On 4/7/14, 7:30 AM, Jan Lieskovsky wrote:
* checks/rsyslog_nolisten.xml:

When checking /etc/rsyslog.conf that none of the
($UDPServerRun | $InputTCPServerRun | $InputRELPServerRun)
directives are present, check also their versions possibly
prefixed with starting whitespace characters (otherwise
we can report the system is safe wrt this check when it
actually isn't).

* RHEL/6/input/system/logging.xml

Use $ModLoad imtcp (as stated in the manual page) rather than the
$ModLoad imtcp.so form when checking for loaded UDP / TCP / RELP
modules. Also, fix a typo in the UDP directive (there's no such
$InputUDPServerRun rsyslogd option).

* RHEL/7/input/system/logging.xml

Changes same as in RHEL/6's case.

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

0001-RHEL-6-rsyslog_nolisten-when-checking-if-rsyslogd-re.patch


 From 14202259ecf895461afca27e84038d9ba6687cba Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky<[email protected]>
Date: Mon, 7 Apr 2014 16:15:11 +0200
Subject: [PATCH] [RHEL/6] rsyslog_nolisten - when checking if rsyslogd rejects
  remote messages check also particular configuration directives
  prefixed with whitespace [RHEL/6] system/logging.xml - fix $UDPServerRun
  directive typo [RHEL/7] system/logging.xml - ditto

Signed-off-by: Jan Lieskovsky<[email protected]>
---
  RHEL/6/input/checks/rsyslog_nolisten.xml |  8 ++++----
  RHEL/6/input/system/logging.xml          | 14 +++++++-------
  RHEL/7/input/system/logging.xml          | 14 +++++++-------
  3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/RHEL/6/input/checks/rsyslog_nolisten.xml 
b/RHEL/6/input/checks/rsyslog_nolisten.xml
index d9376b6..00a346b 100644
--- a/RHEL/6/input/checks/rsyslog_nolisten.xml
+++ b/RHEL/6/input/checks/rsyslog_nolisten.xml
@@ -1,5 +1,5 @@
  <def-group>
-  <definition class="compliance" id="rsyslog_nolisten" version="1">
+  <definition class="compliance" id="rsyslog_nolisten" version="2">
      <metadata>
        <title>Disable Rsyslogd from Accepting Remote Messages on Loghosts
        Only</title>
@@ -7,7 +7,7 @@
          <platform>Red Hat Enterprise Linux 6</platform>
        </affected>
        <description>rsyslogd should reject remote messages</description>
-      <reference source="MED" ref_id="20130819" ref_url="test_attestation" />
+      <reference source="JL" ref_id="20140407" ref_url="test_attestation" />
      </metadata>
      <criteria>
        <criterion comment="Conditions are satisfied"
@@ -19,10 +19,10 @@
    id="test_rsyslog_nolisten" version="1">
      <ind:object object_ref="object_rsyslog_nolisten" />
    </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_rsyslog_nolisten" version="1">
+  <ind:textfilecontent54_object id="object_rsyslog_nolisten" version="2">
      <ind:path>/etc</ind:path>
      <ind:filename>rsyslog.conf</ind:filename>
-    <ind:pattern operation="pattern 
match">^\$(?:Input(?:TCP|RELP)|UDP)ServerRun</ind:pattern>
+    <ind:pattern operation="pattern 
match">^[\s]*\$(?:Input(?:TCP|RELP)|UDP)ServerRun</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
  </def-group>
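Review bot: the character class in the new pattern `^[\s]*\$(?:Input(?:TCP|RELP)|UDP)ServerRun` is redundant; `\s*` matches exactly the same leading whitespace and reads more clearly. The rest of the change is sound: only whitespace is allowed before the `$`, so a commented-out directive such as `#$UDPServerRun 514` still does not match, and the version bump on the object (with the definition bumped in the first hunk) is what the content convention calls for when a pattern changes.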
diff --git a/RHEL/6/input/system/logging.xml b/RHEL/6/input/system/logging.xml
index 0e4dec9..82455d6 100644
--- a/RHEL/6/input/system/logging.xml
+++ b/RHEL/6/input/system/logging.xml
@@ -276,11 +276,11 @@ should remain commented out.
  unless the system acts as a log server.
  To ensure that it is not listening on the network, ensure the following lines 
are
  <i>not</i> found in <tt>/etc/rsyslog.conf</tt>:
-<pre>$ModLoad imtcp.so
+<pre>$ModLoad imtcp
  $InputTCPServerRun <i>port</i>
-$ModLoad imudp.so
-$InputUDPServerRun <i>port</i>
-$ModLoad imrelp.so
+$ModLoad imudp
+$UDPServerRun <i>port</i>
+$ModLoad imrelp
  $InputRELPServerRun <i>port</i></pre>
  </description>
  <rationale>
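Review bot: the description lists the `$ModLoad imtcp` / `$ModLoad imudp` / `$ModLoad imrelp` lines among those that must not be found, but the OVAL pattern in rsyslog_nolisten.xml only matches the `$UDPServerRun`, `$InputTCPServerRun` and `$InputRELPServerRun` directives, so a configuration that loads a module without a listener directive satisfies the check while contradicting this text. Since it is the `...ServerRun` directives that open the listener, consider wording the description around those three lines (the `$ModLoad` lines are a prerequisite, not the thing being checked), so that the prose and the check agree.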
@@ -299,7 +299,7 @@ rsyslog by configuring it not to listen on the network.
  unless the system acts as a log server.
  If the system needs to act as a central log server, add the following lines to
  <tt>/etc/rsyslog.conf</tt> to enable reception of messages over TCP:
-<pre>$ModLoad imtcp.so
+<pre>$ModLoad imtcp
  $InputTCPServerRun 514</pre>
  </description>
  <rationale>
@@ -317,8 +317,8 @@ messages over a reliable TCP connection.
  unless the system acts as a log server.
  If the system needs to act as a central log server, add the following lines to
  <tt>/etc/rsyslog.conf</tt> to enable reception of messages over UDP:
-<pre>$ModLoad imudp.so
-$InputUDPServerRun 514</pre>
+<pre>$ModLoad imudp
+$UDPServerRun 514</pre>
  </description>
  <rationale>
  Many devices, such as switches, routers, and other Unix-like systems, may 
only support
diff --git a/RHEL/7/input/system/logging.xml b/RHEL/7/input/system/logging.xml
index c41b6ac..36c2fb0 100644
--- a/RHEL/7/input/system/logging.xml
+++ b/RHEL/7/input/system/logging.xml
@@ -276,11 +276,11 @@ should remain commented out.
  unless the system acts as a log server.
  To ensure that it is not listening on the network, ensure the following lines 
are
  <i>not</i> found in <tt>/etc/rsyslog.conf</tt>:
-<pre>$ModLoad imtcp.so
+<pre>$ModLoad imtcp
  $InputTCPServerRun <i>port</i>
-$ModLoad imudp.so
-$InputUDPServerRun <i>port</i>
-$ModLoad imrelp.so
+$ModLoad imudp
+$UDPServerRun <i>port</i>
+$ModLoad imrelp
  $InputRELPServerRun <i>port</i></pre>
  </description>
  <rationale>
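Review bot: this hunk is identical to the RHEL/6 change to `RHEL/6/input/system/logging.xml` above, and the `$InputUDPServerRun` typo being fixed in two places is a direct consequence of the same rule text being maintained twice. Consider moving the shared `<description>` and `<pre>` content to one location so future corrections are made once.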
@@ -299,7 +299,7 @@ rsyslog by configuring it not to listen on the network.
  unless the system acts as a log server.
  If the system needs to act as a central log server, add the following lines to
  <tt>/etc/rsyslog.conf</tt> to enable reception of messages over TCP:
-<pre>$ModLoad imtcp.so
+<pre>$ModLoad imtcp
  $InputTCPServerRun 514</pre>
  </description>
  <rationale>
@@ -317,8 +317,8 @@ messages over a reliable TCP connection.
  unless the system acts as a log server.
  If the system needs to act as a central log server, add the following lines to
  <tt>/etc/rsyslog.conf</tt> to enable reception of messages over UDP:
-<pre>$ModLoad imudp.so
-$InputUDPServerRun 514</pre>
+<pre>$ModLoad imudp
+$UDPServerRun 514</pre>
  </description>
  <rationale>
  Many devices, such as switches, routers, and other Unix-like systems, may 
only support
-- 1.8.3.1

Yet another that slipped through the cracks.

Ack

Feel free to move the OVAL to shared/
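As an added illustration of the bypass the patch closes (this is example code, not from the thread or the scap-security-guide project): the old and new OVAL patterns run over a constructed rsyslog.conf, showing that an indented listener directive slips past the old pattern and is caught by the new one, while a commented-out directive is ignored by both. It assumes a per-line, start-anchored match as an approximation of the OVAL textfilecontent54 evaluation.

```python
import re

# Patterns as they appear in RHEL/6/input/checks/rsyslog_nolisten.xml,
# before and after the patch.
OLD_PATTERN = re.compile(r"^\$(?:Input(?:TCP|RELP)|UDP)ServerRun")
NEW_PATTERN = re.compile(r"^[\s]*\$(?:Input(?:TCP|RELP)|UDP)ServerRun")

# Constructed sample /etc/rsyslog.conf (not taken from any real host).
# Line 4 is the case the patch fixes: a listener directive indented by
# leading whitespace. Line 5 is commented out and must not be flagged.
SAMPLE_CONF = "\n".join([
    "# constructed sample configuration",
    "$ModLoad imuxsock",
    "$ModLoad imudp",
    "    $UDPServerRun 514",
    "#$InputTCPServerRun 514",
    "$InputRELPServerRun 2514",
    "*.info;mail.none    /var/log/messages",
])

# Second constructed sample whose only listener directive is tab-indented.
INDENTED_ONLY_CONF = "\n".join([
    "$ModLoad imudp",
    "\t$UDPServerRun 514",
    "*.* /var/log/messages",
])


def listener_directives(conf_text, pattern):
    """Return (line_number, directive) for each line the pattern matches.

    Each line is tested on its own, anchored at its start; this is the
    example's approximation (an assumption) of the OVAL pattern match.
    """
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        if pattern.match(line):
            hits.append((lineno, line.strip()))
    return hits


def rejects_remote_messages(conf_text, pattern):
    """True when no listener directive is found, i.e. the check passes."""
    return not listener_directives(conf_text, pattern)


if __name__ == "__main__":
    for name, pat in (("old", OLD_PATTERN), ("new", NEW_PATTERN)):
        print(name, listener_directives(SAMPLE_CONF, pat),
              rejects_remote_messages(INDENTED_ONLY_CONF, pat))
```

With the old pattern the second sample is reported as compliant even though rsyslogd would listen on UDP/514; the new pattern reports it as non-compliant.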



_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
