profiles/standard.profile
|
|
@@ -34,9 +34,7 @@ selections:
|
|
- sshd_allow_only_protocol2
|
|
- var_sshd_set_keepalive=0
|
|
- sshd_set_keepalive_0
|
|
- - file_owner_logfiles_value=adm
|
|
- rsyslog_files_ownership
|
|
- - file_groupowner_logfiles_value=adm
|
|
- rsyslog_files_groupownership
|
|
- rsyslog_files_permissions
|
|
- "!rsyslog_remote_loghost"
|
|
diff --git a/products/ubuntu1804/profiles/anssi_np_nt28_average.profile b/products/ubuntu1804/profiles/anssi_np_nt28_average.profile
|
|
index 600f1a6f71..4c42814719 100644
|
|
--- a/products/ubuntu1804/profiles/anssi_np_nt28_average.profile
|
|
+++ b/products/ubuntu1804/profiles/anssi_np_nt28_average.profile
|
|
@@ -22,9 +22,7 @@ selections:
|
|
- sshd_allow_only_protocol2
|
|
- var_sshd_set_keepalive=0
|
|
- sshd_set_keepalive_0
|
|
- - file_owner_logfiles_value=adm
|
|
- rsyslog_files_ownership
|
|
- - file_groupowner_logfiles_value=adm
|
|
- rsyslog_files_groupownership
|
|
- rsyslog_files_permissions
|
|
- "!rsyslog_remote_loghost"
|
|
diff --git a/products/ubuntu1804/profiles/standard.profile b/products/ubuntu1804/profiles/standard.profile
|
|
index d587d499d8..a17117818e 100644
|
|
--- a/products/ubuntu1804/profiles/standard.profile
|
|
+++ b/products/ubuntu1804/profiles/standard.profile
|
|
@@ -32,9 +32,7 @@ selections:
|
|
- sshd_allow_only_protocol2
|
|
- var_sshd_set_keepalive=0
|
|
- sshd_set_keepalive_0
|
|
- - file_owner_logfiles_value=adm
|
|
- rsyslog_files_ownership
|
|
- - file_groupowner_logfiles_value=adm
|
|
- rsyslog_files_groupownership
|
|
- rsyslog_files_permissions
|
|
- "!rsyslog_remote_loghost"
|
|
diff --git a/products/ubuntu2004/profiles/standard.profile b/products/ubuntu2004/profiles/standard.profile
|
|
index 823a69a5d9..6ed27aa16d 100644
|
|
--- a/products/ubuntu2004/profiles/standard.profile
|
|
+++ b/products/ubuntu2004/profiles/standard.profile
|
|
@@ -31,9 +31,7 @@ selections:
|
|
- sshd_disable_empty_passwords
|
|
- var_sshd_set_keepalive=0
|
|
- sshd_set_keepalive
|
|
- - file_owner_logfiles_value=syslog
|
|
- rsyslog_files_ownership
|
|
- - file_groupowner_logfiles_value=adm
|
|
- rsyslog_files_groupownership
|
|
- rsyslog_files_permissions
|
|
- "!rsyslog_remote_loghost"
|
|
diff --git a/products/ubuntu2204/profiles/standard.profile b/products/ubuntu2204/profiles/standard.profile
|
|
index c8bc5369c9..1bb9f43e7d 100644
|
|
--- a/products/ubuntu2204/profiles/standard.profile
|
|
+++ b/products/ubuntu2204/profiles/standard.profile
|
|
@@ -31,9 +31,7 @@ selections:
|
|
- sshd_disable_empty_passwords
|
|
- var_sshd_set_keepalive=0
|
|
- sshd_set_keepalive
|
|
- - file_owner_logfiles_value=syslog
|
|
- rsyslog_files_ownership
|
|
- - file_groupowner_logfiles_value=adm
|
|
- rsyslog_files_groupownership
|
|
- rsyslog_files_permissions
|
|
- "!rsyslog_remote_loghost"
|
|
diff --git a/shared/references/cce-sle12-avail.txt b/shared/references/cce-sle12-avail.txt
|
|
index c119834759..4e0a76f8de 100644
|
|
--- a/shared/references/cce-sle12-avail.txt
|
|
+++ b/shared/references/cce-sle12-avail.txt
|
|
@@ -54,7 +54,6 @@ CCE-92375-5
|
|
CCE-92376-3
|
|
CCE-92377-1
|
|
CCE-92378-9
|
|
-CCE-92379-7
|
|
CCE-92380-5
|
|
CCE-92381-3
|
|
CCE-92382-1
|
|
diff --git a/shared/references/cce-sle15-avail.txt b/shared/references/cce-sle15-avail.txt
|
|
index d04c40d31f..e39dae033e 100644
|
|
--- a/shared/references/cce-sle15-avail.txt
|
|
+++ b/shared/references/cce-sle15-avail.txt
|
|
@@ -17,7 +17,6 @@ CCE-92492-8
|
|
CCE-92493-6
|
|
CCE-92495-1
|
|
CCE-92496-9
|
|
-CCE-92497-7
|
|
CCE-92498-5
|
|
CCE-92499-3
|
|
CCE-92500-8
|
|
diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template
|
|
new file mode 100644
|
|
index 0000000000..fc9e8844b6
|
|
--- /dev/null
|
|
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template
|
|
@@ -0,0 +1,68 @@
|
|
+# platform = multi_platform_all
|
|
+# reboot = false
|
|
+# strategy = configure
|
|
+# complexity = low
|
|
+# disruption = medium
|
|
+
|
|
+- name: '{{{ rule_title }}} - Set rsyslog logfile configuration facts'
|
|
+ ansible.builtin.set_fact:
|
|
+ rsyslog_etc_config: "/etc/rsyslog.conf"
|
|
+
|
|
+# * And also the log file paths listed after rsyslog's $IncludeConfig directive
|
|
+# (store the result into array for the case there's shell glob used as value of IncludeConfig)
|
|
+- name: '{{{ rule_title }}} - Get IncludeConfig directive'
|
|
+ ansible.builtin.shell: |
|
|
+ set -o pipefail
|
|
+ grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
|
|
+ register: rsyslog_old_inc
|
|
+ changed_when: False
|
|
+
|
|
+- name: '{{{ rule_title }}} - Get include files directives'
|
|
+ ansible.builtin.shell: |
|
|
+ set -o pipefail
|
|
+ grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true
|
|
+ register: rsyslog_new_inc
|
|
+ changed_when: False
|
|
+
|
|
+- name: '{{{ rule_title }}} - Aggregate rsyslog includes'
|
|
+ ansible.builtin.set_fact:
|
|
+ include_config_output: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}"
|
|
+
|
|
+- name: '{{{ rule_title }}} - List all config files'
|
|
+ ansible.builtin.find:
|
|
+ paths: "{{ include_config_output | list | map('dirname') }}"
|
|
+ patterns: "{{ include_config_output | list | map('basename') }}"
|
|
+ hidden: no
|
|
+ follow: yes
|
|
+ register: rsyslog_config_files
|
|
+ failed_when: False
|
|
+ changed_when: False
|
|
+
|
|
+- name: '{{{ rule_title }}} - Extract log files old format'
|
|
+ ansible.builtin.shell: |
|
|
+ set -o pipefail
|
|
+ grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item }} |awk '{print $NF}'|sed -e 's/^-//' || true
|
|
+ loop: "{{ rsyslog_config_files.files|map(attribute='path')|list|flatten|unique + [ rsyslog_etc_config ] }}"
|
|
+ register: log_files_old
|
|
+ changed_when: False
|
|
+
|
|
+- name: '{{{ rule_title }}} - Extract log files new format'
|
|
+ ansible.builtin.shell: |
|
|
+ set -o pipefail
|
|
+ grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true
|
|
+ loop: "{{ rsyslog_config_files.files|map(attribute='path')|list|flatten|unique + [ rsyslog_etc_config ] }}"
|
|
+ register: log_files_new
|
|
+ changed_when: False
|
|
+
|
|
+- name: '{{{ rule_title }}} - Sum all log files found'
|
|
+ ansible.builtin.set_fact:
|
|
+ log_files: "{{ log_files_new.results|map(attribute='stdout_lines')|list|flatten|unique + log_files_old.results|map(attribute='stdout_lines')|list|flatten|unique }}"
|
|
+
|
|
+- name: '{{{ rule_title }}} -Setup log files attribute'
|
|
+ ansible.builtin.file:
|
|
+ path: "{{ item }}"
|
|
+ owner: '{{ ( "{{{ ATTRIBUTE }}}" is match("owner")) | ternary({{{ VALUE }}}, omit) }}'
|
|
+ group: '{{ ( "{{{ ATTRIBUTE }}}" is match("groupowner")) | ternary({{{ VALUE }}} , omit) }}'
|
|
+ state: file
|
|
+ loop: "{{ log_files | list | flatten | unique }}"
|
|
+ failed_when: false
|
|
diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template
|
|
new file mode 100644
|
|
index 0000000000..ab4a563dc5
|
|
--- /dev/null
|
|
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template
|
|
@@ -0,0 +1,110 @@
|
|
+# platform = multi_platform_all
|
|
+
|
|
+# List of log file paths to be inspected for correct permissions
|
|
+# * Primarily inspect log file paths listed in /etc/rsyslog.conf
|
|
+RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
|
|
+# * And also the log file paths listed after rsyslog's $IncludeConfig directive
|
|
+# (store the result into array for the case there's shell glob used as value of IncludeConfig)
|
|
+readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
|
|
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
|
|
+readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
|
+readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
|
|
+
|
|
+# Declare an array to hold the final list of different log file paths
|
|
+declare -a LOG_FILE_PATHS
|
|
+
|
|
+# Array to hold all rsyslog config entries
|
|
+RSYSLOG_CONFIGS=()
|
|
+RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
|
|
+
|
|
+# Get full list of files to be checked
|
|
+# RSYSLOG_CONFIGS may contain globs such as
|
|
+# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
|
|
+# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
|
|
+RSYSLOG_CONFIG_FILES=()
|
|
+for ENTRY in "${RSYSLOG_CONFIGS[@]}"
|
|
+do
|
|
+ # If directory, rsyslog will search for config files in recursively.
|
|
+ # However, files in hidden sub-directories or hidden files will be ignored.
|
|
+ if [ -d "${ENTRY}" ]
|
|
+ then
|
|
+ readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f)
|
|
+ RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
|
|
+ elif [ -f "${ENTRY}" ]
|
|
+ then
|
|
+ RSYSLOG_CONFIG_FILES+=("${ENTRY}")
|
|
+ else
|
|
+ echo "Invalid include object: ${ENTRY}"
|
|
+ fi
|
|
+done
|
|
+
|
|
+# Browse each file selected above as containing paths of log files
|
|
+# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
|
|
+for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
|
|
+do
|
|
+ # From each of these files extract just particular log file path(s), thus:
|
|
+ # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
|
|
+ # * Ignore empty lines,
|
|
+ # * Strip quotes and closing brackets from paths.
|
|
+ # * Ignore paths that match /dev|/etc.*\.conf, as those are paths, but likely not log files
|
|
+ # * From the remaining valid rows select only fields constituting a log file path
|
|
+ # Text file column is understood to represent a log file path if and only if all of the following are met:
|
|
+ # * it contains at least one slash '/' character,
|
|
+ # * it is preceded by space
|
|
+ # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters
|
|
+ # Search log file for path(s) only in case it exists!
|
|
+ if [[ -f "${LOG_FILE}" ]]
|
|
+ then
|
|
+ NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}")
|
|
+ LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}")
|
|
+ FILTERED_PATHS=$(awk '{if(NF>=2&&($NF~/^\//||$NF~/^-\//)){sub(/^-\//,"/",$NF);print $NF}}' <<< "${LINES_WITH_PATHS}")
|
|
+ CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}")
|
|
+ MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}")
|
|
+ # Since above sed command might return more than one item (delimited by newline), split the particular
|
|
+ # matches entries into new array specific for this log file
|
|
+ readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS"
|
|
+ # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with
|
|
+ # items from newly created array for this log file
|
|
+ LOG_FILE_PATHS+=("${ARRAY_FOR_LOG_FILE[@]}")
|
|
+ # Delete the temporary array
|
|
+ unset ARRAY_FOR_LOG_FILE
|
|
+ fi
|
|
+done
|
|
+
|
|
+# Check for RainerScript action log format which might be also multiline so grep regex is a bit curly
|
|
+# extract possibly multiline action omfile expressions
|
|
+# extract File="logfile" expression
|
|
+# match only "logfile" expression
|
|
+for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
|
|
+do
|
|
+ ACTION_OMFILE_LINES=$(grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}")
|
|
+ OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)")
|
|
+ LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"")")
|
|
+done
|
|
+
|
|
+FILE_PARAM="{{{ ATTRIBUTE }}}"
|
|
+FILE_CMD=""
|
|
+case "$FILE_PARAM" in
|
|
+ "groupowner")
|
|
+ FILE_CMD=$(which chgrp)
|
|
+ ;;
|
|
+ "owner")
|
|
+ FILE_CMD=$(which chown)
|
|
+ ;;
|
|
+ *)
|
|
+ echo -n "Not supported file attribute! "
|
|
+ exit 1
|
|
+ ;;
|
|
+esac
|
|
+
|
|
+# Correct the form o
|
|
+for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}"
|
|
+do
|
|
+ # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing
|
|
+ if [ -z "$LOG_FILE_PATH" ]
|
|
+ then
|
|
+ continue
|
|
+ fi
|
|
+
|
|
+ $FILE_CMD "+{{{ VALUE }}}" "$LOG_FILE_PATH"
|
|
+done
|
|
diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template
|
|
new file mode 100644
|
|
index 0000000000..4f288df1c9
|
|
--- /dev/null
|
|
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template
|
|
@@ -0,0 +1,137 @@
|
|
+<def-group oval_version="5.11">
|
|
+ <definition class="compliance" id="{{{_RULE_ID }}}" version="1">
|
|
+ {{{ oval_metadata("All syslog log files should have appropriate ownership.") }}}
|
|
+ <criteria operator="AND">
|
|
+ {{% if product in ["debian10", "debian11", "ubuntu1604"] %}}
|
|
+ <extend_definition comment="rsyslog daemon is used as local logging daemon"
|
|
+ definition_ref="package_rsyslog_installed" />
|
|
+ {{% endif %}}
|
|
+ <criterion comment="Check if all system log files are owned by the appropriate
|
|
+ {{{ ATTRIBUTE }}}" test_ref="test_{{{ _RULE_ID }}}" />
|
|
+ </criteria>
|
|
+
|
|
+ </definition>
|
|
+
|
|
+ <!-- First obtain rsyslog's $IncludeConfig directive and include() object (introduced in rsyslog
|
|
+ v8.33.0) values. -->
|
|
+
|
|
+ <ind:textfilecontent54_object id="object_{{{ _RULE_ID }}}_include_config_value"
|
|
+ comment="rsyslog's $IncludeConfig directive and include() object values" version="1">
|
|
+ <ind:filepath>/etc/rsyslog.conf</ind:filepath>
|
|
+ <ind:pattern
|
|
+ operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$</ind:pattern>
|
|
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
+ </ind:textfilecontent54_object>
|
|
+
|
|
+ <!-- Turn that glob value into Perl's regex so it can be used as filepath pattern below -->
|
|
+ <local_variable id="var_{{{ _RULE_ID }}}_include_config_regex" datatype="string" version="1"
|
|
+ comment="$IncludeConfig value converted to regex">
|
|
+ <unique>
|
|
+ <glob_to_regex>
|
|
+ <object_component item_field="subexpression"
|
|
+ object_ref="object_{{{ _RULE_ID }}}_include_config_value" />
|
|
+ </glob_to_regex>
|
|
+ </unique>
|
|
+ </local_variable>
|
|
+
|
|
+ <!-- Create a variable_object from the regex variable
|
|
+ If the variable has no values, there won't be any objects -->
|
|
+ <ind:variable_object id="object_var_{{{ _RULE_ID }}}_include_config_regex"
|
|
+ comment="Make variable object from regex variable" version="1">
|
|
+ <ind:var_ref>var_{{{ _RULE_ID }}}_include_config_regex</ind:var_ref>
|
|
+ </ind:variable_object>
|
|
+
|
|
+ <local_variable id="var_{{{ _RULE_ID }}}_syslog_config" datatype="string"
|
|
+ version="1" comment="Locations of all rsyslog configuration files as collection">
|
|
+ <literal_component datatype="string">^/etc/rsyslog.conf$</literal_component>
|
|
+ </local_variable>
|
|
+
|
|
+ <ind:variable_object id="object_var_{{{ _RULE_ID }}}_syslog_config"
|
|
+ comment="Make variable object for use" version="1">
|
|
+ <ind:var_ref>var_{{{ _RULE_ID }}}_syslog_config</ind:var_ref>
|
|
+ </ind:variable_object>
|
|
+
|
|
+ <!-- Combine the two variable_objects into one variable_object
|
|
+ We do it this way to avoid referencing an empty variable in a state comparison, which
|
|
+ will cause a test to evaluate to fail. Combining an empty set of objects is fine though -->
|
|
+ <ind:variable_object id="object_var_{{{ _RULE_ID }}}_all_log_files"
|
|
+ comment="Filter out empty string" version="1">
|
|
+ <set>
|
|
+ <object_reference>object_var_{{{ _RULE_ID }}}_include_config_regex</object_reference>
|
|
+ <object_reference>object_var_{{{ _RULE_ID }}}_syslog_config</object_reference>
|
|
+ </set>
|
|
+ </ind:variable_object>
|
|
+
|
|
+ <!-- In element filepath of object_rfg_log_files_paths we need to pass a list of values,
|
|
+ a list of objects won't do. So we make a local_variable from the variable_objects. -->
|
|
+ <local_variable id="var_{{{ _RULE_ID }}}_all_log_files" datatype="string" version="1"
|
|
+ comment="Locations of all rsyslog configuration files as collection">
|
|
+ <object_component object_ref="object_var_{{{ _RULE_ID }}}_all_log_files" item_field="value"/>
|
|
+ </local_variable>
|
|
+
|
|
+ <!-- For each item from that collection (particular rsyslog's configuration file path) search
|
|
+ that rsyslog's configuration file to select file paths for log files directives
|
|
+ -->
|
|
+ <ind:textfilecontent54_object id="object_{{{ _RULE_ID }}}_log_files_paths"
|
|
+ comment="All rsyslog configuration files" version="1">
|
|
+ <ind:filepath operation="pattern match" var_ref="var_{{{ _RULE_ID }}}_all_log_files"
|
|
+ var_check="at least one" />
|
|
+ <!-- Chunk of text retrieved from rsyslog's configuration file is considered
|
|
+ to constitute a log file path if all of the following conditions are met:
|
|
+ * the string represents a regular file on particular file system
|
|
+ (verified via corresponding file_state below),
|
|
+ * the chunk of text is in the last column in the row,
|
|
+ (possibly suffixed by ';' character and rsyslog Template name),
|
|
+ * contains at least one slash '/' character, and simultaneously
|
|
+ doesn't contain any of ';', ':' and space characters,
|
|
+ * the chunk was retrieved from a row not starting with space, '#',
|
|
+ or '$' characters
|
|
+ -->
|
|
+ <ind:pattern
|
|
+ operation="pattern match">^\s*[^(\s|#|\$)]+\s+-?[\w\(="\s]*(\/[^:;\s"]+)+.*$</ind:pattern>
|
|
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
+ <filter action="exclude">state_{{{ _RULE_ID }}}_ownership_ignore_include_paths</filter>
|
|
+ </ind:textfilecontent54_object>
|
|
+
|
|
+ <ind:textfilecontent54_state id="state_{{{ _RULE_ID }}}_ownership_ignore_include_paths"
|
|
+ comment="ignore" version="1">
|
|
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
|
|
+ include() or $IncludeConfig statements.
|
|
+ These paths are conf files, not log files. Their groupownership don't need to be as
|
|
+ required for log files, thus, lets exclude them from the list of objects found
|
|
+ -->
|
|
+ <ind:text
|
|
+ operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*)</ind:text>
|
|
+ </ind:textfilecontent54_state>
|
|
+
|
|
+ <!-- Define OVAL variable to hold all the various system log files locations
|
|
+ retrieved from the different rsyslog configuration files
|
|
+ -->
|
|
+ <local_variable id="var_{{{ _RULE_ID }}}_log_files_paths" datatype="string" version="1"
|
|
+ comment="File paths of all rsyslog configuration files">
|
|
+ <object_component item_field="subexpression" object_ref="object_{{{ _RULE_ID }}}_log_files_paths" />
|
|
+ </local_variable>
|
|
+
|
|
+ <!-- Perform the test if all rsyslog system log files are owned by the appropriate group -->
|
|
+ <unix:file_test check="all" check_existence="all_exist" id="test_{{{ _RULE_ID }}}" version="1"
|
|
+ comment="System log files are owned by the appropriate group">
|
|
+ <unix:object object_ref="object_rsyslog_files_{{{ _RULE_ID }}}_ownership" />
|
|
+ <unix:state state_ref="state_{{{ _RULE_ID }}}" />
|
|
+ </unix:file_test>
|
|
+
|
|
+ <unix:file_object id="object_rsyslog_files_{{{ _RULE_ID }}}_ownership"
|
|
+ comment="Various system log files" version="1">
|
|
+ <unix:filepath datatype="string" var_ref="var_{{{ _RULE_ID }}}_log_files_paths"
|
|
+ var_check="at least one" />
|
|
+ </unix:file_object>
|
|
+
|
|
+ <unix:file_state id="state_{{{ _RULE_ID }}}" version="1">
|
|
+ <unix:type operation="equals">regular</unix:type>
|
|
+ {{% if ATTRIBUTE == "groupowner" %}}
|
|
+ <unix:group_id datatype="int">{{{ VALUE }}}</unix:group_id>
|
|
+ {{% else %}}
|
|
+ <unix:user_id datatype="int">{{{ VALUE }}}</unix:user_id>
|
|
+ {{% endif %}}
|
|
+ </unix:file_state>
|
|
+
|
|
+</def-group>
|
|
diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/template.yml b/shared/templates/rsyslog_logfiles_attributes_modify/template.yml
|
|
new file mode 100644
|
|
index 0000000000..b57de6fbb6
|
|
--- /dev/null
|
|
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/template.yml
|
|
@@ -0,0 +1,4 @@
|
|
+supported_languages:
|
|
+ - ansible
|
|
+ - bash
|
|
+ - oval
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh
|
|
similarity index 75%
|
|
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_other.fail.sh
|
|
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh
|
|
index 6c82a1942f..db7e5261eb 100755
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_other.fail.sh
|
|
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh
|
|
@@ -6,8 +6,16 @@
|
|
|
|
source $SHARED/rsyslog_log_utils.sh
|
|
|
|
+{{% if ATTRIBUTE == "owner" %}}
|
|
+ADDCOMMAND="useradd"
|
|
+CHATTR="chown"
|
|
+{{% else %}}
|
|
+ADDCOMMAND="groupadd"
|
|
+CHATTR="chgrp"
|
|
+{{% endif %}}
|
|
+
|
|
USER_TEST=testssg
|
|
-useradd $USER_TEST
|
|
+$ADDCOMMAND $USER_TEST
|
|
|
|
USER_ROOT=root
|
|
|
|
@@ -15,8 +23,8 @@ USER_ROOT=root
|
|
create_rsyslog_test_logs 2
|
|
|
|
# setup test log files ownership
|
|
-chown $USER_ROOT ${RSYSLOG_TEST_LOGS[0]}
|
|
-chown $USER_TEST ${RSYSLOG_TEST_LOGS[1]}
|
|
+$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]}
|
|
+$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]}
|
|
|
|
# create test configuration file
|
|
test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh
|
|
similarity index 81%
|
|
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_root.pass.sh
|
|
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh
|
|
index b24e5e1699..b03268fe3e 100755
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_root.pass.sh
|
|
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh
|
|
@@ -6,14 +6,20 @@
|
|
|
|
source $SHARED/rsyslog_log_utils.sh
|
|
|
|
+{{% if ATTRIBUTE == "owner" %}}
|
|
+CHATTR="chown"
|
|
+{{% else %}}
|
|
+CHATTR="chgrp"
|
|
+{{% endif %}}
|
|
+
|
|
USER=root
|
|
|
|
# setup test data
|
|
create_rsyslog_test_logs 2
|
|
|
|
# setup test log files ownership
|
|
-chown $USER ${RSYSLOG_TEST_LOGS[0]}
|
|
-chown $USER ${RSYSLOG_TEST_LOGS[1]}
|
|
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
|
|
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]}
|
|
|
|
# create test configuration file
|
|
test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh
|
|
similarity index 75%
|
|
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_other.fail.sh
|
|
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh
|
|
index 18f43c6927..d79ae23cfc 100755
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_other.fail.sh
|
|
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh
|
|
@@ -6,8 +6,16 @@
|
|
|
|
source $SHARED/rsyslog_log_utils.sh
|
|
|
|
+{{% if ATTRIBUTE == "owner" %}}
|
|
+ADDCOMMAND="useradd"
|
|
+CHATTR="chown"
|
|
+{{% else %}}
|
|
+ADDCOMMAND="groupadd"
|
|
+CHATTR="chgrp"
|
|
+{{% endif %}}
|
|
+
|
|
USER_TEST=testssg
|
|
-useradd $USER_TEST
|
|
+$ADDCOMMAND $USER_TEST
|
|
|
|
USER_ROOT=root
|
|
|
|
@@ -15,8 +23,8 @@ USER_ROOT=root
|
|
create_rsyslog_test_logs 2
|
|
|
|
# setup test log files ownership
|
|
-chown $USER_ROOT ${RSYSLOG_TEST_LOGS[0]}
|
|
-chown $USER_TEST ${RSYSLOG_TEST_LOGS[1]}
|
|
+$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]}
|
|
+$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]}
|
|
|
|
# create test configuration file
|
|
test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh
|
|
old mode 100755
|
|
new mode 100644
|
|
similarity index 50%
|
|
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh
|
|
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh
|
|
index 05dd50ed24..7869a180a8
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh
|
|
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh
|
|
@@ -1,20 +1,31 @@
|
|
#!/bin/bash
|
|
# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle
|
|
|
|
-# Check rsyslog.conf with root group-owner log from rules and
|
|
-# root group-owner log from include() passes.
|
|
+# Check rsyslog.conf with root user log from rules and
|
|
+# root user log from include() passes.
|
|
|
|
source $SHARED/rsyslog_log_utils.sh
|
|
|
|
-GROUP=root
|
|
+{{% if ATTRIBUTE == "owner" %}}
|
|
+ADDCOMMAND="useradd"
|
|
+CHATTR="chown"
|
|
+{{% else %}}
|
|
+ADDCOMMAND="groupadd"
|
|
+CHATTR="chgrp"
|
|
+{{% endif %}}
|
|
+
|
|
+USER_TEST=testssg
|
|
+$ADDCOMMAND $USER_TEST
|
|
+
|
|
+USER=root
|
|
|
|
# setup test data
|
|
create_rsyslog_test_logs 3
|
|
|
|
# setup test log files ownership
|
|
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]}
|
|
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]}
|
|
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[2]}
|
|
+$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[0]}
|
|
+$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]}
|
|
+$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]}
|
|
|
|
# create test configuration file
|
|
test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
|
@@ -28,13 +39,25 @@ EOF
|
|
|
|
# create test2 configuration file
|
|
test_conf2=${RSYSLOG_TEST_DIR}/test2.conf
|
|
+{{% if ATTRIBUTE == "owner" %}}
|
|
+cat << EOF > ${test_conf2}
|
|
+# rsyslog configuration file
|
|
+
|
|
+#### RULES ####
|
|
+
|
|
+
|
|
+*.* action(type="omfile" FileCreateMode="0640" fileOwner="$USER_TEST" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}")
|
|
+EOF
|
|
+{{% else %}}
|
|
cat << EOF > ${test_conf2}
|
|
# rsyslog configuration file
|
|
|
|
#### RULES ####
|
|
|
|
-*.* ${RSYSLOG_TEST_LOGS[2]}
|
|
+
|
|
+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="$USER_TEST" File="${RSYSLOG_TEST_LOGS[2]}")
|
|
EOF
|
|
+{{% endif %}}
|
|
|
|
# create rsyslog.conf configuration file
|
|
cat << EOF > $RSYSLOG_CONF
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh
|
|
similarity index 81%
|
|
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root.pass.sh
|
|
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh
|
|
index 69dead5135..e80395ca99 100755
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root.pass.sh
|
|
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh
|
|
@@ -6,14 +6,21 @@
|
|
|
|
source $SHARED/rsyslog_log_utils.sh
|
|
|
|
+
|
|
+{{% if ATTRIBUTE == "owner" %}}
|
|
+CHATTR="chown"
|
|
+{{% else %}}
|
|
+CHATTR="chgrp"
|
|
+{{% endif %}}
|
|
+
|
|
USER=root
|
|
|
|
# setup test data
|
|
create_rsyslog_test_logs 2
|
|
|
|
# setup test log files ownership
|
|
-chown $USER ${RSYSLOG_TEST_LOGS[0]}
|
|
-chown $USER ${RSYSLOG_TEST_LOGS[1]}
|
|
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
|
|
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]}
|
|
|
|
# create test configuration file
|
|
test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh
|
|
similarity index 77%
|
|
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_other.fail.sh
|
|
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh
|
|
index e725fb4d54..e7b4905dc5 100755
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_other.fail.sh
|
|
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh
|
|
@@ -6,18 +6,26 @@
|
|
|
|
source $SHARED/rsyslog_log_utils.sh
|
|
|
|
+{{% if ATTRIBUTE == "owner" %}}
|
|
+ADDCOMMAND="useradd"
|
|
+CHATTR="chown"
|
|
+{{% else %}}
|
|
+ADDCOMMAND="groupadd"
|
|
+CHATTR="chgrp"
|
|
+{{% endif %}}
|
|
+
|
|
USER_ROOT=root
|
|
|
|
USER_TEST=testssg
|
|
-useradd $USER_TEST
|
|
+$ADDCOMMAND $USER_TEST
|
|
|
|
# setup test data
|
|
create_rsyslog_test_logs 3
|
|
|
|
# setup test log files ownership
|
|
-chown $USER_ROOT ${RSYSLOG_TEST_LOGS[0]}
|
|
-chown $USER_ROOT ${RSYSLOG_TEST_LOGS[1]}
|
|
-chown $USER_TEST ${RSYSLOG_TEST_LOGS[2]}
|
|
+$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]}
|
|
+$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[1]}
|
|
+$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]}
|
|
|
|
# create test configuration file
|
|
test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh
|
|
similarity index 82%
|
|
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_root.pass.sh
|
|
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh
|
|
index ca47d453c1..6389e6ea3b 100755
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_root.pass.sh
|
|
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh
|
|
@@ -6,15 +6,21 @@
|
|
|
|
source $SHARED/rsyslog_log_utils.sh
|
|
|
|
+{{% if ATTRIBUTE == "owner" %}}
|
|
+CHATTR="chown"
|
|
+{{% else %}}
|
|
+CHATTR="chgrp"
|
|
+{{% endif %}}
|
|
+
|
|
USER=root
|
|
|
|
# setup test data
|
|
create_rsyslog_test_logs 3
|
|
|
|
# setup test log files ownership
|
|
-chown $USER ${RSYSLOG_TEST_LOGS[0]}
|
|
-chown $USER ${RSYSLOG_TEST_LOGS[1]}
|
|
-chown $USER ${RSYSLOG_TEST_LOGS[2]}
|
|
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
|
|
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]}
|
|
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]}
|
|
|
|
# create test configuration file
|
|
test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh
|
|
similarity index 65%
|
|
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh
|
|
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh
|
|
index 9747e0b28b..6b81a77c2f 100755
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh
|
|
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh
|
|
@@ -1,23 +1,26 @@
|
|
#!/bin/bash
|
|
# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle
|
|
|
|
-# Check rsyslog.conf with root group-owner log from rules and
|
|
-# non root group-owner log from include() fails.
|
|
+# Check rsyslog.conf with root user log from rules and
|
|
+# root user log from include() passes.
|
|
|
|
source $SHARED/rsyslog_log_utils.sh
|
|
|
|
-GROUP_ROOT=root
|
|
+{{% if ATTRIBUTE == "owner" %}}
|
|
+CHATTR="chown"
|
|
+{{% else %}}
|
|
+CHATTR="chgrp"
|
|
+{{% endif %}}
|
|
|
|
-GROUP_TEST=testssg
|
|
-groupadd $GROUP_TEST
|
|
+USER=root
|
|
|
|
# setup test data
|
|
create_rsyslog_test_logs 3
|
|
|
|
# setup test log files ownership
|
|
-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[0]}
|
|
-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[1]}
|
|
-chgrp $GROUP_TEST ${RSYSLOG_TEST_LOGS[2]}
|
|
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
|
|
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]}
|
|
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]}
|
|
|
|
# create test configuration file
|
|
test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
|
@@ -36,7 +39,8 @@ cat << EOF > ${test_conf2}
|
|
|
|
#### RULES ####
|
|
|
|
-*.* ${RSYSLOG_TEST_LOGS[2]}
|
|
+
|
|
+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}")
|
|
EOF
|
|
|
|
# create rsyslog.conf configuration file
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_multiline_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh
|
|
similarity index 81%
|
|
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_multiline_is_root.pass.sh
|
|
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh
|
|
index d68cc2e67d..78b105abf3 100755
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_multiline_is_root.pass.sh
|
|
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh
|
|
@@ -6,14 +6,20 @@
|
|
|
|
source $SHARED/rsyslog_log_utils.sh
|
|
|
|
+{{% if ATTRIBUTE == "owner" %}}
|
|
+CHATTR="chown"
|
|
+{{% else %}}
|
|
+CHATTR="chgrp"
|
|
+{{% endif %}}
|
|
+
|
|
USER=root
|
|
|
|
# setup test data
|
|
create_rsyslog_test_logs 2
|
|
|
|
# setup test log files ownership
|
|
-chown $USER ${RSYSLOG_TEST_LOGS[0]}
|
|
-chown $USER ${RSYSLOG_TEST_LOGS[1]}
|
|
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
|
|
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]}
|
|
|
|
# create test configuration file
|
|
test_conf=${RSYSLOG_TEST_DIR}/test1.conf
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh
|
|
similarity index 70%
|
|
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_other.fail.sh
|
|
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh
|
|
index 7edbb17ea1..1afe20823c 100755
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_other.fail.sh
|
|
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh
|
|
@@ -5,15 +5,23 @@
|
|
|
|
source $SHARED/rsyslog_log_utils.sh
|
|
|
|
+{{% if ATTRIBUTE == "owner" %}}
|
|
+ADDCOMMAND="useradd"
|
|
+CHATTR="chown"
|
|
+{{% else %}}
|
|
+ADDCOMMAND="groupadd"
|
|
+CHATTR="chgrp"
|
|
+{{% endif %}}
|
|
+
|
|
USER=testssg
|
|
|
|
-useradd $USER
|
|
+$ADDCOMMAND $USER
|
|
|
|
# setup test data
|
|
create_rsyslog_test_logs 1
|
|
|
|
# setup test log file ownership
|
|
-chown $USER ${RSYSLOG_TEST_LOGS[0]}
|
|
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
|
|
|
|
# add rule with non-root user owned log file
|
|
cat << EOF > $RSYSLOG_CONF
|
|
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh
|
|
similarity index 77%
|
|
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_root.pass.sh
|
|
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh
|
|
index e0e518bc50..afce21fa27 100755
|
|
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_root.pass.sh
|
|
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh
|
|
@@ -5,13 +5,19 @@
|
|
|
|
source $SHARED/rsyslog_log_utils.sh
|
|
|
|
+{{% if ATTRIBUTE == "owner" %}}
|
|
+CHATTR="chown"
|
|
+{{% else %}}
|
|
+CHATTR="chgrp"
|
|
+{{% endif %}}
|
|
+
|
|
USER=root
|
|
|
|
# setup test data
|
|
create_rsyslog_test_logs 1
|
|
|
|
# setup test log file ownership
|
|
-chown $USER ${RSYSLOG_TEST_LOGS[0]}
|
|
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
|
|
|
|
# add rule with root user owned log file
|
|
cat << EOF > $RSYSLOG_CONF
|
|
--
|
|
2.39.1
|
|
|