On 04/16/2013 02:07 AM, Shawn Wells wrote:
On 4/15/13 3:13 PM, Tomas Heinrich wrote:
On 04/15/2013 04:15 PM, Jeffrey Blank wrote:
... but Leland (in conversation) pointed out that it should be possible
for OVAL to determine what files are actually written by rsyslog (by
looking in rsyslog.conf) and then performing the actual checks on those
files. That approach requires more complicated OVAL, though it is more
How reliable would you like this to be?
rsyslog is capable of generating file names based on message content
(e.g. embedding the sender IP in it). This cannot be parsed out of a
configuration file. Fixed-name log files would be possible.
rsyslog can also include config files recursively (through the
$IncludeConfig directive) and I'm not sure OVAL can handle this.
You can get some results, but not perfect. The easiest way would be to
include a list of log files provided by the rpm, which is the most
typical scenario.
desirable overall. I might consider asking Petr or Simon or Steve for
OVAL help here. I still find much of the OVAL documentation
incomprehensible.
I know a bit about rsyslog and OVAL if you have more questions.
Any suggestions on how to parse out the logfiles names as variables in
OVAL, then have it check the various user/group/file permissions? I
can't find sample code on this =/
Attached is a sketch of the relevant components.
And to ask a silly question, since we're creating the guidance, is there
a reason to not have rules which state "log authpriv info to
/var/log/secure," "log uucp,news.crit to /var/log/spool," etc? This
would make things much easier. I can't imagine many people change away
from the defaults, and if they do, let them create exceptions in their
C&A docs.
I don't think OVAL is capable of checking for a specific facility +
severity combination with 100% certainty as there are many ways to
express it.
As I've mentioned previously, you can check a predefined list of files
for proper attributes plus check that the conf file contains the desired
selectors and maybe plus checking custom files' attrs via the mechanism
outlined in the attachment. There always will be cases that this can't
cover.
Tomas
<!-- Attached sketch of the OVAL components. Namespace prefix declarations are
     omitted here; unix = oval-definitions-5#unix and ind =
     oval-definitions-5#independent, while local_variable/object_component are
     in the default oval-definitions-5 namespace. The pieces are shown in one
     place; in a full document they belong under <tests>, <objects>, <states>
     and <variables> respectively. -->

<!-- Test: every file named as a target in rsyslog.conf must match the
     permission state below. -->
<unix:file_test check_existence="any_exist" id="oval:com.asdf:tst:1"
  version="1" check="all">
  <unix:object object_ref="oval:com.asdf:obj:1"/>
  <unix:state state_ref="oval:com.asdf:ste:1"/>
</unix:file_test>

<!-- Collect every selector line: selector, whitespace, optional '-' (buffered
     write) and an absolute path. The parenthesised subexpression is the path.
     Lines starting with '$' (directives) or '#' (comments) are skipped. -->
<ind:textfilecontent54_object id="oval:com.asdf:obj:2" version="1"
  comment="log file selectors">
  <ind:path>/etc</ind:path>
  <ind:filename>rsyslog.conf</ind:filename>
  <ind:pattern operation="pattern match">^[\s]*[^$#\s]+[\s]+-?(/[\S]+)$</ind:pattern>
  <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>

<!-- Variable holding every captured path (one value per matched line). -->
<local_variable id="oval:com.asdf:var:1" version="1" datatype="string"
  comment="log file paths">
  <object_component item_field="subexpression" object_ref="oval:com.asdf:obj:2"/>
</local_variable>

<!-- One file item is collected for each path in the variable. -->
<unix:file_object id="oval:com.asdf:obj:1" version="1">
  <unix:filepath operation="equals" var_ref="oval:com.asdf:var:1"
    var_check="at least one"/>
</unix:file_object>

<!-- Expected attributes: rw-r--r-- and no suid/sgid/sticky bits. -->
<unix:file_state id="oval:com.asdf:ste:1" version="1">
  <unix:suid datatype="boolean">false</unix:suid>
  <unix:sgid datatype="boolean">false</unix:sgid>
  <unix:sticky datatype="boolean">false</unix:sticky>
  <unix:uread datatype="boolean">true</unix:uread>
  <unix:uwrite datatype="boolean">true</unix:uwrite>
  <unix:uexec datatype="boolean">false</unix:uexec>
  <unix:gread datatype="boolean">true</unix:gread>
  <unix:gwrite datatype="boolean">false</unix:gwrite>
  <unix:gexec datatype="boolean">false</unix:gexec>
  <unix:oread datatype="boolean">true</unix:oread>
  <unix:owrite datatype="boolean">false</unix:owrite>
  <unix:oexec datatype="boolean">false</unix:oexec>
</unix:file_state>
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
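The approach sketched in the thread (pull the fixed log file paths out of rsyslog.conf, then check the attributes of those files) as an added example in Python; it is not part of the thread or of the SCAP Security Guide project. It assumes rsyslog's legacy selector syntax, follows $IncludeConfig recursively (with a loop guard, which rsyslog itself does not provide), records '?template' dynamic targets separately because their file names depend on message content, strips a ';TEMPLATE' suffix from a path, and checks each file's mode bits against a maximum. The sample config tree, file names and modes are all constructed under a temporary directory.

```python
"""Added example (not from the thread): parse rsyslog's legacy selector syntax
for fixed log file paths, following $IncludeConfig, then audit those files'
permission bits.  The config tree and log files below are constructed."""
import glob
import os
import re
import stat
import tempfile

# Legacy selector line: "<selector><ws><target>".  Lines starting with '$'
# (directives) or '#' (comments) are excluded, as in the attachment's pattern.
ACTION_RE = re.compile(r'^\s*([^$#\s]+)\s+(\S+)\s*$')
INCLUDE_RE = re.compile(r'^\s*\$IncludeConfig\s+(\S+)', re.IGNORECASE)


def extract_log_targets(conf_path, _seen=None):
    """Return (fixed_files, dynamic_templates) found in conf_path and its includes.

    fixed_files: absolute paths written by omfile (part before any ';TEMPLATE').
    dynamic_templates: names behind '?template' targets; their file names are
    built from message content and cannot be resolved from the config alone.
    """
    seen = set() if _seen is None else _seen
    fixed, dynamic = set(), set()
    conf_path = os.path.abspath(conf_path)
    if conf_path in seen:                 # guard against include loops
        return fixed, dynamic
    seen.add(conf_path)
    try:
        with open(conf_path) as fh:
            lines = fh.read().splitlines()
    except OSError:
        return fixed, dynamic             # unreadable include: nothing to learn
    for line in lines:
        m = INCLUDE_RE.match(line)
        if m:
            for inc in sorted(glob.glob(m.group(1))):   # $IncludeConfig accepts globs
                f, d = extract_log_targets(inc, seen)
                fixed |= f
                dynamic |= d
            continue
        m = ACTION_RE.match(line)
        if not m:
            continue
        target = m.group(2).lstrip('-')   # '-' means buffered write, not part of the path
        if target.startswith('/'):
            fixed.add(target.split(';', 1)[0])   # drop ';RSYSLOG_...' template suffix
        elif target.startswith('?'):
            dynamic.add(target[1:])
        # anything else (:omusrmsg:, @remote, |pipe, ~) is not a local file
    return fixed, dynamic


def check_log_file(path, max_mode=0o640):
    """Return a list of findings for one log file; an empty list means it passes."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ['missing']
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append('symlink')        # a link could redirect log writes elsewhere
    elif not stat.S_ISREG(st.st_mode):
        findings.append('not a regular file')
    mode = stat.S_IMODE(st.st_mode)       # includes suid/sgid/sticky bits
    extra = mode & ~max_mode
    if extra:
        findings.append('mode %04o has bits %04o beyond %04o' % (mode, extra, max_mode))
    return findings


def audit(conf_path, max_mode=0o640):
    """Map every fixed log file named by the config to its findings."""
    fixed, _dynamic = extract_log_targets(conf_path)
    return {p: check_log_file(p, max_mode) for p in fixed}


def build_demo_tree():
    """Create a constructed rsyslog config tree and log files under a temp dir."""
    root = tempfile.mkdtemp(prefix='rsyslog-demo-')
    os.makedirs(os.path.join(root, 'rsyslog.d'))
    os.makedirs(os.path.join(root, 'log'))
    with open(os.path.join(root, 'rsyslog.conf'), 'w') as fh:
        fh.write(f'''# constructed sample, legacy syntax
$ModLoad imuxsock
$IncludeConfig {root}/rsyslog.d/*.conf
$template DynFile,"{root}/log/hosts/%HOSTNAME%.log"
*.info;mail.none;authpriv.none;cron.none   {root}/log/messages
authpriv.*                                 {root}/log/secure
uucp,news.crit                             -{root}/log/spooler
*.*                                        ?DynFile
*.emerg                                    :omusrmsg:*
''')
    with open(os.path.join(root, 'rsyslog.d', 'mail.conf'), 'w') as fh:
        # second line includes the main file again, only to exercise the loop guard
        fh.write(f'''mail.*   -{root}/log/maillog;RSYSLOG_TraditionalFileFormat
$IncludeConfig {root}/rsyslog.conf
''')
    for name, mode in (('messages', 0o644), ('secure', 0o600), ('maillog', 0o660)):
        p = os.path.join(root, 'log', name)
        open(p, 'w').close()
        os.chmod(p, mode)
    # 'spooler' is deliberately absent so the audit reports it as missing
    return root


if __name__ == '__main__':
    root = build_demo_tree()
    conf = os.path.join(root, 'rsyslog.conf')
    _, dynamic = extract_log_targets(conf)
    print('dynamic targets (unresolvable from config):', sorted(dynamic))
    for path, findings in sorted(audit(conf).items()):
        print(path, 'OK' if not findings else '; '.join(findings))
```

Two caveats follow from the parser. The attachment's OVAL pattern ends in `(/[\S]+)$`, and `\S` matches `;`, so a line such as `mail.* -/var/log/maillog;RSYSLOG_TraditionalFileFormat` would put the template suffix into the captured path and the file_object would then look for a file that does not exist; the split on `;` above is what avoids that. Neither the sketch nor this example parses the RainerScript form (`action(type="omfile" file="...")`), so on configs using it the list of fixed files is incomplete.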