diff --git a/.gitignore b/.gitignore
index fdc5616..1380026 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.66.tar.bz2
+SOURCES/scap-security-guide-0.1.69.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index 36621a0..1cc3399 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1 @@
-fdef63150c650bc29c06eea0aba6092688ab60a9 SOURCES/scap-security-guide-0.1.66.tar.bz2
+60f885bdfa51fa2fa707d0c2fd32e0b1f9ee9589 SOURCES/scap-security-guide-0.1.69.tar.bz2
diff --git a/SOURCES/scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch b/SOURCES/scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
deleted file mode 100644
index eb63127..0000000
--- a/SOURCES/scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch
+++ /dev/null
@@ -1,106 +0,0 @@ -From a8cea205d5f9f975ca03ef39e79d18698236cfe2 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 13 Feb 2023 17:49:14 +0100 -Subject: [PATCH 3/5] Change custom zones check in firewalld_sshd_port_enabled - -Patch-name: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch -Patch-status: Change custom zones check in firewalld_sshd_port_enabled ---- - .../oval/shared.xml | 68 +++++++++++++++---- - 1 file changed, 54 insertions(+), 14 deletions(-) - -diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml -index 4adef2e53f..d7c96665b4 100644 ---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml -+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml -@@ -133,9 +133,10 @@ - OVAL resources in order to detect and assess only active zone, which are zones with at - least one NIC assigned to it. Since it was possible to easily have the list of active - zones, it was cumbersome to use that list in other OVAL objects without introduce a high -- level of complexity to make sure environments with multiple NICs and multiple zones are -- in use. So, in favor of simplicity and readbility it was decided to work with a static -- list. It means that, in the future, it is possible this list needs to be updated. --> -+ level of complexity to ensure proper assessment in environments where multiple NICs and -+ multiple zones are in use. So, in favor of simplicity and readbility it was decided to -+ work with a static list. It means that, in the future, it is possible this list needs to -+ be updated. 
--> - -@@ -145,23 +146,62 @@ - -- -+ -- -- -- -+ -+ -+ -+ -+ -+ var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count -+ -+ -+ -+ -+ -+ -+ - - -- /etc/firewalld/zones -- ^.*\.xml$ -- /zone/service[@name='ssh'] -+ /etc/firewalld/zones -+ ^.*\.xml$ -+ /zone/service[@name='ssh'] - - -- -- /zone/service[@name='ssh'] -- -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/firewalld/zones -+ ^.*\.xml$ -+ - - - -- -- /etc/rsyslog.conf -- ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ -- 1 -- state_permissions_ignore_hidden_paths -- -- -- -- -- ^.*\/\..*$ -- -- -- -- -- -- -- -- -- -- -- -- -- -- var_rfp_include_config_regex -- -- -- -- ^/etc/rsyslog.conf$ -- -- -- -- var_rfp_syslog_config -- -- -- -- -- -- object_var_rfp_include_config_regex -- object_var_rfp_syslog_config -- -- -- -- -- -- -- -- -- -- -- -- -- ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$ -- 1 -- state_permissions_ignore_include_paths -- -- -- -- -- (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- regular -- false -- {{% if product in ["debian10", "debian11", "ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204", "sle15", "sle12"] %}} -- true -- {{% else %}} -- false -- {{% endif %}} -- false -- false -- false -- false -- false -- -- -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml -index 508ff73cde..042c35362d 100644 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/rule.yml -@@ -1,18 +1,24 @@ -+{{%- if product in ["debian10", "debian11", "ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204", "sle15", "sle12"] %}} -+ {{%- set rsyslog_perm='640' %}} -+{{%- else %}} -+ {{%- set 
rsyslog_perm='600' %}} -+{{%- endif %}} -+ - documentation_complete: true - - title: 'Ensure System Log Files Have Correct Permissions' - - description: |- - The file permissions for all log files written by rsyslog should -- be set to 600, or more restrictive. These log files are determined by the -+ be set to {{{ rsyslog_perm }}}, or more restrictive. These log files are determined by the - second part of each Rule line in /etc/rsyslog.conf and typically - all appear in /var/log. For each log file LOGFILE - referenced in /etc/rsyslog.conf, run the following command to - inspect the file's permissions: -
$ ls -l LOGFILE
-- If the permissions are not 600 or more restrictive, run the following -+ If the permissions are not {{{ rsyslog_perm }}} or more restrictive, run the following - command to correct this: --
$ sudo chmod 0600 LOGFILE
" -+
$ sudo chmod {{{ rsyslog_perm }}} LOGFILE
" - - rationale: |- - Log files can contain valuable information regarding system -@@ -46,9 +52,23 @@ ocil_clause: 'the permissions are not correct' - - ocil: |- - The file permissions for all log files written by rsyslog should -- be set to 600, or more restrictive. These log files are determined by the -+ be set to {{{ rsyslog_perm }}}, or more restrictive. These log files are determined by the - second part of each Rule line in /etc/rsyslog.conf and typically - all appear in /var/log. To see the permissions of a given log - file, run the following command: -
$ ls -l LOGFILE
-- The permissions should be 600, or more restrictive. -+ The permissions should be {{{ rsyslog_perm }}}, or more restrictive. -+ -+template: -+ name: rsyslog_logfiles_attributes_modify -+ vars: -+ attribute: permissions -+ value: '0600' -+ value@debian10: '0640' -+ value@debian11: '0640' -+ value@sle12: '0640' -+ value@sle15: '0640' -+ value@ubuntu1604: '0640' -+ value@ubuntu1804: '0640' -+ value@ubuntu2004: '0640' -+ value@ubuntu2204: '0640' -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0600.pass.sh -deleted file mode 100755 -index c27e7874d9..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0600.pass.sh -+++ /dev/null -@@ -1,40 +0,0 @@ --#!/bin/bash --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle -- --# Check rsyslog.conf with log file permissions 0600 from rules and --# log file permissions 0600 from $IncludeConfig passes. 
--# test $IncludeConfig with wildcard (*.conf) -- --source $SHARED/rsyslog_log_utils.sh -- --PERMS=0600 -- --# setup test data --create_rsyslog_test_logs 2 -- --# setup test log files and permissions --chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} --chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} -- --# create test configuration file --test_conf=${RSYSLOG_TEST_DIR}/test1.conf --cat << EOF > ${test_conf} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[1]} --EOF -- --# create rsyslog.conf configuration file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --#### MODULES #### -- --\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0601.fail.sh -deleted file mode 100755 -index 124b5e863e..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_glob_perms_0601.fail.sh -+++ /dev/null -@@ -1,41 +0,0 @@ --#!/bin/bash --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol -- --# Check rsyslog.conf with log file permissions 0600 from rules and --# log file permissions 0601 from $IncludeConfig fails. 
--# test $IncludeConfig with wildcard (*.conf) -- --source $SHARED/rsyslog_log_utils.sh -- --PERMS_PASS=0600 --PERMS_FAIL=0601 -- --# setup test data --create_rsyslog_test_logs 2 -- --# setup test log files and permissions --chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} --chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} -- --# create test configuration file --test_conf=${RSYSLOG_TEST_DIR}/test1.conf --cat << EOF > ${test_conf} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[1]} --EOF -- --# create rsyslog.conf configuration file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --#### MODULES #### -- --\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0600.pass.sh -deleted file mode 100755 -index a6ff6a1109..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0600.pass.sh -+++ /dev/null -@@ -1,39 +0,0 @@ --#!/bin/bash --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle -- --# Check rsyslog.conf with log file permissions 0600 from rules and --# log file permissions 0600 from $IncludeConfig passes. 
-- --source $SHARED/rsyslog_log_utils.sh -- --PERMS=0600 -- --# setup test data --create_rsyslog_test_logs 2 -- --# setup test log files and permissions --chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} --chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} -- --# create test configuration file --test_conf=${RSYSLOG_TEST_DIR}/test1.conf --cat << EOF > ${test_conf} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[1]} --EOF -- --# create rsyslog.conf configuration file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --#### MODULES #### -- --\$IncludeConfig ${test_conf} --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0601.fail.sh -deleted file mode 100755 -index 2ae5c89a4e..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/IncludeConfig_perms_0601.fail.sh -+++ /dev/null -@@ -1,40 +0,0 @@ --#!/bin/bash --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol -- --# Check rsyslog.conf with log file permissions 0600 from rules and --# log file permissions 0601 from $IncludeConfig fails. 
-- --source $SHARED/rsyslog_log_utils.sh -- --PERMS_PASS=0600 --PERMS_FAIL=0601 -- --# setup test data --create_rsyslog_test_logs 2 -- --# setup test log files and permissions --chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} --chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} -- --# create test configuration file --test_conf=${RSYSLOG_TEST_DIR}/test1.conf --cat << EOF > ${test_conf} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[1]} --EOF -- --# create rsyslog.conf configuration file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --#### MODULES #### -- --\$IncludeConfig ${test_conf} --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh -deleted file mode 100755 -index a5a2f67fad..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh -+++ /dev/null -@@ -1,85 +0,0 @@ --#!/bin/bash --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle -- --# Check rsyslog.conf with log file permissions 0600 from rules and --# log file permissions 0600 from $IncludeConfig passes. 
-- --source $SHARED/rsyslog_log_utils.sh -- --PERMS=0600 -- --# setup test data --create_rsyslog_test_logs 5 -- --# setup test log files and permissions --chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} --chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} --chmod $PERMS ${RSYSLOG_TEST_LOGS[2]} --chmod $PERMS ${RSYSLOG_TEST_LOGS[3]} --chmod $PERMS ${RSYSLOG_TEST_LOGS[4]} -- --# create test configuration files --conf_subdir=${RSYSLOG_TEST_DIR}/subdir --conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir --mkdir ${conf_subdir} --mkdir ${conf_hiddir} -- --test_conf_in_subdir=${conf_subdir}/in_subdir.conf --test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak -- --test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf --test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf -- --cat << EOF > ${test_conf_in_subdir} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[1]} --EOF -- --cat << EOF > ${test_conf_name_bak} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[2]} --EOF -- --cat << EOF > ${test_conf_in_hiddir} --# rsyslog configuration file --# not used -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[3]} --EOF -- --cat << EOF > ${test_conf_dot_name} --# rsyslog configuration file --# not used -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[4]} --EOF -- --# create rsyslog.conf configuration file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --#### MODULES #### -- --include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") --include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") --include(file="${RSYSLOG_TEST_DIR}" mode="optional") -- --\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf --\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf --\$IncludeConfig ${RSYSLOG_TEST_DIR} -- --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh 
b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh -deleted file mode 100755 -index fe4db0a3c9..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh -+++ /dev/null -@@ -1,86 +0,0 @@ --#!/bin/bash --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle -- --# Check rsyslog.conf with log file permissions 0600 from rules and --# log file permissions 0601 from $IncludeConfig fails. -- --source $SHARED/rsyslog_log_utils.sh -- --PERMS_PASS=0600 --PERMS_FAIL=0601 -- --# setup test data --create_rsyslog_test_logs 5 -- --# setup test log files and permissions --chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} --chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} --chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} --chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]} --chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[4]} -- --# create test configuration files --conf_subdir=${RSYSLOG_TEST_DIR}/subdir --conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir --mkdir ${conf_subdir} --mkdir ${conf_hiddir} -- --test_conf_in_subdir=${conf_subdir}/in_subdir.conf --test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak -- --test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf --test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf -- --cat << EOF > ${test_conf_in_subdir} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[1]} --EOF -- --cat << EOF > ${test_conf_name_bak} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[2]} --EOF -- --cat << EOF > ${test_conf_in_hiddir} --# rsyslog configuration file --# not used -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[3]} --EOF -- --cat << EOF > ${test_conf_dot_name} --# rsyslog configuration file --# not used -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[4]} --EOF -- --# create rsyslog.conf configuration file --cat << 
EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --#### MODULES #### -- --include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional") --include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional") --include(file="${RSYSLOG_TEST_DIR}" mode="optional") -- --\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf --\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf --\$IncludeConfig ${RSYSLOG_TEST_DIR} -- --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_multiline_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_multiline_perms_0600.pass.sh -deleted file mode 100755 -index eabcb21956..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_multiline_perms_0600.pass.sh -+++ /dev/null -@@ -1,41 +0,0 @@ --#!/bin/bash --# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle -- --# Check rsyslog.conf with log file permissions 0600 from rules and --# log file permissions 0600 from multiline include() passes. 
-- --source $SHARED/rsyslog_log_utils.sh -- --PERMS=0600 -- --# setup test data --create_rsyslog_test_logs 2 -- --# setup test log files and permissions --chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} --chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} -- --# create test configuration file --test_conf=${RSYSLOG_TEST_DIR}/test1.conf --cat << EOF > ${test_conf} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[1]} --EOF -- --# create rsyslog.conf configuration file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --#### MODULES #### -- --include( -- file="${test_conf}" --) --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600.pass.sh -deleted file mode 100755 -index 32cd4c334a..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600.pass.sh -+++ /dev/null -@@ -1,39 +0,0 @@ --#!/bin/bash --# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle -- --# Check rsyslog.conf with log file permissions 0600 from rules and --# log file permissions 0600 from include() passes. 
-- --source $SHARED/rsyslog_log_utils.sh -- --PERMS=0600 -- --# setup test data --create_rsyslog_test_logs 2 -- --# setup test log files and permissions --chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} --chmod $PERMS ${RSYSLOG_TEST_LOGS[1]} -- --# create test configuration file --test_conf=${RSYSLOG_TEST_DIR}/test1.conf --cat << EOF > ${test_conf} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[1]} --EOF -- --# create rsyslog.conf configuration file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --#### MODULES #### -- --include(file="${test_conf}") --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0600.pass.sh -deleted file mode 100755 -index 357d4f9718..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0600.pass.sh -+++ /dev/null -@@ -1,52 +0,0 @@ --#!/bin/bash --# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 -- --# Check rsyslog.conf with log file permisssions 0600 from rules and --# log file permissions 0600 from include() passes. 
-- --source $SHARED/rsyslog_log_utils.sh -- --PERMS_PASS=0600 -- --# setup test data --create_rsyslog_test_logs 3 -- --# setup test log files and permissions --chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} --chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} --chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[2]} -- --# create test configuration file --test_conf=${RSYSLOG_TEST_DIR}/test1.conf --cat << EOF > ${test_conf} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[1]} --EOF -- --# create test2 configuration file --test_conf2=${RSYSLOG_TEST_DIR}/test2.conf --cat << EOF > ${test_conf2} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[2]} --EOF -- --# create rsyslog.conf configuration file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --#### MODULES #### -- --include(file="${test_conf}") -- --\$IncludeConfig ${test_conf2} --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601.fail.sh -deleted file mode 100755 -index 7bdb830c00..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601.fail.sh -+++ /dev/null -@@ -1,53 +0,0 @@ --#!/bin/bash --# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 -- --# Check rsyslog.conf with log file permisssions 0600 from rules and --# log file permissions 0601 from include() fails. 
-- --source $SHARED/rsyslog_log_utils.sh -- --PERMS_PASS=0600 --PERMS_FAIL=0601 -- --# setup test data --create_rsyslog_test_logs 3 -- --# setup test log files and permissions --chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} --chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} --chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} -- --# create test configuration file --test_conf=${RSYSLOG_TEST_DIR}/test1.conf --cat << EOF > ${test_conf} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[1]} --EOF -- --# create test2 configuration file --test_conf2=${RSYSLOG_TEST_DIR}/test2.conf --cat << EOF > ${test_conf2} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[2]} --EOF -- --# create rsyslog.conf configuration file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --#### MODULES #### -- --include(file="${test_conf}") -- --\$IncludeConfig ${test_conf2} --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh -deleted file mode 100644 -index 9b0185c6b2..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh -+++ /dev/null -@@ -1,53 +0,0 @@ --#!/bin/bash --# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 -- --# Check rsyslog.conf with log file permisssions 0600 from rules and --# log file permissions 0601 from include() fails. 
-- --source $SHARED/rsyslog_log_utils.sh -- --PERMS_PASS=0600 --PERMS_FAIL=0601 -- --# setup test data --create_rsyslog_test_logs 3 -- --# setup test log files and permissions --chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} --chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} --chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} -- --# create test configuration file --test_conf=${RSYSLOG_TEST_DIR}/test1.conf --cat << EOF > ${test_conf} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[1]} --EOF -- --# create hidden test2 configuration file --test_conf2=${RSYSLOG_TEST_DIR}/.test2.conf --cat << EOF > ${test_conf2} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[2]} --EOF -- --# create rsyslog.conf configuration file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --#### MODULES #### -- --include(file="${test_conf}") -- --\$IncludeConfig ${test_conf2} --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh -deleted file mode 100644 -index b929f2a94a..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh -+++ /dev/null -@@ -1,45 +0,0 @@ --#!/bin/bash --# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 -- --# Check rsyslog.conf with log file permisssions 0600 from rules and --# log file permissions 0601 from include() fails. 
-- --source $SHARED/rsyslog_log_utils.sh -- --PERMS_PASS=0600 --PERMS_FAIL=0601 -- --# setup test data --create_rsyslog_test_logs 3 -- --# setup test log files and permissions --chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} --chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]} --chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]} -- --# create test configuration file --test_conf=${RSYSLOG_TEST_DIR}/test1.conf --cat << EOF > ${test_conf} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[1]} --EOF -- --# Skip creation test2 configuration file -- --# create rsyslog.conf configuration file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --#### MODULES #### -- --include(file="${test_conf}") -- --\$IncludeConfig ${test_conf2} --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_cloudinit.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_cloudinit.pass.sh -deleted file mode 100644 -index 2eb515a43e..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_cloudinit.pass.sh -+++ /dev/null -@@ -1,23 +0,0 @@ --#!/bin/bash --# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle -- --source $SHARED/rsyslog_log_utils.sh -- --PERMS=0600 -- --# setup test data --create_rsyslog_test_logs 2 -- --# setup test log files and permissions --chmod $PERMS ${RSYSLOG_TEST_LOGS[@]} -- --# create rsyslog.conf configuration file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} --:syslogtag, isequal, "[CLOUDINIT]" ${RSYSLOG_TEST_LOGS[1]} --EOF -- -diff --git 
a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601.fail.sh -deleted file mode 100755 -index fd3f9e92ec..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601.fail.sh -+++ /dev/null -@@ -1,41 +0,0 @@ --#!/bin/bash --# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8 -- --# Check rsyslog.conf with log file permissions 0600 from rules and --# log file permissions 0601 from include() fails. -- --source $SHARED/rsyslog_log_utils.sh -- --PERMS_FAIL=0601 -- --PERMS_PASS=0600 -- --# setup test data --create_rsyslog_test_logs 2 -- --# setup test log files and permissions --chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]} --chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]} -- --# create test configuration file --test_conf=${RSYSLOG_TEST_DIR}/test1.conf --cat << EOF > ${test_conf} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[1]} --EOF -- --# create rsyslog.conf configuration file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --#### MODULES #### -- --include(file="${test_conf}") --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601_cloudinit.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601_cloudinit.fail.sh -deleted file mode 100644 -index 7a598626d0..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0601_cloudinit.fail.sh -+++ /dev/null -@@ -1,22 +0,0 @@ --#!/bin/bash --# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle 
Linux 8,multi_platform_sle -- --source $SHARED/rsyslog_log_utils.sh -- --# setup test data --create_rsyslog_test_logs 2 -- --# setup test log files and permissions --chmod 0600 ${RSYSLOG_TEST_LOGS[0]} --chmod 0601 ${RSYSLOG_TEST_LOGS[1]} -- --# create rsyslog.conf configuration file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} --:syslogtag, isequal, "[CLOUDINIT]" ${RSYSLOG_TEST_LOGS[1]} --EOF -- -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_group_read.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_group_read.pass.sh -new file mode 100755 -index 0000000000..b3846fec47 ---- /dev/null -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_group_read.pass.sh -@@ -0,0 +1,25 @@ -+#!/bin/bash -+# platform = multi_platform_sle,multi_platform_ubuntu -+ -+# Declare variables used for the tests and define the create_rsyslog_test_logs function -+source $SHARED/rsyslog_log_utils.sh -+ -+CHATTR="chmod" -+ATTR_VALUE="0640" -+ -+# create three test log file -+create_rsyslog_test_logs 2 -+ -+# setup test log file property -+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]} -+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]} -+ -+# add rules with both syntax for different test log files -+cat << EOF > $RSYSLOG_CONF -+# rsyslog configuration file -+ -+#### RULES #### -+*.* ${RSYSLOG_TEST_LOGS[0]} -+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}") -+ -+EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_stricter.pass.sh 
b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_stricter.pass.sh
-new file mode 100755
-index 0000000000..0b4cb5dce0
---- /dev/null
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/mixed_correct_attr_stricter.pass.sh
-@@ -0,0 +1,25 @@
-+#!/bin/bash
-+# platform = multi_platform_all
-+
-+# Declare variables used for the tests and define the create_rsyslog_test_logs function
-+source $SHARED/rsyslog_log_utils.sh
-+
-+CHATTR="chmod"
-+ATTR_VALUE="0400"
-+
-+# create three test log file
-+create_rsyslog_test_logs 2
-+
-+# setup test log file property
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]}
-+
-+# add rules with both syntax for different test log files
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+*.* ${RSYSLOG_TEST_LOGS[0]}
-+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
-+
-+EOF
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0600.pass.sh
-deleted file mode 100755
-index fbdcd18f77..0000000000
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0600.pass.sh
-+++ /dev/null
-@@ -1,35 +0,0 @@
--#!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
--
--# Check if log file with permissions 0600 in rsyslog.conf passes.
--
--source $SHARED/rsyslog_log_utils.sh
--
--PERMS=0600
--
--# setup test data
--create_rsyslog_test_logs 4
--
--# setup all files with incorrect permission
--chmod 0601 "${RSYSLOG_TEST_LOGS[@]}"
--
--# setup the real logfile with correct permissions
--chmod $PERMS "${RSYSLOG_TEST_LOGS[0]}"
--
--# add rule with 0600 permissions log file
--cat << EOF > $RSYSLOG_CONF
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[0]}
--
-- *.* ${RSYSLOG_TEST_LOGS[1]}
--
--authpriv.* /nonexistent_file
--
--# *.* /irrelevant_file
--
--\$something /irrelevant_file
--
--EOF
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0601.fail.sh
-deleted file mode 100755
-index 75e9558c63..0000000000
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/perms_0601.fail.sh
-+++ /dev/null
-@@ -1,34 +0,0 @@
--#!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
--
--# Check if log file with permissions 0601 in rsyslog.conf fails.
-- --source $SHARED/rsyslog_log_utils.sh -- --PERMS=0601 -- --# setup test data --create_rsyslog_test_logs 3 -- --# setup test log file and permissions --chmod $PERMS ${RSYSLOG_TEST_LOGS[0]} -- --# add rule with 0601 permissions log file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --cron.* /nonexistent_file -- -- authpriv.* /irrelevant_file -- --# *.* /irrelevant_file -- --\$something /irrelevant_file -- --something.* ${RSYSLOG_TEST_LOGS[2]} -- --EOF -diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template -index fc9e8844b6..81d6220415 100644 ---- a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template -+++ b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template -@@ -20,7 +20,7 @@ - - name: '{{{ rule_title }}} - Get include files directives' - ansible.builtin.shell: | - set -o pipefail -- grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true -+ awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' {{ rsyslog_etc_config }} || true - register: rsyslog_new_inc - changed_when: False - -@@ -61,8 +61,9 @@ - - name: '{{{ rule_title }}} -Setup log files attribute' - ansible.builtin.file: - path: "{{ item }}" -- owner: '{{ ( "{{{ ATTRIBUTE }}}" is match("owner")) | ternary({{{ VALUE }}}, omit) }}' -- group: '{{ ( "{{{ ATTRIBUTE }}}" is match("groupowner")) | ternary({{{ VALUE }}} , omit) }}' -+ {{{ 'owner: ' ~ VALUE if ATTRIBUTE == "owner" }}} -+ {{{- 'group: ' ~ VALUE if ATTRIBUTE == "groupowner" }}} -+ {{{- 'mode: ' ~ VALUE if ATTRIBUTE == "permissions" }}} - state: file - loop: "{{ log_files | list | flatten | unique }}" - failed_when: false -diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template 
b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template -index ab4a563dc5..d6755d5692 100644 ---- a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template -+++ b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template -@@ -48,7 +48,8 @@ do - # * Strip quotes and closing brackets from paths. - # * Ignore paths that match /dev|/etc.*\.conf, as those are paths, but likely not log files - # * From the remaining valid rows select only fields constituting a log file path -- # Text file column is understood to represent a log file path if and only if all of the following are met: -+ # Text file column is understood to represent a log file path if and only if all of the -+ # following are met: - # * it contains at least one slash '/' character, - # * it is preceded by space - # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters -@@ -60,8 +61,8 @@ do - FILTERED_PATHS=$(awk '{if(NF>=2&&($NF~/^\//||$NF~/^-\//)){sub(/^-\//,"/",$NF);print $NF}}' <<< "${LINES_WITH_PATHS}") - CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}") - MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}") -- # Since above sed command might return more than one item (delimited by newline), split the particular -- # matches entries into new array specific for this log file -+ # Since above sed command might return more than one item (delimited by newline), split -+ # the particular matches entries into new array specific for this log file - readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS" - # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with - # items from newly created array for this log file -@@ -71,7 +72,8 @@ do - fi - done - --# Check for RainerScript action log format which might be also multiline so grep regex is a bit curly -+# Check for RainerScript action log format which might be also multiline so grep regex is a bit -+# curly: - # extract possibly multiline 
action omfile expressions - # extract File="logfile" expression - # match only "logfile" expression -@@ -82,22 +84,10 @@ do - LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"")") - done - --FILE_PARAM="{{{ ATTRIBUTE }}}" --FILE_CMD="" --case "$FILE_PARAM" in -- "groupowner") -- FILE_CMD=$(which chgrp) -- ;; -- "owner") -- FILE_CMD=$(which chown) -- ;; -- *) -- echo -n "Not supported file attribute! " -- exit 1 -- ;; --esac -- --# Correct the form o -+# Ensure the correct attribute if file exists -+{{{ 'FILE_CMD="chown"' if ATTRIBUTE == "owner" }}} -+{{{- 'FILE_CMD="chgrp"' if ATTRIBUTE == "groupowner" }}} -+{{{- 'FILE_CMD="chmod"' if ATTRIBUTE == "permissions" }}} - for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}" - do - # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing -@@ -105,6 +95,5 @@ do - then - continue - fi -- -- $FILE_CMD "+{{{ VALUE }}}" "$LOG_FILE_PATH" -+ $FILE_CMD "{{{ VALUE }}}" "$LOG_FILE_PATH" - done -diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template -index 4f288df1c9..243d678852 100644 ---- a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template -+++ b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template -@@ -3,59 +3,57 @@ - {{{ oval_metadata("All syslog log files should have appropriate ownership.") }}} - - {{% if product in ["debian10", "debian11", "ubuntu1604"] %}} -- -+ - {{% endif %}} -- -+ - -- - - -- -- -- -+ -+ - /etc/rsyslog.conf - ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ -+ operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ - 1 - - - - -+ comment="rsyslog's include config values converted to regex."> - - - -+ object_ref="object_{{{ _RULE_ID }}}_include_config_value"/> - - - - -- -- -+ -+ - var_{{{ _RULE_ID }}}_include_config_regex - - -- -+ - 
^/etc/rsyslog.conf$ - - -- -+ - var_{{{ _RULE_ID }}}_syslog_config - - -- -- -+ -+ - - object_var_{{{ _RULE_ID }}}_include_config_regex - object_var_{{{ _RULE_ID }}}_syslog_config -@@ -64,74 +62,72 @@ - - -- -- -+ -+ - - -- -- -- -- -- ^\s*[^(\s|#|\$)]+\s+-?[\w\(="\s]*(\/[^:;\s"]+)+.*$ -+ -+ -+ -+ -+ ^\s*[^(\s|#|\$)]+\s+.*\s+-?[\w\(="\s]*(\/[^:;\s"]+)+.*$ - 1 -- state_{{{ _RULE_ID }}}_ownership_ignore_include_paths -+ state_{{{ _RULE_ID }}}_ignore_include_paths - - -- -- -+ -+ - (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) - - - -+ retrieved from the different rsyslog configuration files. --> - -- -+ comment="File paths of all rsyslog log files"> -+ - - -- -- -- -+ -+ -+ - - - -- -- -+ -+ - - - - regular - {{% if ATTRIBUTE == "groupowner" %}} - {{{ VALUE }}} -- {{% else %}} -+ {{% elif ATTRIBUTE == "owner" %}} - {{{ VALUE }}} -+ {{% else %}} -+ {{{ STATEMODE | indent(4) }}} - {{% endif %}} - -- - -diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/template.py b/shared/templates/rsyslog_logfiles_attributes_modify/template.py -new file mode 100644 -index 0000000000..9ea31c9a6b ---- /dev/null -+++ b/shared/templates/rsyslog_logfiles_attributes_modify/template.py -@@ -0,0 +1,18 @@ -+def preprocess(data, lang): -+ if lang == "oval" and data["attribute"] == 'permissions': -+ # create STATEMODE used in the OVAL template by processing the octal permission and -+ # creating the equivalent permission fields of "unix:file_state" element. 
-+ mode = data["value"]
-+ fields = [
-+ 'oexec', 'owrite', 'oread', 'gexec', 'gwrite', 'gread',
-+ 'uexec', 'uwrite', 'uread', 'sticky', 'sgid', 'suid']
-+ mode_int = int(mode, 8)
-+ mode_str = ""
-+ for field in fields:
-+ if mode_int & 0x01 == 0:
-+ mode_str = (
-+ "false\n{mode_str}".format(
-+ field=field, mode_str=mode_str))
-+ mode_int = mode_int >> 1
-+ data["statemode"] = mode_str.rstrip("\n")
-+ return data
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh
-deleted file mode 100755
-index db7e5261eb..0000000000
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh
-+++ /dev/null
-@@ -1,50 +0,0 @@
--#!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
--
--# Check rsyslog.conf with root user log from rules and
--# non root user log from $IncludeConfig fails.
--
--source $SHARED/rsyslog_log_utils.sh
--
--{{% if ATTRIBUTE == "owner" %}}
--ADDCOMMAND="useradd"
--CHATTR="chown"
--{{% else %}}
--ADDCOMMAND="groupadd"
--CHATTR="chgrp"
--{{% endif %}}
--
--USER_TEST=testssg
--$ADDCOMMAND $USER_TEST
--
--USER_ROOT=root
--
--# setup test data
--create_rsyslog_test_logs 2
--
--# setup test log files ownership
--$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]}
--$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]}
--
--# create test configuration file
--test_conf=${RSYSLOG_TEST_DIR}/test1.conf
--cat << EOF > ${test_conf}
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[1]}
--EOF
--
--# create rsyslog.conf configuration file
--cat << EOF > $RSYSLOG_CONF
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[0]}
--
--#### MODULES ####
--
--\$IncludeConfig ${test_conf}
--EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh
-deleted file mode 100755
-index d79ae23cfc..0000000000
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh
-+++ /dev/null
-@@ -1,50 +0,0 @@
--#!/bin/bash
--# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle
--
--# Check rsyslog.conf with root user log from rules and
--# non root user log from include() fails.
--
--source $SHARED/rsyslog_log_utils.sh
--
--{{% if ATTRIBUTE == "owner" %}}
--ADDCOMMAND="useradd"
--CHATTR="chown"
--{{% else %}}
--ADDCOMMAND="groupadd"
--CHATTR="chgrp"
--{{% endif %}}
--
--USER_TEST=testssg
--$ADDCOMMAND $USER_TEST
--
--USER_ROOT=root
--
--# setup test data
--create_rsyslog_test_logs 2
--
--# setup test log files ownership
--$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]}
--$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]}
--
--# create test configuration file
--test_conf=${RSYSLOG_TEST_DIR}/test1.conf
--cat << EOF > ${test_conf}
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[1]}
--EOF
--
--# create rsyslog.conf configuration file
--cat << EOF > $RSYSLOG_CONF
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[0]}
--
--#### MODULES ####
--
--include(file="${test_conf}")
--EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh
-deleted file mode 100644
-index 7869a180a8..0000000000
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh
-+++ /dev/null
-@@ -1,75 +0,0 @@
--#!/bin/bash
--# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle
--
--# Check rsyslog.conf with root user log from rules and
--# root user log from include() passes.
--
--source $SHARED/rsyslog_log_utils.sh
--
--{{% if ATTRIBUTE == "owner" %}}
--ADDCOMMAND="useradd"
--CHATTR="chown"
--{{% else %}}
--ADDCOMMAND="groupadd"
--CHATTR="chgrp"
--{{% endif %}}
--
--USER_TEST=testssg
--$ADDCOMMAND $USER_TEST
--
--USER=root
--
--# setup test data
--create_rsyslog_test_logs 3
--
--# setup test log files ownership
--$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[0]}
--$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]}
--$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]}
--
--# create test configuration file
--test_conf=${RSYSLOG_TEST_DIR}/test1.conf
--cat << EOF > ${test_conf}
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[1]}
--EOF
--
--# create test2 configuration file
--test_conf2=${RSYSLOG_TEST_DIR}/test2.conf
--{{% if ATTRIBUTE == "owner" %}}
--cat << EOF > ${test_conf2}
--# rsyslog configuration file
--
--#### RULES ####
--
--
--*.* action(type="omfile" FileCreateMode="0640" fileOwner="$USER_TEST" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}")
--EOF
--{{% else %}}
--cat << EOF > ${test_conf2}
--# rsyslog configuration file
--
--#### RULES ####
--
--
--*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="$USER_TEST" File="${RSYSLOG_TEST_LOGS[2]}")
--EOF
--{{% endif %}}
--
--# create rsyslog.conf configuration file
--cat << EOF > $RSYSLOG_CONF
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[0]}
--
--#### MODULES ####
--
--include(file="${test_conf}")
--
--\$IncludeConfig ${test_conf2}
--EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh
-deleted file mode 100755
-index e80395ca99..0000000000
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh
-+++ /dev/null
-@@ -1,46 +0,0 @@
--#!/bin/bash
--# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle
--
--# Check
rsyslog.conf with root user log from rules and
--# root user log from include() passes.
--
--source $SHARED/rsyslog_log_utils.sh
--
--
--{{% if ATTRIBUTE == "owner" %}}
--CHATTR="chown"
--{{% else %}}
--CHATTR="chgrp"
--{{% endif %}}
--
--USER=root
--
--# setup test data
--create_rsyslog_test_logs 2
--
--# setup test log files ownership
--$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
--$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]}
--
--# create test configuration file
--test_conf=${RSYSLOG_TEST_DIR}/test1.conf
--cat << EOF > ${test_conf}
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[1]}
--EOF
--
--# create rsyslog.conf configuration file
--cat << EOF > $RSYSLOG_CONF
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[0]}
--
--#### MODULES ####
--
--include(file="${test_conf}")
--EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh
-deleted file mode 100755
-index e7b4905dc5..0000000000
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh
-+++ /dev/null
-@@ -1,63 +0,0 @@
--#!/bin/bash
--# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle
--
--# Check rsyslog.conf with root user log from rules and
--# non root user log from include() fails.
--
--source $SHARED/rsyslog_log_utils.sh
--
--{{% if ATTRIBUTE == "owner" %}}
--ADDCOMMAND="useradd"
--CHATTR="chown"
--{{% else %}}
--ADDCOMMAND="groupadd"
--CHATTR="chgrp"
--{{% endif %}}
--
--USER_ROOT=root
--
--USER_TEST=testssg
--$ADDCOMMAND $USER_TEST
--
--# setup test data
--create_rsyslog_test_logs 3
--
--# setup test log files ownership
--$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]}
--$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[1]}
--$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]}
--
--# create test configuration file
--test_conf=${RSYSLOG_TEST_DIR}/test1.conf
--cat << EOF > ${test_conf}
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[1]}
--EOF
--
--# create test2 configuration file
--test_conf2=${RSYSLOG_TEST_DIR}/test2.conf
--cat << EOF > ${test_conf2}
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[2]}
--EOF
--
--# create rsyslog.conf configuration file
--cat << EOF > $RSYSLOG_CONF
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[0]}
--
--#### MODULES ####
--
--include(file="${test_conf}")
--
--\$IncludeConfig ${test_conf2}
--EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh
-deleted file mode 100755
-index 6389e6ea3b..0000000000
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh
-+++ /dev/null
-@@ -1,58 +0,0 @@
--#!/bin/bash
--# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle
--
--# Check rsyslog.conf with root user log from rules and
--# root user log from include() passes.
--
--source $SHARED/rsyslog_log_utils.sh
--
--{{% if ATTRIBUTE == "owner" %}}
--CHATTR="chown"
--{{% else %}}
--CHATTR="chgrp"
--{{% endif %}}
--
--USER=root
--
--# setup test data
--create_rsyslog_test_logs 3
--
--# setup test log files ownership
--$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
--$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]}
--$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]}
--
--# create test configuration file
--test_conf=${RSYSLOG_TEST_DIR}/test1.conf
--cat << EOF > ${test_conf}
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[1]}
--EOF
--
--# create test2 configuration file
--test_conf2=${RSYSLOG_TEST_DIR}/test2.conf
--cat << EOF > ${test_conf2}
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[2]}
--EOF
--
--# create rsyslog.conf configuration file
--cat << EOF > $RSYSLOG_CONF
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[0]}
--
--#### MODULES ####
--
--include(file="${test_conf}")
--
--\$IncludeConfig ${test_conf2}
--EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh
-deleted file mode 100755
-index 6b81a77c2f..0000000000
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh
-+++ /dev/null
-@@ -1,59 +0,0 @@
--#!/bin/bash
--# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle
--
--# Check rsyslog.conf with root user log from rules and
--# root user log from include() passes.
--
--source $SHARED/rsyslog_log_utils.sh
--
--{{% if ATTRIBUTE == "owner" %}}
--CHATTR="chown"
--{{% else %}}
--CHATTR="chgrp"
--{{% endif %}}
--
--USER=root
--
--# setup test data
--create_rsyslog_test_logs 3
--
--# setup test log files ownership
--$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
--$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]}
--$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]}
--
--# create test configuration file
--test_conf=${RSYSLOG_TEST_DIR}/test1.conf
--cat << EOF > ${test_conf}
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[1]}
--EOF
--
--# create test2 configuration file
--test_conf2=${RSYSLOG_TEST_DIR}/test2.conf
--cat << EOF > ${test_conf2}
--# rsyslog configuration file
--
--#### RULES ####
--
--
--*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}")
--EOF
--
--# create rsyslog.conf configuration file
--cat << EOF > $RSYSLOG_CONF
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[0]}
--
--#### MODULES ####
--
--include(file="${test_conf}")
--
--\$IncludeConfig ${test_conf2}
--EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh
-deleted file mode 100755
-index 78b105abf3..0000000000
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh
-+++ /dev/null
-@@ -1,47 +0,0 @@
--#!/bin/bash
--# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle
--
--# Check rsyslog.conf with root user log from rules and
--# root user log from multiline include() passes.
--
--source $SHARED/rsyslog_log_utils.sh
--
--{{% if ATTRIBUTE == "owner" %}}
--CHATTR="chown"
--{{% else %}}
--CHATTR="chgrp"
--{{% endif %}}
--
--USER=root
--
--# setup test data
--create_rsyslog_test_logs 2
--
--# setup test log files ownership
--$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
--$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]}
--
--# create test configuration file
--test_conf=${RSYSLOG_TEST_DIR}/test1.conf
--cat << EOF > ${test_conf}
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[1]}
--EOF
--
--# create rsyslog.conf configuration file
--cat << EOF > $RSYSLOG_CONF
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[0]}
--
--#### MODULES ####
--
--include(
-- file="${test_conf}"
--)
--EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh
-deleted file mode 100755
-index afce21fa27..0000000000
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh
-+++ /dev/null
-@@ -1,30 +0,0 @@
--#!/bin/bash
--# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
--
--# Check if log file with root user in rsyslog.conf passes.
--
--source $SHARED/rsyslog_log_utils.sh
--
--{{% if ATTRIBUTE == "owner" %}}
--CHATTR="chown"
--{{% else %}}
--CHATTR="chgrp"
--{{% endif %}}
--
--USER=root
--
--# setup test data
--create_rsyslog_test_logs 1
--
--# setup test log file ownership
--$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
--
--# add rule with root user owned log file
--cat << EOF > $RSYSLOG_CONF
--# rsyslog configuration file
--
--#### RULES ####
--
--*.* ${RSYSLOG_TEST_LOGS[0]}
--
--EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh
-similarity index 53%
-rename from shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh
-rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh
-index 1afe20823c..dc362ae003 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr.pass.sh
-@@ -1,33 +1,31 @@
- #!/bin/bash
- # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-
--# Check if log file with non root user in rsyslog.conf fails.
--
-+# Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-
- {{% if ATTRIBUTE == "owner" %}}
--ADDCOMMAND="useradd"
- CHATTR="chown"
--{{% else %}}
--ADDCOMMAND="groupadd"
-+ATTR_VALUE="root"
-+{{% elif ATTRIBUTE == "groupowner" %}}
- CHATTR="chgrp"
-+ATTR_VALUE="root"
-+{{% else %}}
-+CHATTR="chmod"
-+ATTR_VALUE="0600"
- {{% endif %}}
-
--USER=testssg
--
--$ADDCOMMAND $USER
--
--# setup test data
-+# create one test log file
- create_rsyslog_test_logs 1
-
--# setup test log file ownership
--$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
-+# setup test log file property
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
-
--# add rule with non-root user owned log file
-+# add rule with test log file
- cat << EOF > $RSYSLOG_CONF
- # rsyslog configuration file
-
- #### RULES ####
--
- *.* ${RSYSLOG_TEST_LOGS[0]}
-+
- EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_correct_attr.pass.sh
-similarity index 51%
-rename from shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh
-rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_correct_attr.pass.sh
-index b03268fe3e..c742f41039 100755
---- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_correct_attr.pass.sh
-@@ -1,45 +1,45 @@
- #!/bin/bash
- # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-
--# Check rsyslog.conf with root user log from rules and
--# root user log from $IncludeConfig passes.
--
-+# Declare variables used for the tests and define the create_rsyslog_test_logs function
- source $SHARED/rsyslog_log_utils.sh
-
- {{% if ATTRIBUTE == "owner" %}}
- CHATTR="chown"
--{{% else %}}
-+ATTR_VALUE="root"
-+{{% elif ATTRIBUTE == "groupowner" %}}
- CHATTR="chgrp"
-+ATTR_VALUE="root"
-+{{% else %}}
-+CHATTR="chmod"
-+ATTR_VALUE="0600"
- {{% endif %}}
-
--USER=root
--
--# setup test data
-+# create two test log file
- create_rsyslog_test_logs 2
-
--# setup test log files ownership
--$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
--$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]}
-+# setup test log file property
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]}
-
--# create test configuration file
-+# create test configuration file with rule for second test log file
- test_conf=${RSYSLOG_TEST_DIR}/test1.conf
- cat << EOF > ${test_conf}
--# rsyslog configuration file
-+# rsyslog test configuration file
-
- #### RULES ####
--
- *.* ${RSYSLOG_TEST_LOGS[1]}
-+
- EOF
-
--# create rsyslog.conf configuration file
-+# add rule with first test log file plus an include statement
- cat << EOF > $RSYSLOG_CONF
- # rsyslog configuration file
-
- #### RULES ####
--
- *.* ${RSYSLOG_TEST_LOGS[0]}
-
- #### MODULES ####
--
- \$IncludeConfig ${test_conf}
-+
- EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_incorrect_attr.fail.sh
-new file mode 100755
-index 0000000000..a12d0bc653
---- /dev/null
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_include_incorrect_attr.fail.sh
-@@ -0,0 +1,50 @@
-+#!/bin/bash
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+
-+# Declare variables used for the tests and define the create_rsyslog_test_logs function
-+source $SHARED/rsyslog_log_utils.sh
-+
-+{{% if ATTRIBUTE == "owner" %}}
-+CHATTR="chown"
-+ATTR_VALUE="root"
-+ATTR_INCORRECT_VALUE="cac_testuser"
-+useradd $ATTR_INCORRECT_VALUE
-+{{% elif ATTRIBUTE == "groupowner" %}}
-+CHATTR="chgrp"
-+ATTR_VALUE="root"
-+ATTR_INCORRECT_VALUE="cac_testgroup"
-+groupadd $ATTR_INCORRECT_VALUE
-+{{% else %}}
-+CHATTR="chmod"
-+ATTR_VALUE="0600"
-+ATTR_INCORRECT_VALUE="0666"
-+{{% endif %}}
-+
-+# create two test log file
-+create_rsyslog_test_logs 2
-+
-+# setup test log file property
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
-+$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]}
-+
-+# create test configuration file with rule for second test log file
-+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
-+cat << EOF > ${test_conf}
-+# rsyslog test configuration file
-+
-+#### RULES ####
-+*.* ${RSYSLOG_TEST_LOGS[1]}
-+
-+EOF
-+
-+# add rule with first test log file plus an include statement
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+*.* ${RSYSLOG_TEST_LOGS[0]}
-+
-+#### MODULES ####
-+\$IncludeConfig ${test_conf}
-+
-+EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_incorrect_attr.fail.sh
-new file mode 100755
-index 0000000000..25430db033
---- /dev/null
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_incorrect_attr.fail.sh
-@@ -0,0 +1,33 @@
-+#!/bin/bash
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+
-+# Declare variables used for the tests and define the create_rsyslog_test_logs function
-+source $SHARED/rsyslog_log_utils.sh
-+
-+{{% if ATTRIBUTE == "owner" %}}
-+CHATTR="chown"
-+ATTR_INCORRECT_VALUE="cac_testuser"
-+useradd $ATTR_INCORRECT_VALUE
-+{{% elif ATTRIBUTE == "groupowner" %}}
-+CHATTR="chgrp"
-+ATTR_INCORRECT_VALUE="cac_testgroup"
-+groupadd $ATTR_INCORRECT_VALUE
-+{{% else %}}
-+CHATTR="chmod"
-+ATTR_INCORRECT_VALUE="0666"
-+{{% endif %}}
-+
-+# create one test log file
-+create_rsyslog_test_logs 1
-+
-+# setup test log file property
-+$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[0]}
-+
-+# add rule with non-root user owned log file
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+*.* ${RSYSLOG_TEST_LOGS[0]}
-+
-+EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh
-new file mode 100755
-index 0000000000..c1c5758d80
---- /dev/null
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_correct_attr.pass.sh
-@@ -0,0 +1,33 @@
-+#!/bin/bash
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+
-+# Declare variables used for the tests and define the create_rsyslog_test_logs function
-+source $SHARED/rsyslog_log_utils.sh
-+
-+{{% if ATTRIBUTE == "owner" %}}
-+CHATTR="chown"
-+ATTR_VALUE="root"
-+{{% elif ATTRIBUTE == "groupowner" %}}
-+CHATTR="chgrp"
-+ATTR_VALUE="root"
-+{{% else %}}
-+CHATTR="chmod"
-+ATTR_VALUE="0600"
-+{{% endif %}}
-+
-+# create three test log file
-+create_rsyslog_test_logs 2
-+
-+# setup test log file property
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]}
-+
-+# add rules with both syntax for different test log files
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+*.* ${RSYSLOG_TEST_LOGS[0]}
-+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
-+
-+EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_correct_attr.pass.sh
-new file mode 100755
-index 0000000000..0235130534
---- /dev/null
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_correct_attr.pass.sh
-@@ -0,0 +1,58 @@
-+#!/bin/bash
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+
-+# Declare variables used for the tests and define the create_rsyslog_test_logs function
-+source $SHARED/rsyslog_log_utils.sh
-+
-+{{% if ATTRIBUTE == "owner" %}}
-+CHATTR="chown"
-+ATTR_VALUE="root"
-+{{% elif ATTRIBUTE == "groupowner" %}}
-+CHATTR="chgrp"
-+ATTR_VALUE="root"
-+{{% else %}}
-+CHATTR="chmod"
-+ATTR_VALUE="0600"
-+{{% endif %}}
-+
-+# create three test log file
-+create_rsyslog_test_logs 3
-+
-+# setup test log file property
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]}
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[2]}
-+
-+# create first test configuration file with legacy rule for second test log file
-+test_conf1=${RSYSLOG_TEST_DIR}/legacy.conf
-+cat << EOF > ${test_conf1}
-+# rsyslog test configuration file with legacy syntax
-+
-+#### RULES ####
-+*.* ${RSYSLOG_TEST_LOGS[1]}
-+
-+EOF
-+
-+# create second test configuration file with RainerScript rule for third test log file
-+test_conf2=${RSYSLOG_TEST_DIR}/rainerscript.conf
-+cat << EOF > ${test_conf2}
-+# rsyslog test configuration file with RainerScript syntax
-+
-+#### RULES ####
-+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[2]}")
-+
-+EOF
-+
-+# add rule with first test log file plus two mixed include statement
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+*.* ${RSYSLOG_TEST_LOGS[0]}
-+
-+#### MODULES ####
-+\$IncludeConfig ${test_conf1}
-+
-+include(file="${test_conf2}")
-+
-+EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_legacy.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_legacy.fail.sh
-new file mode 100755
-index 0000000000..bed0afaf5e
---- /dev/null
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_legacy.fail.sh
-@@ -0,0 +1,63 @@
-+#!/bin/bash
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+
-+# Declare variables used for the tests and define the create_rsyslog_test_logs function
-+source $SHARED/rsyslog_log_utils.sh
-+
-+{{% if ATTRIBUTE == "owner" %}}
-+CHATTR="chown"
-+ATTR_VALUE="root"
-+ATTR_INCORRECT_VALUE="cac_testuser"
-+useradd $ATTR_INCORRECT_VALUE
-+{{% elif ATTRIBUTE == "groupowner" %}}
-+CHATTR="chgrp"
-+ATTR_VALUE="root"
-+ATTR_INCORRECT_VALUE="cac_testgroup"
-+groupadd $ATTR_INCORRECT_VALUE
-+{{% else %}}
-+CHATTR="chmod"
-+ATTR_VALUE="0600"
-+ATTR_INCORRECT_VALUE="0666"
-+{{% endif %}}
-+
-+# create three test log file
-+create_rsyslog_test_logs 3
-+
-+# setup test log file property
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
-+$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]}
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[2]}
-+
-+# create first test configuration file with legacy rule for second test log file
-+test_conf1=${RSYSLOG_TEST_DIR}/legacy.conf
-+cat << EOF > ${test_conf1}
-+# rsyslog test configuration file with legacy syntax
-+
-+#### RULES ####
-+*.* ${RSYSLOG_TEST_LOGS[1]}
-+
-+EOF
-+
-+# create second test configuration file with RainerScript rule for third test log file
-+test_conf2=${RSYSLOG_TEST_DIR}/rainerscript.conf
-+cat << EOF > ${test_conf2}
-+# rsyslog test configuration file with RainerScript syntax
-+
-+#### RULES ####
-+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[2]}")
-+
-+EOF
-+
-+# add rule with first test log file plus two mixed include statement
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+*.* ${RSYSLOG_TEST_LOGS[0]}
-+
-+#### MODULES ####
-+\$IncludeConfig ${test_conf1}
-+
-+include(file="${test_conf2}")
-+
-+EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_rainer.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_rainer.fail.sh
-new file mode 100755
-index 0000000000..83c69b3a17
---- /dev/null
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_include_incorrect_attr_rainer.fail.sh
-@@ -0,0 +1,63 @@
-+#!/bin/bash
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+
-+# Declare variables used for the tests and define the create_rsyslog_test_logs function
-+source $SHARED/rsyslog_log_utils.sh
-+
-+{{% if ATTRIBUTE == "owner" %}}
-+CHATTR="chown"
-+ATTR_VALUE="root"
-+ATTR_INCORRECT_VALUE="cac_testuser"
-+useradd $ATTR_INCORRECT_VALUE
-+{{% elif ATTRIBUTE == "groupowner" %}}
-+CHATTR="chgrp"
-+ATTR_VALUE="root"
-+ATTR_INCORRECT_VALUE="cac_testgroup"
-+groupadd $ATTR_INCORRECT_VALUE
-+{{% else %}}
-+CHATTR="chmod"
-+ATTR_VALUE="0600"
-+ATTR_INCORRECT_VALUE="0666"
-+{{% endif %}}
-+
-+# create three test log file
-+create_rsyslog_test_logs 3
-+
-+# setup test log file property
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]}
-+$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[2]}
-+
-+# create first test configuration file with legacy rule for second test log file
-+test_conf1=${RSYSLOG_TEST_DIR}/legacy.conf
-+cat << EOF > ${test_conf1}
-+# rsyslog test configuration file with legacy syntax
-+
-+#### RULES ####
-+*.* ${RSYSLOG_TEST_LOGS[1]}
-+
-+EOF
-+
-+# create second test configuration file with RainerScript rule for third test log file
-+test_conf2=${RSYSLOG_TEST_DIR}/rainerscript.conf
-+cat << EOF > ${test_conf2}
-+# rsyslog test configuration file with RainerScript syntax
-+
-+#### RULES ####
-+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[2]}")
-+
-+EOF
-+
-+# add rule with first test log file plus two mixed include statement
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+*.* ${RSYSLOG_TEST_LOGS[0]}
-+
-+#### MODULES ####
-+\$IncludeConfig ${test_conf1}
-+
-+include(file="${test_conf2}")
-+
-+EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_cloudinit.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_cloudinit.fail.sh
-new file mode 100755
-index 0000000000..43a6f2648d
---- /dev/null
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_cloudinit.fail.sh
-@@ -0,0 +1,38 @@
-+#!/bin/bash
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+
-+# Declare variables used for the tests and define the create_rsyslog_test_logs function
-+source $SHARED/rsyslog_log_utils.sh
-+
-+{{% if ATTRIBUTE == "owner" %}}
-+CHATTR="chown"
-+ATTR_VALUE="root"
-+ATTR_INCORRECT_VALUE="cac_testuser"
-+useradd $ATTR_INCORRECT_VALUE
-+{{% elif ATTRIBUTE == "groupowner" %}}
-+CHATTR="chgrp"
-+ATTR_VALUE="root"
-+ATTR_INCORRECT_VALUE="cac_testgroup"
-+groupadd $ATTR_INCORRECT_VALUE
-+{{% else %}}
-+CHATTR="chmod"
-+ATTR_VALUE="0600"
-+ATTR_INCORRECT_VALUE="0666"
-+{{% endif %}}
-+
-+# create three test log file
-+create_rsyslog_test_logs 2
-+
-+# setup test log file property
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
-+$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]}
-+
-+# add rules with both syntax for different test log files
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+*.* ${RSYSLOG_TEST_LOGS[0]}
-+:syslogtag, isequal, "[CLOUDINIT]" ${RSYSLOG_TEST_LOGS[1]}
-+
-+EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_legacy.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_legacy.fail.sh
-new file mode 100755
-index 0000000000..f459e7377b
---- /dev/null
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_legacy.fail.sh
-@@ -0,0 +1,38 @@
-+#!/bin/bash
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+
-+# Declare variables used for the tests and define the create_rsyslog_test_logs function
-+source $SHARED/rsyslog_log_utils.sh
-+
-+{{% if ATTRIBUTE == "owner" %}}
-+CHATTR="chown"
-+ATTR_VALUE="root"
-+ATTR_INCORRECT_VALUE="cac_testuser"
-+useradd $ATTR_INCORRECT_VALUE
-+{{% elif ATTRIBUTE == "groupowner" %}}
-+CHATTR="chgrp"
-+ATTR_VALUE="root"
-+ATTR_INCORRECT_VALUE="cac_testgroup"
-+groupadd $ATTR_INCORRECT_VALUE
-+{{% else %}}
-+CHATTR="chmod"
-+ATTR_VALUE="0600"
-+ATTR_INCORRECT_VALUE="0666"
-+{{% endif %}}
-+
-+# create three test log file
-+create_rsyslog_test_logs 2
-+
-+# setup test log file property
-+$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[0]}
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]}
-+
-+# add rules with both syntax for different test log files
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+*.* ${RSYSLOG_TEST_LOGS[0]}
-+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
-+
-+EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_rainer.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_rainer.fail.sh
-new file mode 100755
-index 0000000000..67193b69d8
---- /dev/null
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/mixed_incorrect_attr_rainer.fail.sh
-@@ -0,0 +1,38 @@
-+#!/bin/bash
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+
-+# Declare variables used for the tests and define the create_rsyslog_test_logs function
-+source $SHARED/rsyslog_log_utils.sh
-+
-+{{% if ATTRIBUTE == "owner" %}}
-+CHATTR="chown"
-+ATTR_VALUE="root"
-+ATTR_INCORRECT_VALUE="cac_testuser"
-+useradd $ATTR_INCORRECT_VALUE
-+{{% elif ATTRIBUTE == "groupowner" %}}
-+CHATTR="chgrp"
-+ATTR_VALUE="root"
-+ATTR_INCORRECT_VALUE="cac_testgroup"
-+groupadd $ATTR_INCORRECT_VALUE
-+{{% else %}}
-+CHATTR="chmod"
-+ATTR_VALUE="0600"
-+ATTR_INCORRECT_VALUE="0666"
-+{{% endif %}}
-+
-+# create three test log file
-+create_rsyslog_test_logs 2
-+
-+# setup test log file property
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
-+$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]}
-+
-+# add rules with both syntax for different test log files
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+*.* ${RSYSLOG_TEST_LOGS[0]}
-+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
-+
-+EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh
-new file mode 100755
-index 0000000000..abdb09c485
---- /dev/null
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_attr.pass.sh
-@@ -0,0 +1,31 @@
-+#!/bin/bash
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+
-+# Declare variables used for the tests and define the create_rsyslog_test_logs function
-+source $SHARED/rsyslog_log_utils.sh
-+
-+{{% if ATTRIBUTE == "owner" %}}
-+CHATTR="chown"
-+ATTR_VALUE="root"
-+{{% elif ATTRIBUTE == "groupowner" %}}
-+CHATTR="chgrp"
-+ATTR_VALUE="root"
-+{{% else %}}
-+CHATTR="chmod"
-+ATTR_VALUE="0600"
-+{{% endif %}}
-+
-+# create one test log file
-+create_rsyslog_test_logs 1
-+
-+# setup test log file property
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
-+
-+# add rule with test log file
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}")
-+
-+EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_correct_attr.pass.sh
-new file mode 100755
-index 0000000000..8b73578e39
---- /dev/null
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_correct_attr.pass.sh
-@@ -0,0 +1,45 @@
-+#!/bin/bash
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+
-+# Declare variables used for the tests and define the create_rsyslog_test_logs function
-+source $SHARED/rsyslog_log_utils.sh
-+
-+{{% if ATTRIBUTE == "owner" %}}
-+CHATTR="chown"
-+ATTR_VALUE="root"
-+{{% elif ATTRIBUTE == "groupowner" %}}
-+CHATTR="chgrp"
-+ATTR_VALUE="root"
-+{{% else %}}
-+CHATTR="chmod"
-+ATTR_VALUE="0600"
-+{{% endif %}}
-+
-+# create two test log file
-+create_rsyslog_test_logs 2
-+
-+# setup test log file property
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]}
-+
-+# create test configuration file with rule for second test log file
-+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
-+cat << EOF > ${test_conf}
-+# rsyslog test configuration file
-+
-+#### RULES ####
-+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
-+
-+EOF
-+
-+# add rule with first test log file plus an include statement
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}")
-+
-+#### MODULES ####
-+include(file="${test_conf}")
-+
-+EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_incorrect_attr.fail.sh
-new file mode 100755
-index 0000000000..4c25c09e2e
---- /dev/null
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_incorrect_attr.fail.sh
-@@ -0,0 +1,50 @@
-+#!/bin/bash
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+
-+# Declare variables used for the tests and define the create_rsyslog_test_logs function
-+source $SHARED/rsyslog_log_utils.sh
-+
-+{{% if ATTRIBUTE == "owner" %}}
-+CHATTR="chown"
-+ATTR_VALUE="root"
-+ATTR_INCORRECT_VALUE="cac_testuser"
-+useradd $ATTR_INCORRECT_VALUE
-+{{% elif ATTRIBUTE == "groupowner" %}}
-+CHATTR="chgrp"
-+ATTR_VALUE="root"
-+ATTR_INCORRECT_VALUE="cac_testgroup"
-+groupadd $ATTR_INCORRECT_VALUE
-+{{% else %}}
-+CHATTR="chmod"
-+ATTR_VALUE="0600"
-+ATTR_INCORRECT_VALUE="0666"
-+{{% endif %}}
-+
-+# create two test log file
-+create_rsyslog_test_logs 2
-+
-+# setup test log file property
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
-+$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]}
-+
-+# create test configuration file with rule for second test log file
-+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
-+cat << EOF > ${test_conf}
-+# rsyslog test configuration file
-+
-+#### RULES ####
-+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
-+
-+EOF
-+
-+# add rule with first test log file plus an include statement
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}")
-+
-+#### MODULES ####
-+include(file="${test_conf}")
-+
-+EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_correct_attr.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_correct_attr.pass.sh
-new file mode 100755
-index 0000000000..508a5cf6eb
---- /dev/null
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_correct_attr.pass.sh
-@@ -0,0 +1,47 @@
-+#!/bin/bash
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+
-+# Declare variables used for the tests and define the create_rsyslog_test_logs function
-+source $SHARED/rsyslog_log_utils.sh
-+
-+{{% if ATTRIBUTE == "owner" %}}
-+CHATTR="chown"
-+ATTR_VALUE="root"
-+{{% elif ATTRIBUTE == "groupowner" %}}
-+CHATTR="chgrp"
-+ATTR_VALUE="root"
-+{{% else %}}
-+CHATTR="chmod"
-+ATTR_VALUE="0600"
-+{{% endif %}}
-+
-+# create two test log file
-+create_rsyslog_test_logs 2
-+
-+# setup test log file property
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[1]}
-+
-+# create test configuration file with rule for second test log file
-+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
-+cat << EOF > ${test_conf}
-+# rsyslog test configuration file
-+
-+#### RULES ####
-+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
-+
-+EOF
-+
-+# add rule with first test log file plus an include statement
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}")
-+
-+#### MODULES ####
-+include(
-+ file="${test_conf}"
-+)
-+
-+EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_incorrect_attr.fail.sh
-new file mode 100755
-index 0000000000..49fada4cd4
---- /dev/null
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_include_multiline_incorrect_attr.fail.sh
-@@ -0,0 +1,52 @@
-+#!/bin/bash
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+
-+# Declare variables used for the tests and define the create_rsyslog_test_logs function
-+source $SHARED/rsyslog_log_utils.sh
-+
-+{{% if ATTRIBUTE == "owner" %}}
-+CHATTR="chown"
-+ATTR_VALUE="root"
-+ATTR_INCORRECT_VALUE="cac_testuser"
-+useradd $ATTR_INCORRECT_VALUE
-+{{% elif ATTRIBUTE == "groupowner" %}}
-+CHATTR="chgrp"
-+ATTR_VALUE="root"
-+ATTR_INCORRECT_VALUE="cac_testgroup"
-+groupadd $ATTR_INCORRECT_VALUE
-+{{% else %}}
-+CHATTR="chmod"
-+ATTR_VALUE="0600"
-+ATTR_INCORRECT_VALUE="0666"
-+{{% endif %}}
-+
-+# create two test log file
-+create_rsyslog_test_logs 2
-+
-+# setup test log file property
-+$CHATTR $ATTR_VALUE ${RSYSLOG_TEST_LOGS[0]}
-+$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[1]}
-+
-+# create test configuration file with rule for second test log file
-+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
-+cat << EOF > ${test_conf}
-+# rsyslog test configuration file
-+
-+#### RULES ####
-+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[1]}")
-+
-+EOF
-+
-+# add rule with first test log file plus an include statement
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}")
-+
-+#### MODULES ####
-+include(
-+ file="${test_conf}"
-+)
-+
-+EOF
-diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_incorrect_attr.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_incorrect_attr.fail.sh
-new file mode 100755
-index 0000000000..b17eb6b744
---- /dev/null
-+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_incorrect_attr.fail.sh
-@@ -0,0 +1,33 @@
-+#!/bin/bash
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-+
-+# Declare variables used for the tests and define the create_rsyslog_test_logs function
-+source $SHARED/rsyslog_log_utils.sh
-+
-+{{% if ATTRIBUTE == "owner" %}}
-+CHATTR="chown"
-+ATTR_INCORRECT_VALUE="cac_testuser"
-+useradd $ATTR_INCORRECT_VALUE
-+{{% elif ATTRIBUTE == "groupowner" %}}
-+CHATTR="chgrp"
-+ATTR_INCORRECT_VALUE="cac_testgroup"
-+groupadd $ATTR_INCORRECT_VALUE
-+{{% else %}}
-+CHATTR="chmod"
-+ATTR_INCORRECT_VALUE="0666"
-+{{% endif %}}
-+
-+# create one test log file
-+create_rsyslog_test_logs 1
-+
-+# setup test log file property
-+$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[0]}
-+
-+# add rule with non-root user owned log file
-+cat << EOF > $RSYSLOG_CONF
-+# rsyslog configuration file
-+
-+#### RULES ####
-+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="${RSYSLOG_TEST_LOGS[0]}")
-+
-+EOF
--- 
-2.39.1
-
diff --git a/SOURCES/scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch b/SOURCES/scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch
deleted file mode 100644
index 80bcc2f..0000000
--- a/SOURCES/scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch
+++ /dev/null
@@ -1,1950 +0,0 @@ -From b8d2b568eb07b10f8a51f1327e399303bc06528d Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 13 Feb 2023 17:49:12 +0100 -Subject: [PATCH 1/5] Rsyslog files rules remediations - -Patch-name: scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch -Patch-status: Rsyslog files rules remediations ---- - controls/cis_sle12.yml | 4 +- - controls/cis_sle15.yml | 4 +- - .../file_groupowner_logfiles_value.var | 18 --- - .../oval/shared.xml | 116 --------------- - .../rsyslog_files_groupownership/rule.yml | 39 ++++- - .../tests/IncludeConfig_is_other.fail.sh | 42 ------ - .../tests/IncludeConfig_is_root.pass.sh | 39 ----- - .../tests/include_is_other.fail.sh | 42 ------ - .../tests/include_is_root.pass.sh | 39 ----- - .../tests/include_multiline_is_root.pass.sh | 41 ------ - .../tests/is_other.fail.sh | 25 ---- - .../tests/is_root.pass.sh | 24 --- - .../rsyslog_files_ownership/oval/shared.xml | 114 --------------- - .../rsyslog_files_ownership/rule.yml | 44 +++++- - .../ansible/shared.yml | 12 ++ - .../rsyslog_logging_configured/bash/shared.sh | 7 + - .../oval/shared.xml | 41 ++++++ - .../rsyslog_logging_configured/rule.yml | 34 +++++ - ...with_everything_logged_to_messages.pass.sh | 13 ++ - .../rsyslog_file_with_no_logging.fail.sh | 12 ++ - .../profiles/anssi_np_nt28_average.profile | 2 - - products/debian10/profiles/standard.profile | 2 - - .../profiles/anssi_np_nt28_average.profile | 2 - - products/debian11/profiles/standard.profile | 2 - - products/rhel7/profiles/rht-ccp.profile | 2 - - products/rhel8/profiles/rht-ccp.profile | 2 - - .../profiles/anssi_bp28_intermediary.profile | 1 + - products/sle15/profiles/standard.profile | 2 - - .../profiles/anssi_np_nt28_average.profile | 2 - - products/ubuntu1604/profiles/standard.profile | 2 - - .../profiles/anssi_np_nt28_average.profile | 2 - - products/ubuntu1804/profiles/standard.profile | 2 - - products/ubuntu2004/profiles/standard.profile | 2 - - 
products/ubuntu2204/profiles/standard.profile | 2 - - shared/references/cce-sle12-avail.txt | 1 - - shared/references/cce-sle15-avail.txt | 1 - - .../ansible.template | 68 +++++++++ - .../bash.template | 110 ++++++++++++++ - .../oval.template | 137 ++++++++++++++++++ - .../template.yml | 4 + - .../tests/IncludeConfig_is_other.fail.sh | 14 +- - .../tests/IncludeConfig_is_root.pass.sh | 10 +- - .../tests/include_is_other.fail.sh | 14 +- - ...udeConfig_is_other_RainerLogClause.fail.sh | 37 ++++- - .../tests/include_is_root.pass.sh | 11 +- - ...ude_is_root_IncludeConfig_is_other.fail.sh | 16 +- - ...lude_is_root_IncludeConfig_is_root.pass.sh | 12 +- - ...ludeConfig_is_root_RainerLogClause.pass.sh | 22 +-- - .../tests/include_multiline_is_root.pass.sh | 10 +- - .../tests/is_other.fail.sh | 12 +- - .../tests/is_root.pass.sh | 8 +- - 51 files changed, 648 insertions(+), 576 deletions(-) - delete mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var - delete mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml - delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh - delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh - delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh - delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh - delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh - delete mode 100755 
linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh - delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh - delete mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml - create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml - create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh - create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml - create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml - create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh - create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh - create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/ansible.template - create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/bash.template - create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/oval.template - create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/template.yml - rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/IncludeConfig_is_other.fail.sh (75%) - rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/IncludeConfig_is_root.pass.sh (81%) 
- rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_other.fail.sh (75%) - rename linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh => shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh (50%) - mode change 100755 => 100644 - rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_root.pass.sh (81%) - rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_root_IncludeConfig_is_other.fail.sh (77%) - rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_root_IncludeConfig_is_root.pass.sh (82%) - rename linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh => shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh (65%) - rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_multiline_is_root.pass.sh (81%) - rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/is_other.fail.sh (70%) - rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => 
shared/templates/rsyslog_logfiles_attributes_modify}/tests/is_root.pass.sh (77%) - -diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml -index 5c464fe556..8576343b9d 100644 ---- a/controls/cis_sle12.yml -+++ b/controls/cis_sle12.yml -@@ -1321,7 +1321,9 @@ controls: - levels: - - l1_server - - l1_workstation -- status: manual -+ automated: yes -+ rules: -+ - rsyslog_logging_configured - - - id: 4.2.1.5 - title: Ensure rsyslog is configured to send logs to a remote log host (Automated) -diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml -index 36d7616f90..f82341a038 100644 ---- a/controls/cis_sle15.yml -+++ b/controls/cis_sle15.yml -@@ -1469,7 +1469,9 @@ controls: - levels: - - l1_server - - l1_workstation -- status: manual -+ automated: yes -+ rules: -+ - rsyslog_logging_configured - - - id: 4.2.1.5 - title: Ensure rsyslog is configured to send logs to a remote log host (Automated) -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var -deleted file mode 100644 -index 7ebf8c191a..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var -+++ /dev/null -@@ -1,18 +0,0 @@ --documentation_complete: true -- --title: 'group who owns log files' -- --description: |- -- Specify group owner of all logfiles specified in -- /etc/rsyslog.conf. 
-- --type: string -- --operator: equals -- --interactive: false -- --options: -- default: root -- adm: adm -- root: root -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml -deleted file mode 100644 -index 4567f4d411..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml -+++ /dev/null -@@ -1,116 +0,0 @@ -- -- -- {{{ oval_metadata("All syslog log files should be owned by the appropriate group.") }}} -- -- -- {{% if product in ["debian10", "debian11", "ubuntu1604"] %}} -- -- {{% endif %}} -- -- -- -- -- -- -- -- /etc/rsyslog.conf -- ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ -- 1 -- -- -- -- -- -- -- -- -- -- -- -- -- -- var_rfg_include_config_regex -- -- -- -- ^/etc/rsyslog.conf$ -- -- -- -- var_rfg_syslog_config -- -- -- -- -- -- object_var_rfg_include_config_regex -- object_var_rfg_syslog_config -- -- -- -- -- -- -- -- -- -- -- -- -- ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$ -- 1 -- state_groupownership_ignore_include_paths -- -- -- -- -- (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- regular -- {{% if product in ["debian10", "debian11", "ubuntu1604", "ubuntu2004", "ubuntu2204"] %}} -- 4 -- {{% else %}} -- 0 -- {{% endif %}} -- -- -- -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml -index 4f797f4a21..13c89d90c5 100644 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml -+++ 
b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml -@@ -4,15 +4,30 @@ title: 'Ensure Log Files Are Owned By Appropriate Group' - - description: |- - The group-owner of all log files written by -- rsyslog should be {{{ xccdf_value("file_groupowner_logfiles_value") }}}. -+ rsyslog should be -+{{% if 'debian' in product or 'ubuntu' in product %}} -+ adm. -+{{% else %}} -+ root. -+{{% endif %}} - These log files are determined by the second part of each Rule line in - /etc/rsyslog.conf and typically all appear in /var/log. - For each log file LOGFILE referenced in /etc/rsyslog.conf, - run the following command to inspect the file's group owner: -
$ ls -l LOGFILE
-- If the owner is not {{{ xccdf_value("file_groupowner_logfiles_value") }}}, run the following command to -+ If the owner is not -+ {{% if 'debian' in product or 'ubuntu' in product %}} -+ adm, -+ {{% else %}} -+ root, -+ {{% endif %}} -+ run the following command to - correct this: --
$ sudo chgrp {{{ xccdf_value("file_groupowner_logfiles_value") }}} LOGFILE
-+{{% if 'debian' in product or 'ubuntu' in product %}} -+
$ sudo chgrp adm LOGFILE
-+{{% else %}} -+
$ sudo chgrp root LOGFILE
-+{{% endif %}} - - rationale: |- - The log files generated by rsyslog contain valuable information regarding system -@@ -47,8 +62,24 @@ references: - ocil_clause: 'the group-owner is not correct' - - ocil: |- -- The group-owner of all log files written by rsyslog should be {{{ xccdf_value("file_groupowner_logfiles_value") }}}. -+ The group-owner of all log files written by rsyslog should be -+ {{% if 'debian' in product or 'ubuntu' in product %}} -+ adm. -+ {{% else %}} -+ root. -+ {{% endif %}} - These log files are determined by the second part of each Rule line in - /etc/rsyslog.conf and typically all appear in /var/log. - To see the group-owner of a given log file, run the following command: -
$ ls -l LOGFILE
-+ -+template: -+ name: rsyslog_logfiles_attributes_modify -+ vars: -+ attribute: groupowner -+ value: 0 -+ value@debian10: 4 -+ value@debian11: 4 -+ value@ubuntu1604: 4 -+ value@ubuntu2004: 4 -+ value@ubuntu2204: 4 -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh -deleted file mode 100755 -index 575530ef2e..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh -+++ /dev/null -@@ -1,42 +0,0 @@ --#!/bin/bash --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle -- --# Check rsyslog.conf with root group-owner log from rules and --# non root group-owner log from $IncludeConfig fails. -- --source $SHARED/rsyslog_log_utils.sh -- --GROUP_TEST=testssg --groupadd $GROUP_TEST -- --GROUP_ROOT=root -- --# setup test data --create_rsyslog_test_logs 2 -- --# setup test log files ownership --chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[0]} --chgrp $GROUP_TEST ${RSYSLOG_TEST_LOGS[1]} -- --# create test configuration file --test_conf=${RSYSLOG_TEST_DIR}/test1.conf --cat << EOF > ${test_conf} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[1]} --EOF -- --# create rsyslog.conf configuration file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --#### MODULES #### -- --\$IncludeConfig ${test_conf} --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh -deleted file mode 100755 -index 
39efc1a4b7..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh -+++ /dev/null -@@ -1,39 +0,0 @@ --#!/bin/bash --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle -- --# Check rsyslog.conf with root group-owner log from rules and --# root group-owner log from $IncludeConfig passes. -- --source $SHARED/rsyslog_log_utils.sh -- --GROUP=root -- --# setup test data --create_rsyslog_test_logs 2 -- --# setup test log files ownership --chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} --chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]} -- --# create test configuration file --test_conf=${RSYSLOG_TEST_DIR}/test1.conf --cat << EOF > ${test_conf} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[1]} --EOF -- --# create rsyslog.conf configuration file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --#### MODULES #### -- --\$IncludeConfig ${test_conf} --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh -deleted file mode 100755 -index c0db7056b4..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh -+++ /dev/null -@@ -1,42 +0,0 @@ --#!/bin/bash --# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle -- --# Check rsyslog.conf with root group-owner log from rules and --# non root group-owner log from include() fails. 
-- --source $SHARED/rsyslog_log_utils.sh -- --GROUP_TEST=testssg --groupadd $GROUP_TEST -- --GROUP_ROOT=root -- --# setup test data --create_rsyslog_test_logs 2 -- --# setup test log files ownership --chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[0]} --chgrp $GROUP_TEST ${RSYSLOG_TEST_LOGS[1]} -- --# create test configuration file --test_conf=${RSYSLOG_TEST_DIR}/test1.conf --cat << EOF > ${test_conf} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[1]} --EOF -- --# create rsyslog.conf configuration file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --#### MODULES #### -- --include(file="${test_conf}") --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh -deleted file mode 100755 -index 1feaf762fc..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh -+++ /dev/null -@@ -1,39 +0,0 @@ --#!/bin/bash --# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle -- --# Check rsyslog.conf with root group-owner log from rules and --# root group-owner log from include() passes. 
-- --source $SHARED/rsyslog_log_utils.sh -- --GROUP=root -- --# setup test data --create_rsyslog_test_logs 2 -- --# setup test log files ownership --chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} --chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]} -- --# create test configuration file --test_conf=${RSYSLOG_TEST_DIR}/test1.conf --cat << EOF > ${test_conf} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[1]} --EOF -- --# create rsyslog.conf configuration file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --#### MODULES #### -- --include(file="${test_conf}") --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh -deleted file mode 100755 -index 5a357d029b..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh -+++ /dev/null -@@ -1,41 +0,0 @@ --#!/bin/bash --# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle -- --# Check rsyslog.conf with root group-owner log from rules and --# root group-owner log from multiline include() passes. 
-- --source $SHARED/rsyslog_log_utils.sh -- --GROUP=root -- --# setup test data --create_rsyslog_test_logs 2 -- --# setup test log files ownership --chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} --chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]} -- --# create test configuration file --test_conf=${RSYSLOG_TEST_DIR}/test1.conf --cat << EOF > ${test_conf} --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[1]} --EOF -- --# create rsyslog.conf configuration file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --#### MODULES #### -- --include( -- file="${test_conf}" --) --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh -deleted file mode 100755 -index c7c01132f2..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh -+++ /dev/null -@@ -1,25 +0,0 @@ --#!/bin/bash --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle -- --# Check if log file with non root group-owner in rsyslog.conf fails. 
-- --source $SHARED/rsyslog_log_utils.sh -- --GROUP=testssg -- --groupadd $GROUP -- --# setup test data --create_rsyslog_test_logs 1 -- --# setup test log file ownership --chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} -- --# add rule with non-root group owned log file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh -deleted file mode 100755 -index 0ecbb35bd1..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh -+++ /dev/null -@@ -1,24 +0,0 @@ --#!/bin/bash --# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle -- --# Check if log file with root group-owner in rsyslog.conf passes. 
-- --source $SHARED/rsyslog_log_utils.sh -- --GROUP=root -- --# setup test data --create_rsyslog_test_logs 1 -- --# setup test log file ownership --chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} -- --# add rule with root group owned log file --cat << EOF > $RSYSLOG_CONF --# rsyslog configuration file -- --#### RULES #### -- --*.* ${RSYSLOG_TEST_LOGS[0]} -- --EOF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml -deleted file mode 100644 -index 8e3f68db26..0000000000 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml -+++ /dev/null -@@ -1,114 +0,0 @@ -- -- -- {{{ oval_metadata("All syslog log files should be owned by the appropriate user.") }}} -- -- -- -- -- -- -- -- -- -- /etc/rsyslog.conf -- ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ -- 1 -- -- -- -- -- -- -- -- -- -- -- -- -- -- var_rfo_include_config_regex -- -- -- -- ^/etc/rsyslog.conf$ -- -- -- -- var_rfo_syslog_config -- -- -- -- -- -- object_var_rfo_include_config_regex -- object_var_rfo_syslog_config -- -- -- -- -- -- -- -- -- -- -- -- -- ^[^(#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$ -- 1 -- state_owner_ignore_include_paths -- -- -- -- -- (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- regular -- -- {{% if product in ["ubuntu2004", "ubuntu2204"] %}} -- 104 -- {{% else %}} -- 0 -- {{% endif %}} -- -- -- -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml -index 37c87b07cd..0d9bf40f4b 100644 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml -+++ 
b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml -@@ -4,15 +4,36 @@ title: 'Ensure Log Files Are Owned By Appropriate User' - - description: |- - The owner of all log files written by -- rsyslog should be {{{ xccdf_value("file_owner_logfiles_value") }}}. -+ rsyslog should be -+ {{% if product in ['ubuntu2204','ubuntu2004'] %}} -+ syslog. -+ {{% elif 'debian' in product or 'ubuntu' in product %}} -+ adm. -+ {{% else %}} -+ root. -+ {{% endif %}} - These log files are determined by the second part of each Rule line in - /etc/rsyslog.conf and typically all appear in /var/log. - For each log file LOGFILE referenced in /etc/rsyslog.conf, - run the following command to inspect the file's owner: -
$ ls -l LOGFILE
-- If the owner is not {{{ xccdf_value("file_owner_logfiles_value") }}}, run the following command to -+ If the owner is not -+ {{% if product in ['ubuntu2204','ubuntu2004'] %}} -+ syslog, -+ {{% elif 'debian' in product or 'ubuntu' in product %}} -+ adm, -+ {{% else %}} -+ root, -+ {{% endif %}} -+ run the following command to - correct this: --
$ sudo chown {{{ xccdf_value("file_owner_logfiles_value") }}} LOGFILE
-+ {{% if product in ['ubuntu2204','ubuntu2004'] %}} -+
$ sudo chown syslog LOGFILE
-+ {{% elif 'debian' in product or 'ubuntu' in product %}} -+
$ sudo chown adm LOGFILE
-+ {{% else %}} -+
$ sudo chown root LOGFILE
-+ {{% endif %}} - - rationale: |- - The log files generated by rsyslog contain valuable information regarding system -@@ -47,8 +68,23 @@ references: - ocil_clause: 'the owner is not correct' - - ocil: |- -- The owner of all log files written by rsyslog should be {{{ xccdf_value("file_owner_logfiles_value") }}}. -+ The owner of all log files written by rsyslog should be -+ {{% if product in ['ubuntu2204','ubuntu2004'] %}} -+ syslog. -+ {{% elif 'debian' in product or 'ubuntu' in product %}} -+ adm. -+ {{% else %}} -+ root. -+ {{% endif %}} - These log files are determined by the second part of each Rule line in - /etc/rsyslog.conf and typically all appear in /var/log. - To see the owner of a given log file, run the following command: -
$ ls -l LOGFILE
-+ -+template: -+ name: rsyslog_logfiles_attributes_modify -+ vars: -+ attribute: owner -+ value: 0 -+ value@ubuntu2004: 104 -+ value@ubuntu2204: 104 -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml -new file mode 100644 -index 0000000000..041e263155 ---- /dev/null -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml -@@ -0,0 +1,12 @@ -+# platform = multi_platform_sle -+# reboot = false -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+- name: "Set rsyslog remote loghost" -+ lineinfile: -+ dest: /etc/rsyslog.conf -+ regexp: "^\\*\\.\\*" -+ line: "*.* /var/log/messages" -+ create: yes -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh -new file mode 100644 -index 0000000000..d634610225 ---- /dev/null -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh -@@ -0,0 +1,7 @@ -+# platform = multi_platform_sle -+# reboot = false -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+{{{ bash_replace_or_append('/etc/rsyslog.conf', '^\*\.\*', "/var/log/messages", '%s %s') }}} -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml -new file mode 100644 -index 0000000000..89e1e7616e ---- /dev/null -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml -@@ -0,0 +1,41 @@ -+ -+ -+ {{{ 
oval_metadata("Syslog logs should be configured") }}} -+ -+ -+ {{% if product in ["debian10", "debian11", "ubuntu1604", "ubuntu1804"] %}} -+ -+ {{% endif %}} -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/rsyslog.conf -+ ^[^(\s|#|\$)]+[\s]+.*[\s]+(\:\w+\:\S*|-?(\/+[^:;\s]+);*\.*)$ -+ 1 -+ -+ -+ -+ /etc/rsyslog.d -+ ^.+\.conf$ -+ ^[^(\s|#|\$)]+[\s]+.*[\s]+(\:\w+\:\S*|-?(\/+[^:;\s]+);*\.*)$ -+ 1 -+ -+ -+ -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml -new file mode 100644 -index 0000000000..f9477de9e9 ---- /dev/null -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml -@@ -0,0 +1,34 @@ -+documentation_complete: true -+ -+title: 'Ensure logging is configured' -+ -+description: |- -+ The /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files -+ specifies rules for logging and which files are to be used to log certain -+ classes of messages. -+ -+rationale: |- -+ A great deal of important security-related information is sent via -+ rsyslog (e.g., successful and failed su attempts, failed login attempts, -+ root login attempts, etc.). -+ -+severity: medium -+ -+identifiers: -+ cce@sle12: CCE-92379-7 -+ cce@sle15: CCE-92497-7 -+ -+references: -+ cis@sle12: 4.2.1.4 -+ cis@sle15: 4.2.1.4 -+ -+ocil_clause: 'no logging is configured' -+ -+ocil: |- -+ Review the contents of the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf -+ files to ensure appropriate logging is set. In addition, run the following command: -+
ls -l /var/log/
-+ and verify that the log files are logging information
-+
-+fixtext: |-
-+ Configure logging with selectors covering each priority
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh
-new file mode 100644
-index 0000000000..a4fb1cf07a
---- /dev/null
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh
-@@ -0,0 +1,13 @@
-+#!/bin/bash
-+# platform = multi_platform_sle
-+
-+# Check rsyslog.conf with no includes and all loggging facility/priority configured to go to /var/log/messages
-+
-+source $SHARED/rsyslog_log_utils.sh
-+cat << EOF > ${RSYSLOG_CONF}
-+# rsyslog configuration file
-+
-+#### RULES ####
-+
-+*.* /var/log/messages
-+EOF
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh
-new file mode 100644
-index 0000000000..158cf4c98d
---- /dev/null
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh
-@@ -0,0 +1,12 @@
-+#!/bin/bash
-+# platform = multi_platform_sle
-+
-+# Check rsyslog.conf with no includes and no loggging facility/priority configured
-+
-+source $SHARED/rsyslog_log_utils.sh
-+cat << EOF > ${RSYSLOG_CONF}
-+# rsyslog configuration file
-+
-+#### RULES ####
-+
-+EOF
-diff --git a/products/debian10/profiles/anssi_np_nt28_average.profile b/products/debian10/profiles/anssi_np_nt28_average.profile
-index 600f1a6f71..4c42814719 100644
---- a/products/debian10/profiles/anssi_np_nt28_average.profile
-+++ b/products/debian10/profiles/anssi_np_nt28_average.profile
-@@ -22,9 +22,7 @@ selections:
- - sshd_allow_only_protocol2
- - var_sshd_set_keepalive=0
- - sshd_set_keepalive_0
-- - file_owner_logfiles_value=adm
- - rsyslog_files_ownership
-- - file_groupowner_logfiles_value=adm
- - rsyslog_files_groupownership
- - rsyslog_files_permissions
- - "!rsyslog_remote_loghost"
-diff --git a/products/debian10/profiles/standard.profile b/products/debian10/profiles/standard.profile
-index 3784182fa1..446f5aca1d 100644
---- a/products/debian10/profiles/standard.profile
-+++ b/products/debian10/profiles/standard.profile
-@@ -33,9 +33,7 @@ selections:
- - sshd_allow_only_protocol2
- - var_sshd_set_keepalive=0
- - sshd_set_keepalive_0
-- - file_owner_logfiles_value=adm
- - rsyslog_files_ownership
-- - file_groupowner_logfiles_value=adm
- - rsyslog_files_groupownership
- - rsyslog_files_permissions
- - "!rsyslog_remote_loghost"
-diff --git a/products/debian11/profiles/anssi_np_nt28_average.profile b/products/debian11/profiles/anssi_np_nt28_average.profile
-index 600f1a6f71..4c42814719 100644
---- a/products/debian11/profiles/anssi_np_nt28_average.profile
-+++ b/products/debian11/profiles/anssi_np_nt28_average.profile
-@@ -22,9 +22,7 @@ selections:
- - sshd_allow_only_protocol2
- - var_sshd_set_keepalive=0
- - sshd_set_keepalive_0
-- - file_owner_logfiles_value=adm
- - rsyslog_files_ownership
-- - file_groupowner_logfiles_value=adm
- - rsyslog_files_groupownership
- - rsyslog_files_permissions
- - "!rsyslog_remote_loghost"
-diff --git a/products/debian11/profiles/standard.profile b/products/debian11/profiles/standard.profile
-index e1b2c718df..c21f8d592b 100644
---- a/products/debian11/profiles/standard.profile
-+++ b/products/debian11/profiles/standard.profile
-@@ -33,9 +33,7 @@ selections:
- - sshd_allow_only_protocol2
- - var_sshd_set_keepalive=0
- - sshd_set_keepalive_0
-- - file_owner_logfiles_value=adm
- - rsyslog_files_ownership
-- - file_groupowner_logfiles_value=adm
- - rsyslog_files_groupownership
- - rsyslog_files_permissions
- - "!rsyslog_remote_loghost"
-diff --git a/products/rhel7/profiles/rht-ccp.profile b/products/rhel7/profiles/rht-ccp.profile
-index 12a3a25013..a246d5a094 100644
---- a/products/rhel7/profiles/rht-ccp.profile
-+++ b/products/rhel7/profiles/rht-ccp.profile
-@@ -11,8 +11,6 @@ description: |-
- selections:
- - var_selinux_state=enforcing
- - var_selinux_policy_name=targeted
-- - file_owner_logfiles_value=root
-- - file_groupowner_logfiles_value=root
- - sshd_idle_timeout_value=5_minutes
- - var_accounts_minimum_age_login_defs=7
- - var_accounts_passwords_pam_faillock_deny=5
-diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
-index b192461f95..6856951bff 100644
---- a/products/rhel8/profiles/rht-ccp.profile
-+++ b/products/rhel8/profiles/rht-ccp.profile
-@@ -11,8 +11,6 @@ description: |-
- selections:
- - var_selinux_state=enforcing
- - var_selinux_policy_name=targeted
-- - file_owner_logfiles_value=root
-- - file_groupowner_logfiles_value=root
- - sshd_idle_timeout_value=5_minutes
- - var_logind_session_timeout=5_minutes
- - var_accounts_minimum_age_login_defs=7
-diff --git a/products/sle12/profiles/anssi_bp28_intermediary.profile b/products/sle12/profiles/anssi_bp28_intermediary.profile
-index 24a98fd824..22498b6b6f 100644
---- a/products/sle12/profiles/anssi_bp28_intermediary.profile
-+++ b/products/sle12/profiles/anssi_bp28_intermediary.profile
-@@ -23,3 +23,4 @@ description: |-
- 
- selections:
- - anssi:all:intermediary
-+
-diff --git a/products/sle15/profiles/standard.profile b/products/sle15/profiles/standard.profile
-index 204804c2ee..1af0a865ef 100644
---- a/products/sle15/profiles/standard.profile
-+++ b/products/sle15/profiles/standard.profile
-@@ -29,9 +29,7 @@ selections:
- - service_cron_enabled
- - service_ntp_enabled
- - service_rsyslog_enabled
-- - file_owner_logfiles_value=adm
- - rsyslog_files_ownership
-- - file_groupowner_logfiles_value=adm
- - rsyslog_files_groupownership
- - rsyslog_files_permissions
- - ensure_logrotate_activated
-diff --git a/products/ubuntu1604/profiles/anssi_np_nt28_average.profile b/products/ubuntu1604/profiles/anssi_np_nt28_average.profile
-index 600f1a6f71..4c42814719 100644
---- a/products/ubuntu1604/profiles/anssi_np_nt28_average.profile
-+++ b/products/ubuntu1604/profiles/anssi_np_nt28_average.profile
-@@ -22,9 +22,7 @@ selections:
- - sshd_allow_only_protocol2
- - var_sshd_set_keepalive=0
- - sshd_set_keepalive_0
-- - file_owner_logfiles_value=adm
- - rsyslog_files_ownership
-- - file_groupowner_logfiles_value=adm
- - rsyslog_files_groupownership
- - rsyslog_files_permissions
- - "!rsyslog_remote_loghost"
-diff --git a/products/ubuntu1604/profiles/standard.profile b/products/ubuntu1604/profiles/standard.profile
-index 6fd70f0da6..93001f3bfe 100644
---- a/products/ubuntu1604/profiles/standard.profile
-+++ b/products/ubuntu1604/profiles/standard.profile
-@@ -34,9 +34,7 @@ selections:
- - sshd_allow_only_protocol2
- - var_sshd_set_keepalive=0
- - sshd_set_keepalive_0
-- - file_owner_logfiles_value=adm
- - rsyslog_files_ownership
-- - file_groupowner_logfiles_value=adm
- - rsyslog_files_groupownership
- - rsyslog_files_permissions
- - "!rsyslog_remote_loghost"
-diff --git a/products/ubuntu1804/profiles/anssi_np_nt28_average.profile b/products/ubuntu1804/profiles/anssi_np_nt28_average.profile
-index 600f1a6f71..4c42814719 100644
---- a/products/ubuntu1804/profiles/anssi_np_nt28_average.profile
-+++ b/products/ubuntu1804/profiles/anssi_np_nt28_average.profile
-@@ -22,9 +22,7 @@ selections:
- - sshd_allow_only_protocol2
- - var_sshd_set_keepalive=0
- - sshd_set_keepalive_0
-- - file_owner_logfiles_value=adm
- - rsyslog_files_ownership
-- - file_groupowner_logfiles_value=adm
- - rsyslog_files_groupownership
- - rsyslog_files_permissions
- - "!rsyslog_remote_loghost"
-diff --git a/products/ubuntu1804/profiles/standard.profile b/products/ubuntu1804/profiles/standard.profile
-index d587d499d8..a17117818e 100644
---- a/products/ubuntu1804/profiles/standard.profile
-+++ b/products/ubuntu1804/profiles/standard.profile
-@@ -32,9 +32,7 @@ selections:
- - sshd_allow_only_protocol2
- - var_sshd_set_keepalive=0
- - sshd_set_keepalive_0
-- - file_owner_logfiles_value=adm
- - rsyslog_files_ownership
-- - file_groupowner_logfiles_value=adm
- - rsyslog_files_groupownership
- - rsyslog_files_permissions
- - "!rsyslog_remote_loghost"
-diff --git a/products/ubuntu2004/profiles/standard.profile b/products/ubuntu2004/profiles/standard.profile
-index 823a69a5d9..6ed27aa16d 100644
---- a/products/ubuntu2004/profiles/standard.profile
-+++ b/products/ubuntu2004/profiles/standard.profile
-@@ -31,9 +31,7 @@ selections:
- - sshd_disable_empty_passwords
- - var_sshd_set_keepalive=0
- - sshd_set_keepalive
-- - file_owner_logfiles_value=syslog
- - rsyslog_files_ownership
-- - file_groupowner_logfiles_value=adm
- - rsyslog_files_groupownership
- - rsyslog_files_permissions
- - "!rsyslog_remote_loghost"
-diff --git a/products/ubuntu2204/profiles/standard.profile b/products/ubuntu2204/profiles/standard.profile
-index c8bc5369c9..1bb9f43e7d 100644
---- a/products/ubuntu2204/profiles/standard.profile
-+++ b/products/ubuntu2204/profiles/standard.profile
-@@ -31,9 +31,7 @@ selections:
- - sshd_disable_empty_passwords
- - var_sshd_set_keepalive=0
- - sshd_set_keepalive
-- - file_owner_logfiles_value=syslog
- - rsyslog_files_ownership
-- - file_groupowner_logfiles_value=adm
- - rsyslog_files_groupownership
- - rsyslog_files_permissions
- - "!rsyslog_remote_loghost"
-diff --git a/shared/references/cce-sle12-avail.txt b/shared/references/cce-sle12-avail.txt
-index c119834759..4e0a76f8de 100644
---- a/shared/references/cce-sle12-avail.txt
-+++ b/shared/references/cce-sle12-avail.txt
-@@ -54,7 +54,6 @@ CCE-92375-5
- CCE-92376-3
- CCE-92377-1
- CCE-92378-9
--CCE-92379-7
- 
CCE-92380-5 - CCE-92381-3 - CCE-92382-1 -diff --git a/shared/references/cce-sle15-avail.txt b/shared/references/cce-sle15-avail.txt -index d04c40d31f..e39dae033e 100644 ---- a/shared/references/cce-sle15-avail.txt -+++ b/shared/references/cce-sle15-avail.txt -@@ -17,7 +17,6 @@ CCE-92492-8 - CCE-92493-6 - CCE-92495-1 - CCE-92496-9 --CCE-92497-7 - CCE-92498-5 - CCE-92499-3 - CCE-92500-8 -diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template -new file mode 100644 -index 0000000000..fc9e8844b6 ---- /dev/null -+++ b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template -@@ -0,0 +1,68 @@ -+# platform = multi_platform_all -+# reboot = false -+# strategy = configure -+# complexity = low -+# disruption = medium -+ -+- name: '{{{ rule_title }}} - Set rsyslog logfile configuration facts' -+ ansible.builtin.set_fact: -+ rsyslog_etc_config: "/etc/rsyslog.conf" -+ -+# * And also the log file paths listed after rsyslog's $IncludeConfig directive -+# (store the result into array for the case there's shell glob used as value of IncludeConfig) -+- name: '{{{ rule_title }}} - Get IncludeConfig directive' -+ ansible.builtin.shell: | -+ set -o pipefail -+ grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true -+ register: rsyslog_old_inc -+ changed_when: False -+ -+- name: '{{{ rule_title }}} - Get include files directives' -+ ansible.builtin.shell: | -+ set -o pipefail -+ grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true -+ register: rsyslog_new_inc -+ changed_when: False -+ -+- name: '{{{ rule_title }}} - Aggregate rsyslog includes' -+ ansible.builtin.set_fact: -+ include_config_output: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}" -+ -+- name: '{{{ rule_title }}} - List all config files' -+ ansible.builtin.find: -+ paths: "{{ include_config_output | list | map('dirname') }}" -+ patterns: "{{ 
include_config_output | list | map('basename') }}" -+ hidden: no -+ follow: yes -+ register: rsyslog_config_files -+ failed_when: False -+ changed_when: False -+ -+- name: '{{{ rule_title }}} - Extract log files old format' -+ ansible.builtin.shell: | -+ set -o pipefail -+ grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item }} |awk '{print $NF}'|sed -e 's/^-//' || true -+ loop: "{{ rsyslog_config_files.files|map(attribute='path')|list|flatten|unique + [ rsyslog_etc_config ] }}" -+ register: log_files_old -+ changed_when: False -+ -+- name: '{{{ rule_title }}} - Extract log files new format' -+ ansible.builtin.shell: | -+ set -o pipefail -+ grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true -+ loop: "{{ rsyslog_config_files.files|map(attribute='path')|list|flatten|unique + [ rsyslog_etc_config ] }}" -+ register: log_files_new -+ changed_when: False -+ -+- name: '{{{ rule_title }}} - Sum all log files found' -+ ansible.builtin.set_fact: -+ log_files: "{{ log_files_new.results|map(attribute='stdout_lines')|list|flatten|unique + log_files_old.results|map(attribute='stdout_lines')|list|flatten|unique }}" -+ -+- name: '{{{ rule_title }}} -Setup log files attribute' -+ ansible.builtin.file: -+ path: "{{ item }}" -+ owner: '{{ ( "{{{ ATTRIBUTE }}}" is match("owner")) | ternary({{{ VALUE }}}, omit) }}' -+ group: '{{ ( "{{{ ATTRIBUTE }}}" is match("groupowner")) | ternary({{{ VALUE }}} , omit) }}' -+ state: file -+ loop: "{{ log_files | list | flatten | unique }}" -+ failed_when: false -diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template -new file mode 100644 -index 0000000000..ab4a563dc5 ---- /dev/null -+++ b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template -@@ -0,0 +1,110 @@ -+# platform = multi_platform_all -+ -+# 
List of log file paths to be inspected for correct permissions -+# * Primarily inspect log file paths listed in /etc/rsyslog.conf -+RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" -+# * And also the log file paths listed after rsyslog's $IncludeConfig directive -+# (store the result into array for the case there's shell glob used as value of IncludeConfig) -+readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) -+readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) -+readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) -+readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done) -+ -+# Declare an array to hold the final list of different log file paths -+declare -a LOG_FILE_PATHS -+ -+# Array to hold all rsyslog config entries -+RSYSLOG_CONFIGS=() -+RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}") -+ -+# Get full list of files to be checked -+# RSYSLOG_CONFIGS may contain globs such as -+# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule -+# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files. -+RSYSLOG_CONFIG_FILES=() -+for ENTRY in "${RSYSLOG_CONFIGS[@]}" -+do -+ # If directory, rsyslog will search for config files in recursively. -+ # However, files in hidden sub-directories or hidden files will be ignored. 
-+ if [ -d "${ENTRY}" ] -+ then -+ readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f) -+ RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}") -+ elif [ -f "${ENTRY}" ] -+ then -+ RSYSLOG_CONFIG_FILES+=("${ENTRY}") -+ else -+ echo "Invalid include object: ${ENTRY}" -+ fi -+done -+ -+# Browse each file selected above as containing paths of log files -+# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) -+for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" -+do -+ # From each of these files extract just particular log file path(s), thus: -+ # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, -+ # * Ignore empty lines, -+ # * Strip quotes and closing brackets from paths. -+ # * Ignore paths that match /dev|/etc.*\.conf, as those are paths, but likely not log files -+ # * From the remaining valid rows select only fields constituting a log file path -+ # Text file column is understood to represent a log file path if and only if all of the following are met: -+ # * it contains at least one slash '/' character, -+ # * it is preceded by space -+ # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters -+ # Search log file for path(s) only in case it exists! 
-+ if [[ -f "${LOG_FILE}" ]] -+ then -+ NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}") -+ LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}") -+ FILTERED_PATHS=$(awk '{if(NF>=2&&($NF~/^\//||$NF~/^-\//)){sub(/^-\//,"/",$NF);print $NF}}' <<< "${LINES_WITH_PATHS}") -+ CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}") -+ MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}") -+ # Since above sed command might return more than one item (delimited by newline), split the particular -+ # matches entries into new array specific for this log file -+ readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS" -+ # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with -+ # items from newly created array for this log file -+ LOG_FILE_PATHS+=("${ARRAY_FOR_LOG_FILE[@]}") -+ # Delete the temporary array -+ unset ARRAY_FOR_LOG_FILE -+ fi -+done -+ -+# Check for RainerScript action log format which might be also multiline so grep regex is a bit curly -+# extract possibly multiline action omfile expressions -+# extract File="logfile" expression -+# match only "logfile" expression -+for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}" -+do -+ ACTION_OMFILE_LINES=$(grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}") -+ OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)") -+ LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"")") -+done -+ -+FILE_PARAM="{{{ ATTRIBUTE }}}" -+FILE_CMD="" -+case "$FILE_PARAM" in -+ "groupowner") -+ FILE_CMD=$(which chgrp) -+ ;; -+ "owner") -+ FILE_CMD=$(which chown) -+ ;; -+ *) -+ echo -n "Not supported file attribute! 
" -+ exit 1 -+ ;; -+esac -+ -+# Correct the form o -+for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}" -+do -+ # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing -+ if [ -z "$LOG_FILE_PATH" ] -+ then -+ continue -+ fi -+ -+ $FILE_CMD "+{{{ VALUE }}}" "$LOG_FILE_PATH" -+done -diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template -new file mode 100644 -index 0000000000..4f288df1c9 ---- /dev/null -+++ b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template -@@ -0,0 +1,137 @@ -+ -+ -+ {{{ oval_metadata("All syslog log files should have appropriate ownership.") }}} -+ -+ {{% if product in ["debian10", "debian11", "ubuntu1604"] %}} -+ -+ {{% endif %}} -+ -+ -+ -+ -+ -+ -+ -+ -+ /etc/rsyslog.conf -+ ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ -+ 1 -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ var_{{{ _RULE_ID }}}_include_config_regex -+ -+ -+ -+ ^/etc/rsyslog.conf$ -+ -+ -+ -+ var_{{{ _RULE_ID }}}_syslog_config -+ -+ -+ -+ -+ -+ object_var_{{{ _RULE_ID }}}_include_config_regex -+ object_var_{{{ _RULE_ID }}}_syslog_config -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ^\s*[^(\s|#|\$)]+\s+-?[\w\(="\s]*(\/[^:;\s"]+)+.*$ -+ 1 -+ state_{{{ _RULE_ID }}}_ownership_ignore_include_paths -+ -+ -+ -+ -+ (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*) -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ regular -+ {{% if ATTRIBUTE == "groupowner" %}} -+ {{{ VALUE }}} -+ {{% else %}} -+ {{{ VALUE }}} -+ {{% endif %}} -+ -+ -+ -diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/template.yml b/shared/templates/rsyslog_logfiles_attributes_modify/template.yml -new file mode 100644 -index 0000000000..b57de6fbb6 ---- /dev/null -+++ b/shared/templates/rsyslog_logfiles_attributes_modify/template.yml -@@ -0,0 +1,4 @@ -+supported_languages: -+ - ansible -+ - bash -+ - oval -diff --git 
a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh -similarity index 75% -rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_other.fail.sh -rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh -index 6c82a1942f..db7e5261eb 100755 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_other.fail.sh -+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh -@@ -6,8 +6,16 @@ - - source $SHARED/rsyslog_log_utils.sh - -+{{% if ATTRIBUTE == "owner" %}} -+ADDCOMMAND="useradd" -+CHATTR="chown" -+{{% else %}} -+ADDCOMMAND="groupadd" -+CHATTR="chgrp" -+{{% endif %}} -+ - USER_TEST=testssg --useradd $USER_TEST -+$ADDCOMMAND $USER_TEST - - USER_ROOT=root - -@@ -15,8 +23,8 @@ USER_ROOT=root - create_rsyslog_test_logs 2 - - # setup test log files ownership --chown $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} --chown $USER_TEST ${RSYSLOG_TEST_LOGS[1]} -+$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} -+$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]} - - # create test configuration file - test_conf=${RSYSLOG_TEST_DIR}/test1.conf -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh -similarity index 81% -rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_root.pass.sh -rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh -index b24e5e1699..b03268fe3e 100755 ---- 
a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_root.pass.sh -+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh -@@ -6,14 +6,20 @@ - - source $SHARED/rsyslog_log_utils.sh - -+{{% if ATTRIBUTE == "owner" %}} -+CHATTR="chown" -+{{% else %}} -+CHATTR="chgrp" -+{{% endif %}} -+ - USER=root - - # setup test data - create_rsyslog_test_logs 2 - - # setup test log files ownership --chown $USER ${RSYSLOG_TEST_LOGS[0]} --chown $USER ${RSYSLOG_TEST_LOGS[1]} -+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} -+$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} - - # create test configuration file - test_conf=${RSYSLOG_TEST_DIR}/test1.conf -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh -similarity index 75% -rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_other.fail.sh -rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh -index 18f43c6927..d79ae23cfc 100755 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_other.fail.sh -+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh -@@ -6,8 +6,16 @@ - - source $SHARED/rsyslog_log_utils.sh - -+{{% if ATTRIBUTE == "owner" %}} -+ADDCOMMAND="useradd" -+CHATTR="chown" -+{{% else %}} -+ADDCOMMAND="groupadd" -+CHATTR="chgrp" -+{{% endif %}} -+ - USER_TEST=testssg --useradd $USER_TEST -+$ADDCOMMAND $USER_TEST - - USER_ROOT=root - -@@ -15,8 +23,8 @@ USER_ROOT=root - create_rsyslog_test_logs 2 - - # setup test log files ownership --chown $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} --chown $USER_TEST ${RSYSLOG_TEST_LOGS[1]} -+$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} -+$CHATTR 
$USER_TEST ${RSYSLOG_TEST_LOGS[1]} - - # create test configuration file - test_conf=${RSYSLOG_TEST_DIR}/test1.conf -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh -old mode 100755 -new mode 100644 -similarity index 50% -rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh -rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh -index 05dd50ed24..7869a180a8 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh -+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh -@@ -1,20 +1,31 @@ - #!/bin/bash - # platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle - --# Check rsyslog.conf with root group-owner log from rules and --# root group-owner log from include() passes. -+# Check rsyslog.conf with root user log from rules and -+# root user log from include() passes. 
- - source $SHARED/rsyslog_log_utils.sh - --GROUP=root -+{{% if ATTRIBUTE == "owner" %}} -+ADDCOMMAND="useradd" -+CHATTR="chown" -+{{% else %}} -+ADDCOMMAND="groupadd" -+CHATTR="chgrp" -+{{% endif %}} -+ -+USER_TEST=testssg -+$ADDCOMMAND $USER_TEST -+ -+USER=root - - # setup test data - create_rsyslog_test_logs 3 - - # setup test log files ownership --chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]} --chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]} --chgrp $GROUP ${RSYSLOG_TEST_LOGS[2]} -+$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[0]} -+$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]} -+$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]} - - # create test configuration file - test_conf=${RSYSLOG_TEST_DIR}/test1.conf -@@ -28,13 +39,25 @@ EOF - - # create test2 configuration file - test_conf2=${RSYSLOG_TEST_DIR}/test2.conf -+{{% if ATTRIBUTE == "owner" %}} -+cat << EOF > ${test_conf2} -+# rsyslog configuration file -+ -+#### RULES #### -+ -+ -+*.* action(type="omfile" FileCreateMode="0640" fileOwner="$USER_TEST" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}") -+EOF -+{{% else %}} - cat << EOF > ${test_conf2} - # rsyslog configuration file - - #### RULES #### - --*.* ${RSYSLOG_TEST_LOGS[2]} -+ -+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="$USER_TEST" File="${RSYSLOG_TEST_LOGS[2]}") - EOF -+{{% endif %}} - - # create rsyslog.conf configuration file - cat << EOF > $RSYSLOG_CONF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh -similarity index 81% -rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root.pass.sh -rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh -index 69dead5135..e80395ca99 100755 ---- 
a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root.pass.sh -+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh -@@ -6,14 +6,21 @@ - - source $SHARED/rsyslog_log_utils.sh - -+ -+{{% if ATTRIBUTE == "owner" %}} -+CHATTR="chown" -+{{% else %}} -+CHATTR="chgrp" -+{{% endif %}} -+ - USER=root - - # setup test data - create_rsyslog_test_logs 2 - - # setup test log files ownership --chown $USER ${RSYSLOG_TEST_LOGS[0]} --chown $USER ${RSYSLOG_TEST_LOGS[1]} -+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} -+$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} - - # create test configuration file - test_conf=${RSYSLOG_TEST_DIR}/test1.conf -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh -similarity index 77% -rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_other.fail.sh -rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh -index e725fb4d54..e7b4905dc5 100755 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_other.fail.sh -+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh -@@ -6,18 +6,26 @@ - - source $SHARED/rsyslog_log_utils.sh - -+{{% if ATTRIBUTE == "owner" %}} -+ADDCOMMAND="useradd" -+CHATTR="chown" -+{{% else %}} -+ADDCOMMAND="groupadd" -+CHATTR="chgrp" -+{{% endif %}} -+ - USER_ROOT=root - - USER_TEST=testssg --useradd $USER_TEST -+$ADDCOMMAND $USER_TEST - - # setup test data - create_rsyslog_test_logs 3 - - # setup test log files ownership --chown $USER_ROOT 
${RSYSLOG_TEST_LOGS[0]} --chown $USER_ROOT ${RSYSLOG_TEST_LOGS[1]} --chown $USER_TEST ${RSYSLOG_TEST_LOGS[2]} -+$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]} -+$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[1]} -+$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]} - - # create test configuration file - test_conf=${RSYSLOG_TEST_DIR}/test1.conf -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh -similarity index 82% -rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_root.pass.sh -rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh -index ca47d453c1..6389e6ea3b 100755 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_root.pass.sh -+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh -@@ -6,15 +6,21 @@ - - source $SHARED/rsyslog_log_utils.sh - -+{{% if ATTRIBUTE == "owner" %}} -+CHATTR="chown" -+{{% else %}} -+CHATTR="chgrp" -+{{% endif %}} -+ - USER=root - - # setup test data - create_rsyslog_test_logs 3 - - # setup test log files ownership --chown $USER ${RSYSLOG_TEST_LOGS[0]} --chown $USER ${RSYSLOG_TEST_LOGS[1]} --chown $USER ${RSYSLOG_TEST_LOGS[2]} -+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} -+$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} -+$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]} - - # create test configuration file - test_conf=${RSYSLOG_TEST_DIR}/test1.conf -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh 
b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh -similarity index 65% -rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh -rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh -index 9747e0b28b..6b81a77c2f 100755 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh -+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh -@@ -1,23 +1,26 @@ - #!/bin/bash - # platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle - --# Check rsyslog.conf with root group-owner log from rules and --# non root group-owner log from include() fails. -+# Check rsyslog.conf with root user log from rules and -+# root user log from include() passes. 
- - source $SHARED/rsyslog_log_utils.sh - --GROUP_ROOT=root -+{{% if ATTRIBUTE == "owner" %}} -+CHATTR="chown" -+{{% else %}} -+CHATTR="chgrp" -+{{% endif %}} - --GROUP_TEST=testssg --groupadd $GROUP_TEST -+USER=root - - # setup test data - create_rsyslog_test_logs 3 - - # setup test log files ownership --chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[0]} --chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[1]} --chgrp $GROUP_TEST ${RSYSLOG_TEST_LOGS[2]} -+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} -+$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} -+$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]} - - # create test configuration file - test_conf=${RSYSLOG_TEST_DIR}/test1.conf -@@ -36,7 +39,8 @@ cat << EOF > ${test_conf2} - - #### RULES #### - --*.* ${RSYSLOG_TEST_LOGS[2]} -+ -+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}") - EOF - - # create rsyslog.conf configuration file -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_multiline_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh -similarity index 81% -rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_multiline_is_root.pass.sh -rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh -index d68cc2e67d..78b105abf3 100755 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_multiline_is_root.pass.sh -+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh -@@ -6,14 +6,20 @@ - - source $SHARED/rsyslog_log_utils.sh - -+{{% if ATTRIBUTE == "owner" %}} -+CHATTR="chown" -+{{% else %}} -+CHATTR="chgrp" -+{{% endif %}} -+ - USER=root - - # setup test data - create_rsyslog_test_logs 2 - - # setup test log files ownership --chown $USER ${RSYSLOG_TEST_LOGS[0]} --chown 
$USER ${RSYSLOG_TEST_LOGS[1]} -+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} -+$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]} - - # create test configuration file - test_conf=${RSYSLOG_TEST_DIR}/test1.conf -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh -similarity index 70% -rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_other.fail.sh -rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh -index 7edbb17ea1..1afe20823c 100755 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_other.fail.sh -+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh -@@ -5,15 +5,23 @@ - - source $SHARED/rsyslog_log_utils.sh - -+{{% if ATTRIBUTE == "owner" %}} -+ADDCOMMAND="useradd" -+CHATTR="chown" -+{{% else %}} -+ADDCOMMAND="groupadd" -+CHATTR="chgrp" -+{{% endif %}} -+ - USER=testssg - --useradd $USER -+$ADDCOMMAND $USER - - # setup test data - create_rsyslog_test_logs 1 - - # setup test log file ownership --chown $USER ${RSYSLOG_TEST_LOGS[0]} -+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} - - # add rule with non-root user owned log file - cat << EOF > $RSYSLOG_CONF -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh -similarity index 77% -rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_root.pass.sh -rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh -index e0e518bc50..afce21fa27 100755 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_root.pass.sh -+++ 
b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh -@@ -5,13 +5,19 @@ - - source $SHARED/rsyslog_log_utils.sh - -+{{% if ATTRIBUTE == "owner" %}} -+CHATTR="chown" -+{{% else %}} -+CHATTR="chgrp" -+{{% endif %}} -+ - USER=root - - # setup test data - create_rsyslog_test_logs 1 - - # setup test log file ownership --chown $USER ${RSYSLOG_TEST_LOGS[0]} -+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]} - - # add rule with root user owned log file - cat << EOF > $RSYSLOG_CONF --- -2.39.1 - diff --git a/SOURCES/scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch b/SOURCES/scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch new file mode 100644 index 0000000..af7d37e --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch 
@@ -0,0 +1,52 @@ +From 75dd0e76be957e5fd92c98f01f7d672b2549fd3d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 8 Aug 2023 15:15:21 +0200 +Subject: [PATCH] Remove kernel cmdline check + +The OVAL in rule enable_fips_mode contains multiple checks. One +of these checks tests presence of `fips=1` in `/etc/kernel/cmdline`. +Although this is useful for latest RHEL versions, this file doesn't +exist on RHEL 8.6 and 9.0. This causes that the rule fails after +remediation on these RHEL versions. + +We want the same OVAL behavior on all minor RHEL releases, therefore +we will remove this test from the OVAL completely. + +Related to: https://github.com/ComplianceAsCode/content/pull/10897 +--- + .../fips/enable_fips_mode/oval/shared.xml | 15 --------------- + 1 file changed, 15 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +index 88aae7aaab9..3b50e07060e 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +@@ -12,8 +12,6 @@ + comment="system cryptography policy is configured"/> + +- + {{% if "ol" in product or "rhel" in product %}} + + +@@ -57,19 +55,6 @@ + ^(?:.*\s)?fips=1(?:\s.*)?$ +
+ +- +- +- +- +- +- +- ^/etc/kernel/cmdline +- ^(.*)$ +- 1 +- +- + + diff --git a/SOURCES/scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch b/SOURCES/scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch new file mode 100644 index 0000000..fbc06d7 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch 
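Review bot: Dropping the `/etc/kernel/cmdline` test from enable_fips_mode leaves that file unassessed even on releases where it exists, and nothing in the patched OVAL records that the gap is deliberate. The patch description justifies the removal by the file being absent on RHEL 8.6 and 9.0; keeping the test but letting it pass when the file is missing would preserve coverage, though whether that fits the rule's criteria cannot be confirmed here because the OVAL markup did not survive on this page. If the removal stays, an XML comment beside the remaining `/boot/loader/entries/.*.conf` test reading `/etc/kernel/cmdline is intentionally not assessed: absent on RHEL 8.6 and 9.0` would document it. Where new boot entries are generated from `/etc/kernel/cmdline` (presumably the newer releases the description mentions), a missing `fips=1` there would only surface after a kernel update, through the boot-entry test.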
@@ -0,0 +1,272 @@ +From 9d00e0d296ad4a5ce503b2dfe9647de6806b7b60 Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Thu, 27 Jul 2023 10:02:08 +0200 +Subject: [PATCH 1/2] Align the parameters ordering in OVAL objects + +This commit only improves readability without any technical impact in +the OVAL logic. +--- + .../fips/enable_fips_mode/oval/shared.xml | 81 ++++++++++++------- + 1 file changed, 50 insertions(+), 31 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +index fe3f96f52a5..0ec076a5fb7 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +@@ -1,32 +1,38 @@ + +- ++ + {{{ oval_metadata("Check if FIPS mode is enabled on the system") }}} + +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ + {{% if "ol" in product or "rhel" in product %}} + + +- +- ++ ++ + + + +- ++ + + {{% if product in ["ol8", "rhel8"] %}} +- ++ + {{% else %}} +- ++ + {{% endif %}} + + +@@ -34,58 +40,71 @@ + + + +- ++ + + + ++ + + ^/boot/loader/entries/.*.conf + ^options (.*)$ + 1 + ++ + + ^(?:.*\s)?fips=1(?:\s.*)?$ + +- ++ ++ + + + ++ + + ^/etc/kernel/cmdline + ^(.*)$ + 1 + + +- ++ + + + ++ + + var_system_crypto_policy + +- ++ ++ + {{% if product in ["ol9","rhel9"] -%}} + ^FIPS(:OSPP)?$ + {{%- else %}} +- {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}} ++ {{# Legacy and more relaxed list of crypto policies that were historically considered ++ FIPS-compatible. 
More recent products should use the more restricted list of options #}} + ^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$ + {{%- endif %}} + ++ + {{% if product in ["ol8","rhel8"] %}} +- ++ + + +- ++ ++ + /boot/grub2/grubenv + fips=1 + 1 + + {{% endif %}} +- ++ ++ + + +From 6a62a2f1b61e51326c7cadd2a0494200d98cc02e Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Thu, 27 Jul 2023 10:20:33 +0200 +Subject: [PATCH 2/2] Improve OVAL comments for better readability + +Simplified the comments and aligned the respective lines to the +project Style Guides. +--- + .../fips/enable_fips_mode/oval/shared.xml | 31 ++++++++++--------- + 1 file changed, 16 insertions(+), 15 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +index 0ec076a5fb7..88aae7aaab9 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +@@ -3,36 +3,36 @@ + {{{ oval_metadata("Check if FIPS mode is enabled on the system") }}} + + ++ comment="check /etc/system-fips file existence"/> + ++ comment="check option crypto.fips_enabled = 1 in sysctl"/> + ++ comment="dracut FIPS module is enabled"/> + + ++ comment="check if var_system_crypto_policy variable selection is set to FIPS"/> + ++ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/> + {{% if "ol" in product or "rhel" in product %}} + + + ++ comment="generic test for s390x architecture"/> + ++ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/> + + + + ++ comment="generic test for non-s390x architecture"/> + + {{% if product in ["ol8", "rhel8"] %}} + + {{% else %}} + ++ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/> + {{% endif %}} + + +@@ -42,7 +42,7 @@ + + ++ comment="check if kernel option fips=1 is present in 
options in /boot/loader/entries/.*.conf"> + + + +@@ -59,7 +59,7 @@ + + ++ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"> + + + +@@ -71,7 +71,7 @@ +
+ + ++ check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS"> + + + +@@ -81,7 +81,8 @@ +
+ + ++ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds ++to a crypto policy module that further restricts the modified crypto policy."> + {{% if product in ["ol9","rhel9"] -%}} + ^FIPS(:OSPP)?$ + {{%- else %}} +@@ -94,7 +95,7 @@ + {{% if product in ["ol8","rhel8"] %}} + ++ comment="FIPS mode is selected in running kernel options"> + + + +@@ -106,5 +107,5 @@ + {{% endif %}} + + ++ datatype="string" comment="variable which selects the crypto policy"/> + diff --git a/SOURCES/scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch b/SOURCES/scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch new file mode 100644 index 0000000..a181eb5 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch @@ -0,0 +1,21 @@ +From 509c117acea0cc7a8457752cbdb4b8e7a6ca27d7 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 15 Aug 2023 15:17:16 +0200 +Subject: [PATCH] remove rules not relevant to RHEL 9 from STIG profile + +rules have no remediation for RHEL 9, syntax for RHEL 9 is also different than RHEL 8 +--- + controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml +index d5fe6e1327b..9d9dc579fc4 100644 +--- a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml ++++ b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml +@@ -7,6 +7,4 @@ controls: + rules: + - sshd_enable_pam + - sysctl_crypto_fips_enabled +- - harden_sshd_ciphers_openssh_conf_crypto_policy +- - harden_sshd_macs_openssh_conf_crypto_policy + status: automated diff --git a/SOURCES/scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch b/SOURCES/scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch new file mode 100644 index 0000000..bf45744 --- /dev/null 
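Review bot: With `harden_sshd_ciphers_openssh_conf_crypto_policy` and `harden_sshd_macs_openssh_conf_crypto_policy` removed, control SRG-OS-000125-GPOS-00065 keeps `status: automated` while only `sshd_enable_pam` and `sysctl_crypto_fips_enabled` back it, and the YAML does not say why SSH cipher and MAC hardening are no longer checked. The patch description gives the reason (no RHEL 9 remediation, syntax differs from RHEL 8), so it belongs beside the rule list, e.g. `# harden_sshd_{ciphers,macs}_openssh_conf_crypto_policy dropped: no RHEL 9 remediation`. The file sits under `controls/srg_gpos/`, which looks product-independent; if any other product is built from it in this package, the removal applies there too and is worth confirming. The rest of the control entry lies outside the hunk.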
+++ b/SOURCES/scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
@@ -0,0 +1,30 @@
+From 08b9f875630e119d90a5a1fc3694f6168ad19cb9 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Thu, 17 Aug 2023 10:50:09 +0200
+Subject: [PATCH] remove sebool_secure_mode_insmod from RHEL ANSSI high
+
+---
+ products/rhel8/profiles/anssi_bp28_high.profile | 2 ++
+ products/rhel9/profiles/anssi_bp28_high.profile | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
+index e2eeabbb78d..204e141b1f5 100644
+--- a/products/rhel8/profiles/anssi_bp28_high.profile
++++ b/products/rhel8/profiles/anssi_bp28_high.profile
+@@ -17,3 +17,5 @@ description: |-
+
+ selections:
+ - anssi:all:high
++ # the following rule renders UEFI systems unbootable
++ - '!sebool_secure_mode_insmod'
+diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
+index e2eeabbb78d..204e141b1f5 100644
+--- a/products/rhel9/profiles/anssi_bp28_high.profile
++++ b/products/rhel9/profiles/anssi_bp28_high.profile
+@@ -17,3 +17,5 @@ description: |-
+
+ selections:
+ - anssi:all:high
++ # the following rule renders UEFI systems unbootable
++ - '!sebool_secure_mode_insmod'
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index 602077d..026e5d8 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
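Review bot: The `'!sebool_secure_mode_insmod'` exclusion is unconditional, so systems that do not boot via UEFI lose the control as well, and the profile `description` (outside the hunk) presumably still presents the selection as the complete ANSSI BP-028 high level. The added comment `# the following rule renders UEFI systems unbootable` would serve auditors better if it named the exclusion and the tracker the spec changelog cites, e.g. `# excluded: renders UEFI systems unbootable (RHBZ#2228447)`. The same applies to the identical inner hunk for `products/rhel9/profiles/anssi_bp28_high.profile`.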
@@ -5,22 +5,19 @@ # global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly Name: scap-security-guide -Version: 0.1.66 -Release: 1%{?dist} +Version: 0.1.69 +Release: 2%{?dist} Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 -# Rsyslog files rules remediations -Patch1: scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch -# Extends rsyslog_logfiles_attributes_modify template for permissions -Patch2: scap-security-guide-0.1.67-rsyslog_files_permissions_template-PR_10139.patch -# Change custom zones check in firewalld_sshd_port_enabled -Patch3: scap-security-guide-0.1.67-firewalld_sshd_port_enabled_tests-PR_10162.patch -# Accept required and requisite control flag for pam_pwhistory -Patch4: scap-security-guide-0.1.67-pwhistory_control-PR_10175.patch -# remove rule logind_session_timeout and associated variable from profiles -Patch5: scap-security-guide-0.1.67-remove_logind_session_timeout_from_profiles-PR_10202.patch +# Fix rule enable_fips_mode +Patch1: scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch +Patch2: scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch +# remove rules harden_sshd_(macs/ciphers)_openssh_conf_crypto_policy from STIG profile +Patch3: scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch +# remove rule sebool_secure_mode_insmod from ANSSI high profile because it prevents UEFI-based systems from booting +Patch4: scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch BuildArch: noarch BuildRequires: libxslt 
@@ -108,6 +105,18 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md %endif %changelog +* Thu Aug 17 2023 Jan Černý - 0.1.69-2 +- Remove OpenSSH crypto policy hardening rules from STIG profile (RHBZ#2228447) +- Fix ANSSI High profile with secure boot (RHBZ#2228447) + +* Thu Aug 10 2023 Jan Černý - 0.1.69-1 +- Rebase to a new upstream release 0.1.69 (RHBZ#2228447) +- Fixed excess quotes in journald configuration files (RHBZ#2228439) +- Change rules checking password age to apply only to local users (RHBZ#2228467) +- update ANSSI BP-028 profiles to be aligned with version 2.0 (RHBZ#2228431) +- Correct URL used to download CVE checks. (RHBZ#2228469) +- Change rules checking home directories to apply only to local users (RHBZ#2228462) + * Wed Mar 15 2023 MSVSphere Packaging Team - 0.1.63-5 - Rebuilt for MSVSphere 9.1.