Move daemon.* to /var/log/messages #12433
Conversation
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring'.
--- xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring
+++ xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring
@@ -11,7 +11,9 @@
/etc/rsyslog.d/*.conf file should contain a match for the following
selectors: auth.*, authpriv.*, and daemon.*. If
not, use the following as an example configuration:
-auth.*;authpriv.*;daemon.* /var/log/secure
+
+ auth.*;authpriv.* /var/log/secure
+ daemon.* /var/log/messages
[reference]:
CCI-000067
bash remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring
+++ xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring
@@ -2,25 +2,26 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
declare -A REMOTE_METHODS=( ['auth.*']='^[^#]*auth\.\*.*$' ['authpriv.*']='^[^#]*authpriv\.\*.*$' ['daemon.*']='^[^#]*daemon\.\*.*$' )
+declare -A LOCATIONS=( ['auth.*']='/var/log/secure' ['authpriv.*']='/var/log/secure' ['daemon.*']='/var/log/messages' )
if [[ ! -f /etc/rsyslog.conf ]]; then
# Something is not right, create the file
touch /etc/rsyslog.conf
fi
-APPEND_LINE=$(sed -rn '/^\S+\s+\/var\/log\/secure$/p' /etc/rsyslog.conf)
# Loop through the remote methods associative array
for K in "${!REMOTE_METHODS[@]}"
do
# Check to see if selector/value exists
if ! grep -rq "${REMOTE_METHODS[$K]}" /etc/rsyslog.*; then
+ APPEND_LINE=$(sed -rn "/^\S+\s+\${LOCATIONS[$K]}$/p" /etc/rsyslog.conf)
# Make sure we have a line to insert after, otherwise append to end
if [[ ! -z ${APPEND_LINE} ]]; then
# Add selector to file
sed -r -i "0,/^(\S+\s+\/var\/log\/secure$)/s//\1\n${K} \/var\/log\/secure/" /etc/rsyslog.conf
else
- echo "${K} /var/log/secure" >> /etc/rsyslog.conf
+ echo "${K} ${LOCATIONS[$K]}" >> /etc/rsyslog.conf
fi
fi
done
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring
+++ xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring
@@ -5,10 +5,13 @@
remote_methods:
- selector: auth.*
regexp: ^.*auth\.\*.*$
+ location: /var/log/secure
- selector: authpriv.*
regexp: ^.*authpriv\.\*.*$
+ location: /var/log/secure
- selector: daemon.*
regexp: ^.*daemon\.\*.*$
+ location: /var/log/messages
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83426-7
@@ -100,7 +103,7 @@
- name: 'Ensure remote access methods are monitored in Rsyslog: Configure'
lineinfile:
path: /etc/rsyslog.conf
- line: '{{ item.item.0.selector }} /var/log/secure'
+ line: '{{ item.item.0.selector }} {{ item.item.0.location }}'
insertafter: ^.*\/var\/log\/secure.*$
create: true
loop: '{{ remote_method_values.results }}' |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
Mab879
force-pushed
the
update_rsyslog_remote_access_monitoring
branch
from
177f81a
to
f986b7a
Compare
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
| @@ -0,0 +1,29 @@ | |||
| #!/bin/bash | |||
There was a problem hiding this comment.
typo in the test scenario file name
| for K in ${!REMOTE_METHODS[@]} | ||
| do | ||
| if grep -q "${REMOTE_METHODS[$K]}" ${rsyslog_d_file}; then | ||
| sed -i "/${REMOTE_METHODS[$K]}/d" ${rsyslog_d_file} |
There was a problem hiding this comment.
The curly braces aren't needed if the variable isn't an array.
| touch /etc/rsyslog.conf | ||
| fi | ||
|
|
||
| echo "auth.*,authpriv.* /var/log/secure" >> $RSYSLOG_CONF |
There was a problem hiding this comment.
Should there be a comma or a semicolon between the asterisk and a? The rule description has a semicolon and here you have a comma.
|
Code Climate has analyzed commit 17ba62c and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.5% (0.0% change). View more on Code Climate. |
|
/packit build |
Description:
Move daemon.* to /var/log/messages
Rationale:
Based on feedback from maintainers.