This is the unmodified / same version of the patch as provided in: https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-May/005640.html
Please review. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
>From 831f7380af949a84493bfadb7ff8e5eef6058c9d Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Fri, 30 May 2014 10:56:04 +0200
Subject: [PATCH 1/2] [RHEL/6, RHEL/7, shared] Finish logrotate_rotate_all_files => ensure_logrotate_activated transition. Replace ensure_logrotate_activated unknown test stub with actual OVAL check implementation.
Signed-off-by: Jan Lieskovsky <[email protected]>
---
 RHEL/6/input/checks/ensure_logrotate_activated.xml | 21 +---------
 RHEL/6/input/system/logging.xml | 2 +-
 RHEL/7/input/checks/ensure_logrotate_activated.xml | 1 +
 RHEL/7/input/system/logging.xml | 2 +-
 shared/oval/ensure_logrotate_activated.xml | 46 ++++++++++++++++++++++
 5 files changed, 50 insertions(+), 22 deletions(-)
 mode change 100644 => 120000 RHEL/6/input/checks/ensure_logrotate_activated.xml
 create mode 120000 RHEL/7/input/checks/ensure_logrotate_activated.xml
 create mode 100644 shared/oval/ensure_logrotate_activated.xml
diff --git a/RHEL/6/input/checks/ensure_logrotate_activated.xml b/RHEL/6/input/checks/ensure_logrotate_activated.xml
deleted file mode 100644
index aca539b..0000000
--- a/RHEL/6/input/checks/ensure_logrotate_activated.xml
+++ /dev/null
@@ -1,20 +0,0 @@
-<def-group>
- <definition class="compliance"
- id="ensure_logrotate_activated" version="1">
- <metadata>
- <title>Ensure All Logs are Rotated by logrotate</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The logrotate (syslog rotater) service should be
- enabled.</description>
- </metadata>
- <criteria>
- <criterion comment="Find each file in /etc/syslog.conf in /etc/logrotate.d/syslog"
- test_ref="test_20154" />
- </criteria>
- </definition>
- <ind:unknown_test check="all"
- comment="use extended content to evaluated this test"
- id="test_20154" version="1" />
-</def-group>
diff --git a/RHEL/6/input/checks/ensure_logrotate_activated.xml b/RHEL/6/input/checks/ensure_logrotate_activated.xml
new file mode 120000
index 0000000..1916c40
--- /dev/null
+++ b/RHEL/6/input/checks/ensure_logrotate_activated.xml
@@ -0,0 +1 @@
+../../../../shared/oval/ensure_logrotate_activated.xml
\ No newline at end of file
diff --git a/RHEL/6/input/system/logging.xml b/RHEL/6/input/system/logging.xml
index 82455d6..c7fc389 100644
--- a/RHEL/6/input/system/logging.xml
+++ b/RHEL/6/input/system/logging.xml
@@ -374,7 +374,7 @@ If logrotate is configured properly, output should include references to
 <tt>/etc/cron.daily</tt>.
 </ocil>
 <ident cce="27014-0" />
-<oval id="logrotate_rotate_all_files" />
+<oval id="ensure_logrotate_activated" />
 <ref nist="AU-9" disa="366" />
 </Rule>
 </Group>
diff --git a/RHEL/7/input/checks/ensure_logrotate_activated.xml b/RHEL/7/input/checks/ensure_logrotate_activated.xml
new file mode 120000
index 0000000..1916c40
--- /dev/null
+++ b/RHEL/7/input/checks/ensure_logrotate_activated.xml
@@ -0,0 +1 @@
+../../../../shared/oval/ensure_logrotate_activated.xml
\ No newline at end of file
diff --git a/RHEL/7/input/system/logging.xml b/RHEL/7/input/system/logging.xml
index 36c2fb0..993d214 100644
--- a/RHEL/7/input/system/logging.xml
+++ b/RHEL/7/input/system/logging.xml
@@ -374,7 +374,7 @@ If logrotate is configured properly, output should include references to
 <tt>/etc/cron.daily</tt>.
 </ocil>
 <ident cce="RHEL7-CCE-TBD" />
-<oval id="logrotate_rotate_all_files" />
+<oval id="ensure_logrotate_activated" />
 <ref nist="AU-9" disa="366" />
 </Rule>
 </Group>
diff --git a/shared/oval/ensure_logrotate_activated.xml b/shared/oval/ensure_logrotate_activated.xml
new file mode 100644
index 0000000..c82b3a3
--- /dev/null
+++ b/shared/oval/ensure_logrotate_activated.xml
@@ -0,0 +1,46 @@
+<def-group>
+ <definition class="compliance" id="ensure_logrotate_activated" version="1">
+ <metadata>
+ <title>Ensure the logrotate utility performs the automatic rotation of log files on daily basis</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ <platform>Red Hat Enterprise Linux 7</platform>
+ </affected>
+ <description>
+ The frequency of automatic log files rotation performed by the logrotate utility should be configured to run daily
+ </description>
+ <reference source="JL" ref_id="20140530" ref_url="test_attestation" />
+ </metadata>
+ <criteria comment="/etc/logrotate.conf contains daily setting or /etc/cron.daily/logrotate file exists" operator="OR">
+ <criterion comment="Check if daily is set in /etc/logrotate.conf"
+ test_ref="test_logrotate_conf_daily_setting" />
+ <criterion comment="Check if /etc/cron.daily/logrotate file exists (and calls logrotate)"
+ test_ref="test_cron_daily_logrotate_existence" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="Tests the presence of daily setting in /etc/logrotate.conf file"
+ id="test_logrotate_conf_daily_setting" version="1">
+ <ind:object object_ref="obj_logrotate_conf_daily_setting" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_logrotate_conf_daily_setting" version="1">
+ <ind:filepath>/etc/logrotate.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*daily[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="Tests the existence of /etc/cron.daily/logrotate file (and verify it actually calls logrotate utility)"
+ id="test_cron_daily_logrotate_existence" version="1">
+ <ind:object object_ref="obj_cron_daily_logrotate_existence" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_cron_daily_logrotate_existence" version="1">
+ <ind:filepath>/etc/cron.daily/logrotate</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*/usr/sbin/logrotate[\s]*/etc/logrotate.conf(?:.*)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
-- 1.8.3.1
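Review bot: The `operator="OR"` on `<criteria>` lets either test alone satisfy the definition: a host with `daily` in /etc/logrotate.conf but no cron job that runs logrotate passes, and so does a host whose /etc/cron.daily/logrotate calls logrotate while the configuration file sets no `daily` frequency. Since the title and description require rotation on a daily basis, `operator="AND"` (with the criteria comment reworded from "or" to "and") appears to be the intended logic. The `daily` pattern `^[\s]*daily[\s]*$` also matches an indented `daily` inside a per-file `{ }` stanza, so a match does not establish the global frequency. In `obj_cron_daily_logrotate_existence`, `[\s]*` between the binary and the configuration path allows nothing but whitespace (including none), so an invocation that passes options before /etc/logrotate.conf would not match, and the `.` in `logrotate.conf` is unescaped; something like `^\s*/usr/sbin/logrotate\s+(?:\S+\s+)*/etc/logrotate\.conf(?:\s.*)?$` would be stricter on both points.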
