Add implementation for rsyslog_logging_configured rule #10063
Conversation
|
Hi @teacup-on-rockingchair. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Start a new ephemeral environment with changes proposed in this pull request: sle12 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
There was a problem hiding this comment.
While reviewing this PR, I was considering its robustness. The specific requirement in CIS is manual. Not only for SUSE, but for other distros as well. And the reason is probably the same. I can't see a reliable way to automate the check and the remediation for this. Since there is nothing specific about the expected rsyslog entries, it is difficult to find the correct assessment. For the same reason, there is no reliable way to remediate this requirement. In general, CIS requirements marked as manual are not expected to have an automated rule. I would consider to not even include a rule for this. What do you think @teacup-on-rockingchair ?
...ide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml
Show resolved
Hide resolved
...tem/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/oval/shared.xml
Outdated
Show resolved
Hide resolved
| # complexity = low | ||
| # disruption = low | ||
|
|
||
| {{{ bash_replace_or_append('/etc/rsyslog.conf', '^\*\.\*', "/var/log/messages", '%s %s') }}} |
There was a problem hiding this comment.
I don't think this is a good approach. This could create log duplication and probably could hit performance issues.
marcusburghardt
added
SLES
.../logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/ansible/shared.yml
Outdated
Show resolved
Hide resolved
| lineinfile: | ||
| dest: /etc/rsyslog.conf | ||
| regexp: "^\\*\\.\\*" | ||
| line: "*.* /var/log/messages" |
There was a problem hiding this comment.
Like in the Bash equivalent, I don't think this is a good approach. This could create log duplication and probably could hit performance issues. Is this rule necessary?
I tend to agree that the rule is kind of tricky to automate. Maybe the best compromise between user experience and robustness would be to have the check, which is generic enough, and drop the remediations, since those seem to enforce only one type of configuration and sysadmins can achieve the target in millions of other valid ways. |
Yes, a check generic enough should be helpful. If there is any relevant corner case which could generate false results during the assessment, they should also be documented in the rule Since the CIS is not specific about the remediation, I agree to drop the remediation and leave the admins to decide about their preferred approaches in alignment to their site policies. |
openshift-ci
bot
added
the
do-not-merge/work-in-progress
Add oval checks for the rsyslog_logging_configured rule - based on CIS specification for 'Ensure logging is configured' - add warning on the nature and automation of the rule
teacup-on-rockingchair
force-pushed
the
add_rsyslog_logging_configured
branch
from
47c7543
to
694f798
Compare
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_logging_configured'.
--- xccdf_org.ssgproject.content_rule_rsyslog_logging_configured
+++ xccdf_org.ssgproject.content_rule_rsyslog_logging_configured
@@ -6,6 +6,13 @@
The /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files
specifies rules for logging and which files are to be used to log certain
classes of messages.
+
+[warning]:
+This rule does not come with remediation as there is no one way to solve the problem, and
+the requirement from CIS specification does not require one particular way, but persuades
+the system administrator to perform configuration suitable for the specific environment.
+This also means that the OVAL check is too generic, and the user most probably should
+perform additional manual verification.
[reference]:
4.2.1.4
New datastream is missing bash remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_logging_configured'.
New datastream is missing ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_logging_configured'. |
...ide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_logging_configured/rule.yml
Outdated
Show resolved
Hide resolved
…ation/rsyslog_logging_configured/rule.yml Co-authored-by: Marcus Burghardt <2074099+marcusburghardt@users.noreply.github.com>
|
Code Climate has analyzed commit ee4f4a5 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 51.7% (0.0% change). View more on Code Climate. |
Description:
Rationale: