Fixed the remediation for rsyslog_files_permissions #4906
Conversation
|
@matejak Thanks for the fix, would you consider adding test scenarios? |
|
Oops, accidental branch removal |
- Stripped quotes and brackets from extracted paths. - Dropped apparent config files from extracted list of logfile paths. - Improved test scenarios.
matejak
force-pushed
the
rsyslog_perms
branch
from
c369b98
to
e5379fa
Compare
|
I have updated some test scenarios, but existing scenarios fail unexpectedly, and it is not trivial to fix them. So we can either merge the PR as-is, or wait a bit until the OVAL is fixed to be more robust. |
| @@ -9,10 +9,13 @@ source $SHARED/rsyslog_log_utils.sh | |||
| PERMS=0600 | |||
|
|
|||
| # setup test data | |||
| create_rsyslog_test_logs 1 | |||
| create_rsyslog_test_logs 4 | |||
There was a problem hiding this comment.
This scenario also fails for me on RHEL 8.
ERROR - Script perms_0600.pass.sh using profile xccdf_org.ssgproject.content_profile_pci-dss found issue:
ERROR - Rule evaluation resulted in fail, instead of expected pass during initial stage
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_permissions'.
The verbose log contains:
Variable 'oval:ssg-var_rfp_include_config_regex:var:1' has no values.
This should contain the matches of ^\$IncludeConfig[\s]+([^\s;]+) on /etc/rsyslog.conf. However, on RHEL8 this regex doesn't work because rsyslog in RHEL8 uses the modern syntax,
eg.
# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")
From this I guess RHEL8 is out of scope of this rule. However, I can see this rule in RHEL8 profile in rhel8/profiles/pci-dss.profile. Could you please check if this rule applies to RHEL8 or should apply to RHEL8 or shouldn't apply to RHEL8? Then we can decide on further steps.
There was a problem hiding this comment.
Aha, I see that this will be addressed by #4379
There was a problem hiding this comment.
Yes, that another PR is what I was referring to as waiting for more robust OVAL.
However, this PR fixes errors in remediation, so I propose to get it merged as-is.
| @@ -22,4 +25,12 @@ cat << EOF > $RSYSLOG_CONF | |||
|
|
|||
| *.* ${RSYSLOG_TEST_LOGS[0]} | |||
|
|
|||
| *.* ${RSYSLOG_TEST_LOGS[1]} | |||
There was a problem hiding this comment.
I think that there is a problem that the OVAL for this rule always returns false if /etc/rsyslog.conf doesn't contain any inlcusion. Please add \$IncludeConfig /etc/rsyslog.d/*.conf to both test scenarios.
There was a problem hiding this comment.
@matejak this is the problem
There was a problem hiding this comment.
I think that there is a problem that the OVAL for this rule always returns false if
/etc/rsyslog.confdoesn't contain any inlcusion.
This may be an actual finding in the OVAL check.
If rsyslog.conf or /etc/rsyslog.d/*.conf without includes are correct, the OVAL check should just pass.
@jvymazal Are includes for rsyslog *.conf file mandatory?
There was a problem hiding this comment.
After consulting with @jvymazal, rsystlog will run even if there is no include directive present. So the test case is valid, and it is our OVAL which is not able to cope with this configuration.
As an interesting fact, in a default installation, the directive is there, but it doesn't do anything, because the /etc/rsyslog.d/ directory is empty.
|
We have discussed this with @matejak . We think that the remediation fix is basically a display fix. Currently, by looking to the HTML report people might think that the remediation is defective. If the patch is applied, it will not make the rule passing. The report from We think that it isn't a release blocker, and it's not a regression from previous released version of RHEL8 content. |
|
On my F30 laptop it doesn't produce the weird messages s. a. |
The old remediation shows errors on a fresh RHEL8 install.