* checks/rsyslog_nolisten.xml: When checking /etc/rsyslog.conf for the absence of the ($UDPServerRun | $InputTCPServerRun | $InputRELPServerRun) directives, also check their versions possibly prefixed with leading whitespace characters (otherwise we could report the system as safe with respect to this check when it actually wasn't).
* RHEL/6/input/system/logging.xml: Use $ModLoad imtcp (as stated in the manual page) rather than the $ModLoad imtcp.so form when checking for loaded UDP / TCP / RELP modules. Also fix a typo in the UDP directive (there is no such $InputUDPServerRun rsyslogd option).
* RHEL/7/input/system/logging.xml: Same changes as in the RHEL/6 case.

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From 14202259ecf895461afca27e84038d9ba6687cba Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky <[email protected]> Date: Mon, 7 Apr 2014 16:15:11 +0200 Subject: [PATCH] [RHEL/6] rsyslog_nolisten - when checking if rsyslogd rejects remote messages check also particular configuration directives prefixed with whitespace [RHEL/6] system/logging.xml - fix $UDPServerRun directive typo [RHEL/7] system/logging.xml - ditto Signed-off-by: Jan Lieskovsky <[email protected]> --- RHEL/6/input/checks/rsyslog_nolisten.xml | 8 ++++---- RHEL/6/input/system/logging.xml | 14 +++++++------- RHEL/7/input/system/logging.xml | 14 +++++++------- 3 files changed, 18 insertions(+), 18 deletions(-) diff --git a/RHEL/6/input/checks/rsyslog_nolisten.xml b/RHEL/6/input/checks/rsyslog_nolisten.xml index d9376b6..00a346b 100644 --- a/RHEL/6/input/checks/rsyslog_nolisten.xml +++ b/RHEL/6/input/checks/rsyslog_nolisten.xml @@ -1,5 +1,5 @@ <def-group> - <definition class="compliance" id="rsyslog_nolisten" version="1"> + <definition class="compliance" id="rsyslog_nolisten" version="2"> <metadata> <title>Disable Rsyslogd from Accepting Remote Messages on Loghosts Only</title> @@ -7,7 +7,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>rsyslogd should reject remote messages</description> - <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> + <reference source="JL" ref_id="20140407" ref_url="test_attestation" /> </metadata> <criteria> <criterion comment="Conditions are satisfied" 
@@ -19,10 +19,10 @@ id="test_rsyslog_nolisten" version="1"> <ind:object object_ref="object_rsyslog_nolisten" /> </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="object_rsyslog_nolisten" version="1"> + <ind:textfilecontent54_object id="object_rsyslog_nolisten" version="2"> <ind:path>/etc</ind:path> <ind:filename>rsyslog.conf</ind:filename> - <ind:pattern operation="pattern match">^\$(?:Input(?:TCP|RELP)|UDP)ServerRun</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*\$(?:Input(?:TCP|RELP)|UDP)ServerRun</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> diff --git a/RHEL/6/input/system/logging.xml b/RHEL/6/input/system/logging.xml index 0e4dec9..82455d6 100644 --- a/RHEL/6/input/system/logging.xml +++ b/RHEL/6/input/system/logging.xml @@ -276,11 +276,11 @@ should remain commented out. unless the system acts as a log server. To ensure that it is not listening on the network, ensure the following lines are <i>not</i> found in <tt>/etc/rsyslog.conf</tt>: -<pre>$ModLoad imtcp.so +<pre>$ModLoad imtcp $InputTCPServerRun <i>port</i> -$ModLoad imudp.so -$InputUDPServerRun <i>port</i> -$ModLoad imrelp.so +$ModLoad imudp +$UDPServerRun <i>port</i> +$ModLoad imrelp $InputRELPServerRun <i>port</i></pre> </description> <rationale> @@ -299,7 +299,7 @@ rsyslog by configuring it not to listen on the network. unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to <tt>/etc/rsyslog.conf</tt> to enable reception of messages over TCP: -<pre>$ModLoad imtcp.so +<pre>$ModLoad imtcp $InputTCPServerRun 514</pre> </description> <rationale> 
@@ -317,8 +317,8 @@ messages over a reliable TCP connection. unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to <tt>/etc/rsyslog.conf</tt> to enable reception of messages over UDP: -<pre>$ModLoad imudp.so -$InputUDPServerRun 514</pre> +<pre>$ModLoad imudp +$UDPServerRun 514</pre> </description> <rationale> Many devices, such as switches, routers, and other Unix-like systems, may only support diff --git a/RHEL/7/input/system/logging.xml b/RHEL/7/input/system/logging.xml index c41b6ac..36c2fb0 100644 --- a/RHEL/7/input/system/logging.xml +++ b/RHEL/7/input/system/logging.xml @@ -276,11 +276,11 @@ should remain commented out. unless the system acts as a log server. To ensure that it is not listening on the network, ensure the following lines are <i>not</i> found in <tt>/etc/rsyslog.conf</tt>: -<pre>$ModLoad imtcp.so +<pre>$ModLoad imtcp $InputTCPServerRun <i>port</i> -$ModLoad imudp.so -$InputUDPServerRun <i>port</i> -$ModLoad imrelp.so +$ModLoad imudp +$UDPServerRun <i>port</i> +$ModLoad imrelp $InputRELPServerRun <i>port</i></pre> </description> <rationale> @@ -299,7 +299,7 @@ rsyslog by configuring it not to listen on the network. unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to <tt>/etc/rsyslog.conf</tt> to enable reception of messages over TCP: -<pre>$ModLoad imtcp.so +<pre>$ModLoad imtcp $InputTCPServerRun 514</pre> </description> <rationale> @@ -317,8 +317,8 @@ messages over a reliable TCP connection. unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to <tt>/etc/rsyslog.conf</tt> to enable reception of messages over UDP: -<pre>$ModLoad imudp.so -$InputUDPServerRun 514</pre> +<pre>$ModLoad imudp +$UDPServerRun 514</pre> </description> <rationale> Many devices, such as switches, routers, and other Unix-like systems, may only support -- 1.8.3.1
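Review bot: in the rsyslog_nolisten.xml hunk at @@ -7,7 +7,7 @@, the existing attestation `<reference source="MED" ref_id="20130819" ref_url="test_attestation" />` is replaced rather than supplemented, so the record of the earlier test run is lost; add the new `JL`/`20140407` reference as a second line and keep the old one.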
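Review bot: in the rsyslog_nolisten.xml hunk at @@ -19,10 +19,10 @@, the new pattern's `[\s]*` is just `\s*` (a one-element character class); the shorter form is equivalent and easier to read. The object is bumped to `version="2"` while `test_rsyslog_nolisten` stays at `version="1"`, which is fine only if the project convention is to bump just the element that changed. The bigger gap is scope: the object still reads only `<ind:path>/etc</ind:path>` / `<ind:filename>rsyslog.conf</ind:filename>`, and the stock RHEL 6 rsyslog.conf pulls in `/etc/rsyslog.d/*.conf` via `$IncludeConfig`, so a `$InputTCPServerRun` placed in a drop-in file still yields the same false "safe" result this patch fixes for indented lines; a follow-up could add a second object over `/etc/rsyslog.d` with filename pattern `.*\.conf` and OR the two in the criteria.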
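Review bot: in the RHEL/6 logging.xml hunk at @@ -276,11 +276,11 @@, the description now tells the reader that `$ModLoad imtcp`, `$ModLoad imudp` and `$ModLoad imrelp` must not be found, but the companion rsyslog_nolisten check (earlier in this patch) only matches the `$...ServerRun` lines; either note in the description that only the ServerRun directives are evaluated by the automated check, or state that loading an input module without its ServerRun directive does not open a listening socket. Since rsyslog also accepts the `imtcp.so` spelling, a sentence saying the `.so`-suffixed form is equivalent would stop readers from treating such a line as harmless.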
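Review bot: in the RHEL/7 logging.xml hunk at @@ -276,11 +276,11 @@, the "not found" list covers only legacy `$ModLoad` / `$...ServerRun` directives, but the rsyslog shipped with RHEL 7 also accepts the RainerScript forms `module(load="imtcp")` and `input(type="imtcp" port="514")` (likewise for imudp/imrelp); mention those forms here so a reviewer checking by hand does not overlook them, and if a RHEL/7 copy of the rsyslog_nolisten check exists, its pattern needs the same extension.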
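Added example, not part of this patch or of the SSG project: a Python approximation of the OVAL textfilecontent54 check above, run over a constructed rsyslog.conf, showing why the pre-patch anchored pattern misses an indented directive while the patched one catches it, and listing `$IncludeConfig` drop-ins the check never reads. Line-by-line matching and the `OLD_PATTERN`/`NEW_PATTERN`/`SAMPLE_CONF` names are assumptions made for the illustration.

```python
import re

# Patterns taken from the OVAL object before and after the patch.
# Assumption: evaluating them line by line approximates how the
# textfilecontent54 probe applies the pattern to the file.
OLD_PATTERN = re.compile(r"^\$(?:Input(?:TCP|RELP)|UDP)ServerRun")
NEW_PATTERN = re.compile(r"^[\s]*\$(?:Input(?:TCP|RELP)|UDP)ServerRun")

# Lines that pull in further configuration the check does not open.
INCLUDE_PATTERN = re.compile(r"^\s*\$IncludeConfig\s+(\S+)")

# Constructed sample file (not from a real host): a commented-out UDP
# listener, an indented TCP listener, and a drop-in include.
SAMPLE_CONF = """\
# rsyslog v5 configuration file (constructed sample)
$ModLoad imuxsock
$ModLoad imklog
#$ModLoad imudp
#$UDPServerRun 514
    $ModLoad imtcp
    $InputTCPServerRun 514
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
$IncludeConfig /etc/rsyslog.d/*.conf
"""


def listening_directives(conf_text, pattern=NEW_PATTERN):
    """Return the active $...ServerRun lines that open a network listener.

    Commented-out lines never match because '#' precedes the '$'.
    """
    return [line.strip() for line in conf_text.splitlines() if pattern.match(line)]


def uncovered_includes(conf_text):
    """Return the $IncludeConfig targets the single-file check cannot see."""
    hits = []
    for line in conf_text.splitlines():
        m = INCLUDE_PATTERN.match(line)
        if m:
            hits.append(m.group(1))
    return hits


def accepts_remote_messages(conf_text, pattern=NEW_PATTERN):
    """True when at least one listener directive is active (check fails)."""
    return bool(listening_directives(conf_text, pattern))


if __name__ == "__main__":
    print("old pattern finds:", listening_directives(SAMPLE_CONF, OLD_PATTERN))
    print("new pattern finds:", listening_directives(SAMPLE_CONF))
    print("includes not read by the check:", uncovered_includes(SAMPLE_CONF))
```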
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
