Enable rsyslog_filecreatemode rule for RHEL #10328

Merged

marcusburghardt
Member

Description:

This rule covers the 4.2.1.4 CIS requirement for RHEL8 and RHEL9, and the 4.2.1.3 CIS requirement for RHEL7.
The prodtype and references parameters were updated and identifiers for RHEL were included.
The CIS control files were updated and finally an Ansible remediation was included.

Rationale:

In RHEL7 the remediation was reporting "invalid arithmetic operator".
This was fixed.
This rule covers the 4.2.1.4 CIS requirement for RHEL8 and RHEL9, and
the 4.2.1.3 CIS requirement for RHEL7. The prodtype and references
parameters were updated and identifiers for RHEL were included. The CIS
control files were updated.
Ansible remediation was included, aligned to the Bash remediation.
@marcusburghardt marcusburghardt added RHEL Red Hat Enterprise Linux product related. Ansible Ansible remediation update. CIS CIS Benchmark related. labels Mar 10, 2023
@marcusburghardt marcusburghardt added this to the 0.1.67 milestone Mar 10, 2023
@marcusburghardt marcusburghardt requested a review from a team as a code owner March 10, 2023 20:55
It is not necessary to restart the rsyslog for testing purposes since
the OVAL checks the configuration files content regardless of the
service state.
@marcusburghardt
Member Author

Automatus tests are failing because the service can't be restarted with systemctl in the test containers.

@codeclimate
codeclimate bot commented Mar 13, 2023

Code Climate has analyzed commit 31bd17e and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 51.7% (0.0% change).

@jan-cerny jan-cerny self-assigned this Mar 13, 2023
Collaborator

@jan-cerny jan-cerny left a comment

[jcerny@thinkpad scap-security-guide{pr/10328}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel8 rsyslog_filecreatemode
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-03-13-1457/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_rsyslog_filecreatemode
INFO - Script filecreatemode_0600.pass.sh using profile (all) OK
INFO - Script filecreatemode_0601.fail.sh using profile (all) OK
INFO - Script filecreatemode_0640.pass.sh using profile (all) OK
INFO - Script filecreatemode_0755.fail.sh using profile (all) OK
INFO - Script filecreatemode_duplicate.fail.sh using profile (all) OK
INFO - Script filecreatemode_missing.fail.sh using profile (all) OK
[jcerny@thinkpad scap-security-guide{pr/10328}]$ python3 tests/automatus.py rule --remediate-using ansible --libvirt qemu:///system ssgts_rhel8 rsyslog_filecreatemode
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-03-13-1503/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_rsyslog_filecreatemode
INFO - Script filecreatemode_0600.pass.sh using profile (all) OK
INFO - Script filecreatemode_0601.fail.sh using profile (all) OK
INFO - Script filecreatemode_0640.pass.sh using profile (all) OK
INFO - Script filecreatemode_0755.fail.sh using profile (all) OK
INFO - Script filecreatemode_duplicate.fail.sh using profile (all) OK
INFO - Script filecreatemode_missing.fail.sh using profile (all) OK

@jan-cerny jan-cerny merged commit 82ed673 into ComplianceAsCode:master Mar 13, 2023
@marcusburghardt marcusburghardt deleted the cis_rsyslog_filecreatemode branch March 13, 2023 14:10
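
The pass/fail pattern in the test runs above, reproduced as a stand-alone check. This is an added example, not code from this pull request or from ComplianceAsCode; the policy (exactly one active `$FileCreateMode`, granting no bit outside 0640) is an assumption inferred from the scenario names, and the function names and sample configs are constructed.

```shell
#!/bin/sh
# Added example (not ComplianceAsCode code). Assumed policy, inferred from the
# test scenario names in this thread: exactly one active $FileCreateMode
# directive, granting no permission bit outside 0640.

# Print every active (uncommented) $FileCreateMode value in the given files.
filecreatemode_values() {
    awk '$1 == "$FileCreateMode" { print $2 }' "$@" 2>/dev/null
}

# Return 0 when the mode string is octal and no more permissive than 0640.
mode_is_restrictive() {
    mode=$1
    case "$mode" in
        ''|*[!0-7]*) return 1 ;;    # empty or non-octal text
    esac
    [ "${#mode}" -le 4 ] || return 1
    # The leading zero makes POSIX arithmetic read the value as octal.
    [ $(( 0$mode & ~0640 )) -eq 0 ]
}

# Return 0 (compliant) or 1 (not compliant) for a set of rsyslog config files.
check_filecreatemode() {
    values=$(filecreatemode_values "$@")
    count=$(printf '%s\n' "$values" | grep -c . || true)
    [ "$count" -eq 1 ] || return 1  # directive missing or duplicated
    mode_is_restrictive "$values"
}

# Constructed sample configs named after the six scenarios in the test log.
run_scenarios() {
    dir=$(mktemp -d) || return 1
    for s in 0600 0601 0640 0755; do
        printf '$FileCreateMode %s\n' "$s" > "$dir/$s.conf"
    done
    printf '$FileCreateMode 0640\n$FileCreateMode 0600\n' > "$dir/duplicate.conf"
    printf '# $FileCreateMode 0640\n' > "$dir/missing.conf"
    for f in 0600 0601 0640 0755 duplicate missing; do
        if check_filecreatemode "$dir/$f.conf"; then r=pass; else r=fail; fi
        printf '%s:%s\n' "$f" "$r"
    done
    rm -rf "$dir"
}

run_scenarios
```

On a real host, pass the rsyslog configuration files to `check_filecreatemode`; like the OVAL check mentioned in the commit message, it reads file content only and does not depend on the service state.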
Successfully merging this pull request may close these issues.

RHEL 8 CIS 4.2.1.3 Ensure rsyslog default file permissions configured (Automated)