Merge pull request #12433 from Mab879/update_rsyslog_remote_access_mo…

…nitoring

Move daemon.* to /var/log/messages

linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/ansible/shared.yml

@@ -10,10 +10,13 @@
  remote_methods:
  - selector: 'auth.*'
  regexp: ^.*auth\.\*.*$
+ location: "/var/log/secure"
  - selector: 'authpriv.*'
  regexp: ^.*authpriv\.\*.*$
+ location: "/var/log/secure"
  - selector: 'daemon.*'
  regexp: ^.*daemon\.\*.*$
+ location: "/var/log/messages"
 
 - name: "{{{ rule_title }}}: Ensure rsyslog.conf exists"
  file:
@@ -47,7 +50,7 @@
 - name: "{{{ rule_title }}}: Configure"
  lineinfile:
  path: /etc/rsyslog.conf
- line: "{{ item.item.0.selector }} /var/log/secure"
+ line: "{{ item.item.0.selector }} {{ item.item.0.location }}"
  insertafter: ^.*\/var\/log\/secure.*$
  create: yes
  loop: '{{ remote_method_values.results }}'

linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/bash/shared.sh

@@ -1,25 +1,26 @@
 # platform = multi_platform_all
 
 declare -A REMOTE_METHODS=( ['auth.*']='^[^#]*auth\.\*.*$' ['authpriv.*']='^[^#]*authpriv\.\*.*$' ['daemon.*']='^[^#]*daemon\.\*.*$' )
+declare -A LOCATIONS=( ['auth.*']='/var/log/secure' ['authpriv.*']='/var/log/secure' ['daemon.*']='/var/log/messages' )
 
 if [[ ! -f /etc/rsyslog.conf ]]; then
  # Something is not right, create the file
  touch /etc/rsyslog.conf
 fi
 
-APPEND_LINE=$(sed -rn '/^\S+\s+\/var\/log\/secure$/p' /etc/rsyslog.conf)
 
 # Loop through the remote methods associative array
 for K in "${!REMOTE_METHODS[@]}"
 do
  # Check to see if selector/value exists
  if ! grep -rq "${REMOTE_METHODS[$K]}" /etc/rsyslog.*; then
+ APPEND_LINE=$(sed -rn "/^\S+\s+\${LOCATIONS[$K]}$/p" /etc/rsyslog.conf)
  # Make sure we have a line to insert after, otherwise append to end
  if [[ ! -z ${APPEND_LINE} ]]; then
  # Add selector to file
  sed -r -i "0,/^(\S+\s+\/var\/log\/secure$)/s//\1\n${K} \/var\/log\/secure/" /etc/rsyslog.conf
  else
- echo "${K} /var/log/secure" >> /etc/rsyslog.conf
+ echo "${K} ${LOCATIONS[$K]}" >> /etc/rsyslog.conf
  fi
  fi
 done

linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml

@@ -12,7 +12,10 @@ description: |-
  <tt>/etc/rsyslog.d/*.conf</tt> file should contain a match for the following
  selectors: <tt>auth.*</tt>, <tt>authpriv.*</tt>, and <tt>daemon.*</tt>. If
  not, use the following as an example configuration:
- <pre>auth.*;authpriv.*;daemon.* /var/log/secure</pre>
+ <code>
+ auth.*;authpriv.* /var/log/secure
+ daemon.* /var/log/messages
+ </code>
 
 rationale: |-
  Logging remote access methods can be used to trace the decrease the risks

linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/tests/different_files.pass.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+declare -A REMOTE_METHODS=( ['auth.*']='^.*auth\.\*.*$' ['authpriv.*']='^.*authpriv\.\*.*$' ['daemon.*']='^.*daemon\.\*.*$' )
+RSYSLOG_CONF='/etc/rsyslog.conf'
+RSYSLOG_D_FOLDER='/etc/rsyslog.d'
+RSYSLOG_D_FILES='/etc/rsyslog.d/*'
+
+
+# clean up .d conf files (if applicable)
+if [[ -d ${RSYSLOG_D_FOLDER} ]]; then
+ for rsyslog_d_file in ${RSYSLOG_D_FILES}
+ do
+ for K in ${!REMOTE_METHODS[@]}
+ do
+ if grep -q "$K" ${rsyslog_d_file}; then
+ sed -i "/$K/d" ${rsyslog_d_file}
+ fi
+ done
+ done
+fi
+
+if [[ ! -f /etc/rsyslog.conf ]]; then
+ # Something is not right, create the file
+ touch /etc/rsyslog.conf
+fi
+
+echo "auth.*;authpriv.* /var/log/secure" >> $RSYSLOG_CONF
+echo "daemon.* /var/log/messages" >> $RSYSLOG_CONF