Complete the CIS requirement to prevent rsyslog from receiving logs from remote clients #10619
Conversation
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_nolisten'.%0A--- xccdf_org.ssgproject.content_rule_rsyslog_nolisten%0A+++ xccdf_org.ssgproject.content_rule_rsyslog_nolisten%0A@@ -3,10 +3,11 @@%0A Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server%0A %0A [description]:%0A-The rsyslog daemon should not accept remote messages%0A-unless the system acts as a log server.%0A-To ensure that it is not listening on the network, ensure the following lines are%0A-not found in /etc/rsyslog.conf:%0A+The rsyslog daemon should not accept remote messages unless the system acts as a log%0A+server. To ensure that it is not listening on the network, ensure any of the following lines%0A+are not found in rsyslog configuration files.%0A+%0A+If using legacy syntax:%0A $ModLoad imtcp%0A $InputTCPServerRun port%0A $ModLoad imudp%0A@@ -14,6 +15,12 @@%0A $ModLoad imrelp%0A $InputRELPServerRun port%0A %0A+If using RainerScript syntax:%0A+module(load="imtcp")%0A+module(load="imudp")%0A+input(type="imtcp" port="514")%0A+input(type="imudp" port="514")%0A+%0A [reference]:%0A 1%0A %0A@@ -351,9 +358,9 @@%0A 4.2.1.7%0A %0A [rationale]:%0A-Any process which receives messages from the network incurs some risk%0A-of receiving malicious messages. This risk can be eliminated for%0A-rsyslog by configuring it not to listen on the network.%0A+Any process which receives messages from the network incurs some risk of receiving malicious%0A+messages. 
This risk can be eliminated for rsyslog by configuring it not to listen on the%0A+network.%0A %0A [ident]:%0A CCE-84275-7%0A%0AOVAL for rule 'xccdf_org.ssgproject.content_rule_rsyslog_nolisten' differs.%0A--- oval:ssg-rsyslog_nolisten:def:1%0A+++ oval:ssg-rsyslog_nolisten:def:1%0A@@ -1,2 +1,3 @@%0A-criteria None%0A-criterion oval:ssg-test_rsyslog_nolisten:tst:1%0A+criteria AND%0A+criterion oval:ssg-test_rsyslog_nolisten_legacy:tst:1%0A+criterion oval:ssg-test_rsyslog_nolisten_rainerscript:tst:1%0A%0AOCIL for rule 'xccdf_org.ssgproject.content_rule_rsyslog_nolisten' differs.%0A--- ocil:ssg-rsyslog_nolisten_ocil:questionnaire:1%0A+++ ocil:ssg-rsyslog_nolisten_ocil:questionnaire:1%0A@@ -1,6 +1,12 @@%0A-Verify that the system is not accepting "rsyslog" messages from other systems unless it is documented as a log aggregation server.%0A-Display the contents of the configuration file:%0A-cat /etc/rsyslog.conf%0A+Verify that the system is not accepting "rsyslog" messages from other systems unless it is%0A+documented as a log aggregation server.%0A+Display the contents of the rsyslog configuration files:%0A+find /etc -maxdepth 2 -regex '/etc/rsyslog\(\.conf\|\.d\/.*\.conf\)' -exec cat '{}' \;%0A+%0A+If any of the below lines are found, ask to see the documentation for the system being used%0A+for log aggregation:%0A+%0A+If using legacy syntax:%0A $ModLoad imtcp%0A $InputTCPServerRun port%0A $ModLoad imudp%0A@@ -8,6 +14,11 @@%0A $ModLoad imrelp%0A $InputRELPServerRun port%0A %0A-If any of the above modules are being loaded in the "/etc/rsyslog.conf" file, ask to see the documentation for the system being used for log aggregation.%0A+If using RainerScript syntax:%0A+module(load="imtcp")%0A+module(load="imudp")%0A+input(type="imtcp" port="514")%0A+input(type="imudp" port="514")%0A+%0A Is it the case that rsyslog accepts remote messages and is not documented as a log aggregation system?%0A %0ANew datastream adds bash remediation for rule 
'xccdf_org.ssgproject.content_rule_rsyslog_nolisten'.%0ANew datastream adds ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_nolisten'. |
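Review bot: in the description hunk the RainerScript list omits RELP even though the legacy list right above it includes `$ModLoad imrelp` and `$InputRELPServerRun port`; add `module(load="imrelp")` and `input(type="imrelp" port="514")` to the RainerScript list (and to the OCIL list, which repeats it) and confirm that the new `oval:ssg-test_rsyslog_nolisten_rainerscript:tst:1` test matches them too, otherwise a RELP listener written in RainerScript passes the rule while its legacy equivalent fails it.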
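Review bot: the RainerScript examples hard-code `port="514"` while the legacy examples use a generic `port` placeholder; if the new OVAL test matches the literal 514, an `input(type="imtcp" port="1514")` listener is not caught, so the description and OCIL text should show a placeholder port and the test should match any port value.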
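Review bot: in the OCIL hunk, `find /etc -maxdepth 2 -regex '/etc/rsyslog\(\.conf\|\.d\/.*\.conf\)'` only displays `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf`, so a listener defined in a file pulled in through `$IncludeConfig` or `include()` from another path is never shown to the auditor; the questionnaire should tell the auditor to also inspect included files, and the automated check should be confirmed to cover the same file set so the manual and automated results do not diverge.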
f9eeb17 to 587a972
The OVAL was updated to also take into account possible configuration using RainerScript syntax.
Besides Style Guide alignment, the description was updated to include RainerScript syntax.
New test scenario scripts were included to test RainerScript syntax. Existing test scenario scripts were refactored and renamed.
The 4.2.1.7 requirement is now automated.
587a972 to 5b905ef
The codeclimate issue can be waived. Some variables are defined in that shared file used by different rules. The test scenario scripts in rules use those variables.
Hello @marcusburghardt, it looks good, thank you. Just one small thing - in the Bash remediation you restart the service, in the Ansible remediation you don't. Please align it.
The Ansible remediation was not restarting the rsyslog service after changing configuration files.
Fixed @vojtapolasek
Hello @marcusburghardt, thanks for the fix. However, there is still a small discrepancy between Bash and Ansible. The Bash remediation will restart the service unconditionally, but the Ansible remediation will restart it only if some changes were applied... could you please also align this?
I don't see this as necessary in Bash but I can make it better, of course. Just a minute.
Done
Code Climate has analyzed commit 8dc3884 and detected 1 issue on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 52.5% (0.0% change). View more on Code Climate.
Looks great now, thank you.
Description:
The rsyslog_nolisten rule was updated to also check RainerScript syntax in rsyslog configuration files. In addition:
Rationale:
Better CIS coverage for RHEL 8 and RHEL 9.
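The check and remediation this PR describes, as an added example that is not the project's own OVAL, Bash or Ansible content: a script that scans rsyslog configuration for network-listener directives in both the legacy (`$ModLoad` / `$...ServerRun`) and RainerScript (`module()` / `input()`) syntaxes, then comments them out and reports whether anything changed so a caller can restart rsyslog only when needed (the behaviour the thread asks the Bash remediation to match). It goes beyond the lines quoted on this page in two assumed ways: it also matches `imrelp` in RainerScript form, and it matches any port value rather than only 514. The configuration directory is a parameter, and the sample files it runs against are constructed here so nothing under `/etc` is touched.

```shell
#!/usr/bin/env bash
# Added example (not the ComplianceAsCode project's own check or remediation).
# Assumptions: the config directory is a parameter instead of /etc, imrelp is
# matched in RainerScript form, and any port value is matched, not only 514.
set -u

# Legacy directives: "$ModLoad imtcp|imudp|imrelp" and the three server-run
# directives, each followed by whitespace or end of line so that
# "$ModLoad imuxsock" is not matched. Commented-out lines never match because
# LISTEN_RE anchors on optional leading whitespace followed by the directive.
LEGACY_BODY='\$(ModLoad[[:space:]]+im(tcp|udp|relp)([[:space:]]|$)|(InputTCPServerRun|UDPServerRun|InputRELPServerRun)([[:space:]]|$))'
# RainerScript directives: module(load="imXXX") and input(type="imXXX" ...),
# with any other parameters (including any port="...") allowed in the parens.
RAINER_BODY='(module\([^)]*load="im(tcp|udp|relp)"|input\([^)]*type="im(tcp|udp|relp)")'
LISTEN_RE="^[[:space:]]*($LEGACY_BODY|$RAINER_BODY)"

# Print every listener directive as file:line:text over the same file set the
# rule's OCIL inspects (rsyslog.conf plus rsyslog.d/*.conf).
# Exit 0 if any were found (the rule fails), 1 if none (the rule passes).
rsyslog_listen_hits() {
    local confdir="$1" f found=1
    for f in "$confdir/rsyslog.conf" "$confdir"/rsyslog.d/*.conf; do
        [ -f "$f" ] || continue          # missing file or unexpanded glob
        if grep -nHE "$LISTEN_RE" "$f"; then found=0; fi
    done
    return $found
}

# Comment out listener directives, keeping their indentation. Exit 0 if some
# file was changed (a caller would restart rsyslog only in that case), 1 if
# nothing needed changing. Files without listeners are not rewritten at all.
rsyslog_disable_listeners() {
    local confdir="$1" f changed=1
    for f in "$confdir/rsyslog.conf" "$confdir"/rsyslog.d/*.conf; do
        [ -f "$f" ] || continue
        grep -qE "$LISTEN_RE" "$f" || continue
        sed -E "s/^([[:space:]]*)($LEGACY_BODY|$RAINER_BODY)/\1#\2/" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
        changed=0
    done
    return $changed
}

# Constructed sample configuration (not taken from any real host): one legacy
# file with a TCP listener, one RainerScript drop-in with a RELP listener on a
# non-default port, and one drop-in with no listener that must stay untouched.
make_sample_config() {
    local dir="$1"
    mkdir -p "$dir/rsyslog.d"
    cat > "$dir/rsyslog.conf" <<'EOF'
# constructed sample, legacy syntax: TCP listener on, UDP commented out
$ModLoad imuxsock
$ModLoad imtcp
$InputTCPServerRun 514
#$ModLoad imudp
#$UDPServerRun 514
*.info;mail.none    /var/log/messages
EOF
    cat > "$dir/rsyslog.d/10-remote.conf" <<'EOF'
# constructed sample, RainerScript syntax: RELP listener on a non-default port
module(load="omfile")
module(load="imrelp")
input(type="imrelp" port="2514")
EOF
    cat > "$dir/rsyslog.d/20-local.conf" <<'EOF'
# constructed sample with no network listener
module(load="imjournal" StateFile="imjournal.state")
EOF
}

# Demonstration against the constructed sample in a temporary directory.
SAMPLE=$(mktemp -d)
make_sample_config "$SAMPLE"
echo "== listener directives before remediation =="
rsyslog_listen_hits "$SAMPLE" || echo "(none)"
if rsyslog_disable_listeners "$SAMPLE"; then
    echo "configuration changed: a real remediation would restart rsyslog here"
else
    echo "nothing changed: no restart needed"
fi
echo "== listener directives after remediation =="
rsyslog_listen_hits "$SAMPLE" || echo "(none)"
rm -rf "$SAMPLE"
```

Run it as-is to see four hits (two legacy, two RainerScript) turn into none; point `rsyslog_listen_hits /etc` at a real host for an audit, and note that, like the rule's own OCIL, it does not follow `$IncludeConfig` or `include()` into other directories.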