----- Original Message -----
> From: "Shawn Wells" <[email protected]>
> To: [email protected]
> Sent: Saturday, May 31, 2014 4:27:04 AM
> Subject: Re: [PATCH] [RHEL/6, RHEL/7, shared] Finish logrotate_rotate_all_files => ensure_logrotate_activated transition. Replace ensure_logrotate_activated unknown test stub with actual OVAL check implementation.
>
> On 5/30/14, 5:09 AM, Jan Lieskovsky wrote:
>
> The change:
> [1] https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=d2f99b0bd6dab889c5e023cf4df90df8bab8bc33
> attempted to replace "logrotate_rotate_all_files" OVAL check with "ensure_logrotate_activated" OVAL check,
> but failed (to do so in all locations):
>
> scap-security-guide]$ grep -rHn "logrotate_rotate_all_files" *
> RHEL/6/input/system/logging.xml:377:<oval id="logrotate_rotate_all_files" />
> RHEL/7/input/system/logging.xml:377:<oval id="logrotate_rotate_all_files" />
>
> resulting in the following new 'make validate' / verify-input-references.py error message to appear:
> Invalid OVAL definition referenced by XCCDF Rule: ensure_logrotate_activated
>
> Fix that by referencing the new OVAL check name in RHEL/{6,7}/input/system/logging.xml files too.
>
> Besides that the original RHEL/6/input/checks/ensure_logrotate_activated.xml OVAL check was implemented just as an unknown OVAL test stub. Replace that stub definition with an actual implementation based on guide.html content, move it to shared, and create links for RHEL/6 and RHEL/7.
>
> The proposal has been tested on RHEL/6 & RHEL/7 - rpm package builds properly, make validate warning disappeared & the check seems to be working properly on both of the products.
>
> Please review.
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> 0001-RHEL-6-RHEL-7-shared-Finish-logrotate_rotate_all_fil.patch
> From de1beb4d9137c24fd4e603b1a9e23c8d5eabc2cd Mon Sep 17 00:00:00 2001
> From: Jan Lieskovsky <[email protected]> Date: Fri, 30 May 2014 10:56:04 > +0200 > Subject: [PATCH] [RHEL/6, RHEL/7, shared] Finish logrotate_rotate_all_files > => > ensure_logrotate_activated transition. Replace > ensure_logrotate_activated unknown test stub with actual OVAL check > implementation. > > Signed-off-by: Jan Lieskovsky <[email protected]> --- > RHEL/6/input/checks/ensure_logrotate_activated.xml | 21 +--------- > RHEL/6/input/system/logging.xml | 2 +- > RHEL/7/input/checks/ensure_logrotate_activated.xml | 1 + > RHEL/7/input/system/logging.xml | 2 +- > shared/oval/ensure_logrotate_activated.xml | 46 > ++++++++++++++++++++++ > 5 files changed, 50 insertions(+), 22 deletions(-) > mode change 100644 => 120000 > RHEL/6/input/checks/ensure_logrotate_activated.xml > create mode 120000 RHEL/7/input/checks/ensure_logrotate_activated.xml > create mode 100644 shared/oval/ensure_logrotate_activated.xml > > diff --git a/RHEL/6/input/checks/ensure_logrotate_activated.xml > b/RHEL/6/input/checks/ensure_logrotate_activated.xml > deleted file mode 100644 > index aca539b..0000000 > --- a/RHEL/6/input/checks/ensure_logrotate_activated.xml > +++ /dev/null > @@ -1,20 +0,0 @@ > -<def-group> > - <definition class="compliance" > - id="ensure_logrotate_activated" version="1"> > - <metadata> > - <title>Ensure All Logs are Rotated by logrotate</title> > - <affected family="unix"> > - <platform>Red Hat Enterprise Linux 6</platform> > - </affected> > - <description>The logrotate (syslog rotater) service should be > - enabled.</description> > - </metadata> > - <criteria> > - <criterion comment="Find each file in /etc/syslog.conf in > /etc/logrotate.d/syslog" > - test_ref="test_20154" /> > - </criteria> > - </definition> > - <ind:unknown_test check="all" > - comment="use extended content to evaluated this test" > - id="test_20154" version="1" /> > -</def-group> 
> diff --git a/RHEL/6/input/checks/ensure_logrotate_activated.xml > b/RHEL/6/input/checks/ensure_logrotate_activated.xml > new file mode 120000 > index 0000000..1916c40 > --- /dev/null > +++ b/RHEL/6/input/checks/ensure_logrotate_activated.xml > @@ -0,0 +1 @@ > +../../../../shared/oval/ensure_logrotate_activated.xml > \ No newline at end of file > diff --git a/RHEL/6/input/system/logging.xml > b/RHEL/6/input/system/logging.xml > index 82455d6..c7fc389 100644 > --- a/RHEL/6/input/system/logging.xml > +++ b/RHEL/6/input/system/logging.xml > @@ -374,7 +374,7 @@ If logrotate is configured properly, output should > include references to > <tt>/etc/cron.daily</tt>. > </ocil> > <ident cce="27014-0" /> > -<oval id="logrotate_rotate_all_files" /> > +<oval id="ensure_logrotate_activated" /> > <ref nist="AU-9" disa="366" /> > </Rule> > </Group> > diff --git a/RHEL/7/input/checks/ensure_logrotate_activated.xml > b/RHEL/7/input/checks/ensure_logrotate_activated.xml > new file mode 120000 > index 0000000..1916c40 > --- /dev/null > +++ b/RHEL/7/input/checks/ensure_logrotate_activated.xml > @@ -0,0 +1 @@ > +../../../../shared/oval/ensure_logrotate_activated.xml > \ No newline at end of file > diff --git a/RHEL/7/input/system/logging.xml > b/RHEL/7/input/system/logging.xml > index 36c2fb0..993d214 100644 > --- a/RHEL/7/input/system/logging.xml > +++ b/RHEL/7/input/system/logging.xml > @@ -374,7 +374,7 @@ If logrotate is configured properly, output should > include references to > <tt>/etc/cron.daily</tt>. > </ocil> > <ident cce="RHEL7-CCE-TBD" /> > -<oval id="logrotate_rotate_all_files" /> > +<oval id="ensure_logrotate_activated" /> > <ref nist="AU-9" disa="366" /> > </Rule> > </Group> > diff --git a/shared/oval/ensure_logrotate_activated.xml > b/shared/oval/ensure_logrotate_activated.xml > new file mode 100644 > index 0000000..c82b3a3 > --- /dev/null > +++ b/shared/oval/ensure_logrotate_activated.xml 
> @@ -0,0 +1,46 @@ > +<def-group> > + <definition class="compliance" id="ensure_logrotate_activated" > version="1"> > + <metadata> > + <title>Ensure the logrotate utility performs the automatic rotation of > log files on daily basis</title> > + <affected family="unix"> > + <platform>Red Hat Enterprise Linux 6</platform> > + <platform>Red Hat Enterprise Linux 7</platform> > + </affected> > + <description> > + The frequency of automatic log files rotation performed by the > logrotate utility should be configured to run daily > + </description> > + <reference source="JL" ref_id="20140530" ref_url="test_attestation" /> > + </metadata> > + <criteria comment="/etc/logrotate.conf contains daily setting or > /etc/cron.daily/logrotate file exists" operator="OR"> > + <criterion comment="Check if daily is set in /etc/logrotate.conf" > + test_ref="test_logrotate_conf_daily_setting" /> > + <criterion comment="Check if /etc/cron.daily/logrotate file exists > (and calls logrotate)" > + test_ref="test_cron_daily_logrotate_existence" /> > + </criteria> > + </definition> > + > + <ind:textfilecontent54_test check="all" check_existence="all_exist" > + comment="Tests the presence of daily setting in /etc/logrotate.conf file" > + id="test_logrotate_conf_daily_setting" version="1"> > + <ind:object object_ref="obj_logrotate_conf_daily_setting" /> > + </ind:textfilecontent54_test> > + > + <ind:textfilecontent54_object id="obj_logrotate_conf_daily_setting" > version="1"> > + <ind:filepath>/etc/logrotate.conf</ind:filepath> > + <ind:pattern operation="pattern match">^[\s]*daily[\s]*$</ind:pattern> > + <ind:instance datatype="int">1</ind:instance> > + </ind:textfilecontent54_object> >
Thanks, Shawn. Good catch.

> Is there configuration precedence in the logrotate.conf file?

The last one will be used. logrotate will read its config from the start:
[1] https://fedorahosted.org/logrotate/browser/trunk/config.c#L584

and each of:
* hourly: https://fedorahosted.org/logrotate/browser/trunk/config.c#L996
* daily: https://fedorahosted.org/logrotate/browser/trunk/config.c#L998
* weekly: https://fedorahosted.org/logrotate/browser/trunk/config.c#L1003
* monthly: https://fedorahosted.org/logrotate/browser/trunk/config.c#L1001
* yearly: https://fedorahosted.org/logrotate/browser/trunk/config.c#L1005

options will reset the value of the newlog->criterium flag (which can have the values listed in: https://fedorahosted.org/logrotate/browser/trunk/logrotate.h#L36 ).

Yet logrotate will repeat this scenario for each of the files present in the /etc/logrotate.d/ directory (+1 time for the default /etc/logrotate.conf itself):
https://fedorahosted.org/logrotate/browser/trunk/config.c#L472

> e.g. if you have "daily" followed immediately by "weekly," which will the logrotate use?

Testing a patched local RHEL-6 logrotate RPM instance revealed the latter one will be used.

> Should we ensure that daily exists, and the other options do not?

Yes, based on the above, the new patch version should ensure the 'daily' setting is present / being used as the last (from the newlog->criterium flag enum ones) option in the logrotate.conf file. I will come up with a new patch version proposal.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> > I tried looking through the manpage and google with no avail.
> > > > > > > + > + <ind:textfilecontent54_test check="all" check_existence="all_exist" > + comment="Tests the existence of /etc/cron.daily/logrotate file (and verify > it actually calls logrotate utility)" > + id="test_cron_daily_logrotate_existence" version="1"> > + <ind:object object_ref="obj_cron_daily_logrotate_existence" /> > + </ind:textfilecontent54_test> > + > + <ind:textfilecontent54_object id="obj_cron_daily_logrotate_existence" > version="1"> > + <ind:filepath>/etc/cron.daily/logrotate</ind:filepath> > + <ind:pattern operation="pattern > match">^[\s]*/usr/sbin/logrotate[\s]*/etc/logrotate.conf(?:.*)$</ind:pattern> > + <ind:instance datatype="int">1</ind:instance> > + </ind:textfilecontent54_object> > + > +</def-group> > -- > 1.8.3.1 > > > > _______________________________________________ > scap-security-guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
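Review bot: the RHEL/6 and RHEL/7 logging.xml hunks swap only the Rule's `<oval id="logrotate_rotate_all_files" />` for `<oval id="ensure_logrotate_activated" />`, but the meaning of the referenced check changes with it: the deleted stub was titled "Ensure All Logs are Rotated by logrotate", while the new shared definition is titled "Ensure the logrotate utility performs the automatic rotation of log files on daily basis". Please confirm that the Rule's own title and description (outside this hunk) and the CCE 27014-0 mapping still describe what the OVAL now tests, so the XCCDF text and the check agree.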
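Review bot: in the new shared/oval/ensure_logrotate_activated.xml, `<criteria ... operator="OR">` lets either criterion alone satisfy a definition whose description requires daily rotation, but the two conditions are not substitutes: a `daily` line in /etc/logrotate.conf does nothing unless something runs logrotate, and an /etc/cron.daily/logrotate script does not make rotation daily if the configuration says otherwise, so `operator="AND"` is what the title calls for. Two further points on the same hunk: `obj_logrotate_conf_daily_setting` with `<ind:instance datatype="int">1</ind:instance>` passes on the first line consisting of `daily`, so a later `weekly` (the one logrotate keeps, per the reply above) or a `daily` inside a per-log `{ }` stanza both give a false pass; a criterion rejecting the other frequency keywords at global scope, as proposed for the next revision, would close that. And the cron pattern `^[\s]*/usr/sbin/logrotate[\s]*/etc/logrotate.conf(?:.*)$` only matches when the config path immediately follows the binary, so a script that passes options first (e.g. `-s <state file>`) fails the test although logrotate does run daily; `^[\s]*/usr/sbin/logrotate\b.*\s/etc/logrotate\.conf` (with the dot escaped) accepts both forms.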
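An added example, not code from the patch or from the scap-security-guide project: a small Python model of the logrotate behaviour Jan describes above (the last frequency keyword at global scope wins, keywords inside a per-log stanza stay local), placed next to the patch's two OVAL regexes so the inputs on which they disagree are visible. The logrotate.conf snippet and the cron script are constructed samples, not the packaged files.

```python
import re

FREQ_KEYWORDS = ("hourly", "daily", "weekly", "monthly", "yearly")

def effective_global_frequency(conf_text):
    """Last frequency keyword at global scope wins (each one resets the same
    flag, as described in the thread); keywords inside a per-log '{ ... }'
    stanza apply to that stanza only. Assumes the stock layout: stanza opener
    ends with '{', closing '}' on its own line, '#' starts a comment."""
    freq, depth = None, 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and line in FREQ_KEYWORDS:
            freq = line
    return freq

def patch_daily_criterion(conf_text):
    """The patch's first criterion: some line consists only of 'daily'."""
    return re.search(r"^[\s]*daily[\s]*$", conf_text, re.M) is not None

def patch_cron_criterion(script_text):
    """The patch's second criterion, regex copied unchanged."""
    pat = r"^[\s]*/usr/sbin/logrotate[\s]*/etc/logrotate.conf(?:.*)$"
    return re.search(pat, script_text, re.M) is not None

def cron_calls_logrotate(script_text):
    """Looser form tolerating options (e.g. -s <statefile>) before the path."""
    pat = r"^\s*/usr/sbin/logrotate\b.*\s/etc/logrotate\.conf(\s|$)"
    return re.search(pat, script_text, re.M) is not None

def rotation_is_daily(conf_text, script_text):
    """Both are required (AND): daily must be the effective default and the
    cron job must really run logrotate; the patch ORs its two criteria."""
    return (effective_global_frequency(conf_text) == "daily"
            and cron_calls_logrotate(script_text))

# Constructed samples. The conf passes the patch's 'daily' test although the
# default logrotate ends up with is weekly; the cron script carries a state
# file option, which the patch's regex rejects.
SAMPLE_CONF = "# comment\ndaily\nweekly\n/var/log/wtmp {\n    monthly\n}\n"
SAMPLE_CRON = ("#!/bin/sh\n/usr/sbin/logrotate -s /var/lib/logrotate/"
               "logrotate.status /etc/logrotate.conf\n")
```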
