On 10/25/13, 9:02 PM, Shawn Wells wrote:
On 10/25/13, 8:25 AM, Shaw, Ray V CTR USARMY ARL (US) wrote:
Classification: UNCLASSIFIED
Caveats: NONE
There's more than one instance of things like this (e.g.
/etc/security/limits.d versus limits.conf), and this applies to us
too. I'd like both to be valid; when possible, we prefer to
configuration-manage a small, unique file in a foo.d directory than
make changes to existing config files. I'm not certain how best to
do this in OVAL; write a check for each location, with a condition of
"at least one of these must be true"?
Good find. Just submitted a patch to address this, pending ack will be
picked up in next build:
https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-October/004387.html
Ray - Perhaps you could use this as a template for limits.conf vs
limits.d?
OK, patch got ack'd, it'll show up if you 'git pull'. Think you could
use it as a template? :)
-----Original Message-----
From: [email protected] [mailto:scap-
[email protected]] On Behalf Of wm-lists
Sent: Friday, October 25, 2013 7:47 AM
To: [email protected]
Subject: CCE-26801-1 - rsyslog suggestion/question
It appears the requirement checks /etc/rsyslog.conf for an entry such as
*.* @loghost.example.com
or
*.* @@loghost.example.com
<ind:textfilecontent54_object id="oval:ssg:obj:1907" version="1">
<ind:path>/etc</ind:path>
<ind:filename>rsyslog.conf</ind:filename>
<ind:pattern operation="pattern match">^\*\.\*[\s]+(?:@|\:omrelp\:)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
However in my case, we utilize multiple .conf files under
/etc/rsyslog.d for destinations (log aggregators, etc...)
I'm guessing the scap software doesn't follow include Directives?
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
--
Shawn Wells
Director, Innovation Programs
[email protected] | 443.534.0130
@shawndwells
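
Added example, not part of the thread and not the patch referenced above: one way to express "at least one of these must be true" in OVAL for /etc/rsyslog.conf versus /etc/rsyslog.d. The oval:example:* ids, the comments and the ^.+\.conf$ filename pattern are assumptions made for illustration; the content pattern is the one quoted in the original message.

```xml
<!-- Added example. All oval:example:* ids are constructed placeholders. -->
<definition class="compliance" id="oval:example:def:1" version="1">
  <metadata>
    <title>Logs are sent to a remote host</title>
    <description>A *.* forwarding rule exists in rsyslog.conf or in a
      file under rsyslog.d.</description>
  </metadata>
  <!-- OR: the definition passes if either location holds a matching rule -->
  <criteria operator="OR">
    <criterion comment="forwarding rule in /etc/rsyslog.conf"
               test_ref="oval:example:tst:1" />
    <criterion comment="forwarding rule in a /etc/rsyslog.d file"
               test_ref="oval:example:tst:2" />
  </criteria>
</definition>

<ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
    comment="forwarding rule in /etc/rsyslog.conf"
    id="oval:example:tst:1" version="1">
  <ind:object object_ref="oval:example:obj:1" />
</ind:textfilecontent54_test>

<ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
    comment="forwarding rule in a /etc/rsyslog.d file"
    id="oval:example:tst:2" version="1">
  <ind:object object_ref="oval:example:obj:2" />
</ind:textfilecontent54_test>

<!-- Same object as quoted in the thread, with a placeholder id -->
<ind:textfilecontent54_object id="oval:example:obj:1" version="1">
  <ind:path>/etc</ind:path>
  <ind:filename>rsyslog.conf</ind:filename>
  <ind:pattern operation="pattern match">^\*\.\*[\s]+(?:@|\:omrelp\:)</ind:pattern>
  <ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>

<!-- Second location: any file ending in .conf directly under /etc/rsyslog.d.
     The scanner reads these files itself and does not interpret rsyslog
     include directives, so this assumes rsyslog.conf actually loads the
     directory (for example: $IncludeConfig /etc/rsyslog.d/*.conf). -->
<ind:textfilecontent54_object id="oval:example:obj:2" version="1">
  <ind:path>/etc/rsyslog.d</ind:path>
  <ind:filename operation="pattern match">^.+\.conf$</ind:filename>
  <ind:pattern operation="pattern match">^\*\.\*[\s]+(?:@|\:omrelp\:)</ind:pattern>
  <ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
```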