On 5/30/14, 5:09 AM, Jan Lieskovsky wrote:
The change:

[1] https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=d2f99b0bd6dab889c5e023cf4df90df8bab8bc33

attempted to replace the "logrotate_rotate_all_files" OVAL check with the "ensure_logrotate_activated" OVAL check, but failed (to do so in all locations):

scap-security-guide]$ grep -rHn "logrotate_rotate_all_files" *
RHEL/6/input/system/logging.xml:377:<oval id="logrotate_rotate_all_files" />
RHEL/7/input/system/logging.xml:377:<oval id="logrotate_rotate_all_files" />

resulting in the following new 'make validate' / verify-input-references.py error message:

Invalid OVAL definition referenced by XCCDF Rule: ensure_logrotate_activated

Fix that by referencing the new OVAL check name in the RHEL/{6,7}/input/system/logging.xml files too.

Besides that, the original RHEL/6/input/checks/ensure_logrotate_activated.xml OVAL check was implemented just as an unknown OVAL test stub. Replace that stub definition with an actual implementation based on guide.html content, move it to shared, and create links for RHEL/6 and RHEL/7.

The proposal has been tested on RHEL/6 & RHEL/7 - the rpm package builds properly, the make validate warning disappeared & the check seems to be working properly on both of the products.

Please review.

Thank you && Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

0001-RHEL-6-RHEL-7-shared-Finish-logrotate_rotate_all_fil.patch

From de1beb4d9137c24fd4e603b1a9e23c8d5eabc2cd Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky<[email protected]>
Date: Fri, 30 May 2014 10:56:04 +0200
Subject: [PATCH] [RHEL/6, RHEL/7, shared] Finish logrotate_rotate_all_files => ensure_logrotate_activated transition.

Replace ensure_logrotate_activated unknown test stub with actual OVAL check implementation.
Signed-off-by: Jan Lieskovsky<[email protected]> --- RHEL/6/input/checks/ensure_logrotate_activated.xml | 21 +--------- RHEL/6/input/system/logging.xml | 2 +- RHEL/7/input/checks/ensure_logrotate_activated.xml | 1 + RHEL/7/input/system/logging.xml | 2 +- shared/oval/ensure_logrotate_activated.xml | 46 ++++++++++++++++++++++ 5 files changed, 50 insertions(+), 22 deletions(-) mode change 100644 => 120000 RHEL/6/input/checks/ensure_logrotate_activated.xml create mode 120000 RHEL/7/input/checks/ensure_logrotate_activated.xml create mode 100644 shared/oval/ensure_logrotate_activated.xml diff --git a/RHEL/6/input/checks/ensure_logrotate_activated.xml b/RHEL/6/input/checks/ensure_logrotate_activated.xml deleted file mode 100644 index aca539b..0000000 --- a/RHEL/6/input/checks/ensure_logrotate_activated.xml +++ /dev/null @@ -1,20 +0,0 @@ -<def-group> - <definition class="compliance" - id="ensure_logrotate_activated" version="1"> - <metadata> - <title>Ensure All Logs are Rotated by logrotate</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>The logrotate (syslog rotater) service should be - enabled.</description> - </metadata> - <criteria> - <criterion comment="Find each file in /etc/syslog.conf in /etc/logrotate.d/syslog" - test_ref="test_20154" /> - </criteria> - </definition> - <ind:unknown_test check="all" - comment="use extended content to evaluated this test" - id="test_20154" version="1" /> -</def-group> diff --git a/RHEL/6/input/checks/ensure_logrotate_activated.xml b/RHEL/6/input/checks/ensure_logrotate_activated.xml new file mode 120000 index 0000000..1916c40 --- /dev/null +++ b/RHEL/6/input/checks/ensure_logrotate_activated.xml @@ -0,0 +1 @@ +../../../../shared/oval/ensure_logrotate_activated.xml \ No newline at end of file diff --git a/RHEL/6/input/system/logging.xml b/RHEL/6/input/system/logging.xml index 82455d6..c7fc389 100644 --- a/RHEL/6/input/system/logging.xml 
+++ b/RHEL/6/input/system/logging.xml @@ -374,7 +374,7 @@ If logrotate is configured properly, output should include references to <tt>/etc/cron.daily</tt>. </ocil> <ident cce="27014-0" /> -<oval id="logrotate_rotate_all_files" /> +<oval id="ensure_logrotate_activated" /> <ref nist="AU-9" disa="366" /> </Rule> </Group> diff --git a/RHEL/7/input/checks/ensure_logrotate_activated.xml b/RHEL/7/input/checks/ensure_logrotate_activated.xml new file mode 120000 index 0000000..1916c40 --- /dev/null +++ b/RHEL/7/input/checks/ensure_logrotate_activated.xml @@ -0,0 +1 @@ +../../../../shared/oval/ensure_logrotate_activated.xml \ No newline at end of file diff --git a/RHEL/7/input/system/logging.xml b/RHEL/7/input/system/logging.xml index 36c2fb0..993d214 100644 --- a/RHEL/7/input/system/logging.xml +++ b/RHEL/7/input/system/logging.xml @@ -374,7 +374,7 @@ If logrotate is configured properly, output should include references to <tt>/etc/cron.daily</tt>. </ocil> <ident cce="RHEL7-CCE-TBD" /> -<oval id="logrotate_rotate_all_files" /> +<oval id="ensure_logrotate_activated" /> <ref nist="AU-9" disa="366" /> </Rule> </Group> diff --git a/shared/oval/ensure_logrotate_activated.xml b/shared/oval/ensure_logrotate_activated.xml new file mode 100644 index 0000000..c82b3a3 --- /dev/null +++ b/shared/oval/ensure_logrotate_activated.xml 
@@ -0,0 +1,46 @@ +<def-group> + <definition class="compliance" id="ensure_logrotate_activated" version="1"> + <metadata> + <title>Ensure the logrotate utility performs the automatic rotation of log files on daily basis</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + <platform>Red Hat Enterprise Linux 7</platform> + </affected> + <description> + The frequency of automatic log files rotation performed by the logrotate utility should be configured to run daily + </description> + <reference source="JL" ref_id="20140530" ref_url="test_attestation" /> + </metadata> + <criteria comment="/etc/logrotate.conf contains daily setting or /etc/cron.daily/logrotate file exists" operator="OR"> + <criterion comment="Check if daily is set in /etc/logrotate.conf" + test_ref="test_logrotate_conf_daily_setting" /> + <criterion comment="Check if /etc/cron.daily/logrotate file exists (and calls logrotate)" + test_ref="test_cron_daily_logrotate_existence" /> + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" check_existence="all_exist" + comment="Tests the presence of daily setting in /etc/logrotate.conf file" + id="test_logrotate_conf_daily_setting" version="1"> + <ind:object object_ref="obj_logrotate_conf_daily_setting" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="obj_logrotate_conf_daily_setting" version="1"> + <ind:filepath>/etc/logrotate.conf</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*daily[\s]*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object>
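Review bot: the pattern `^[\s]*daily[\s]*$` with instance 1 in obj_logrotate_conf_daily_setting passes on any line consisting of `daily`, including one sitting inside a per-logfile `/path { ... }` block or one that is followed by a later top-level `weekly`/`monthly` line, so test_logrotate_conf_daily_setting does not establish that the global rotation frequency is daily, which is what the definition title claims. Consider adding a second criterion (operator="AND" within this branch) that no line matching `^\s*(hourly|weekly|monthly|yearly)\s*$` exists in /etc/logrotate.conf, or narrow the title and description to "daily is set in /etc/logrotate.conf". Note also that the object reads only /etc/logrotate.conf, not the files pulled in by an `include` line.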
Is there configuration precedence in the logrotate.conf file? e.g. if you have "daily" followed immediately by "weekly," which will logrotate use? Should we ensure that daily exists, and the other options do not?
I tried looking through the manpage and google to no avail.
+ + <ind:textfilecontent54_test check="all" check_existence="all_exist" + comment="Tests the existence of /etc/cron.daily/logrotate file (and verify it actually calls logrotate utility)" + id="test_cron_daily_logrotate_existence" version="1"> + <ind:object object_ref="obj_cron_daily_logrotate_existence" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="obj_cron_daily_logrotate_existence" version="1"> + <ind:filepath>/etc/cron.daily/logrotate</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*/usr/sbin/logrotate[\s]*/etc/logrotate.conf(?:.*)$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> -- 1.8.3.1
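Review bot: with operator="OR" on the top-level criteria, the mere existence of /etc/cron.daily/logrotate (test_cron_daily_logrotate_existence) is enough to pass the whole definition even when /etc/logrotate.conf says `weekly`; the cron job only invokes logrotate, and the frequency directives in the configuration decide how often files actually rotate, so the OR does not back the title "performs the automatic rotation of log files on daily basis". Either change the operator to AND, or keep the OR and retitle/describe the definition as a logrotate activation check, which is what the XCCDF rule's OCIL ("output should include references to /etc/cron.daily") asks for. Separately, `^[\s]*/usr/sbin/logrotate[\s]*/etc/logrotate.conf(?:.*)$` accepts zero whitespace between the binary and the configuration path (`[\s]*` should be `[\s]+`), rejects any script that passes an option such as a state file before the path, and leaves the `.` in `logrotate.conf` unescaped; a pattern along the lines of `^\s*/usr/sbin/logrotate\s+(?:\S+\s+)*/etc/logrotate\.conf` would cover those cases.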
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
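To make the precedence question above concrete, here is an added example (my own code, not part of the patch or of the scap-security-guide project) that applies the proposed OVAL pattern for obj_logrotate_conf_daily_setting to a few constructed /etc/logrotate.conf contents and compares the result with the rotation frequency logrotate would actually use at top level. It assumes the logrotate(8) rules that later definitions override earlier ones, that a directive inside a `/path { ... }` block is local to that block, and that a comment is a line whose first non-blank character is `#`; the sample configurations are constructed for the example.

```python
import re

# Regex from the proposed OVAL object obj_logrotate_conf_daily_setting.
# re.MULTILINE stands in for textfilecontent54's line-oriented matching.
OVAL_DAILY_PATTERN = re.compile(r"^[\s]*daily[\s]*$", re.MULTILINE)

FREQUENCY_DIRECTIVES = ("hourly", "daily", "weekly", "monthly", "yearly")


def oval_daily_matches(conf_text):
    """What the proposed OVAL test sees: is there any line consisting of 'daily'?"""
    return OVAL_DAILY_PATTERN.search(conf_text) is not None


def effective_global_frequency(conf_text):
    """Top-level frequency logrotate would apply to files that set none of
    their own. Assumed logrotate(8) semantics (assumption of this example):
    later definitions override earlier ones, and a directive inside a
    '/path { ... }' block is local to that block, not global."""
    depth = 0
    frequency = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or comment line
            continue
        opens, closes = line.count("{"), line.count("}")
        if opens or closes:                     # block start/end line
            depth += opens - closes
            continue
        word = line.split()[0]
        if depth == 0 and word in FREQUENCY_DIRECTIVES:
            frequency = word                    # last top-level definition wins
    return frequency


def check_daily(conf_text):
    """Return (oval_result, effective_frequency, agree) for one configuration.
    agree is False when the OVAL regex reports daily but logrotate would not
    rotate daily, i.e. a false pass of the compliance check."""
    oval = oval_daily_matches(conf_text)
    effective = effective_global_frequency(conf_text)
    return oval, effective, oval == (effective == "daily")


# Constructed sample configurations (not taken from any real host).
CONF_DAILY_ONLY = "daily\nrotate 7\ncreate\n"
CONF_STOCK_WEEKLY = "weekly\nrotate 4\ncreate\ndateext\ninclude /etc/logrotate.d\n"
CONF_DAILY_THEN_WEEKLY = (
    "daily\n"
    "rotate 7\n"
    "# a later definition overrides the earlier one\n"
    "weekly\n"
)
CONF_DAILY_IN_BLOCK = (
    "weekly\n"
    "rotate 4\n"
    "/var/log/wtmp {\n"
    "    daily\n"          # local to wtmp only, yet matches the OVAL regex
    "    rotate 1\n"
    "}\n"
)

if __name__ == "__main__":
    samples = [("daily only", CONF_DAILY_ONLY),
               ("stock weekly", CONF_STOCK_WEEKLY),
               ("daily then weekly", CONF_DAILY_THEN_WEEKLY),
               ("daily in block", CONF_DAILY_IN_BLOCK)]
    for name, conf in samples:
        oval, effective, agree = check_daily(conf)
        print(f"{name:18} OVAL pass={str(oval):5} effective={str(effective):7} "
              f"{'ok' if agree else 'FALSE PASS'}")
```

Run stand-alone, the last two samples print FALSE PASS: the regex alone reports a daily setting where logrotate would rotate weekly. A complementary OVAL criterion asserting that no top-level line matches `^\s*(hourly|weekly|monthly|yearly)\s*$` closes the "daily then weekly" case; the block case cannot be told apart with a single line regex, which is why the check's title should say precisely which behaviour it verifies.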
