From f986b7a2a13c6a4479e5c9c293f4f0f043a9cd80 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Thu, 26 Sep 2024 17:05:23 -0500
Subject: [PATCH] Move daemon.* to /var/log/messages

---
 .../ansible/shared.yml                        |  5 +++-
 .../bash/shared.sh                            |  5 ++--
 .../rsyslog_remote_access_monitoring/rule.yml |  5 +++-
 .../tests/differnt_files.pass.sh              | 29 +++++++++++++++++++
 4 files changed, 40 insertions(+), 4 deletions(-)
 create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/tests/differnt_files.pass.sh

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/ansible/shared.yml
index 9ee228df2de..d52e9e25413 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/ansible/shared.yml
@@ -10,10 +10,13 @@
     remote_methods:
       - selector: 'auth.*'
         regexp: ^.*auth\.\*.*$
+        location: "/var/log/secure"
       - selector: 'authpriv.*'
         regexp: ^.*authpriv\.\*.*$
+        location: "/var/log/secure"
       - selector: 'daemon.*'
         regexp: ^.*daemon\.\*.*$
+        location: "/var/log/messages"
 
 - name: "{{{ rule_title }}}: Ensure rsyslog.conf exists"
   file:
@@ -47,7 +50,7 @@
 - name: "{{{ rule_title }}}: Configure"
   lineinfile:
     path: /etc/rsyslog.conf
-    line: "{{ item.item.0.selector }} /var/log/secure"
+    line: "{{ item.item.0.selector }} {{ item.item.0.location }}"
     insertafter: ^.*\/var\/log\/secure.*$
     create: yes
   loop: '{{ remote_method_values.results }}'
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/bash/shared.sh
index d0172a96388..e736f6c1ed8 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/bash/shared.sh
@@ -1,25 +1,26 @@
 # platform = multi_platform_all
 
 declare -A REMOTE_METHODS=( ['auth.*']='^[^#]*auth\.\*.*$' ['authpriv.*']='^[^#]*authpriv\.\*.*$' ['daemon.*']='^[^#]*daemon\.\*.*$' )
+declare -A LOCATIONS=( ['auth.*']='/var/log/secure' ['authpriv.*']='/var/log/secure' ['daemon.*']='/var/log/messages' )
 
 if [[ ! -f /etc/rsyslog.conf ]]; then
 	# Something is not right, create the file
 	touch /etc/rsyslog.conf
 fi
 
-APPEND_LINE=$(sed -rn '/^\S+\s+\/var\/log\/secure$/p' /etc/rsyslog.conf)
 
 # Loop through the remote methods associative array
 for K in "${!REMOTE_METHODS[@]}"
 do
 	# Check to see if selector/value exists
 	if ! grep -rq "${REMOTE_METHODS[$K]}" /etc/rsyslog.*; then
+        APPEND_LINE=$(sed -rn "/^\S+\s+\${LOCATIONS[$K]}$/p" /etc/rsyslog.conf)
 		# Make sure we have a line to insert after, otherwise append to end
 		if [[ ! -z ${APPEND_LINE} ]]; then
 			# Add selector to file
 			sed -r -i "0,/^(\S+\s+\/var\/log\/secure$)/s//\1\n${K} \/var\/log\/secure/" /etc/rsyslog.conf
 		else
-			echo "${K} /var/log/secure" >> /etc/rsyslog.conf
+			echo "${K} ${LOCATIONS[$K]}" >> /etc/rsyslog.conf
 		fi
 	fi
 done
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml
index 98805b2023e..c1f2165a1ef 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml
@@ -12,7 +12,10 @@ description: |-
     <tt>/etc/rsyslog.d/*.conf</tt> file should contain a match for the following
     selectors: <tt>auth.*</tt>, <tt>authpriv.*</tt>, and <tt>daemon.*</tt>. If
     not, use the following as an example configuration:
-    <pre>auth.*;authpriv.*;daemon.*                              /var/log/secure</pre>
+    <code>
+        auth.*;authpriv.*                              /var/log/secure
+        daemon.*                                       /var/log/messages
+    </code>
 
 rationale: |-
     Logging remote access methods can be used to trace the decrease the risks
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/tests/differnt_files.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/tests/differnt_files.pass.sh
new file mode 100644
index 00000000000..782b9dec440
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/tests/differnt_files.pass.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+declare -A REMOTE_METHODS=( ['auth.*']='^.*auth\.\*.*$' ['authpriv.*']='^.*authpriv\.\*.*$' ['daemon.*']='^.*daemon\.\*.*$' )
+RSYSLOG_CONF='/etc/rsyslog.conf'
+RSYSLOG_D_FOLDER='/etc/rsyslog.d'
+RSYSLOG_D_FILES='/etc/rsyslog.d/*'
+
+
+# clean up .d conf files (if applicable)
+if [[ -d ${RSYSLOG_D_FOLDER} ]]; then
+	for rsyslog_d_file in ${RSYSLOG_D_FILES}
+	do
+		for K in ${!REMOTE_METHODS[@]}
+		do
+			if grep -q "${REMOTE_METHODS[$K]}" ${rsyslog_d_file}; then
+				sed -i "/${REMOTE_METHODS[$K]}/d" ${rsyslog_d_file}
+			fi
+		done
+	done
+fi
+
+if [[ ! -f /etc/rsyslog.conf ]]; then
+	# Something is not right, create the file
+	touch /etc/rsyslog.conf
+fi
+
+echo "auth.*,authpriv.* /var/log/secure" >> $RSYSLOG_CONF
+echo "daemon.* /var/log/messages" >> $RSYSLOG_CONF