From 0a22bbbaeabd9c13254ef251479e9d74143620e6 Mon Sep 17 00:00:00 2001

From: Ilya Okomin <ilya.okomin@oracle.com>

Date: Mon, 23 Mar 2020 20:07:47 -0400

Subject: [PATCH] Fix rsyslog_nolisten regex to match rule description

Signed-off-by: Ilya Okomin <ilya.okomin@oracle.com>

---

 .../rsyslog_nolisten/oval/shared.xml                          | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml

index e38dee5bbc..b56281e283 100644

--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml

+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml

@@ -16,13 +16,13 @@

     </criteria>

   </definition>

-  comment="Ensure that the /etc/rsyslog.conf does not contain $InputTCPServerRun | $UDPServerRun | $InputRELPServerRun"

+  comment="Ensure that the /etc/rsyslog.conf does not contain $InputTCPServerRun | $UDPServerRun | $InputRELPServerRun | $ModLoad imtcp | $ModLoad imudp | $ModLoad imrelp"

   id="test_rsyslog_nolisten" version="1">

     <ind:object object_ref="object_rsyslog_nolisten" />

   </ind:textfilecontent54_test>

   <ind:textfilecontent54_object id="object_rsyslog_nolisten" version="2">

     <ind:filepath>/etc/rsyslog.conf</ind:filepath>

-    <ind:pattern operation="pattern match">^[\s]*\$(?:Input(?:TCP|RELP)|UDP)ServerRun</ind:pattern>

+    <ind:pattern operation="pattern match">^[\s]*\$((?:Input(?:TCP|RELP)|UDP)ServerRun|ModLoad[\s]+(imtcp|imudp|imrelp))</ind:pattern>

     <ind:instance datatype="int">1</ind:instance>

   </ind:textfilecontent54_object>

 </def-group>