From 179cf6b43b8f10b4907267d976cb503066710e6f Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Thu, 14 May 2020 01:20:53 +0200

Subject: [PATCH 1/4] Do not take paths from include or IncludeConfig

All paths in /etc/rsyslog.conf were taken as log files, but paths

in lines containing "include" or "$IncludeConfig" are config files.

Let's not take them in as log files

---

 .../rsyslog_files_permissions/oval/shared.xml          | 10 ++++++++++

 1 file changed, 10 insertions(+)

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml

index a78cd69df2..c74f3da3f5 100644

--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml

@@ -87,8 +87,18 @@

     -->

     <ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>

     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

+    <filter action="exclude">state_ignore_include_paths</filter>

   </ind:textfilecontent54_object>

+  <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">

+    

+         include() or $IncludeConfig statements.

+         These paths are conf files, not log files. Their permissions don't need to be as

+         required for log files, thus, lets exclude them from the list of objects found

+    -->

+    <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>

+  </ind:textfilecontent54_state>

+

        retrieved from the different rsyslog configuration files

   -->

From 4a408d29313d8ea5aed4fa65cacad86f8078159c Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Thu, 14 May 2020 00:16:37 +0200

Subject: [PATCH 2/4] Fix permissions of files referenced by include()

The remediation script also needs to parse the files included via

"include()".

The awk also takes into consideration the multiline aspect.

---

 .../rsyslog_files_permissions/bash/shared.sh                  | 4 +++-

 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh

index 6cbf0c6a24..dca35301e7 100644

--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh

@@ -6,12 +6,14 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"

 # * And also the log file paths listed after rsyslog's $IncludeConfig directive

 #   (store the result into array for the case there's shell glob used as value of IncludeConfig)

 readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)

+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)

+

 # Declare an array to hold the final list of different log file paths

 declare -a LOG_FILE_PATHS

 # Browse each file selected above as containing paths of log files

 # ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)

-for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}"

+for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}"

 do

 	# From each of these files extract just particular log file path(s), thus:

 	# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,

From 812e9b487e3c11a18e5e3a965ac23ec1a0d64e91 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Fri, 15 May 2020 15:53:58 +0200

Subject: [PATCH 3/4] Make regex for include file more strict

For some reason gensub in awk doesn't support non capturing group.

So the group with OR is capturing and we substitute everyting with the

second group, witch matches the file path.

---

 .../rsyslog_files_permissions/bash/shared.sh                    | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh

index dca35301e7..99d2d0e794 100644

--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh

@@ -6,7 +6,7 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"

 # * And also the log file paths listed after rsyslog's $IncludeConfig directive

 #   (store the result into array for the case there's shell glob used as value of IncludeConfig)

 readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)

-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)

+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)

 # Declare an array to hold the final list of different log file paths

 declare -a LOG_FILE_PATHS

From c49f8aaf717313a41bbdfca188dd491a13d1133e Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Fri, 15 May 2020 16:55:02 +0200

Subject: [PATCH 4/4] Extend OVAL fix to groupownership and ownership

These three files basically work the same way

---

 .../rsyslog_files_groupownership/oval/shared.xml       | 10 ++++++++++

 .../rsyslog_files_ownership/oval/shared.xml            | 10 ++++++++++

 .../rsyslog_files_permissions/oval/shared.xml          |  4 ++--

 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml

index 5828f25321..9941e2b94f 100644

--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml

@@ -86,8 +86,18 @@

     -->

     <ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>

     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

+    <filter action="exclude">state_groupownership_ignore_include_paths</filter>

   </ind:textfilecontent54_object>

+  <ind:textfilecontent54_state id="state_groupownership_ignore_include_paths" comment="ignore" version="1">

+    

+         include() or $IncludeConfig statements.

+         These paths are conf files, not log files. Their groupownership don't need to be as

+         required for log files, thus, lets exclude them from the list of objects found

+    -->

+    <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>

+  </ind:textfilecontent54_state>

+

        retrieved from the different rsyslog configuration files

   -->

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml

index 3c46eab6d6..29dd1a989e 100644

--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml

@@ -83,8 +83,18 @@

     -->

     <ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>

     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

+    <filter action="exclude">state_owner_ignore_include_paths</filter>

   </ind:textfilecontent54_object>

+  <ind:textfilecontent54_state id="state_owner_ignore_include_paths" comment="ignore" version="1">

+    

+         include() or $IncludeConfig statements.

+         These paths are conf files, not log files. Their owner don't need to be as

+         required for log files, thus, lets exclude them from the list of objects found

+    -->

+    <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>

+  </ind:textfilecontent54_state>

+

        retrieved from the different rsyslog configuration files

   -->

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml

index c74f3da3f5..da37a15b8c 100644

--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml

+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml

@@ -87,10 +87,10 @@

     -->

     <ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>

     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

-    <filter action="exclude">state_ignore_include_paths</filter>

+    <filter action="exclude">state_permissions_ignore_include_paths</filter>

   </ind:textfilecontent54_object>

-  <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">

+  <ind:textfilecontent54_state id="state_permissions_ignore_include_paths" comment="ignore" version="1">

          include() or $IncludeConfig statements.

          These paths are conf files, not log files. Their permissions don't need to be as