This regex will match on $InputTCPServerRun, $InputRELPServerRun, and $UDPServerRun.
- Maura Dailey
Signed-off-by: Maura Dailey <[email protected]>
---
RHEL6/input/checks/rsyslog_nolisten.xml | 21 +++++++++------------
1 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/RHEL6/input/checks/rsyslog_nolisten.xml b/RHEL6/input/checks/rsyslog_nolisten.xml
index 46cc285..d9376b6 100644
--- a/RHEL6/input/checks/rsyslog_nolisten.xml
+++ b/RHEL6/input/checks/rsyslog_nolisten.xml
@@ -1,31 +1,28 @@ <def-group> - <definition class="compliance" - id="rsyslog_nolisten" version="1"> + <definition class="compliance" id="rsyslog_nolisten" version="1"> <metadata> - <title>Disable Rsyslogd from Accepting Remote Messages on - Loghosts Only</title> + <title>Disable Rsyslogd from Accepting Remote Messages on Loghosts + Only</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> - <description>RSyslogd should reject remote - messages</description> + <description>rsyslogd should reject remote messages</description> + <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> <criteria> <criterion comment="Conditions are satisfied" test_ref="test_rsyslog_nolisten" /> </criteria> </definition> - <ind:textfilecontent54_test check="all" - check_existence="none_exist" - comment="Ensure that the /etc/rsyslog.conf does not contain $InputTCPServerRun | $InputUDPServerRun | $InputRELPServerRun" + <ind:textfilecontent54_test check="all" check_existence="none_exist" + comment="Ensure that the /etc/rsyslog.conf does not contain $InputTCPServerRun | $UDPServerRun | $InputRELPServerRun" id="test_rsyslog_nolisten" version="1"> <ind:object object_ref="object_rsyslog_nolisten" /> </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="object_rsyslog_nolisten" - version="1"> + <ind:textfilecontent54_object id="object_rsyslog_nolisten" version="1"> <ind:path>/etc</ind:path> <ind:filename>rsyslog.conf</ind:filename> - <ind:pattern operation="pattern match">^\$Input(?:(TCP)|(UDP)|(RELP))ServerRun\s*$</ind:pattern> + <ind:pattern operation="pattern match">^\$(?:Input(?:TCP|RELP)|UDP)ServerRun</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> -- 1.7.1 _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
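Review bot: The new `<ind:pattern>` anchors `\$` directly at `^`, so a listener directive that is indented in /etc/rsyslog.conf would not be matched and the check would report compliance. If rsyslog accepts leading whitespace before legacy directives (likely, but worth confirming against the shipped version), the pattern should tolerate it, e.g. `^[ \t]*\$(?:Input(?:TCP|RELP)|UDP)ServerRun`. The object also reads only `/etc/rsyslog.conf` (`<ind:path>/etc</ind:path>` plus `<ind:filename>rsyslog.conf</ind:filename>`), so a listener enabled from a file pulled in through `$IncludeConfig` would be outside the check's view; whether the default configuration uses such an include is not visible in this patch. Widening the object to cover the included directory, or stating the limitation in the `<description>`, would avoid a false pass when auditing hosts that are not meant to be loghosts.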
