|
|
9be3b2 |
From fbaa0ae639fbb001e4c9e92d9e35f9dd9309d605 Mon Sep 17 00:00:00 2001
|
|
|
9be3b2 |
From: Matthew Burket <mburket@redhat.com>
|
|
|
9be3b2 |
Date: Mon, 9 Aug 2021 10:56:36 -0500
|
|
|
9be3b2 |
Subject: [PATCH 1/2] Allow set_config_file bash macro and lineinfile to set a
|
|
|
9be3b2 |
custom sed path separator
|
|
|
9be3b2 |
|
|
|
9be3b2 |
So that the sed path separator can be changed when the text contains '/'.
|
|
|
9be3b2 |
---
|
|
|
9be3b2 |
.../developer/06_contributing_with_content.md | 3 +++
|
|
|
9be3b2 |
shared/macros-bash.jinja | 23 ++++++++++---------
|
|
|
9be3b2 |
shared/templates/lineinfile/bash.template | 6 ++++-
|
|
|
9be3b2 |
3 files changed, 20 insertions(+), 12 deletions(-)
|
|
|
9be3b2 |
|
|
|
9be3b2 |
diff --git a/docs/manual/developer/06_contributing_with_content.md b/docs/manual/developer/06_contributing_with_content.md
|
|
|
9be3b2 |
index 245db1550de..c0d62bef5ca 100644
|
|
|
9be3b2 |
--- a/docs/manual/developer/06_contributing_with_content.md
|
|
|
9be3b2 |
+++ b/docs/manual/developer/06_contributing_with_content.md
|
|
|
9be3b2 |
@@ -1572,6 +1572,9 @@ the following to `rule.yml`:
|
|
|
9be3b2 |
- **oval_extend_definitions** - optional, list of additional OVAL
|
|
|
9be3b2 |
definitions that have to pass along the generated check.
|
|
|
9be3b2 |
|
|
|
9be3b2 |
+ **sed_path_separator** - optional, default is `/`, sets the sed path separator. Set this
|
|
|
9be3b2 |
+ to a character like `#` if `/` is in use in your text.
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
- Languages: Ansible, Bash, OVAL
|
|
|
9be3b2 |
|
|
|
9be3b2 |
|
|
|
9be3b2 |
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
|
|
|
9be3b2 |
index d654a0e0e89..7af8038a783 100644
|
|
|
9be3b2 |
--- a/shared/macros-bash.jinja
|
|
|
9be3b2 |
+++ b/shared/macros-bash.jinja
|
|
|
9be3b2 |
@@ -444,11 +444,12 @@ printf '%s\n' "{{{ message | replace('"', '\\"') }}}" >&2
|
|
|
9be3b2 |
# separator_regex: regular expression that describes the separator and surrounding whitespace
|
|
|
9be3b2 |
# prefix_regex: regular expression describing allowed leading characters at each line
|
|
|
9be3b2 |
#}}
|
|
|
9be3b2 |
-{{%- macro set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*") -%}}
|
|
|
9be3b2 |
- {{%- set line_regex = prefix_regex + ((parameter | escape_regex) | replace("/", "\/")) + separator_regex -%}}
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+{{%- macro set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s\+", prefix_regex="^\s*", sed_path_separator="/") -%}}
|
|
|
9be3b2 |
{{%- set new_line = parameter+separator+value -%}}
|
|
|
9be3b2 |
+ {{%- set line_regex = prefix_regex + ((parameter | escape_regex) | replace("/", "\/")) + separator_regex -%}}
|
|
|
9be3b2 |
if [ -e "{{{ path }}}" ] ; then
|
|
|
9be3b2 |
- {{{ lineinfile_absent(path, line_regex, insensitive) | indent(4) }}}
|
|
|
9be3b2 |
+ {{{ lineinfile_absent(path, line_regex, insensitive, sed_path_separator=sed_path_separator) | indent(4) }}}
|
|
|
9be3b2 |
else
|
|
|
9be3b2 |
{{%- if create %}}
|
|
|
9be3b2 |
touch "{{{ path }}}"
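Review bot: The macro header comment that closes with `#}}` at the top of this hunk documents `separator_regex` and `prefix_regex`, but the new `sed_path_separator` parameter in the `set_config_file` signature is not described there. Propose adding, above `#}}`, `# sed_path_separator: delimiter character used in the generated sed commands (default "/"); pick one that does not occur in the parameter regex`. The `line_regex` line still escapes only `/` via `replace("/", "\/")`, which is specific to the default delimiter: with another delimiter a `/` in the parameter needs no escaping, while an occurrence of the chosen delimiter is not escaped and will hit the `raise` in `lineinfile_absent`. The macro body continues past this hunk.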
|
|
|
9be3b2 |
@@ -456,19 +457,19 @@ else
|
|
|
9be3b2 |
{{{ die("Path '" + path + "' wasn't found on this system. Refusing to continue.", action="return") | indent(4) }}}
|
|
|
9be3b2 |
{{%- endif %}}
|
|
|
9be3b2 |
fi
|
|
|
9be3b2 |
-{{{ lineinfile_present(path, new_line, insert_after, insert_before, insensitive) }}}
|
|
|
9be3b2 |
+{{{ lineinfile_present(path, new_line, insert_after, insert_before, insensitive, sed_path_separator=sed_path_separator) }}}
|
|
|
9be3b2 |
{{%- endmacro -%}}
|
|
|
9be3b2 |
|
|
|
9be3b2 |
-{{%- macro lineinfile_absent(path, regex, insensitive=true) -%}}
|
|
|
9be3b2 |
+{{%- macro lineinfile_absent(path, regex, insensitive=true, sed_path_separator="/") -%}}
|
|
|
9be3b2 |
{{%- if insensitive -%}}
|
|
|
9be3b2 |
{{%- set modifier="Id" -%}}
|
|
|
9be3b2 |
{{%- else -%}}
|
|
|
9be3b2 |
{{%- set modifier="d" -%}}
|
|
|
9be3b2 |
{{%- endif -%}}
|
|
|
9be3b2 |
- {{% if '/' in regex %}}
|
|
|
9be3b2 |
- {{{ raise("regex (" + regex + ") uses sed path separator (/) in " + rule_id) }}}
|
|
|
9be3b2 |
+ {{% if sed_path_separator in regex %}}
|
|
|
9be3b2 |
+ {{{ raise("regex (" + regex + ") uses sed path separator (" + sed_path_separator + ") in " + rule_id) }}}
|
|
|
9be3b2 |
{{% endif %}}
|
|
|
9be3b2 |
-LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ path }}}"
|
|
|
9be3b2 |
+LC_ALL=C sed -i "{{{ sed_path_separator }}}{{{ regex }}}{{{ sed_path_separator }}}{{{ modifier }}}" "{{{ path }}}"
|
|
|
9be3b2 |
{{%- endmacro -%}}
|
|
|
9be3b2 |
|
|
|
9be3b2 |
{{%- macro lineinfile_absent_in_directory(dirname, regex, insensitive=true) -%}}
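Review bot: The rewritten `sed -i` address in `lineinfile_absent` is only valid sed syntax when the delimiter is `/`; an address using any other delimiter must be written as `\cREGEXc`, so with `sed_path_separator="#"` the generated script `#regex#Id` is read by sed as a comment and deletes nothing. Prefixing the address with a backslash is valid for the default too: `LC_ALL=C sed -i "\{{{ sed_path_separator }}}{{{ regex }}}{{{ sed_path_separator }}}{{{ modifier }}}" "{{{ path }}}"`. The delimiter is also interpolated unescaped into a double-quoted bash string, so a value containing `"`, `$`, a backtick or a backslash would corrupt the command; a build-time guard such as `{{% if sed_path_separator | length != 1 %}}` followed by a `raise(...)` keeps that failure out of remediation runs. The `lineinfile_present` call at the end of `set_config_file` only forwards the parameter, so the address fix is needed in this one place.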
|
|
|
9be3b2 |
@@ -480,7 +481,7 @@ LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ path }}}"
|
|
|
9be3b2 |
LC_ALL=C sed -i "/{{{ regex }}}/{{{ modifier }}}" "{{{ dirname }}}"/*
|
|
|
9be3b2 |
{{%- endmacro -%}}
|
|
|
9be3b2 |
|
|
|
9be3b2 |
-{{%- macro lineinfile_present(path, line, insert_after="", insert_before="", insensitive=true) -%}}
|
|
|
9be3b2 |
+{{%- macro lineinfile_present(path, line, insert_after="", insert_before="", insensitive=true, sed_path_separator="/") -%}}
|
|
|
9be3b2 |
{{%- if insensitive -%}}
|
|
|
9be3b2 |
{{%- set grep_args="-q -m 1 -i" -%}}
|
|
|
9be3b2 |
{{%- else -%}}
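Review bot: `lineinfile_absent_in_directory`, whose body at the top of this hunk still hard-codes `"/{{{ regex }}}/{{{ modifier }}}"`, is left without the `sed_path_separator` parameter that the sibling `lineinfile_absent` and `lineinfile_present` macros now accept, so a regex containing `/` still has no way through the directory variant. If that is intentional, a short comment on the macro saying so would help; otherwise the parameter should be threaded through the same way, with the address written as `\{{{ sed_path_separator }}}…{{{ sed_path_separator }}}{{{ modifier }}}` since a non-`/` sed address delimiter requires the leading backslash. The `lineinfile_present` macro that begins at the end of this hunk continues outside it.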
|
|
|
9be3b2 |
@@ -496,7 +497,7 @@ printf '%s\n' "{{{ line }}}" > "{{{ path }}}"
|
|
|
9be3b2 |
cat "{{{ path }}}.bak" >> "{{{ path }}}"
|
|
|
9be3b2 |
{{%- elif insert_after %}}
|
|
|
9be3b2 |
# Insert after the line matching the regex '{{{ insert_after }}}'
|
|
|
9be3b2 |
-line_number="$(LC_ALL=C grep -n "{{{ insert_after }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')"
|
|
|
9be3b2 |
+line_number="$(LC_ALL=C grep -n "{{{ insert_after }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's{{{sed_path_separator}}}:.*{{{sed_path_separator}}}{{{sed_path_separator}}}g')"
|
|
|
9be3b2 |
if [ -z "$line_number" ]; then
|
|
|
9be3b2 |
# There was no match of '{{{ insert_after }}}', insert at
|
|
|
9be3b2 |
# the end of the file.
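Review bot: Making the `s` command in the `line_number` assignment depend on `sed_path_separator` introduces a failure mode the original `'s/:.*//g'` did not have: its fixed pattern `:.*` contains `:`, `.` and `*`, none of which is covered by the `sed_path_separator in regex` guard in `lineinfile_absent`, so choosing one of those characters as delimiter silently breaks line-number extraction. Because that pattern can never contain `/`, the original `LC_ALL=C sed 's/:.*//g'` can simply be kept here. The same applies to the `insert_before` branch in the next hunk. The enclosing `lineinfile_present` macro starts and ends outside this hunk.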
|
|
|
9be3b2 |
@@ -508,7 +509,7 @@ else
|
|
|
9be3b2 |
fi
|
|
|
9be3b2 |
{{%- elif insert_before %}}
|
|
|
9be3b2 |
# Insert before the line matching the regex '{{{ insert_before }}}'.
|
|
|
9be3b2 |
-line_number="$(LC_ALL=C grep -n "{{{ insert_before }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's/:.*//g')"
|
|
|
9be3b2 |
+line_number="$(LC_ALL=C grep -n "{{{ insert_before }}}" "{{{ path }}}.bak" | LC_ALL=C sed 's{{{sed_path_separator}}}:.*{{{sed_path_separator}}}{{{sed_path_separator}}}g')"
|
|
|
9be3b2 |
if [ -z "$line_number" ]; then
|
|
|
9be3b2 |
# There was no match of '{{{ insert_before }}}', insert at
|
|
|
9be3b2 |
# the end of the file.
|
|
|
9be3b2 |
diff --git a/shared/templates/lineinfile/bash.template b/shared/templates/lineinfile/bash.template
|
|
|
9be3b2 |
index 0e43e88842a..6d1ca349268 100644
|
|
|
9be3b2 |
--- a/shared/templates/lineinfile/bash.template
|
|
|
9be3b2 |
+++ b/shared/templates/lineinfile/bash.template
|
|
|
9be3b2 |
@@ -4,4 +4,8 @@
|
|
|
9be3b2 |
# complexity = low
|
|
|
9be3b2 |
# disruption = low
|
|
|
9be3b2 |
|
|
|
9be3b2 |
-{{{ set_config_file(PATH, TEXT, value="", create='yes', insert_after="", insert_before="", separator="", separator_regex="", prefix_regex="^\s*") -}}}
|
|
|
9be3b2 |
+{{% if SED_PATH_SEPARATOR %}}
|
|
|
9be3b2 |
+ {{{ set_config_file(PATH, TEXT, value="", create='yes', insert_after="", insert_before="", separator="", separator_regex="", prefix_regex="^\s*", sed_path_separator=SED_PATH_SEPARATOR) -}}}
|
|
|
9be3b2 |
+{{% else %}}
|
|
|
9be3b2 |
+ {{{ set_config_file(PATH, TEXT, value="", create='yes', insert_after="", insert_before="", separator="", separator_regex="", prefix_regex="^\s*") -}}}
|
|
|
9be3b2 |
+{{% endif %}}
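Review bot: The `{{% if SED_PATH_SEPARATOR %}}` branch duplicates the entire `set_config_file` call just to add one keyword argument, so every future change to that argument list has to be made twice. A single call passing `sed_path_separator=(SED_PATH_SEPARATOR or "/")` expresses the same default, assuming the template variable is undefined or empty when a rule does not set it (the documentation hunk in this patch describes it as optional). Since the value ends up inside quoted sed scripts in the generated bash, rejecting anything that is not exactly one character with `raise(...)` at this point would surface a bad value at build time rather than during remediation.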
|
|
|
9be3b2 |
|
|
|
9be3b2 |
From 4b3182bd5d5308fed16f58da9656aa76a4275569 Mon Sep 17 00:00:00 2001
|
|
|
9be3b2 |
From: Matthew Burket <mburket@redhat.com>
|
|
|
9be3b2 |
Date: Mon, 9 Aug 2021 13:56:32 -0500
|
|
|
9be3b2 |
Subject: [PATCH 2/2] Add new rule for RHEL-08-030720
|
|
|
9be3b2 |
|
|
|
9be3b2 |
---
|
|
|
9be3b2 |
.../ansible/shared.yml | 9 ++++
|
|
|
9be3b2 |
.../bash/shared.sh | 11 +++++
|
|
|
9be3b2 |
.../oval/shared.xml | 43 +++++++++++++++++++
|
|
|
9be3b2 |
.../rule.yml | 40 +++++++++++++++++
|
|
|
9be3b2 |
.../tests/default_no_pass.fail.sh | 7 +++
|
|
|
9be3b2 |
.../tests/rsyslog.pass.sh | 4 ++
|
|
|
9be3b2 |
.../tests/rsyslog_wrong_value.fail.sh | 4 ++
|
|
|
9be3b2 |
.../tests/rsyslogd.pass.sh | 4 ++
|
|
|
9be3b2 |
.../tests/rsyslogd_wrong_value.fail.sh | 4 ++
|
|
|
9be3b2 |
.../tests/setup.sh | 9 ++++
|
|
|
9be3b2 |
products/rhel8/profiles/stig.profile | 1 +
|
|
|
9be3b2 |
shared/references/cce-redhat-avail.txt | 1 -
|
|
|
9be3b2 |
.../data/profile_stability/rhel8/stig.profile | 1 +
|
|
|
9be3b2 |
.../profile_stability/rhel8/stig_gui.profile | 1 +
|
|
|
9be3b2 |
14 files changed, 138 insertions(+), 1 deletion(-)
|
|
|
9be3b2 |
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml
|
|
|
9be3b2 |
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/bash/shared.sh
|
|
|
9be3b2 |
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/oval/shared.xml
|
|
|
9be3b2 |
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/rule.yml
|
|
|
9be3b2 |
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/default_no_pass.fail.sh
|
|
|
9be3b2 |
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog.pass.sh
|
|
|
9be3b2 |
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog_wrong_value.fail.sh
|
|
|
9be3b2 |
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd.pass.sh
|
|
|
9be3b2 |
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd_wrong_value.fail.sh
|
|
|
9be3b2 |
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/setup.sh
|
|
|
9be3b2 |
|
|
|
9be3b2 |
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml
|
|
|
9be3b2 |
new file mode 100644
|
|
|
9be3b2 |
index 00000000000..637f90003b2
|
|
|
9be3b2 |
--- /dev/null
|
|
|
9be3b2 |
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml
|
|
|
9be3b2 |
@@ -0,0 +1,9 @@
|
|
|
9be3b2 |
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel
|
|
|
9be3b2 |
+# reboot = false
|
|
|
9be3b2 |
+# strategy = configure
|
|
|
9be3b2 |
+# complexity = low
|
|
|
9be3b2 |
+# disruption = low
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+{{{ ansible_set_config_file_dir(msg, "/etc/rsyslog.conf", "/etc/rsyslog.d", "/etc/rsyslog.conf",
|
|
|
9be3b2 |
+ "$ActionSendStreamDriverAuthMode", separator=' ', separator_regex='\s',
|
|
|
9be3b2 |
+ value="x509/name", create='yes') }}}
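Review bot: The Ansible and bash remediations of this rule appear to target different files: this call names `/etc/rsyslog.conf` as the file the directive is written to when absent, while `bash/shared.sh` in the next file deletes the directive everywhere and writes it to `/etc/rsyslog.d/stream_driver_auth.conf`. Both satisfy the OVAL, which accepts either location, but a host remediated with both tools can end up declaring the directive in two places; agreeing on one target file avoids that. The `separator_regex='\s'` here matches exactly one whitespace character, which is consistent with the single space the OVAL pattern requires.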
|
|
|
9be3b2 |
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/bash/shared.sh
|
|
|
9be3b2 |
new file mode 100644
|
|
|
9be3b2 |
index 00000000000..71d312f332f
|
|
|
9be3b2 |
--- /dev/null
|
|
|
9be3b2 |
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/bash/shared.sh
|
|
|
9be3b2 |
@@ -0,0 +1,11 @@
|
|
|
9be3b2 |
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel
|
|
|
9be3b2 |
+# reboot = false
|
|
|
9be3b2 |
+# strategy = configure
|
|
|
9be3b2 |
+# complexity = low
|
|
|
9be3b2 |
+# disruption = low
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+if ! grep -s "\$ActionSendStreamDriverAuthMode\s*x509/name" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
|
|
|
9be3b2 |
+ mkdir -p /etc/rsyslog.d
|
|
|
9be3b2 |
+ sed -i '/^.*\$ActionSendStreamDriverAuthMode.*/d' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
|
|
|
9be3b2 |
+ echo "\$ActionSendStreamDriverAuthMode x509/name" > /etc/rsyslog.d/stream_driver_auth.conf
|
|
|
9be3b2 |
+fi
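Review bot: The `grep -s` test on the `if` line is unanchored and accepts zero whitespace (`\s*`), so a commented-out `#$ActionSendStreamDriverAuthMode x509/name` or a line without the space makes the remediation skip while the OVAL pattern `^\$ActionSendStreamDriverAuthMode x509/name$` still fails; aligning it with the check, `if ! grep -qs '^\$ActionSendStreamDriverAuthMode x509/name$' /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then`, closes that gap. When `/etc/rsyslog.d` holds no `*.conf` file the unexpanded glob is passed to `sed -i` as a literal path, which makes sed report an error and, if the remediation runs under `set -e`, would abort before the `echo`; `shopt -s nullglob` or a loop over existing files before the `sed` avoids that. Using the `set_config_file` macro that the first patch extends for exactly this `/`-containing value, instead of hand-written grep/sed, would also keep this remediation consistent with the project's other rules.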
|
|
|
9be3b2 |
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/oval/shared.xml
|
|
|
9be3b2 |
new file mode 100644
|
|
|
9be3b2 |
index 00000000000..8e1ec48a974
|
|
|
9be3b2 |
--- /dev/null
|
|
|
9be3b2 |
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/oval/shared.xml
|
|
|
9be3b2 |
@@ -0,0 +1,43 @@
|
|
|
9be3b2 |
+<def-group>
|
|
|
9be3b2 |
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
9be3b2 |
+ {{{ oval_metadata("Rsyslogd must authenticate remote system its sending logs to.") }}}
|
|
|
9be3b2 |
+ <criteria operator="AND">
|
|
|
9be3b2 |
+ <criteria operator="OR">
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+ test_ref="test_{{{rule_id}}}_action_send_stream_driver_auth_mode" />
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+ test_ref="test_{{{rule_id}}}_action_send_stream_driver_auth_mode_dir" />
|
|
|
9be3b2 |
+ </criteria>
|
|
|
9be3b2 |
+ </criteria>
|
|
|
9be3b2 |
+ </definition>
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+ comment="Check if $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.conf"
|
|
|
9be3b2 |
+ id="test_{{{rule_id}}}_action_send_stream_driver_auth_mode" version="1">
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+ <ind:object object_ref="obj_{{{rule_id}}}_action_send_stream_driver_auth_mode" />
|
|
|
9be3b2 |
+ </ind:textfilecontent54_test>
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+ comment="Check if $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.conf"
|
|
|
9be3b2 |
+ version="1">
|
|
|
9be3b2 |
+ <ind:filepath>/etc/rsyslog.conf</ind:filepath>
|
|
|
9be3b2 |
+ <ind:pattern operation="pattern match">^\$ActionSendStreamDriverAuthMode x509/name$</ind:pattern>
|
|
|
9be3b2 |
+ <ind:instance datatype="int">1</ind:instance>
|
|
|
9be3b2 |
+ </ind:textfilecontent54_object>
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+ comment="Check if $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.conf"
|
|
|
9be3b2 |
+ id="test_{{{rule_id}}}_action_send_stream_driver_auth_mode_dir" version="1">
|
|
|
9be3b2 |
+ <ind:object object_ref="obj_{{{rule_id}}}_action_send_stream_driver_auth_mode_dir" />
|
|
|
9be3b2 |
+ </ind:textfilecontent54_test>
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+ comment="Check if $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.d"
|
|
|
9be3b2 |
+ version="1">
|
|
|
9be3b2 |
+ <ind:path>/etc/rsyslog.d</ind:path>
|
|
|
9be3b2 |
+ <ind:filename operation="pattern match">^.*conf$</ind:filename>
|
|
|
9be3b2 |
+ <ind:pattern operation="pattern match">^\$ActionSendStreamDriverAuthMode x509/name$</ind:pattern>
|
|
|
9be3b2 |
+ <ind:instance datatype="int">1</ind:instance>
|
|
|
9be3b2 |
+ </ind:textfilecontent54_object>
|
|
|
9be3b2 |
+</def-group>
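Review bot: The `comment` attribute on the `_dir` test (`Check if $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.conf`) is a copy of the first test's comment; that test reads `/etc/rsyslog.d` and its comment should say so, as the matching object's comment already does. The `oval_metadata` text `Rsyslogd must authenticate remote system its sending logs to.` should read `Rsyslogd must authenticate the remote system it is sending logs to.`. Both patterns require exactly one space and nothing after `x509/name`, whereas the bash remediation's grep tolerates `\s*`; a legacy directive written with a tab or trailing whitespace would fail here, so either the pattern should allow `\s+` and `\s*$` or the remediation should be as strict as the check. A configuration expressed in rsyslog's newer `action(...)` syntax is not matched by either test, which is worth stating in the rule description. Several element start tags appear to have been lost in the rendering of this page, so the criterion and test elements could not be reviewed in full.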
|
|
|
9be3b2 |
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/rule.yml
|
|
|
9be3b2 |
new file mode 100644
|
|
|
9be3b2 |
index 00000000000..beaf8ce96da
|
|
|
9be3b2 |
--- /dev/null
|
|
|
9be3b2 |
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/rule.yml
|
|
|
9be3b2 |
@@ -0,0 +1,40 @@
|
|
|
9be3b2 |
+documentation_complete: true
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+title: Ensure Rsyslog Authenticates Off-Loaded Audit Records
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+description: |-
|
|
|
9be3b2 |
+ Rsyslogd is a system utility providing support for message logging. Support
|
|
|
9be3b2 |
+ for both internet and UNIX domain sockets enables this utility to support both local
|
|
|
9be3b2 |
+ and remote logging. Couple this utility with <tt>gnutls</tt> (which is a secure communications
|
|
|
9be3b2 |
+ library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
|
|
|
9be3b2 |
+ encrypt and off-load auditing.
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+ When using <tt>rsyslogd</tt> to off-load logs the remote system must be authenticated.
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+rationale: |-
|
|
|
9be3b2 |
+ The audit records generated by Rsyslog contain valuable information regarding system
|
|
|
9be3b2 |
+ configuration, user authentication, and other such information. Audit records should be
|
|
|
9be3b2 |
+ protected from unauthorized access.
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+severity: medium
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+identifiers:
|
|
|
9be3b2 |
+ cce@rhel8: CCE-86339-9
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+references:
|
|
|
9be3b2 |
+ disa: CCI-001851
|
|
|
9be3b2 |
+ nist: AU-4(1)
|
|
|
9be3b2 |
+ srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
|
|
|
9be3b2 |
+ stigid@rhel8: RHEL-08-030720
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+ocil_clause: '$ActionSendStreamDriverAuthMode in /etc/rsyslog.conf is not set to x509/name'
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+ocil: |-
|
|
|
9be3b2 |
+ Verify the operating system authenticates the remote logging server for off-loading audit logs with the following command:
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+ $ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
|
|
|
9be3b2 |
+ The output should be
|
|
|
9be3b2 |
+ $/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+
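Review bot: The expected output line in `ocil`, `$/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name`, carries a stray leading `$` that is neither a prompt nor part of grep's output; it should read `/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name`. The `ocil_clause` names only `/etc/rsyslog.conf`, while the OVAL and the `ocil` grep also accept `/etc/rsyslog.d/*.conf`; `'$ActionSendStreamDriverAuthMode is not set to x509/name in /etc/rsyslog.conf or /etc/rsyslog.d/*.conf'` would match the check. The `grep -i` in the manual procedure is case-insensitive whereas the OVAL pattern is not, so a reviewer following the OCIL may accept a line the scanner rejects.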
|
|
|
9be3b2 |
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/default_no_pass.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/default_no_pass.fail.sh
|
|
|
9be3b2 |
new file mode 100644
|
|
|
9be3b2 |
index 00000000000..54d70f6b85f
|
|
|
9be3b2 |
--- /dev/null
|
|
|
9be3b2 |
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/default_no_pass.fail.sh
|
|
|
9be3b2 |
@@ -0,0 +1,7 @@
|
|
|
9be3b2 |
+#!/bin/bash
|
|
|
9be3b2 |
+bash -x setup.sh
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+if [[ -f encrypt.conf ]]; then
|
|
|
9be3b2 |
+ sed -i "/^\$ActionSendStreamDriverMod.*/d" /etc/rsyslog.conf
|
|
|
9be3b2 |
+fi
|
|
|
9be3b2 |
+ sed -i "/^\$ActionSendStreamDriverMod.*/d" /etc/rsyslog.conf
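Review bot: The teardown deletes `^\$ActionSendStreamDriverMod.*`, which is the directive of the neighbouring `…drivermode` rule rather than the `$ActionSendStreamDriverAuthMode` directive this rule checks, so a pre-existing compliant line survives and the scenario may not fail as its name promises. The `[[ -f encrypt.conf ]]` test uses a relative path while the sibling tests write `/etc/rsyslog.d/encrypt.conf`, and the final `sed` runs unconditionally anyway, so the `if` adds nothing. Replacing everything after `bash -x setup.sh` with `rm -f /etc/rsyslog.d/encrypt.conf` and `sed -i '/^\$ActionSendStreamDriverAuthMode/d' /etc/rsyslog.conf` gives the default-configuration scenario the name describes.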
|
|
|
9be3b2 |
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog.pass.sh
|
|
|
9be3b2 |
new file mode 100644
|
|
|
9be3b2 |
index 00000000000..fe3db6f9c41
|
|
|
9be3b2 |
--- /dev/null
|
|
|
9be3b2 |
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog.pass.sh
|
|
|
9be3b2 |
@@ -0,0 +1,4 @@
|
|
|
9be3b2 |
+#!/bin/bash
|
|
|
9be3b2 |
+bash -x setup.sh
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+echo "\$ActionSendStreamDriverAuthMode x509/name" >> /etc/rsyslog.conf
|
|
|
9be3b2 |
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog_wrong_value.fail.sh
|
|
|
9be3b2 |
new file mode 100644
|
|
|
9be3b2 |
index 00000000000..bad06fba0e9
|
|
|
9be3b2 |
--- /dev/null
|
|
|
9be3b2 |
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog_wrong_value.fail.sh
|
|
|
9be3b2 |
@@ -0,0 +1,4 @@
|
|
|
9be3b2 |
+#!/bin/bash
|
|
|
9be3b2 |
+bash -x setup.sh
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+echo "\$ActionSendStreamDriverAuthMode 0" >> /etc/rsyslog.conf
|
|
|
9be3b2 |
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd.pass.sh
|
|
|
9be3b2 |
new file mode 100644
|
|
|
9be3b2 |
index 00000000000..ab511daecc7
|
|
|
9be3b2 |
--- /dev/null
|
|
|
9be3b2 |
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd.pass.sh
|
|
|
9be3b2 |
@@ -0,0 +1,4 @@
|
|
|
9be3b2 |
+#!/bin/bash
|
|
|
9be3b2 |
+bash -x setup.sh
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+echo "\$ActionSendStreamDriverAuthMode x509/name" >> /etc/rsyslog.d/encrypt.conf
|
|
|
9be3b2 |
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd_wrong_value.fail.sh
|
|
|
9be3b2 |
new file mode 100644
|
|
|
9be3b2 |
index 00000000000..02bf64747a7
|
|
|
9be3b2 |
--- /dev/null
|
|
|
9be3b2 |
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd_wrong_value.fail.sh
|
|
|
9be3b2 |
@@ -0,0 +1,4 @@
|
|
|
9be3b2 |
+#!/bin/bash
|
|
|
9be3b2 |
+bash -x setup.sh
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+echo "\$ActionSendStreamDriverAuthMode x509/certvalid" >> /etc/rsyslog.d/encrypt.conf
|
|
|
9be3b2 |
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/setup.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/setup.sh
|
|
|
9be3b2 |
new file mode 100644
|
|
|
9be3b2 |
index 00000000000..9686f16bcc9
|
|
|
9be3b2 |
--- /dev/null
|
|
|
9be3b2 |
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/setup.sh
|
|
|
9be3b2 |
@@ -0,0 +1,9 @@
|
|
|
9be3b2 |
+#!/bin/bash
|
|
|
9be3b2 |
+# Use this script to ensure the rsyslog directory structure and rsyslog conf file
|
|
|
9be3b2 |
+# exist in the test env.
|
|
|
9be3b2 |
+config_file=/etc/rsyslog.conf
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+# Ensure directory structure exists (useful for container based testing)
|
|
|
9be3b2 |
+test -f $config_file || touch $config_file
|
|
|
9be3b2 |
+
|
|
|
9be3b2 |
+test -d /etc/rsyslog.d/ || mkdir /etc/rsyslog.d/
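Review bot: `setup.sh` creates the config file and directory but does not remove any `$ActionSendStreamDriverAuthMode` line a base image may already carry, so the `*_wrong_value.fail.sh` scenarios, which only append a wrong value, can report pass instead of the expected fail because the OVAL accepts the directive in either `/etc/rsyslog.conf` or `/etc/rsyslog.d/*.conf`. Deleting the directive from both locations at the end of setup, e.g. `sed -i '/^\$ActionSendStreamDriverAuthMode/d' "$config_file"` and `rm -f /etc/rsyslog.d/encrypt.conf`, starts every scenario from a known state. The comment `Ensure directory structure exists` sits above the line that creates the config file rather than the directory and would read better as `Ensure the config file and drop-in directory exist`.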
|
|
|
9be3b2 |
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
|
|
9be3b2 |
index ec0a3b17537..382247057cd 100644
|
|
|
9be3b2 |
--- a/products/rhel8/profiles/stig.profile
|
|
|
9be3b2 |
+++ b/products/rhel8/profiles/stig.profile
|
|
|
9be3b2 |
@@ -854,6 +854,7 @@ selections:
|
|
|
9be3b2 |
- rsyslog_encrypt_offload_actionsendstreamdrivermode
|
|
|
9be3b2 |
|
|
|
9be3b2 |
# RHEL-08-030720
|
|
|
9be3b2 |
+ - rsyslog_encrypt_offload_actionsendstreamdriverauthmode
|
|
|
9be3b2 |
|
|
|
9be3b2 |
# RHEL-08-030730
|
|
|
9be3b2 |
# this rule expects configuration in MB instead percentage as how STIG demands
|
|
|
9be3b2 |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
9be3b2 |
index 61384c108a0..03211442aba 100644
|
|
|
9be3b2 |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
9be3b2 |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
9be3b2 |
@@ -460,7 +460,6 @@ CCE-86335-7
|
|
|
9be3b2 |
CCE-86336-5
|
|
|
9be3b2 |
CCE-86337-3
|
|
|
9be3b2 |
CCE-86338-1
|
|
|
9be3b2 |
-CCE-86339-9
|
|
|
9be3b2 |
CCE-86340-7
|
|
|
9be3b2 |
CCE-86341-5
|
|
|
9be3b2 |
CCE-86342-3
|
|
|
9be3b2 |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
9be3b2 |
index bffa509b698..481e7b28228 100644
|
|
|
9be3b2 |
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
|
9be3b2 |
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
9be3b2 |
@@ -238,6 +238,7 @@ selections:
|
|
|
9be3b2 |
- require_singleuser_auth
|
|
|
9be3b2 |
- root_permissions_syslibrary_files
|
|
|
9be3b2 |
- rsyslog_cron_logging
|
|
|
9be3b2 |
+- rsyslog_encrypt_offload_actionsendstreamdriverauthmode
|
|
|
9be3b2 |
- rsyslog_encrypt_offload_actionsendstreamdrivermode
|
|
|
9be3b2 |
- rsyslog_encrypt_offload_defaultnetstreamdriver
|
|
|
9be3b2 |
- rsyslog_remote_access_monitoring
|
|
|
9be3b2 |
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
9be3b2 |
index c84ac75c7bf..7fb3d892a30 100644
|
|
|
9be3b2 |
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
9be3b2 |
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
9be3b2 |
@@ -249,6 +249,7 @@ selections:
|
|
|
9be3b2 |
- require_singleuser_auth
|
|
|
9be3b2 |
- root_permissions_syslibrary_files
|
|
|
9be3b2 |
- rsyslog_cron_logging
|
|
|
9be3b2 |
+- rsyslog_encrypt_offload_actionsendstreamdriverauthmode
|
|
|
9be3b2 |
- rsyslog_encrypt_offload_actionsendstreamdrivermode
|
|
|
9be3b2 |
- rsyslog_encrypt_offload_defaultnetstreamdriver
|
|
|
9be3b2 |
- rsyslog_remote_access_monitoring
|