From 7d188e88ef47a50714b127658b4138540af8396c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 7 Feb 2023 10:53:17 +0100
Subject: [PATCH 2/5] Rsyslog files rules remediations
Patch-name: scap-security-guide-0.1.67-rsyslog_files_rules_remediations-PR_9789.patch
Patch-status: Rsyslog files rules remediations
---
controls/cis_sle12.yml | 4 +-
controls/cis_sle15.yml | 4 +-
.../file_groupowner_logfiles_value.var | 18 ---
.../oval/shared.xml | 116 ---------------
.../rsyslog_files_groupownership/rule.yml | 39 ++++-
.../tests/IncludeConfig_is_other.fail.sh | 42 ------
.../tests/IncludeConfig_is_root.pass.sh | 39 -----
.../tests/include_is_other.fail.sh | 42 ------
.../tests/include_is_root.pass.sh | 39 -----
.../tests/include_multiline_is_root.pass.sh | 41 ------
.../tests/is_other.fail.sh | 25 ----
.../tests/is_root.pass.sh | 24 ---
.../rsyslog_files_ownership/oval/shared.xml | 114 ---------------
.../rsyslog_files_ownership/rule.yml | 44 +++++-
.../ansible/shared.yml | 12 ++
.../rsyslog_logging_configured/bash/shared.sh | 7 +
.../oval/shared.xml | 41 ++++++
.../rsyslog_logging_configured/rule.yml | 34 +++++
...with_everything_logged_to_messages.pass.sh | 13 ++
.../rsyslog_file_with_no_logging.fail.sh | 12 ++
.../profiles/anssi_np_nt28_average.profile | 2 -
products/debian10/profiles/standard.profile | 2 -
.../profiles/anssi_np_nt28_average.profile | 2 -
products/debian11/profiles/standard.profile | 2 -
products/rhel7/profiles/rht-ccp.profile | 2 -
products/rhel8/profiles/rht-ccp.profile | 2 -
.../profiles/anssi_bp28_intermediary.profile | 1 +
products/sle15/profiles/standard.profile | 2 -
.../profiles/anssi_np_nt28_average.profile | 2 -
products/ubuntu1604/profiles/standard.profile | 2 -
.../profiles/anssi_np_nt28_average.profile | 2 -
products/ubuntu1804/profiles/standard.profile | 2 -
products/ubuntu2004/profiles/standard.profile | 2 -
products/ubuntu2204/profiles/standard.profile | 2 -
shared/references/cce-sle12-avail.txt | 1 -
shared/references/cce-sle15-avail.txt | 1 -
.../ansible.template | 68 +++++++++
.../bash.template | 110 ++++++++++++++
.../oval.template | 137 ++++++++++++++++++
.../template.yml | 4 +
.../tests/IncludeConfig_is_other.fail.sh | 14 +-
.../tests/IncludeConfig_is_root.pass.sh | 10 +-
.../tests/include_is_other.fail.sh | 14 +-
...udeConfig_is_other_RainerLogClause.fail.sh | 37 ++++-
.../tests/include_is_root.pass.sh | 11 +-
...ude_is_root_IncludeConfig_is_other.fail.sh | 16 +-
...lude_is_root_IncludeConfig_is_root.pass.sh | 12 +-
...ludeConfig_is_root_RainerLogClause.pass.sh | 22 +--
.../tests/include_multiline_is_root.pass.sh | 10 +-
.../tests/is_other.fail.sh | 12 +-
.../tests/is_root.pass.sh | 8 +-
51 files changed, 648 insertions(+), 576 deletions(-)
delete mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var
delete mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh
delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh
delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh
delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh
delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh
delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh
delete mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh
delete mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh
create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/ansible.template
create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/bash.template
create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/oval.template
create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/template.yml
rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/IncludeConfig_is_other.fail.sh (75%)
rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/IncludeConfig_is_root.pass.sh (81%)
rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_other.fail.sh (75%)
rename linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh => shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh (50%)
mode change 100755 => 100644
rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_root.pass.sh (81%)
rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_root_IncludeConfig_is_other.fail.sh (77%)
rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_is_root_IncludeConfig_is_root.pass.sh (82%)
rename linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh => shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh (65%)
rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/include_multiline_is_root.pass.sh (81%)
rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/is_other.fail.sh (70%)
rename {linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership => shared/templates/rsyslog_logfiles_attributes_modify}/tests/is_root.pass.sh (77%)
diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml
index 5c464fe556..8576343b9d 100644
--- a/controls/cis_sle12.yml
+++ b/controls/cis_sle12.yml
@@ -1321,7 +1321,9 @@ controls:
levels:
- l1_server
- l1_workstation
- status: manual
+ automated: yes
+ rules:
+ - rsyslog_logging_configured
- id: 4.2.1.5
title: Ensure rsyslog is configured to send logs to a remote log host (Automated)
diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml
index 36d7616f90..f82341a038 100644
--- a/controls/cis_sle15.yml
+++ b/controls/cis_sle15.yml
@@ -1469,7 +1469,9 @@ controls:
levels:
- l1_server
- l1_workstation
- status: manual
+ automated: yes
+ rules:
+ - rsyslog_logging_configured
- id: 4.2.1.5
title: Ensure rsyslog is configured to send logs to a remote log host (Automated)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var
deleted file mode 100644
index 7ebf8c191a..0000000000
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var
+++ /dev/null
@@ -1,18 +0,0 @@
-documentation_complete: true
-
-title: 'group who owns log files'
-
-description: |-
- Specify group owner of all logfiles specified in
- <tt>/etc/rsyslog.conf.</tt>
-
-type: string
-
-operator: equals
-
-interactive: false
-
-options:
- default: root
- adm: adm
- root: root
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
deleted file mode 100644
index 4567f4d411..0000000000
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
+++ /dev/null
@@ -1,116 +0,0 @@
-<def-group oval_version="5.11">
- <definition class="compliance" id="rsyslog_files_groupownership" version="1">
- {{{ oval_metadata("All syslog log files should be owned by the appropriate group.") }}}
-
- <criteria operator="AND">
- {{% if product in ["debian10", "debian11", "ubuntu1604"] %}}
- <extend_definition comment="rsyslog daemon is used as local logging daemon" definition_ref="package_rsyslog_installed" />
- {{% endif %}}
- <criterion comment="Check if all system log files are owned by the appropriate group" test_ref="test_rsyslog_files_groupownership" />
- </criteria>
-
- </definition>
-
- <!-- First obtain rsyslog's $IncludeConfig directive and include() object (introduced in rsyslog v8.33.0) values. -->
- <ind:textfilecontent54_object id="object_rfg_rsyslog_include_config_value" comment="rsyslog's $IncludeConfig directive and include() object values" version="1">
- <ind:filepath>/etc/rsyslog.conf</ind:filepath>
- <ind:pattern operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <!-- Turn that glob value into Perl's regex so it can be used as filepath pattern below -->
- <local_variable id="var_rfg_include_config_regex" datatype="string" version="1" comment="$IncludeConfig value converted to regex">
- <unique>
- <glob_to_regex>
- <object_component item_field="subexpression" object_ref="object_rfg_rsyslog_include_config_value" />
- </glob_to_regex>
- </unique>
- </local_variable>
-
- <!-- Create a variable_object from the regex variable
- If the variable has no values, there won't be any objects -->
- <ind:variable_object id="object_var_rfg_include_config_regex" comment="Make variable object from regex variable" version="1">
- <ind:var_ref>var_rfg_include_config_regex</ind:var_ref>
- </ind:variable_object>
-
- <local_variable id="var_rfg_syslog_config" datatype="string" version="1" comment="Locations of all rsyslog configuration files as collection">
- <literal_component datatype="string">^/etc/rsyslog.conf$</literal_component>
- </local_variable>
-
- <ind:variable_object id="object_var_rfg_syslog_config" comment="Make variable object for use" version="1">
- <ind:var_ref>var_rfg_syslog_config</ind:var_ref>
- </ind:variable_object>
-
- <!-- Combine the two variable_objects into one variable_object
- We do it this way to avoid referencing an empty variable in a state comparison, which
- will cause a test to evaluate to fail. Combining an empty set of objects is fine though -->
- <ind:variable_object id="object_var_rfg_all_log_files" comment="Filter out empty string" version="1">
- <set>
- <object_reference>object_var_rfg_include_config_regex</object_reference>
- <object_reference>object_var_rfg_syslog_config</object_reference>
- </set>
- </ind:variable_object>
-
- <!-- In element filepath of object_rfg_log_files_paths we need to pass a list of values,
- a list of objects won't do. So we make a local_variable from the variable_objects. -->
- <local_variable id="var_rfg_all_log_files" datatype="string" version="1" comment="Locations of all rsyslog configuration files as collection">
- <object_component object_ref="object_var_rfg_all_log_files" item_field="value"/>
- </local_variable>
-
- <!-- For each item from that collection (particular rsyslog's configuration file path) search
- that rsyslog's configuration file to select file paths for log files directives
- -->
- <ind:textfilecontent54_object id="object_rfg_log_files_paths" comment="All rsyslog configuration files" version="1">
- <ind:filepath operation="pattern match" var_ref="var_rfg_all_log_files" var_check="at least one" />
- <!-- Chunk of text retrieved from rsyslog's configuration file is considered
- to constitute a log file path if all of the following conditions are met:
- * the string represents a regular file on particular file system
- (verified via corresponding file_state below),
- * the chunk of text is in the last column in the row,
- (possibly suffixed by ';' character and rsyslog Template name),
- * contains at least one slash '/' character, and simultaneously
- doesn't contain any of ';', ':' and space characters,
- * the chunk was retrieved from a row not starting with space, '#',
- or '$' characters
- -->
- <ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- <filter action="exclude">state_groupownership_ignore_include_paths</filter>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_state id="state_groupownership_ignore_include_paths" comment="ignore" version="1">
- <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
- include() or $IncludeConfig statements.
- These paths are conf files, not log files. Their groupownership don't need to be as
- required for log files, thus, lets exclude them from the list of objects found
- -->
- <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*)</ind:text>
- </ind:textfilecontent54_state>
-
- <!-- Define OVAL variable to hold all the various system log files locations
- retrieved from the different rsyslog configuration files
- -->
- <local_variable id="var_rfg_log_files_paths" datatype="string" version="1" comment="File paths of all rsyslog configuration files">
- <object_component item_field="subexpression" object_ref="object_rfg_log_files_paths" />
- </local_variable>
-
- <!-- Perform the test if all rsyslog system log files are owned by the appropriate group -->
- <unix:file_test check="all" check_existence="all_exist" id="test_rsyslog_files_groupownership" version="1" comment="System log files are owned by the appropriate group">
- <unix:object object_ref="object_rsyslog_files_groupownership" />
- <unix:state state_ref="state_rsyslog_files_groupownership" />
- </unix:file_test>
-
- <unix:file_object id="object_rsyslog_files_groupownership" comment="Various system log files" version="1">
- <unix:filepath datatype="string" var_ref="var_rfg_log_files_paths" var_check="at least one" />
- </unix:file_object>
-
- <unix:file_state id="state_rsyslog_files_groupownership" version="1">
- <unix:type operation="equals">regular</unix:type>
- {{% if product in ["debian10", "debian11", "ubuntu1604", "ubuntu2004", "ubuntu2204"] %}}
- <unix:group_id datatype="int">4</unix:group_id>
- {{% else %}}
- <unix:group_id datatype="int">0</unix:group_id>
- {{% endif %}}
- </unix:file_state>
-
-</def-group>
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml
index 4f797f4a21..13c89d90c5 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml
@@ -4,15 +4,30 @@ title: 'Ensure Log Files Are Owned By Appropriate Group'
description: |-
The group-owner of all log files written by
- <tt>rsyslog</tt> should be <tt>{{{ xccdf_value("file_groupowner_logfiles_value") }}}</tt>.
+ <tt>rsyslog</tt> should be
+{{% if 'debian' in product or 'ubuntu' in product %}}
+ <tt>adm</tt>.
+{{% else %}}
+ <tt>root</tt>.
+{{% endif %}}
These log files are determined by the second part of each Rule line in
<tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>.
For each log file <i>LOGFILE</i> referenced in <tt>/etc/rsyslog.conf</tt>,
run the following command to inspect the file's group owner:
<pre>$ ls -l <i>LOGFILE</i></pre>
- If the owner is not <tt>{{{ xccdf_value("file_groupowner_logfiles_value") }}}</tt>, run the following command to
+ If the owner is not
+ {{% if 'debian' in product or 'ubuntu' in product %}}
+ <tt>adm</tt>,
+ {{% else %}}
+ <tt>root</tt>,
+ {{% endif %}}
+ run the following command to
correct this:
- <pre>$ sudo chgrp {{{ xccdf_value("file_groupowner_logfiles_value") }}} <i>LOGFILE</i></pre>
+{{% if 'debian' in product or 'ubuntu' in product %}}
+ <pre>$ sudo chgrp adm <i>LOGFILE</i></pre>
+{{% else %}}
+ <pre>$ sudo chgrp root <i>LOGFILE</i></pre>
+{{% endif %}}
rationale: |-
The log files generated by rsyslog contain valuable information regarding system
@@ -47,8 +62,24 @@ references:
ocil_clause: 'the group-owner is not correct'
ocil: |-
- The group-owner of all log files written by <tt>rsyslog</tt> should be <tt>{{{ xccdf_value("file_groupowner_logfiles_value") }}}</tt>.
+ The group-owner of all log files written by <tt>rsyslog</tt> should be
+ {{% if 'debian' in product or 'ubuntu' in product %}}
+ <tt>adm</tt>.
+ {{% else %}}
+ <tt>root</tt>.
+ {{% endif %}}
These log files are determined by the second part of each Rule line in
<tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>.
To see the group-owner of a given log file, run the following command:
<pre>$ ls -l <i>LOGFILE</i></pre>
+
+template:
+ name: rsyslog_logfiles_attributes_modify
+ vars:
+ attribute: groupowner
+ value: 0
+ value@debian10: 4
+ value@debian11: 4
+ value@ubuntu1604: 4
+ value@ubuntu2004: 4
+ value@ubuntu2204: 4
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh
deleted file mode 100755
index 575530ef2e..0000000000
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_other.fail.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-
-# Check rsyslog.conf with root group-owner log from rules and
-# non root group-owner log from $IncludeConfig fails.
-
-source $SHARED/rsyslog_log_utils.sh
-
-GROUP_TEST=testssg
-groupadd $GROUP_TEST
-
-GROUP_ROOT=root
-
-# setup test data
-create_rsyslog_test_logs 2
-
-# setup test log files ownership
-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[0]}
-chgrp $GROUP_TEST ${RSYSLOG_TEST_LOGS[1]}
-
-# create test configuration file
-test_conf=${RSYSLOG_TEST_DIR}/test1.conf
-cat << EOF > ${test_conf}
-# rsyslog configuration file
-
-#### RULES ####
-
-*.* ${RSYSLOG_TEST_LOGS[1]}
-EOF
-
-# create rsyslog.conf configuration file
-cat << EOF > $RSYSLOG_CONF
-# rsyslog configuration file
-
-#### RULES ####
-
-*.* ${RSYSLOG_TEST_LOGS[0]}
-
-#### MODULES ####
-
-\$IncludeConfig ${test_conf}
-EOF
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh
deleted file mode 100755
index 39efc1a4b7..0000000000
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/IncludeConfig_is_root.pass.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-
-# Check rsyslog.conf with root group-owner log from rules and
-# root group-owner log from $IncludeConfig passes.
-
-source $SHARED/rsyslog_log_utils.sh
-
-GROUP=root
-
-# setup test data
-create_rsyslog_test_logs 2
-
-# setup test log files ownership
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]}
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]}
-
-# create test configuration file
-test_conf=${RSYSLOG_TEST_DIR}/test1.conf
-cat << EOF > ${test_conf}
-# rsyslog configuration file
-
-#### RULES ####
-
-*.* ${RSYSLOG_TEST_LOGS[1]}
-EOF
-
-# create rsyslog.conf configuration file
-cat << EOF > $RSYSLOG_CONF
-# rsyslog configuration file
-
-#### RULES ####
-
-*.* ${RSYSLOG_TEST_LOGS[0]}
-
-#### MODULES ####
-
-\$IncludeConfig ${test_conf}
-EOF
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh
deleted file mode 100755
index c0db7056b4..0000000000
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_other.fail.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/bash
-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle
-
-# Check rsyslog.conf with root group-owner log from rules and
-# non root group-owner log from include() fails.
-
-source $SHARED/rsyslog_log_utils.sh
-
-GROUP_TEST=testssg
-groupadd $GROUP_TEST
-
-GROUP_ROOT=root
-
-# setup test data
-create_rsyslog_test_logs 2
-
-# setup test log files ownership
-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[0]}
-chgrp $GROUP_TEST ${RSYSLOG_TEST_LOGS[1]}
-
-# create test configuration file
-test_conf=${RSYSLOG_TEST_DIR}/test1.conf
-cat << EOF > ${test_conf}
-# rsyslog configuration file
-
-#### RULES ####
-
-*.* ${RSYSLOG_TEST_LOGS[1]}
-EOF
-
-# create rsyslog.conf configuration file
-cat << EOF > $RSYSLOG_CONF
-# rsyslog configuration file
-
-#### RULES ####
-
-*.* ${RSYSLOG_TEST_LOGS[0]}
-
-#### MODULES ####
-
-include(file="${test_conf}")
-EOF
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh
deleted file mode 100755
index 1feaf762fc..0000000000
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root.pass.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/bash
-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle
-
-# Check rsyslog.conf with root group-owner log from rules and
-# root group-owner log from include() passes.
-
-source $SHARED/rsyslog_log_utils.sh
-
-GROUP=root
-
-# setup test data
-create_rsyslog_test_logs 2
-
-# setup test log files ownership
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]}
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]}
-
-# create test configuration file
-test_conf=${RSYSLOG_TEST_DIR}/test1.conf
-cat << EOF > ${test_conf}
-# rsyslog configuration file
-
-#### RULES ####
-
-*.* ${RSYSLOG_TEST_LOGS[1]}
-EOF
-
-# create rsyslog.conf configuration file
-cat << EOF > $RSYSLOG_CONF
-# rsyslog configuration file
-
-#### RULES ####
-
-*.* ${RSYSLOG_TEST_LOGS[0]}
-
-#### MODULES ####
-
-include(file="${test_conf}")
-EOF
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh
deleted file mode 100755
index 5a357d029b..0000000000
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_multiline_is_root.pass.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/bash
-# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle
-
-# Check rsyslog.conf with root group-owner log from rules and
-# root group-owner log from multiline include() passes.
-
-source $SHARED/rsyslog_log_utils.sh
-
-GROUP=root
-
-# setup test data
-create_rsyslog_test_logs 2
-
-# setup test log files ownership
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]}
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]}
-
-# create test configuration file
-test_conf=${RSYSLOG_TEST_DIR}/test1.conf
-cat << EOF > ${test_conf}
-# rsyslog configuration file
-
-#### RULES ####
-
-*.* ${RSYSLOG_TEST_LOGS[1]}
-EOF
-
-# create rsyslog.conf configuration file
-cat << EOF > $RSYSLOG_CONF
-# rsyslog configuration file
-
-#### RULES ####
-
-*.* ${RSYSLOG_TEST_LOGS[0]}
-
-#### MODULES ####
-
-include(
- file="${test_conf}"
-)
-EOF
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh
deleted file mode 100755
index c7c01132f2..0000000000
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_other.fail.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-
-# Check if log file with non root group-owner in rsyslog.conf fails.
-
-source $SHARED/rsyslog_log_utils.sh
-
-GROUP=testssg
-
-groupadd $GROUP
-
-# setup test data
-create_rsyslog_test_logs 1
-
-# setup test log file ownership
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]}
-
-# add rule with non-root group owned log file
-cat << EOF > $RSYSLOG_CONF
-# rsyslog configuration file
-
-#### RULES ####
-
-*.* ${RSYSLOG_TEST_LOGS[0]}
-EOF
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh
deleted file mode 100755
index 0ecbb35bd1..0000000000
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/is_root.pass.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/bash
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
-
-# Check if log file with root group-owner in rsyslog.conf passes.
-
-source $SHARED/rsyslog_log_utils.sh
-
-GROUP=root
-
-# setup test data
-create_rsyslog_test_logs 1
-
-# setup test log file ownership
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]}
-
-# add rule with root group owned log file
-cat << EOF > $RSYSLOG_CONF
-# rsyslog configuration file
-
-#### RULES ####
-
-*.* ${RSYSLOG_TEST_LOGS[0]}
-
-EOF
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
deleted file mode 100644
index 8e3f68db26..0000000000
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
+++ /dev/null
@@ -1,114 +0,0 @@
-<def-group oval_version="5.11">
- <definition class="compliance" id="rsyslog_files_ownership" version="1">
- {{{ oval_metadata("All syslog log files should be owned by the appropriate user.") }}}
-
- <criteria>
- <criterion comment="Check if all system log files are owned by appropriate user" test_ref="test_rsyslog_files_ownership" />
- </criteria>
-
- </definition>
-
- <!-- First obtain rsyslog's $IncludeConfig directive and include() object (introduced in rsyslog v8.33.0) values. -->
- <ind:textfilecontent54_object id="object_rfo_rsyslog_include_config_value" comment="rsyslog's $IncludeConfig directive and include() object values" version="1">
- <ind:filepath>/etc/rsyslog.conf</ind:filepath>
- <ind:pattern operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <!-- Turn that glob value into Perl's regex so it can be used as filepath pattern below -->
- <local_variable id="var_rfo_include_config_regex" datatype="string" version="1" comment="$IncludeConfig value converted to regex">
- <unique>
- <glob_to_regex>
- <object_component item_field="subexpression" object_ref="object_rfo_rsyslog_include_config_value" />
- </glob_to_regex>
- </unique>
- </local_variable>
-
- <!-- Create a variable_object from the regex variable
- If the variable has no values, there won't be any objects -->
- <ind:variable_object id="object_var_rfo_include_config_regex" comment="Make variable object from regex variable" version="1">
- <ind:var_ref>var_rfo_include_config_regex</ind:var_ref>
- </ind:variable_object>
-
- <local_variable id="var_rfo_syslog_config" datatype="string" version="1" comment="Locations of all rsyslog configuration files as collection">
- <literal_component datatype="string">^/etc/rsyslog.conf$</literal_component>
- </local_variable>
-
- <ind:variable_object id="object_var_rfo_syslog_config" comment="Make variable object for use" version="1">
- <ind:var_ref>var_rfo_syslog_config</ind:var_ref>
- </ind:variable_object>
-
- <!-- Combine the two variable_objects into one variable_object
- We do it this way to avoid referencing an empty variable in a state comparison, which
- will cause a test to evaluate to fail. Combining an empty set of objects is fine though -->
- <ind:variable_object id="object_var_rfo_all_log_files" comment="Filter out empty string" version="1">
- <set>
- <object_reference>object_var_rfo_include_config_regex</object_reference>
- <object_reference>object_var_rfo_syslog_config</object_reference>
- </set>
- </ind:variable_object>
-
- <!-- In element filepath of object_rfg_log_files_paths we need to pass a list of values,
- a list of objects won't do. So we make a local_variable from the variable_objects. -->
- <local_variable id="var_rfo_all_log_files" datatype="string" version="1" comment="Locations of all rsyslog configuration files as collection">
- <object_component object_ref="object_var_rfo_all_log_files" item_field="value"/>
- </local_variable>
-
- <!-- For each item from that collection (particular rsyslog's configuration file path) search
- that rsyslog's configuration file to select file paths for log files directives
- -->
- <ind:textfilecontent54_object id="object_rfo_log_files_paths" comment="All rsyslog configuration files" version="1">
- <ind:filepath operation="pattern match" var_ref="var_rfo_all_log_files" var_check="at least one" />
- <!-- Chunk of text retrieved from rsyslog's configuration file is considered
- to constitute a log file path if all of the following conditions are met:
- * the string represents a regular file on particular file system
- (verified via corresponding file_state below),
- * the chunk of text is in the last column in the row,
- (possibly suffixed by ';' character and rsyslog Template name),
- * contains at least one slash '/' character, and simultaneously
- doesn't contain any of ';', ':' and space characters,
- * the chunk was retrieved from a row not starting with space, '#',
- or '$' characters
- -->
- <ind:pattern operation="pattern match">^[^(#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- <filter action="exclude">state_owner_ignore_include_paths</filter>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_state id="state_owner_ignore_include_paths" comment="ignore" version="1">
- <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
- include() or $IncludeConfig statements.
- These paths are conf files, not log files. Their owner don't need to be as
- required for log files, thus, lets exclude them from the list of objects found
- -->
- <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*)</ind:text>
- </ind:textfilecontent54_state>
-
- <!-- Define OVAL variable to hold all the various system log files locations
- retrieved from the different rsyslog configuration files
- -->
- <local_variable id="var_rfo_log_files_paths" datatype="string" version="1" comment="File paths of all rsyslog configuration files">
- <object_component item_field="subexpression" object_ref="object_rfo_log_files_paths" />
- </local_variable>
-
- <!-- Perform the test if all rsyslog system log files are owned by the appropriate user -->
- <unix:file_test check="all" check_existence="all_exist" id="test_rsyslog_files_ownership" version="1" comment="System log files are owned by the appropriate user">
- <unix:object object_ref="object_rsyslog_files_ownership" />
- <unix:state state_ref="state_rsyslog_files_ownership" />
- </unix:file_test>
-
- <unix:file_object id="object_rsyslog_files_ownership" comment="Various system log files" version="1">
- <unix:filepath datatype="string" var_ref="var_rfo_log_files_paths" var_check="at least one" />
- </unix:file_object>
-
- <unix:file_state id="state_rsyslog_files_ownership" version="1">
- <unix:type operation="equals">regular</unix:type>
-
- {{% if product in ["ubuntu2004", "ubuntu2204"] %}}
- <unix:user_id datatype="int">104</unix:user_id>
- {{% else %}}
- <unix:user_id datatype="int">0</unix:user_id>
- {{% endif %}}
- </unix:file_state>
-
-</def-group>
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml
index 37c87b07cd..0d9bf40f4b 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml
@@ -4,15 +4,36 @@ title: 'Ensure Log Files Are Owned By Appropriate User'
description: |-
The owner of all log files written by
- <tt>rsyslog</tt> should be <tt>{{{ xccdf_value("file_owner_logfiles_value") }}}</tt>.
+ <tt>rsyslog</tt> should be
+ {{% if product in ['ubuntu2204','ubuntu2004'] %}}
+ <tt>syslog</tt>.
+ {{% elif 'debian' in product or 'ubuntu' in product %}}
+ <tt>adm</tt>.
+ {{% else %}}
+ <tt>root</tt>.
+ {{% endif %}}
These log files are determined by the second part of each Rule line in
<tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>.
For each log file <i>LOGFILE</i> referenced in <tt>/etc/rsyslog.conf</tt>,
run the following command to inspect the file's owner:
<pre>$ ls -l <i>LOGFILE</i></pre>
- If the owner is not <tt>{{{ xccdf_value("file_owner_logfiles_value") }}}</tt>, run the following command to
+ If the owner is not
+ {{% if product in ['ubuntu2204','ubuntu2004'] %}}
+ <tt>syslog</tt>,
+ {{% elif 'debian' in product or 'ubuntu' in product %}}
+ <tt>adm</tt>,
+ {{% else %}}
+ <tt>root</tt>,
+ {{% endif %}}
+ run the following command to
correct this:
- <pre>$ sudo chown {{{ xccdf_value("file_owner_logfiles_value") }}} <i>LOGFILE</i></pre>
+ {{% if product in ['ubuntu2204','ubuntu2004'] %}}
+ <pre>$ sudo chown syslog <i>LOGFILE</i></pre>
+ {{% elif 'debian' in product or 'ubuntu' in product %}}
+ <pre>$ sudo chown adm <i>LOGFILE</i></pre>
+ {{% else %}}
+ <pre>$ sudo chown root <i>LOGFILE</i></pre>
+ {{% endif %}}
rationale: |-
The log files generated by rsyslog contain valuable information regarding system
@@ -47,8 +68,23 @@ references:
ocil_clause: 'the owner is not correct'
ocil: |-
- The owner of all log files written by <tt>rsyslog</tt> should be <tt>{{{ xccdf_value("file_owner_logfiles_value") }}}</tt>.
+ The owner of all log files written by <tt>rsyslog</tt> should be
+ {{% if product in ['ubuntu2204','ubuntu2004'] %}}
+ <tt>syslog</tt>.
+ {{% elif 'debian' in product or 'ubuntu' in product %}}
+ <tt>adm</tt>.
+ {{% else %}}
+ <tt>root</tt>.
+ {{% endif %}}
These log files are determined by the second part of each Rule line in
<tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>.
To see the owner of a given log file, run the following command:
<pre>$ ls -l <i>LOGFILE</i></pre>
+
+template:
+ name: rsyslog_logfiles_attributes_modify
+ vars:
+ attribute: owner
+ value: 0
+ value@ubuntu2004: 104
+ value@ubuntu2204: 104
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml
new file mode 100644
index 0000000000..041e263155
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "Set rsyslog remote loghost"
+ lineinfile:
+ dest: /etc/rsyslog.conf
+ regexp: "^\\*\\.\\*"
+ line: "*.* /var/log/messages"
+ create: yes
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh
new file mode 100644
index 0000000000..d634610225
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ bash_replace_or_append('/etc/rsyslog.conf', '^\*\.\*', "/var/log/messages", '%s %s') }}}
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml
new file mode 100644
index 0000000000..89e1e7616e
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml
@@ -0,0 +1,41 @@
+<def-group>
+ <definition class="compliance" id="rsyslog_logging_configured" version="1">
+ {{{ oval_metadata("Syslog logs should be configured") }}}
+
+ <criteria operator="AND">
+ {{% if product in ["debian10", "debian11", "ubuntu1604", "ubuntu1804"] %}}
+ <extend_definition comment="rsyslog daemon is used as local logging daemon" definition_ref="package_rsyslog_installed" />
+ {{% endif %}}
+ <criteria operator="OR">
+ <criterion comment="Logging configured within /etc/rsyslog.conf" test_ref="test_logging_configured_rsyslog_conf" />
+ <criterion comment="Remote logging set within /etc/rsyslog.d" test_ref="test_logging_configured_rsyslog_d" />
+ </criteria>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="Ensures system logging configured in main conf file"
+ id="test_logging_configured_rsyslog_conf" version="1">
+ <ind:object object_ref="object_logging_configured_rsyslog_conf" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="Ensures system logging_configured in .d files"
+ id="test_logging_configured_rsyslog_d" version="1">
+ <ind:object object_ref="object_logging_configured_rsyslog_d" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_logging_configured_rsyslog_conf" version="1">
+ <ind:filepath>/etc/rsyslog.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+(\:\w+\:\S*|-?(\/+[^:;\s]+);*\.*)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_logging_configured_rsyslog_d" version="1">
+ <ind:path>/etc/rsyslog.d</ind:path>
+ <ind:filename operation="pattern match">^.+\.conf$</ind:filename>
+ <ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+(\:\w+\:\S*|-?(\/+[^:;\s]+);*\.*)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml
new file mode 100644
index 0000000000..f9477de9e9
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+title: 'Ensure logging is configured'
+
+description: |-
+ The <tt>/etc/rsyslog.conf</tt> and <tt>/etc/rsyslog.d/*.conf</tt> files
+ specifies rules for logging and which files are to be used to log certain
+ classes of messages.
+
+rationale: |-
+ A great deal of important security-related information is sent via
+ rsyslog (e.g., successful and failed su attempts, failed login attempts,
+ root login attempts, etc.).
+
+severity: medium
+
+identifiers:
+ cce@sle12: CCE-92379-7
+ cce@sle15: CCE-92497-7
+
+references:
+ cis@sle12: 4.2.1.4
+ cis@sle15: 4.2.1.4
+
+ocil_clause: 'no logging is configured'
+
+ocil: |-
+ Review the contents of the <tt>/etc/rsyslog.conf</tt> and <tt>/etc/rsyslog.d/*.conf</tt>
+ files to ensure appropriate logging is set. In addition, run the following command:
+ <pre>ls -l /var/log/</pre>
+ and verify that the log files are logging information
+
+fixtext: |-
+ Configure logging with selectors covering each priority
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh
new file mode 100644
index 0000000000..a4fb1cf07a
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_everything_logged_to_messages.pass.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# platform = multi_platform_sle
+
+# Check rsyslog.conf with no includes and all loggging facility/priority configured to go to /var/log/messages
+
+source $SHARED/rsyslog_log_utils.sh
+cat << EOF > ${RSYSLOG_CONF}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* /var/log/messages
+EOF
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh
new file mode 100644
index 0000000000..158cf4c98d
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/tests/rsyslog_file_with_no_logging.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_sle
+
+# Check rsyslog.conf with no includes and no loggging facility/priority configured
+
+source $SHARED/rsyslog_log_utils.sh
+cat << EOF > ${RSYSLOG_CONF}
+# rsyslog configuration file
+
+#### RULES ####
+
+EOF
diff --git a/products/debian10/profiles/anssi_np_nt28_average.profile b/products/debian10/profiles/anssi_np_nt28_average.profile
index 600f1a6f71..4c42814719 100644
--- a/products/debian10/profiles/anssi_np_nt28_average.profile
+++ b/products/debian10/profiles/anssi_np_nt28_average.profile
@@ -22,9 +22,7 @@ selections:
- sshd_allow_only_protocol2
- var_sshd_set_keepalive=0
- sshd_set_keepalive_0
- - file_owner_logfiles_value=adm
- rsyslog_files_ownership
- - file_groupowner_logfiles_value=adm
- rsyslog_files_groupownership
- rsyslog_files_permissions
- "!rsyslog_remote_loghost"
diff --git a/products/debian10/profiles/standard.profile b/products/debian10/profiles/standard.profile
index 3784182fa1..446f5aca1d 100644
--- a/products/debian10/profiles/standard.profile
+++ b/products/debian10/profiles/standard.profile
@@ -33,9 +33,7 @@ selections:
- sshd_allow_only_protocol2
- var_sshd_set_keepalive=0
- sshd_set_keepalive_0
- - file_owner_logfiles_value=adm
- rsyslog_files_ownership
- - file_groupowner_logfiles_value=adm
- rsyslog_files_groupownership
- rsyslog_files_permissions
- "!rsyslog_remote_loghost"
diff --git a/products/debian11/profiles/anssi_np_nt28_average.profile b/products/debian11/profiles/anssi_np_nt28_average.profile
index 600f1a6f71..4c42814719 100644
--- a/products/debian11/profiles/anssi_np_nt28_average.profile
+++ b/products/debian11/profiles/anssi_np_nt28_average.profile
@@ -22,9 +22,7 @@ selections:
- sshd_allow_only_protocol2
- var_sshd_set_keepalive=0
- sshd_set_keepalive_0
- - file_owner_logfiles_value=adm
- rsyslog_files_ownership
- - file_groupowner_logfiles_value=adm
- rsyslog_files_groupownership
- rsyslog_files_permissions
- "!rsyslog_remote_loghost"
diff --git a/products/debian11/profiles/standard.profile b/products/debian11/profiles/standard.profile
index e1b2c718df..c21f8d592b 100644
--- a/products/debian11/profiles/standard.profile
+++ b/products/debian11/profiles/standard.profile
@@ -33,9 +33,7 @@ selections:
- sshd_allow_only_protocol2
- var_sshd_set_keepalive=0
- sshd_set_keepalive_0
- - file_owner_logfiles_value=adm
- rsyslog_files_ownership
- - file_groupowner_logfiles_value=adm
- rsyslog_files_groupownership
- rsyslog_files_permissions
- "!rsyslog_remote_loghost"
diff --git a/products/rhel7/profiles/rht-ccp.profile b/products/rhel7/profiles/rht-ccp.profile
index 12a3a25013..a246d5a094 100644
--- a/products/rhel7/profiles/rht-ccp.profile
+++ b/products/rhel7/profiles/rht-ccp.profile
@@ -11,8 +11,6 @@ description: |-
selections:
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- - file_owner_logfiles_value=root
- - file_groupowner_logfiles_value=root
- sshd_idle_timeout_value=5_minutes
- var_accounts_minimum_age_login_defs=7
- var_accounts_passwords_pam_faillock_deny=5
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
index ae1e7d5a15..0a00d2f46b 100644
--- a/products/rhel8/profiles/rht-ccp.profile
+++ b/products/rhel8/profiles/rht-ccp.profile
@@ -11,8 +11,6 @@ description: |-
selections:
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
- - file_owner_logfiles_value=root
- - file_groupowner_logfiles_value=root
- sshd_idle_timeout_value=5_minutes
- var_logind_session_timeout=5_minutes
- var_accounts_minimum_age_login_defs=7
diff --git a/products/sle12/profiles/anssi_bp28_intermediary.profile b/products/sle12/profiles/anssi_bp28_intermediary.profile
index 24a98fd824..22498b6b6f 100644
--- a/products/sle12/profiles/anssi_bp28_intermediary.profile
+++ b/products/sle12/profiles/anssi_bp28_intermediary.profile
@@ -23,3 +23,4 @@ description: |-
selections:
- anssi:all:intermediary
+
diff --git a/products/sle15/profiles/standard.profile b/products/sle15/profiles/standard.profile
index 204804c2ee..1af0a865ef 100644
--- a/products/sle15/profiles/standard.profile
+++ b/products/sle15/profiles/standard.profile
@@ -29,9 +29,7 @@ selections:
- service_cron_enabled
- service_ntp_enabled
- service_rsyslog_enabled
- - file_owner_logfiles_value=adm
- rsyslog_files_ownership
- - file_groupowner_logfiles_value=adm
- rsyslog_files_groupownership
- rsyslog_files_permissions
- ensure_logrotate_activated
diff --git a/products/ubuntu1604/profiles/anssi_np_nt28_average.profile b/products/ubuntu1604/profiles/anssi_np_nt28_average.profile
index 600f1a6f71..4c42814719 100644
--- a/products/ubuntu1604/profiles/anssi_np_nt28_average.profile
+++ b/products/ubuntu1604/profiles/anssi_np_nt28_average.profile
@@ -22,9 +22,7 @@ selections:
- sshd_allow_only_protocol2
- var_sshd_set_keepalive=0
- sshd_set_keepalive_0
- - file_owner_logfiles_value=adm
- rsyslog_files_ownership
- - file_groupowner_logfiles_value=adm
- rsyslog_files_groupownership
- rsyslog_files_permissions
- "!rsyslog_remote_loghost"
diff --git a/products/ubuntu1604/profiles/standard.profile b/products/ubuntu1604/profiles/standard.profile
index 6fd70f0da6..93001f3bfe 100644
--- a/products/ubuntu1604/profiles/standard.profile
+++ b/products/ubuntu1604/profiles/standard.profile
@@ -34,9 +34,7 @@ selections:
- sshd_allow_only_protocol2
- var_sshd_set_keepalive=0
- sshd_set_keepalive_0
- - file_owner_logfiles_value=adm
- rsyslog_files_ownership
- - file_groupowner_logfiles_value=adm
- rsyslog_files_groupownership
- rsyslog_files_permissions
- "!rsyslog_remote_loghost"
diff --git a/products/ubuntu1804/profiles/anssi_np_nt28_average.profile b/products/ubuntu1804/profiles/anssi_np_nt28_average.profile
index 600f1a6f71..4c42814719 100644
--- a/products/ubuntu1804/profiles/anssi_np_nt28_average.profile
+++ b/products/ubuntu1804/profiles/anssi_np_nt28_average.profile
@@ -22,9 +22,7 @@ selections:
- sshd_allow_only_protocol2
- var_sshd_set_keepalive=0
- sshd_set_keepalive_0
- - file_owner_logfiles_value=adm
- rsyslog_files_ownership
- - file_groupowner_logfiles_value=adm
- rsyslog_files_groupownership
- rsyslog_files_permissions
- "!rsyslog_remote_loghost"
diff --git a/products/ubuntu1804/profiles/standard.profile b/products/ubuntu1804/profiles/standard.profile
index d587d499d8..a17117818e 100644
--- a/products/ubuntu1804/profiles/standard.profile
+++ b/products/ubuntu1804/profiles/standard.profile
@@ -32,9 +32,7 @@ selections:
- sshd_allow_only_protocol2
- var_sshd_set_keepalive=0
- sshd_set_keepalive_0
- - file_owner_logfiles_value=adm
- rsyslog_files_ownership
- - file_groupowner_logfiles_value=adm
- rsyslog_files_groupownership
- rsyslog_files_permissions
- "!rsyslog_remote_loghost"
diff --git a/products/ubuntu2004/profiles/standard.profile b/products/ubuntu2004/profiles/standard.profile
index 823a69a5d9..6ed27aa16d 100644
--- a/products/ubuntu2004/profiles/standard.profile
+++ b/products/ubuntu2004/profiles/standard.profile
@@ -31,9 +31,7 @@ selections:
- sshd_disable_empty_passwords
- var_sshd_set_keepalive=0
- sshd_set_keepalive
- - file_owner_logfiles_value=syslog
- rsyslog_files_ownership
- - file_groupowner_logfiles_value=adm
- rsyslog_files_groupownership
- rsyslog_files_permissions
- "!rsyslog_remote_loghost"
diff --git a/products/ubuntu2204/profiles/standard.profile b/products/ubuntu2204/profiles/standard.profile
index c8bc5369c9..1bb9f43e7d 100644
--- a/products/ubuntu2204/profiles/standard.profile
+++ b/products/ubuntu2204/profiles/standard.profile
@@ -31,9 +31,7 @@ selections:
- sshd_disable_empty_passwords
- var_sshd_set_keepalive=0
- sshd_set_keepalive
- - file_owner_logfiles_value=syslog
- rsyslog_files_ownership
- - file_groupowner_logfiles_value=adm
- rsyslog_files_groupownership
- rsyslog_files_permissions
- "!rsyslog_remote_loghost"
diff --git a/shared/references/cce-sle12-avail.txt b/shared/references/cce-sle12-avail.txt
index c119834759..4e0a76f8de 100644
--- a/shared/references/cce-sle12-avail.txt
+++ b/shared/references/cce-sle12-avail.txt
@@ -54,7 +54,6 @@ CCE-92375-5
CCE-92376-3
CCE-92377-1
CCE-92378-9
-CCE-92379-7
CCE-92380-5
CCE-92381-3
CCE-92382-1
diff --git a/shared/references/cce-sle15-avail.txt b/shared/references/cce-sle15-avail.txt
index d04c40d31f..e39dae033e 100644
--- a/shared/references/cce-sle15-avail.txt
+++ b/shared/references/cce-sle15-avail.txt
@@ -17,7 +17,6 @@ CCE-92492-8
CCE-92493-6
CCE-92495-1
CCE-92496-9
-CCE-92497-7
CCE-92498-5
CCE-92499-3
CCE-92500-8
diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template
new file mode 100644
index 0000000000..fc9e8844b6
--- /dev/null
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template
@@ -0,0 +1,68 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+
+- name: '{{{ rule_title }}} - Set rsyslog logfile configuration facts'
+ ansible.builtin.set_fact:
+ rsyslog_etc_config: "/etc/rsyslog.conf"
+
+# * And also the log file paths listed after rsyslog's $IncludeConfig directive
+# (store the result into array for the case there's shell glob used as value of IncludeConfig)
+- name: '{{{ rule_title }}} - Get IncludeConfig directive'
+ ansible.builtin.shell: |
+ set -o pipefail
+ grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
+ register: rsyslog_old_inc
+ changed_when: False
+
+- name: '{{{ rule_title }}} - Get include files directives'
+ ansible.builtin.shell: |
+ set -o pipefail
+ grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true
+ register: rsyslog_new_inc
+ changed_when: False
+
+- name: '{{{ rule_title }}} - Aggregate rsyslog includes'
+ ansible.builtin.set_fact:
+ include_config_output: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}"
+
+- name: '{{{ rule_title }}} - List all config files'
+ ansible.builtin.find:
+ paths: "{{ include_config_output | list | map('dirname') }}"
+ patterns: "{{ include_config_output | list | map('basename') }}"
+ hidden: no
+ follow: yes
+ register: rsyslog_config_files
+ failed_when: False
+ changed_when: False
+
+- name: '{{{ rule_title }}} - Extract log files old format'
+ ansible.builtin.shell: |
+ set -o pipefail
+ grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item }} |awk '{print $NF}'|sed -e 's/^-//' || true
+ loop: "{{ rsyslog_config_files.files|map(attribute='path')|list|flatten|unique + [ rsyslog_etc_config ] }}"
+ register: log_files_old
+ changed_when: False
+
+- name: '{{{ rule_title }}} - Extract log files new format'
+ ansible.builtin.shell: |
+ set -o pipefail
+ grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true
+ loop: "{{ rsyslog_config_files.files|map(attribute='path')|list|flatten|unique + [ rsyslog_etc_config ] }}"
+ register: log_files_new
+ changed_when: False
+
+- name: '{{{ rule_title }}} - Sum all log files found'
+ ansible.builtin.set_fact:
+ log_files: "{{ log_files_new.results|map(attribute='stdout_lines')|list|flatten|unique + log_files_old.results|map(attribute='stdout_lines')|list|flatten|unique }}"
+
+- name: '{{{ rule_title }}} -Setup log files attribute'
+ ansible.builtin.file:
+ path: "{{ item }}"
+ owner: '{{ ( "{{{ ATTRIBUTE }}}" is match("owner")) | ternary({{{ VALUE }}}, omit) }}'
+ group: '{{ ( "{{{ ATTRIBUTE }}}" is match("groupowner")) | ternary({{{ VALUE }}} , omit) }}'
+ state: file
+ loop: "{{ log_files | list | flatten | unique }}"
+ failed_when: false
diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template
new file mode 100644
index 0000000000..ab4a563dc5
--- /dev/null
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template
@@ -0,0 +1,110 @@
+# platform = multi_platform_all
+
+# List of log file paths to be inspected for correct permissions
+# * Primarily inspect log file paths listed in /etc/rsyslog.conf
+RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
+# * And also the log file paths listed after rsyslog's $IncludeConfig directive
+# (store the result into array for the case there's shell glob used as value of IncludeConfig)
+readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
+readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
+
+# Declare an array to hold the final list of different log file paths
+declare -a LOG_FILE_PATHS
+
+# Array to hold all rsyslog config entries
+RSYSLOG_CONFIGS=()
+RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
+
+# Get full list of files to be checked
+# RSYSLOG_CONFIGS may contain globs such as
+# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
+# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
+RSYSLOG_CONFIG_FILES=()
+for ENTRY in "${RSYSLOG_CONFIGS[@]}"
+do
+ # If directory, rsyslog will search for config files in recursively.
+ # However, files in hidden sub-directories or hidden files will be ignored.
+ if [ -d "${ENTRY}" ]
+ then
+ readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f)
+ RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
+ elif [ -f "${ENTRY}" ]
+ then
+ RSYSLOG_CONFIG_FILES+=("${ENTRY}")
+ else
+ echo "Invalid include object: ${ENTRY}"
+ fi
+done
+
+# Browse each file selected above as containing paths of log files
+# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
+for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
+do
+ # From each of these files extract just particular log file path(s), thus:
+ # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
+ # * Ignore empty lines,
+ # * Strip quotes and closing brackets from paths.
+ # * Ignore paths that match /dev|/etc.*\.conf, as those are paths, but likely not log files
+ # * From the remaining valid rows select only fields constituting a log file path
+ # Text file column is understood to represent a log file path if and only if all of the following are met:
+ # * it contains at least one slash '/' character,
+ # * it is preceded by space
+ # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters
+ # Search log file for path(s) only in case it exists!
+ if [[ -f "${LOG_FILE}" ]]
+ then
+ NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}")
+ LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}")
+ FILTERED_PATHS=$(awk '{if(NF>=2&&($NF~/^\//||$NF~/^-\//)){sub(/^-\//,"/",$NF);print $NF}}' <<< "${LINES_WITH_PATHS}")
+ CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}")
+ MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}")
+ # Since above sed command might return more than one item (delimited by newline), split the particular
+ # matches entries into new array specific for this log file
+ readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS"
+ # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with
+ # items from newly created array for this log file
+ LOG_FILE_PATHS+=("${ARRAY_FOR_LOG_FILE[@]}")
+ # Delete the temporary array
+ unset ARRAY_FOR_LOG_FILE
+ fi
+done
+
+# Check for RainerScript action log format which might be also multiline so grep regex is a bit curly
+# extract possibly multiline action omfile expressions
+# extract File="logfile" expression
+# match only "logfile" expression
+for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
+do
+ ACTION_OMFILE_LINES=$(grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}")
+ OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)")
+ LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"")")
+done
+
+FILE_PARAM="{{{ ATTRIBUTE }}}"
+FILE_CMD=""
+case "$FILE_PARAM" in
+ "groupowner")
+ FILE_CMD=$(which chgrp)
+ ;;
+ "owner")
+ FILE_CMD=$(which chown)
+ ;;
+ *)
+ echo -n "Not supported file attribute! "
+ exit 1
+ ;;
+esac
+
+# Correct the form o
+for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}"
+do
+ # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing
+ if [ -z "$LOG_FILE_PATH" ]
+ then
+ continue
+ fi
+
+ $FILE_CMD "+{{{ VALUE }}}" "$LOG_FILE_PATH"
+done
diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template
new file mode 100644
index 0000000000..4f288df1c9
--- /dev/null
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template
@@ -0,0 +1,137 @@
+<def-group oval_version="5.11">
+ <definition class="compliance" id="{{{_RULE_ID }}}" version="1">
+ {{{ oval_metadata("All syslog log files should have appropriate ownership.") }}}
+ <criteria operator="AND">
+ {{% if product in ["debian10", "debian11", "ubuntu1604"] %}}
+ <extend_definition comment="rsyslog daemon is used as local logging daemon"
+ definition_ref="package_rsyslog_installed" />
+ {{% endif %}}
+ <criterion comment="Check if all system log files are owned by the appropriate
+ {{{ ATTRIBUTE }}}" test_ref="test_{{{ _RULE_ID }}}" />
+ </criteria>
+
+ </definition>
+
+ <!-- First obtain rsyslog's $IncludeConfig directive and include() object (introduced in rsyslog
+ v8.33.0) values. -->
+
+ <ind:textfilecontent54_object id="object_{{{ _RULE_ID }}}_include_config_value"
+ comment="rsyslog's $IncludeConfig directive and include() object values" version="1">
+ <ind:filepath>/etc/rsyslog.conf</ind:filepath>
+ <ind:pattern
+ operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <!-- Turn that glob value into Perl's regex so it can be used as filepath pattern below -->
+ <local_variable id="var_{{{ _RULE_ID }}}_include_config_regex" datatype="string" version="1"
+ comment="$IncludeConfig value converted to regex">
+ <unique>
+ <glob_to_regex>
+ <object_component item_field="subexpression"
+ object_ref="object_{{{ _RULE_ID }}}_include_config_value" />
+ </glob_to_regex>
+ </unique>
+ </local_variable>
+
+ <!-- Create a variable_object from the regex variable
+ If the variable has no values, there won't be any objects -->
+ <ind:variable_object id="object_var_{{{ _RULE_ID }}}_include_config_regex"
+ comment="Make variable object from regex variable" version="1">
+ <ind:var_ref>var_{{{ _RULE_ID }}}_include_config_regex</ind:var_ref>
+ </ind:variable_object>
+
+ <local_variable id="var_{{{ _RULE_ID }}}_syslog_config" datatype="string"
+ version="1" comment="Locations of all rsyslog configuration files as collection">
+ <literal_component datatype="string">^/etc/rsyslog.conf$</literal_component>
+ </local_variable>
+
+ <ind:variable_object id="object_var_{{{ _RULE_ID }}}_syslog_config"
+ comment="Make variable object for use" version="1">
+ <ind:var_ref>var_{{{ _RULE_ID }}}_syslog_config</ind:var_ref>
+ </ind:variable_object>
+
+ <!-- Combine the two variable_objects into one variable_object
+ We do it this way to avoid referencing an empty variable in a state comparison, which
+ will cause a test to evaluate to fail. Combining an empty set of objects is fine though -->
+ <ind:variable_object id="object_var_{{{ _RULE_ID }}}_all_log_files"
+ comment="Filter out empty string" version="1">
+ <set>
+ <object_reference>object_var_{{{ _RULE_ID }}}_include_config_regex</object_reference>
+ <object_reference>object_var_{{{ _RULE_ID }}}_syslog_config</object_reference>
+ </set>
+ </ind:variable_object>
+
+ <!-- In element filepath of object_rfg_log_files_paths we need to pass a list of values,
+ a list of objects won't do. So we make a local_variable from the variable_objects. -->
+ <local_variable id="var_{{{ _RULE_ID }}}_all_log_files" datatype="string" version="1"
+ comment="Locations of all rsyslog configuration files as collection">
+ <object_component object_ref="object_var_{{{ _RULE_ID }}}_all_log_files" item_field="value"/>
+ </local_variable>
+
+ <!-- For each item from that collection (particular rsyslog's configuration file path) search
+ that rsyslog's configuration file to select file paths for log files directives
+ -->
+ <ind:textfilecontent54_object id="object_{{{ _RULE_ID }}}_log_files_paths"
+ comment="All rsyslog configuration files" version="1">
+ <ind:filepath operation="pattern match" var_ref="var_{{{ _RULE_ID }}}_all_log_files"
+ var_check="at least one" />
+ <!-- Chunk of text retrieved from rsyslog's configuration file is considered
+ to constitute a log file path if all of the following conditions are met:
+ * the string represents a regular file on particular file system
+ (verified via corresponding file_state below),
+ * the chunk of text is in the last column in the row,
+ (possibly suffixed by ';' character and rsyslog Template name),
+ * contains at least one slash '/' character, and simultaneously
+ doesn't contain any of ';', ':' and space characters,
+ * the chunk was retrieved from a row not starting with space, '#',
+ or '$' characters
+ -->
+ <ind:pattern
+ operation="pattern match">^\s*[^(\s|#|\$)]+\s+-?[\w\(="\s]*(\/[^:;\s"]+)+.*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_{{{ _RULE_ID }}}_ownership_ignore_include_paths</filter>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_{{{ _RULE_ID }}}_ownership_ignore_include_paths"
+ comment="ignore" version="1">
+ <!-- Among the paths matched in object_rfp_log_files_paths there can be paths from
+ include() or $IncludeConfig statements.
+ These paths are conf files, not log files. Their groupownership don't need to be as
+ required for log files, thus, lets exclude them from the list of objects found
+ -->
+ <ind:text
+ operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*)</ind:text>
+ </ind:textfilecontent54_state>
+
+ <!-- Define OVAL variable to hold all the various system log files locations
+ retrieved from the different rsyslog configuration files
+ -->
+ <local_variable id="var_{{{ _RULE_ID }}}_log_files_paths" datatype="string" version="1"
+ comment="File paths of all rsyslog configuration files">
+ <object_component item_field="subexpression" object_ref="object_{{{ _RULE_ID }}}_log_files_paths" />
+ </local_variable>
+
+ <!-- Perform the test if all rsyslog system log files are owned by the appropriate group -->
+ <unix:file_test check="all" check_existence="all_exist" id="test_{{{ _RULE_ID }}}" version="1"
+ comment="System log files are owned by the appropriate group">
+ <unix:object object_ref="object_rsyslog_files_{{{ _RULE_ID }}}_ownership" />
+ <unix:state state_ref="state_{{{ _RULE_ID }}}" />
+ </unix:file_test>
+
+ <unix:file_object id="object_rsyslog_files_{{{ _RULE_ID }}}_ownership"
+ comment="Various system log files" version="1">
+ <unix:filepath datatype="string" var_ref="var_{{{ _RULE_ID }}}_log_files_paths"
+ var_check="at least one" />
+ </unix:file_object>
+
+ <unix:file_state id="state_{{{ _RULE_ID }}}" version="1">
+ <unix:type operation="equals">regular</unix:type>
+ {{% if ATTRIBUTE == "groupowner" %}}
+ <unix:group_id datatype="int">{{{ VALUE }}}</unix:group_id>
+ {{% else %}}
+ <unix:user_id datatype="int">{{{ VALUE }}}</unix:user_id>
+ {{% endif %}}
+ </unix:file_state>
+
+</def-group>
diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/template.yml b/shared/templates/rsyslog_logfiles_attributes_modify/template.yml
new file mode 100644
index 0000000000..b57de6fbb6
--- /dev/null
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/template.yml
@@ -0,0 +1,4 @@
+supported_languages:
+ - ansible
+ - bash
+ - oval
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh
similarity index 75%
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_other.fail.sh
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh
index 6c82a1942f..db7e5261eb 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_other.fail.sh
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_other.fail.sh
@@ -6,8 +6,16 @@
source $SHARED/rsyslog_log_utils.sh
+{{% if ATTRIBUTE == "owner" %}}
+ADDCOMMAND="useradd"
+CHATTR="chown"
+{{% else %}}
+ADDCOMMAND="groupadd"
+CHATTR="chgrp"
+{{% endif %}}
+
USER_TEST=testssg
-useradd $USER_TEST
+$ADDCOMMAND $USER_TEST
USER_ROOT=root
@@ -15,8 +23,8 @@ USER_ROOT=root
create_rsyslog_test_logs 2
# setup test log files ownership
-chown $USER_ROOT ${RSYSLOG_TEST_LOGS[0]}
-chown $USER_TEST ${RSYSLOG_TEST_LOGS[1]}
+$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]}
+$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]}
# create test configuration file
test_conf=${RSYSLOG_TEST_DIR}/test1.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh
similarity index 81%
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_root.pass.sh
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh
index b24e5e1699..b03268fe3e 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/IncludeConfig_is_root.pass.sh
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/IncludeConfig_is_root.pass.sh
@@ -6,14 +6,20 @@
source $SHARED/rsyslog_log_utils.sh
+{{% if ATTRIBUTE == "owner" %}}
+CHATTR="chown"
+{{% else %}}
+CHATTR="chgrp"
+{{% endif %}}
+
USER=root
# setup test data
create_rsyslog_test_logs 2
# setup test log files ownership
-chown $USER ${RSYSLOG_TEST_LOGS[0]}
-chown $USER ${RSYSLOG_TEST_LOGS[1]}
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]}
# create test configuration file
test_conf=${RSYSLOG_TEST_DIR}/test1.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh
similarity index 75%
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_other.fail.sh
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh
index 18f43c6927..d79ae23cfc 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_other.fail.sh
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other.fail.sh
@@ -6,8 +6,16 @@
source $SHARED/rsyslog_log_utils.sh
+{{% if ATTRIBUTE == "owner" %}}
+ADDCOMMAND="useradd"
+CHATTR="chown"
+{{% else %}}
+ADDCOMMAND="groupadd"
+CHATTR="chgrp"
+{{% endif %}}
+
USER_TEST=testssg
-useradd $USER_TEST
+$ADDCOMMAND $USER_TEST
USER_ROOT=root
@@ -15,8 +23,8 @@ USER_ROOT=root
create_rsyslog_test_logs 2
# setup test log files ownership
-chown $USER_ROOT ${RSYSLOG_TEST_LOGS[0]}
-chown $USER_TEST ${RSYSLOG_TEST_LOGS[1]}
+$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]}
+$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]}
# create test configuration file
test_conf=${RSYSLOG_TEST_DIR}/test1.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh
old mode 100755
new mode 100644
similarity index 50%
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh
index 05dd50ed24..7869a180a8
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_root.pass.sh
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_other_IncludeConfig_is_other_RainerLogClause.fail.sh
@@ -1,20 +1,31 @@
#!/bin/bash
# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle
-# Check rsyslog.conf with root group-owner log from rules and
-# root group-owner log from include() passes.
+# Check rsyslog.conf with root user log from rules and
+# root user log from include() passes.
source $SHARED/rsyslog_log_utils.sh
-GROUP=root
+{{% if ATTRIBUTE == "owner" %}}
+ADDCOMMAND="useradd"
+CHATTR="chown"
+{{% else %}}
+ADDCOMMAND="groupadd"
+CHATTR="chgrp"
+{{% endif %}}
+
+USER_TEST=testssg
+$ADDCOMMAND $USER_TEST
+
+USER=root
# setup test data
create_rsyslog_test_logs 3
# setup test log files ownership
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[0]}
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[1]}
-chgrp $GROUP ${RSYSLOG_TEST_LOGS[2]}
+$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[0]}
+$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[1]}
+$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]}
# create test configuration file
test_conf=${RSYSLOG_TEST_DIR}/test1.conf
@@ -28,13 +39,25 @@ EOF
# create test2 configuration file
test_conf2=${RSYSLOG_TEST_DIR}/test2.conf
+{{% if ATTRIBUTE == "owner" %}}
+cat << EOF > ${test_conf2}
+# rsyslog configuration file
+
+#### RULES ####
+
+
+*.* action(type="omfile" FileCreateMode="0640" fileOwner="$USER_TEST" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}")
+EOF
+{{% else %}}
cat << EOF > ${test_conf2}
# rsyslog configuration file
#### RULES ####
-*.* ${RSYSLOG_TEST_LOGS[2]}
+
+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="$USER_TEST" File="${RSYSLOG_TEST_LOGS[2]}")
EOF
+{{% endif %}}
# create rsyslog.conf configuration file
cat << EOF > $RSYSLOG_CONF
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh
similarity index 81%
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root.pass.sh
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh
index 69dead5135..e80395ca99 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root.pass.sh
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root.pass.sh
@@ -6,14 +6,21 @@
source $SHARED/rsyslog_log_utils.sh
+
+{{% if ATTRIBUTE == "owner" %}}
+CHATTR="chown"
+{{% else %}}
+CHATTR="chgrp"
+{{% endif %}}
+
USER=root
# setup test data
create_rsyslog_test_logs 2
# setup test log files ownership
-chown $USER ${RSYSLOG_TEST_LOGS[0]}
-chown $USER ${RSYSLOG_TEST_LOGS[1]}
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]}
# create test configuration file
test_conf=${RSYSLOG_TEST_DIR}/test1.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh
similarity index 77%
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_other.fail.sh
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh
index e725fb4d54..e7b4905dc5 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_other.fail.sh
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_other.fail.sh
@@ -6,18 +6,26 @@
source $SHARED/rsyslog_log_utils.sh
+{{% if ATTRIBUTE == "owner" %}}
+ADDCOMMAND="useradd"
+CHATTR="chown"
+{{% else %}}
+ADDCOMMAND="groupadd"
+CHATTR="chgrp"
+{{% endif %}}
+
USER_ROOT=root
USER_TEST=testssg
-useradd $USER_TEST
+$ADDCOMMAND $USER_TEST
# setup test data
create_rsyslog_test_logs 3
# setup test log files ownership
-chown $USER_ROOT ${RSYSLOG_TEST_LOGS[0]}
-chown $USER_ROOT ${RSYSLOG_TEST_LOGS[1]}
-chown $USER_TEST ${RSYSLOG_TEST_LOGS[2]}
+$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[0]}
+$CHATTR $USER_ROOT ${RSYSLOG_TEST_LOGS[1]}
+$CHATTR $USER_TEST ${RSYSLOG_TEST_LOGS[2]}
# create test configuration file
test_conf=${RSYSLOG_TEST_DIR}/test1.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh
similarity index 82%
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_root.pass.sh
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh
index ca47d453c1..6389e6ea3b 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_is_root_IncludeConfig_is_root.pass.sh
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root.pass.sh
@@ -6,15 +6,21 @@
source $SHARED/rsyslog_log_utils.sh
+{{% if ATTRIBUTE == "owner" %}}
+CHATTR="chown"
+{{% else %}}
+CHATTR="chgrp"
+{{% endif %}}
+
USER=root
# setup test data
create_rsyslog_test_logs 3
# setup test log files ownership
-chown $USER ${RSYSLOG_TEST_LOGS[0]}
-chown $USER ${RSYSLOG_TEST_LOGS[1]}
-chown $USER ${RSYSLOG_TEST_LOGS[2]}
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]}
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]}
# create test configuration file
test_conf=${RSYSLOG_TEST_DIR}/test1.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh
similarity index 65%
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh
index 9747e0b28b..6b81a77c2f 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/tests/include_is_root_IncludeConfig_is_other.fail.sh
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_is_root_IncludeConfig_is_root_RainerLogClause.pass.sh
@@ -1,23 +1,26 @@
#!/bin/bash
# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8,multi_platform_sle
-# Check rsyslog.conf with root group-owner log from rules and
-# non root group-owner log from include() fails.
+# Check rsyslog.conf with root user log from rules and
+# root user log from include() passes.
source $SHARED/rsyslog_log_utils.sh
-GROUP_ROOT=root
+{{% if ATTRIBUTE == "owner" %}}
+CHATTR="chown"
+{{% else %}}
+CHATTR="chgrp"
+{{% endif %}}
-GROUP_TEST=testssg
-groupadd $GROUP_TEST
+USER=root
# setup test data
create_rsyslog_test_logs 3
# setup test log files ownership
-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[0]}
-chgrp $GROUP_ROOT ${RSYSLOG_TEST_LOGS[1]}
-chgrp $GROUP_TEST ${RSYSLOG_TEST_LOGS[2]}
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]}
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[2]}
# create test configuration file
test_conf=${RSYSLOG_TEST_DIR}/test1.conf
@@ -36,7 +39,8 @@ cat << EOF > ${test_conf2}
#### RULES ####
-*.* ${RSYSLOG_TEST_LOGS[2]}
+
+*.* action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="root" File="${RSYSLOG_TEST_LOGS[2]}")
EOF
# create rsyslog.conf configuration file
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_multiline_is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh
similarity index 81%
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_multiline_is_root.pass.sh
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh
index d68cc2e67d..78b105abf3 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/include_multiline_is_root.pass.sh
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/include_multiline_is_root.pass.sh
@@ -6,14 +6,20 @@
source $SHARED/rsyslog_log_utils.sh
+{{% if ATTRIBUTE == "owner" %}}
+CHATTR="chown"
+{{% else %}}
+CHATTR="chgrp"
+{{% endif %}}
+
USER=root
# setup test data
create_rsyslog_test_logs 2
# setup test log files ownership
-chown $USER ${RSYSLOG_TEST_LOGS[0]}
-chown $USER ${RSYSLOG_TEST_LOGS[1]}
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[1]}
# create test configuration file
test_conf=${RSYSLOG_TEST_DIR}/test1.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_other.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh
similarity index 70%
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_other.fail.sh
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh
index 7edbb17ea1..1afe20823c 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_other.fail.sh
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_other.fail.sh
@@ -5,15 +5,23 @@
source $SHARED/rsyslog_log_utils.sh
+{{% if ATTRIBUTE == "owner" %}}
+ADDCOMMAND="useradd"
+CHATTR="chown"
+{{% else %}}
+ADDCOMMAND="groupadd"
+CHATTR="chgrp"
+{{% endif %}}
+
USER=testssg
-useradd $USER
+$ADDCOMMAND $USER
# setup test data
create_rsyslog_test_logs 1
# setup test log file ownership
-chown $USER ${RSYSLOG_TEST_LOGS[0]}
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
# add rule with non-root user owned log file
cat << EOF > $RSYSLOG_CONF
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_root.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh
similarity index 77%
rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_root.pass.sh
rename to shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh
index e0e518bc50..afce21fa27 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/tests/is_root.pass.sh
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/is_root.pass.sh
@@ -5,13 +5,19 @@
source $SHARED/rsyslog_log_utils.sh
+{{% if ATTRIBUTE == "owner" %}}
+CHATTR="chown"
+{{% else %}}
+CHATTR="chgrp"
+{{% endif %}}
+
USER=root
# setup test data
create_rsyslog_test_logs 1
# setup test log file ownership
-chown $USER ${RSYSLOG_TEST_LOGS[0]}
+$CHATTR $USER ${RSYSLOG_TEST_LOGS[0]}
# add rule with root user owned log file
cat << EOF > $RSYSLOG_CONF
--
2.39.1