TESTING:

[root@SSG-RHEL6 checks]# grep ^@ /etc/rsyslog.conf
[root@SSG-RHEL6 checks]# ./testcheck.py rsyslog_remote_loghost.xml
Evaluating with OVAL tempfile : /tmp/rsyslog_remote_loghostiY1DX3.xml
Writing results to : /tmp/rsyslog_remote_loghostiY1DX3.xml-results
Definition oval:scap-security-guide.testing:def:192: false
Evaluation done.

[root@SSG-RHEL6 checks]# echo "*.* @@remote-host:514" >> /etc/rsyslog.conf ; ./testcheck.py rsyslog_remote_loghost.xml
Evaluating with OVAL tempfile : /tmp/rsyslog_remote_loghostxSskWm.xml
Writing results to : /tmp/rsyslog_remote_loghostxSskWm.xml-results
Definition oval:scap-security-guide.testing:def:192: true
Evaluation done.

[root@SSG-RHEL6 checks]# sed -i '$ d' /etc/rsyslog.conf ; ./testcheck.py rsyslog_remote_loghost.xml
Evaluating with OVAL tempfile : /tmp/rsyslog_remote_loghosts4KKRx.xml
Writing results to : /tmp/rsyslog_remote_loghosts4KKRx.xml-results
Definition oval:scap-security-guide.testing:def:192: false
Evaluation done.

[root@SSG-RHEL6 checks]# echo "*.* @@remote-host:514" > /etc/rsyslog.d/ilovetestingbugs ; ./testcheck.py rsyslog_remote_loghost.xml
Evaluating with OVAL tempfile : /tmp/rsyslog_remote_loghosttZ8ody.xml
Writing results to : /tmp/rsyslog_remote_loghosttZ8ody.xml-results
Definition oval:scap-security-guide.testing:def:192: true
Evaluation done.

[root@SSG-RHEL6 checks]# rm /etc/rsyslog.d/ilovetestingbugs
rm: remove regular file `/etc/rsyslog.d/ilovetestingbugs'? y
From 61ab56032fc55dca0b3cf2c4a2934465c211dfc5 Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Fri, 25 Oct 2013 20:53:59 -0400
Subject: [PATCH] bugfix - rsyslog_remote_loghost OVAL
Bug reported by nixpeeps [1], the rsyslog_remote_loghost was improperly checking only the /etc/rsyslog.conf file. Updated OVAL now scans *both* /etc/rsyslog.conf and /etc/rsyslog.d

[1] https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-October/004379.html
---
 RHEL6/input/checks/rsyslog_remote_loghost.xml | 34 +++++++++++++++++++------
 scap-security-guide.spec                      |  5 +++-
 2 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/RHEL6/input/checks/rsyslog_remote_loghost.xml b/RHEL6/input/checks/rsyslog_remote_loghost.xml
index 81441eb..d5faf79 100644
--- a/RHEL6/input/checks/rsyslog_remote_loghost.xml
+++ b/RHEL6/input/checks/rsyslog_remote_loghost.xml
@@ -6,19 +6,37 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>Syslog logs should be sent to a remote loghost</description> - <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> + <reference source="SDW" ref_id="20131025" ref_url="test_attestation" /> </metadata> - <criteria> - <criterion comment="Conditions are satisfied" test_ref="test_rsyslog_remote_loghost" /> + <criteria operator="OR"> + <criterion comment="Remote logging set within /etc/rsyslog.conf" test_ref="test_remote_rsyslog_conf" /> + <criterion comment="Remote logging set within /etc/rsyslog.d" test_ref="test_remote_rsyslog_d" /> </criteria> </definition> - <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the \*\.\*[\s]+@ setting in the /etc/syslog.conf file" id="test_rsyslog_remote_loghost" version="1"> - <ind:object object_ref="object_rsyslog_remote_loghost" /> + + <ind:textfilecontent54_test check="all" check_existence="all_exist" + comment="Ensures system configured to export logs to remote host" + id="test_remote_rsyslog_conf" version="1"> + <ind:object object_ref="object_remote_loghost_rsyslog_conf" /> </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="object_rsyslog_remote_loghost" version="1"> - <ind:path>/etc</ind:path> - <ind:filename>rsyslog.conf</ind:filename> + + <ind:textfilecontent54_test check="all" check_existence="all_exist" + comment="Ensures system configured to export logs to remote host" + id="test_remote_rsyslog_d" version="1"> + <ind:object object_ref="object_remote_loghost_rsyslog_d" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="object_remote_loghost_rsyslog_conf" version="1"> + <ind:filepath>/etc/rsyslog.conf</ind:filepath> + <ind:pattern operation="pattern match">^\*\.\*[\s]+(?:@|\:omrelp\:)</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_object 
id="object_remote_loghost_rsyslog_d" version="1"> + <ind:path>/etc/rsyslog.d</ind:path> + <ind:filename operation="pattern match">.*</ind:filename> <ind:pattern operation="pattern match">^\*\.\*[\s]+(?:@|\:omrelp\:)</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> + </def-group> diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 78ce28a..a7f43f4 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -1,5 +1,5 @@ -%global redhatssgrelease 15.rc2 +%global redhatssgrelease 15.rc3 Name: scap-security-guide Version: 0.1 @@ -54,6 +54,9 @@ makewhatis %doc RHEL6/LICENSE RHEL6/output/rhel6-guide.html RHEL6/output/table-rhel6-cces.html RHEL6/output/table-rhel6-nistrefs-common.html RHEL6/output/table-rhel6-nistrefs.html RHEL6/output/table-rhel6-srgmap-flat.html RHEL6/output/table-rhel6-srgmap-flat.xhtml RHEL6/output/table-rhel6-srgmap.html RHEL6/output/table-rhel6-stig.html JBossEAP5/docs/JBossEAP5_Guide.html %changelog +* Fri Oct 25 2013 Shawn Wells <[email protected]> 0.1-15.rc3 +- [bugfix] Updated rsyslog_remote_loghost to scan /etc/rsyslog.conf and /etc/rsyslog.d/* + * Fri Oct 25 2013 Shawn Wells <[email protected]> 0.1-15.rc2 - Updated file permissions of JBossEAP5/eap5-cpe-dictionary.xml (chmod -x) to resolve rpmlint errors - RHEL6 HTML table naming bugfixes (table-rhel6-*, not table-*-rhel6) -- 1.7.1
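Review bot: In the rsyslog_remote_loghost.xml hunk, the new `object_remote_loghost_rsyslog_d` object uses `<ind:filename operation="pattern match">.*</ind:filename>`, which matches every file under /etc/rsyslog.d regardless of extension; the testing transcript above shows the definition going true for `/etc/rsyslog.d/ilovetestingbugs`, a file with no `.conf` suffix. If the `$IncludeConfig` directive in /etc/rsyslog.conf only pulls in `*.conf`, the check will report remote logging as configured on the strength of a file rsyslog never loads, so consider narrowing the filename pattern to match the include glob (for example `^.*\.conf$`) so the OVAL result tracks the daemon's effective configuration. Two smaller points on the same hunk: the pattern `^\*\.\*[\s]+(?:@|\:omrelp\:)` only recognises forwarding of the `*.*` selector, so a host that forwards a narrower selector (e.g. `authpriv.*`) to a remote loghost will still evaluate false; and both new tests carry the identical comment "Ensures system configured to export logs to remote host", whereas the criterion comments already distinguish the two files, so mirroring that in the test comments would make results easier to read.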
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
