
Improve Rsyslog rules to support Rainer script syntax

Open jan-cerny opened this issue 1 year ago • 4 comments

Description:

Improve OVAL checks so that the rule will pass if the modern Rainer script syntax is used. Up until now these rules passed only when the legacy configuration is used.

This changes OVAL in the following rules:

  • rsyslog_cron_logging
  • rsyslog_encrypt_offload_actionsendstreamdriverauthmode
  • rsyslog_encrypt_offload_actionsendstreamdrivermode
  • rsyslog_encrypt_offload_defaultnetstreamdriver

For more details, please read commit messages of all commits.

Rationale:

Fixes: https://issues.redhat.com/browse/RHEL-1816

jan-cerny avatar May 20 '24 15:05 jan-cerny


This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_cron_logging'.
--- xccdf_org.ssgproject.content_rule_rsyslog_cron_logging
+++ xccdf_org.ssgproject.content_rule_rsyslog_cron_logging
@@ -7,7 +7,10 @@
 cron job status. If cron is not logging to rsyslog, it
 can be implemented by adding the following to the RULES section of
 /etc/rsyslog.conf:
+If the legacy syntax is used:
 cron.*                                                  /var/log/cron
+If the modern syntax (RainerScript) is used:
+cron.* action(type="omfile" file="/var/log/cron")
 
 [reference]:
 1
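Review bot: the three added lines at the top of this hunk run straight on from the sentence "can be implemented by adding the following to the RULES section of /etc/rsyslog.conf:", so the description renders as one run-on ("…/etc/rsyslog.conf: If the legacy syntax is used: cron.* /var/log/cron If the modern syntax (RainerScript) is used: …"); separate the two variants with blank lines, as the other three rule descriptions in this diff separate the legacy directive from "Alternatively, use the RainerScript syntax:". It would also help to say the line may live in a file under /etc/rsyslog.d, since the new criterion oval:ssg-test_cron_logging_rsyslog_dir_rainer:tst:1 accepts that location.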

OVAL for rule 'xccdf_org.ssgproject.content_rule_rsyslog_cron_logging' differs.
--- oval:ssg-rsyslog_cron_logging:def:1
+++ oval:ssg-rsyslog_cron_logging:def:1
@@ -1,3 +1,5 @@
 criteria OR
 criterion oval:ssg-test_cron_logging_rsyslog:tst:1
+criterion oval:ssg-test_cron_logging_rsyslog_rainer:tst:1
 criterion oval:ssg-test_cron_logging_rsyslog_dir:tst:1
+criterion oval:ssg-test_cron_logging_rsyslog_dir_rainer:tst:1

OCIL for rule 'xccdf_org.ssgproject.content_rule_rsyslog_cron_logging' differs.
--- ocil:ssg-rsyslog_cron_logging_ocil:questionnaire:1
+++ ocil:ssg-rsyslog_cron_logging_ocil:questionnaire:1
@@ -2,5 +2,7 @@
 run the following command:
 grep -rni "cron\.\*" /etc/rsyslog.*
 cron.*                                                  /var/log/cron
+or
+cron.* action(type="omfile" file="/var/log/cron")
       Is it the case that cron is not logging to rsyslog?
       
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode'.
--- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode
+++ xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode
@@ -10,6 +10,11 @@
 encrypt and off-load auditing.
 
 When using rsyslogd to off-load logs the remote system must be authenticated.
+
+Set the following configuration option in /etc/rsyslog.conf or in a file in /etc/rsyslog.d (using legacy syntax):
+$ActionSendStreamDriverAuthMode x509/name
+Alternatively, use the RainerScript syntax:
+action(type="omfwd" Target="some.example.com" StreamDriverAuthMode="x509/name")
 
 [reference]:
 CCI-001851
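Review bot: the blank line between "$ActionSendStreamDriverAuthMode x509/name" and "Alternatively, use the RainerScript syntax:" that the actionsendstreamdrivermode and defaultnetstreamdriver hunks include is missing here, so the directive and the sentence will run together; add it for consistent rendering. The value Target="some.example.com" is a placeholder the reader has to replace with their own log server, which the description should state explicitly.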

OVAL for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode' differs.
--- oval:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode:def:1
+++ oval:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode:def:1
@@ -1,4 +1,6 @@
 criteria AND
 criteria OR
 criterion oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode:tst:1
+criterion oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode_rainer:tst:1
 criterion oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode_dir:tst:1
+criterion oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode_dir_rainer:tst:1

New content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode'.
--- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode
+++ xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode
@@ -10,6 +10,12 @@
 encrypt and off-load auditing.
 
 When using rsyslogd to off-load logs off a encrpytion system must be used.
+
+Set the following configuration option in /etc/rsyslog.conf or in a file in /etc/rsyslog.d (using legacy syntax):
+$ActionSendStreamDriverMode 1
+
+Alternatively, use the RainerScript syntax:
+action(type="omfwd" ... StreamDriverMode="1")
 
 [reference]:
 CCI-001851
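Review bot: the unchanged context line "When using rsyslogd to off-load logs off a encrpytion system must be used." carries a typo ("encrpytion") and a wrong article; since this PR edits the description anyway, reword it to match the defaultnetstreamdriver rule. The RainerScript example action(type="omfwd" ... StreamDriverMode="1") uses a literal "..." that is not valid configuration if copied verbatim, whereas the authmode hunk spells out Target="some.example.com"; use the same explicit form here.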

OVAL for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode' differs.
--- oval:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode:def:1
+++ oval:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode:def:1
@@ -1,4 +1,6 @@
 criteria AND
 criteria OR
 criterion oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog:tst:1
+criterion oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog_rainer:tst:1
 criterion oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog_dir:tst:1
+criterion oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog_dir_rainer:tst:1

New content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver'.
--- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver
+++ xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver
@@ -10,6 +10,12 @@
 encrypt and off-load auditing.
 
 When using rsyslogd to off-load logs off an encryption system must be used.
+
+Set the following configuration option in /etc/rsyslog.conf or in a file in /etc/rsyslog.d (using legacy syntax):
+$DefaultNetstreamDriver gtls
+
+Alternatively, use the RainerScript syntax:
+global(DefaultNetstreamDriver="gtls")
 
 [reference]:
 CCI-001851
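Review bot: the context line "When using rsyslogd to off-load logs off an encryption system must be used." is hard to parse ("logs off an encryption"); a comma after "logs" ("When using rsyslogd to off-load logs, an encryption system must be used.") fixes it, and the same fix applies to the actionsendstreamdrivermode rule. The global(DefaultNetstreamDriver="gtls") form itself is the one-to-one counterpart of the legacy $DefaultNetstreamDriver gtls directive, so no change is needed there.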

OVAL for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver' differs.
--- oval:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver:def:1
+++ oval:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver:def:1
@@ -1,4 +1,6 @@
 criteria AND
 criteria OR
 criterion oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog:tst:1
+criterion oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog_rainer:tst:1
 criterion oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog_dir:tst:1
+criterion oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog_dir_rainer:tst:1

github-actions[bot] avatar May 20 '24 15:05 github-actions[bot]
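As an added example, not code from ComplianceAsCode/content: a line-based checker in Python that evaluates the four rules named in this PR against rsyslog configuration text, accepting for each rule either the legacy directive or the RainerScript form shown in the datastream diff above. It assumes the configuration is supplied as an in-memory dict of path to text (a constructed sample stands in for /etc/rsyslog.conf and /etc/rsyslog.d) and that each action() sits on a single line.

```python
"""Added example (not ComplianceAsCode/content code): evaluate the four rsyslog rules
from this PR against config text, accepting legacy or RainerScript syntax."""
import re

# Per rule: (legacy directive pattern, RainerScript pattern), applied to single stripped
# lines. Lookaheads make RainerScript parameter order irrelevant; matching is case-
# insensitive like the OCIL `grep -i`. Multi-line action() blocks are not handled here.
RULES = {
    "rsyslog_cron_logging": (
        r"^cron\.\*\s+-?/var/log/cron\b",
        r'^cron\.\*\s+action\((?=[^)]*type="omfile")[^)]*file="/var/log/cron"',
    ),
    "rsyslog_encrypt_offload_actionsendstreamdriverauthmode": (
        r"^\$ActionSendStreamDriverAuthMode\s+x509/name\b",
        r'^action\((?=[^)]*type="omfwd")[^)]*StreamDriverAuthMode="x509/name"',
    ),
    "rsyslog_encrypt_offload_actionsendstreamdrivermode": (
        r"^\$ActionSendStreamDriverMode\s+1\b",
        r'^action\((?=[^)]*type="omfwd")[^)]*StreamDriverMode="1"',
    ),
    "rsyslog_encrypt_offload_defaultnetstreamdriver": (
        r"^\$DefaultNetstreamDriver\s+gtls\b",
        r'^global\([^)]*DefaultNetstreamDriver="gtls"',
    ),
}

def active_lines(config_files):
    """Yield non-empty, non-comment lines from every file (dict of path -> text)."""
    for text in config_files.values():
        for line in text.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                yield line

def evaluate(config_files):
    """Return {rule: bool}; a rule passes when either syntax appears in any file,
    mirroring the OR between the legacy and _rainer OVAL criteria."""
    lines = list(active_lines(config_files))
    return {rule: any(re.search(p, ln, re.IGNORECASE) for p in pats for ln in lines)
            for rule, pats in RULES.items()}

# Constructed sample config: legacy directives in rsyslog.conf, RainerScript in a drop-in.
SAMPLE = {
    "/etc/rsyslog.conf": "# cron.* /var/log/cron  <- commented out, must not count\n"
                         "$DefaultNetstreamDriver gtls\n$ActionSendStreamDriverMode 1\n",
    "/etc/rsyslog.d/10-forward.conf":
        'cron.* action(type="omfile" file="/var/log/cron")\n'
        'action(type="omfwd" Target="logs.example.com" StreamDriverAuthMode="x509/name")\n',
}
```

evaluate(SAMPLE) reports all four rules as passing because each setting is present in one of the two syntaxes, while the commented-out legacy cron line is ignored.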

:robot: A k8s content image for this PR is available at: ghcr.io/complianceascode/k8scontent:12010 This image was built from commit: e5bfb406ce0cad611f4a5544d64950c5b09bc02c


If you already have Compliance Operator deployed: utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12010

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12010 make deploy-local

github-actions[bot] avatar May 20 '24 15:05 github-actions[bot]

@marcusburghardt

Besides the comments in specific files, the remediation for rule rsyslog_cron_logging is not working when the /etc/rsyslog.conf file is deleted, more specifically in the test scenario no_rsyslog_file.fail.sh. After the remediation, the rsyslog service can't be started. This issue was not introduced by this PR, but was revealed now. Could you take a look at it, please?

Isn't the test scenario no_rsyslog_file.fail.sh stupid? It completely deletes the configuration files. I don't know if we can expect that the remediation for the rule will restore the configuration file and configure all other options that aren't directly mentioned in the rule.

jan-cerny avatar May 27 '24 15:05 jan-cerny

rsyslog_cron_logging

Yes, I agree this test scenario is very weak. It is fine to remove the files in /etc/rsyslog.d, but it is not fine to remove the whole rsyslog.conf. The test scenario no_cron_logging.fail.sh seems enough to me.

Perhaps, just to keep a test without rsyslog.d files, we could just rename the no_rsyslog_file.fail.sh to no_rsyslog_d_files.fail.sh with a content similar to this:

#!/bin/bash

# remove every drop-in configuration file under /etc/rsyslog.d
rm -rf /etc/rsyslog.d
# drop any cron.* logging line from the main configuration file
sed -i '/^[[:space:]]*cron\.\*/d' /etc/rsyslog.conf

marcusburghardt avatar May 28 '24 06:05 marcusburghardt

/retest

jan-cerny avatar May 28 '24 08:05 jan-cerny

I have changed and renamed the test scenario no_rsyslog_file.fail.sh. I have changed occurrences to RainerScript.

jan-cerny avatar May 28 '24 08:05 jan-cerny

Code Climate has analyzed commit e5bfb406 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).


qlty-cloud-legacy[bot] avatar May 28 '24 11:05 qlty-cloud-legacy[bot]