|
 |
c862b5 |
From 179cf6b43b8f10b4907267d976cb503066710e6f Mon Sep 17 00:00:00 2001
|
|
|
c862b5 |
From: Watson Sato <wsato@redhat.com>
|
|
|
c862b5 |
Date: Thu, 14 May 2020 01:20:53 +0200
|
|
|
c862b5 |
Subject: [PATCH 1/4] Do not take paths from include or IncludeConfig
|
|
|
c862b5 |
|
|
|
c862b5 |
All paths in /etc/rsyslog.conf were taken as log files, but paths
|
|
|
c862b5 |
in lines containing "include" or "$IncludeConfig" are config files.
|
|
|
c862b5 |
|
|
|
c862b5 |
Let's not take them in as log files
|
|
|
c862b5 |
---
|
|
|
c862b5 |
.../rsyslog_files_permissions/oval/shared.xml | 10 ++++++++++
|
|
|
c862b5 |
1 file changed, 10 insertions(+)
|
|
|
c862b5 |
|
|
|
c862b5 |
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
|
|
c862b5 |
index a78cd69df2..c74f3da3f5 100644
|
|
|
c862b5 |
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
|
|
c862b5 |
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
|
|
c862b5 |
@@ -87,8 +87,18 @@
|
|
|
c862b5 |
-->
|
|
|
c862b5 |
<ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
|
|
|
c862b5 |
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
c862b5 |
+ <filter action="exclude">state_ignore_include_paths</filter>
|
|
|
c862b5 |
</ind:textfilecontent54_object>
|
|
|
c862b5 |
|
|
|
c862b5 |
+ <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
|
|
|
c862b5 |
+
|
|
|
c862b5 |
+ include() or $IncludeConfig statements.
|
|
|
c862b5 |
+ These paths are conf files, not log files. Their permissions don't need to be as
|
|
|
c862b5 |
+ required for log files, thus, lets exclude them from the list of objects found
|
|
|
c862b5 |
+ -->
|
|
|
c862b5 |
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
|
|
|
c862b5 |
+ </ind:textfilecontent54_state>
|
|
|
c862b5 |
+
|
|
|
c862b5 |
|
|
|
c862b5 |
retrieved from the different rsyslog configuration files
|
|
|
c862b5 |
-->
|
|
|
c862b5 |
|
|
|
c862b5 |
From 4a408d29313d8ea5aed4fa65cacad86f8078159c Mon Sep 17 00:00:00 2001
|
|
|
c862b5 |
From: Watson Sato <wsato@redhat.com>
|
|
|
c862b5 |
Date: Thu, 14 May 2020 00:16:37 +0200
|
|
|
c862b5 |
Subject: [PATCH 2/4] Fix permissions of files referenced by include()
|
|
|
c862b5 |
|
|
|
c862b5 |
The remediation script also needs to parse the files included via
|
|
|
c862b5 |
"include()".
|
|
|
c862b5 |
The awk also takes into consideration the multiline aspect.
|
|
|
c862b5 |
---
|
|
|
c862b5 |
.../rsyslog_files_permissions/bash/shared.sh | 4 +++-
|
|
|
c862b5 |
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
c862b5 |
|
|
|
c862b5 |
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
|
c862b5 |
index 6cbf0c6a24..dca35301e7 100644
|
|
|
c862b5 |
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
|
c862b5 |
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
|
c862b5 |
@@ -6,12 +6,14 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
|
|
|
c862b5 |
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
|
|
|
c862b5 |
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
|
|
|
c862b5 |
readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
|
|
|
c862b5 |
+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
|
|
c862b5 |
+
|
|
|
c862b5 |
# Declare an array to hold the final list of different log file paths
|
|
|
c862b5 |
declare -a LOG_FILE_PATHS
|
|
|
c862b5 |
|
|
|
c862b5 |
# Browse each file selected above as containing paths of log files
|
|
|
c862b5 |
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
|
|
|
c862b5 |
-for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}"
|
|
|
c862b5 |
+for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}"
|
|
|
c862b5 |
do
|
|
|
c862b5 |
# From each of these files extract just particular log file path(s), thus:
|
|
|
c862b5 |
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
|
|
|
c862b5 |
|
|
|
c862b5 |
From 812e9b487e3c11a18e5e3a965ac23ec1a0d64e91 Mon Sep 17 00:00:00 2001
|
|
|
c862b5 |
From: Watson Sato <wsato@redhat.com>
|
|
|
c862b5 |
Date: Fri, 15 May 2020 15:53:58 +0200
|
|
|
c862b5 |
Subject: [PATCH 3/4] Make regex for include file more strict
|
|
|
c862b5 |
|
|
|
c862b5 |
For some reason gensub in awk doesn't support non capturing group.
|
|
|
c862b5 |
So the group with OR is capturing and we substitute everyting with the
|
|
|
c862b5 |
second group, witch matches the file path.
|
|
|
c862b5 |
---
|
|
|
c862b5 |
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
|
|
|
c862b5 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
c862b5 |
|
|
|
c862b5 |
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
|
c862b5 |
index dca35301e7..99d2d0e794 100644
|
|
|
c862b5 |
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
|
c862b5 |
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
|
|
|
c862b5 |
@@ -6,7 +6,7 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
|
|
|
c862b5 |
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
|
|
|
c862b5 |
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
|
|
|
c862b5 |
readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
|
|
|
c862b5 |
-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
|
|
c862b5 |
+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
|
|
|
c862b5 |
|
|
|
c862b5 |
# Declare an array to hold the final list of different log file paths
|
|
|
c862b5 |
declare -a LOG_FILE_PATHS
|
|
|
c862b5 |
|
|
|
c862b5 |
From c49f8aaf717313a41bbdfca188dd491a13d1133e Mon Sep 17 00:00:00 2001
|
|
|
c862b5 |
From: Watson Sato <wsato@redhat.com>
|
|
|
c862b5 |
Date: Fri, 15 May 2020 16:55:02 +0200
|
|
|
c862b5 |
Subject: [PATCH 4/4] Extend OVAL fix to groupownership and ownership
|
|
|
c862b5 |
|
|
|
c862b5 |
These three files basically work the same way
|
|
|
c862b5 |
---
|
|
|
c862b5 |
.../rsyslog_files_groupownership/oval/shared.xml | 10 ++++++++++
|
|
|
c862b5 |
.../rsyslog_files_ownership/oval/shared.xml | 10 ++++++++++
|
|
|
c862b5 |
.../rsyslog_files_permissions/oval/shared.xml | 4 ++--
|
|
|
c862b5 |
3 files changed, 22 insertions(+), 2 deletions(-)
|
|
|
c862b5 |
|
|
|
c862b5 |
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
|
|
|
c862b5 |
index 5828f25321..9941e2b94f 100644
|
|
|
c862b5 |
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
|
|
|
c862b5 |
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
|
|
|
c862b5 |
@@ -86,8 +86,18 @@
|
|
|
c862b5 |
-->
|
|
|
c862b5 |
<ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
|
|
|
c862b5 |
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
c862b5 |
+ <filter action="exclude">state_groupownership_ignore_include_paths</filter>
|
|
|
c862b5 |
</ind:textfilecontent54_object>
|
|
|
c862b5 |
|
|
|
c862b5 |
+ <ind:textfilecontent54_state id="state_groupownership_ignore_include_paths" comment="ignore" version="1">
|
|
|
c862b5 |
+
|
|
|
c862b5 |
+ include() or $IncludeConfig statements.
|
|
|
c862b5 |
+ These paths are conf files, not log files. Their groupownership don't need to be as
|
|
|
c862b5 |
+ required for log files, thus, lets exclude them from the list of objects found
|
|
|
c862b5 |
+ -->
|
|
|
c862b5 |
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
|
|
|
c862b5 |
+ </ind:textfilecontent54_state>
|
|
|
c862b5 |
+
|
|
|
c862b5 |
|
|
|
c862b5 |
retrieved from the different rsyslog configuration files
|
|
|
c862b5 |
-->
|
|
|
c862b5 |
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
|
|
|
c862b5 |
index 3c46eab6d6..29dd1a989e 100644
|
|
|
c862b5 |
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
|
|
|
c862b5 |
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
|
|
|
c862b5 |
@@ -83,8 +83,18 @@
|
|
|
c862b5 |
-->
|
|
|
c862b5 |
<ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
|
|
|
c862b5 |
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
c862b5 |
+ <filter action="exclude">state_owner_ignore_include_paths</filter>
|
|
|
c862b5 |
</ind:textfilecontent54_object>
|
|
|
c862b5 |
|
|
|
c862b5 |
+ <ind:textfilecontent54_state id="state_owner_ignore_include_paths" comment="ignore" version="1">
|
|
|
c862b5 |
+
|
|
|
c862b5 |
+ include() or $IncludeConfig statements.
|
|
|
c862b5 |
+ These paths are conf files, not log files. Their owner don't need to be as
|
|
|
c862b5 |
+ required for log files, thus, lets exclude them from the list of objects found
|
|
|
c862b5 |
+ -->
|
|
|
c862b5 |
+ <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+)</ind:text>
|
|
|
c862b5 |
+ </ind:textfilecontent54_state>
|
|
|
c862b5 |
+
|
|
|
c862b5 |
|
|
|
c862b5 |
retrieved from the different rsyslog configuration files
|
|
|
c862b5 |
-->
|
|
|
c862b5 |
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
|
|
c862b5 |
index c74f3da3f5..da37a15b8c 100644
|
|
|
c862b5 |
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
|
|
c862b5 |
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
|
|
|
c862b5 |
@@ -87,10 +87,10 @@
|
|
|
c862b5 |
-->
|
|
|
c862b5 |
<ind:pattern operation="pattern match">^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$</ind:pattern>
|
|
|
c862b5 |
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
c862b5 |
- <filter action="exclude">state_ignore_include_paths</filter>
|
|
|
c862b5 |
+ <filter action="exclude">state_permissions_ignore_include_paths</filter>
|
|
|
c862b5 |
</ind:textfilecontent54_object>
|
|
|
c862b5 |
|
|
|
c862b5 |
- <ind:textfilecontent54_state id="state_ignore_include_paths" comment="ignore" version="1">
|
|
|
c862b5 |
+ <ind:textfilecontent54_state id="state_permissions_ignore_include_paths" comment="ignore" version="1">
|
|
|
c862b5 |
|
|
|
c862b5 |
include() or $IncludeConfig statements.
|
|
|
c862b5 |
These paths are conf files, not log files. Their permissions don't need to be as
|