
Rsyslog files permissions fix wildcard path

Open lonicerae opened this issue 2 years ago • 37 comments

  • A simple test case as follows:

/etc/rsyslog.conf

include(file="/etc/rsyslog.d/*/*.conf" mode="optional")
include(file="/etc/rsyslog.d/*.conf" mode="optional")

/etc/rsyslog.d/subdir/custom1.conf

local1.* /tmp/local1.out

/etc/rsyslog.d/custom2.conf

local2.* /tmp/local2.out

  • Rationale:

With the current code, the RSYSLOG_INCLUDE or RSYSLOG_INCLUDE_CONFIG will be read as a string '/etc/rsyslog.d/*.conf' in the for loop. This patch ensures the wildcard path is expanded to suitable files and then added to the array.

lonicerae avatar May 06 '22 18:05 lonicerae

Hi @lonicerae. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci[bot] avatar May 06 '22 18:05 openshift-ci[bot]

Hello. This PR contains the identical fix to the old one https://github.com/ComplianceAsCode/content/pull/8543. Test files have been added, please check. Thanks.

lonicerae avatar May 06 '22 18:05 lonicerae

/ok-to-test

lonicerae avatar May 06 '22 18:05 lonicerae

@lonicerae: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/ok-to-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci[bot] avatar May 06 '22 18:05 openshift-ci[bot]

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_permissions' differs:
--- old datastream
+++ new datastream
@@ -6,28 +6,39 @@
 RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
 # CMakeGraphVizOptions.cmake CMakeLists.txt CODEOWNERS CONTRIBUTING.md Contributors.md Contributors.xml DISCLAIMER Dockerfiles LICENSE README.md apple_os applications build build-scripts build_config.yml.in build_product cmake controls ctf diff.log docs linux_os ocp-resources output.json packit.fmf products scap-security-guide.spec shared ssg ssg-rhel8-ds.xml tests utils And also the log file paths listed after rsyslog's $IncludeConfig directive
 # (store the result into array for the case there's shell glob used as value of IncludeConfig)
-readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
+readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
 
 # Declare an array to hold the final list of different log file paths
 declare -a LOG_FILE_PATHS
 
-RSYSLOG_CONFIGS=()
-RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
+# Array to hold all rsyslog config entries
+declare -a RSYSLOG_CONFIGS
+RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
 
-# Get full list of files to be checked
-# RSYSLOG_CONFIGS may contain globs such as 
-# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
-# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
-RSYSLOG_FILES=()
+# Array to hold all rsyslog config files
+declare -a RSYSLOG_CONFIG_FILES
 for ENTRY in "${RSYSLOG_CONFIGS[@]}"
 do
- mapfile -t FINDOUT < <(find "$(dirname "${ENTRY}")" -maxdepth 1 -name "$(basename "${ENTRY}")")
- RSYSLOG_FILES+=("${FINDOUT[@]}")
+ # If directory, rsyslog will search for config files in recursively.
+ # However, files in hidden sub-directories or hidden files will be ignored.
+ if [ -d "${ENTRY}" ]
+ then
+ readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f)
+ RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
+ elif [ -f "${ENTRY}" ]
+ then
+ RSYSLOG_CONFIG_FILES+=("${ENTRY}")
+ else
+ echo "Invalid include object: ${ENTRY}"
+ fi
 done
 
-# Check file and fix if needed.
-for LOG_FILE in "${RSYSLOG_FILES[@]}"
+# Browse each file selected above as containing paths of log files
+# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
+for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
 do
 # From each of these files extract just particular log file path(s), thus:
 # CMakeGraphVizOptions.cmake CMakeLists.txt CODEOWNERS CONTRIBUTING.md Contributors.md Contributors.xml DISCLAIMER Dockerfiles LICENSE README.md apple_os applications build build-scripts build_config.yml.in build_product cmake controls ctf diff.log docs linux_os ocp-resources output.json packit.fmf products scap-security-guide.spec shared ssg ssg-rhel8-ds.xml tests utils Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
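Review bot: the two expansion lines `readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)` and the NEW_INC twin hand text read out of /etc/rsyslog.conf to eval, so any value containing $(...), backticks or a ; is executed by the remediation shell rather than treated as a path; /etc/rsyslog.conf is root-owned, so this is a robustness rather than a privilege-boundary issue, but eval is not needed for the job: an unquoted expansion under `shopt -s nullglob` (`for f in $INCPATH; do printf '%s\n' "$f"; done`) expands `/etc/rsyslog.d/*/*.conf` just as well and, unlike eval without nullglob, drops a pattern that matches nothing instead of passing the literal `/etc/rsyslog.d/*.xxxx` down to the `else echo "Invalid include object"` branch. In the same hunk, `find "${ENTRY}" -not -path '*/.*' -type f` descends into subdirectories and excludes every file when ENTRY itself lies under a dot directory; since the thread disagrees on whether rsyslog recurses for a directory include, the comment above it should name the rsyslog behaviour being matched. Minor: the grep/awk lines hardcode /etc/rsyslog.conf although RSYSLOG_ETC_CONFIG is defined just above, and the `# CMakeGraphVizOptions.cmake ...` comment lines are an artifact of the diff generator glob-expanding the `*` bullet of the original comment, not a change made by this patch.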
@@ -44,7 +55,7 @@
 then
 NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}")
 LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}")
- FILTERED_PATHS=$(sed -e 's/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g' <<< "${LINES_WITH_PATHS}")
+ FILTERED_PATHS=$(awk '{if(NF>=2&&($2~/^\//||$2~/^-\//)){sub(/^-\//,"/",$2);print $2}}' <<< "${LINES_WITH_PATHS}")
 CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}")
 MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}")
 # Since above sed command might return more than one item (delimited by newline), split the particular
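
Review bot: the new filter `FILTERED_PATHS=$(awk '{if(NF>=2&&($2~/^\//||$2~/^-\//)){sub(/^-\//,"/",$2);print $2}}' <<< "${LINES_WITH_PATHS}")` prints field 2 verbatim, so a legacy action with a template suffix such as `*.info /var/log/messages;RSYSLOG_TraditionalFileFormat` now yields the path with `;RSYSLOG_TraditionalFileFormat` attached, which the replaced sed (`[^:;[:space:]]*`) cut off; and because only `$2` is inspected, a line that passed LINES_WITH_PATHS with the path in a later field (for example `if $programname == 'x' then /var/log/x.log`) is silently dropped. Suggest keeping the `-` handling but trimming at `;` or `:` (e.g. `sub(/[;:].*$/,"",$2)`) and testing the last field rather than `$2`, or stating in the comment above which action syntaxes the remediation intends to cover.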

github-actions[bot] avatar May 06 '22 18:05 github-actions[bot]

Start a new ephemeral environment with changes proposed in this pull request:

Open in Gitpod

github-actions[bot] avatar May 06 '22 18:05 github-actions[bot]

/ok-to-test

Mab879 avatar May 06 '22 19:05 Mab879

Ping @matejak for his Bash skills, :)

yuumasato avatar May 16 '22 17:05 yuumasato

@brett060102 Hi, you recently made changes to this remediation. Would you have any comments?

yuumasato avatar May 18 '22 08:05 yuumasato

Generally, I don't see anything obviously wrong or suspicious in the Bash code, so I would stick to the general recommendation of relying on test scenarios.

matejak avatar May 18 '22 12:05 matejak

@yuumasato @lonicerae It is very clever bit a shell coding, and yes I think it would handle the cases. I don't really understand what this addresses that is not handled by the current code though. Unless it is the case where the included file is a directory or where the included files have includes. I have never tried either of those, but I does not look like including a directory is permitted. For nested includes, I am not sure this would fully address that.

So, I would really like to see what is being addressed here that is not handled in the current code.

Since the current code uses find, an include of a file that does not exist won't be passed into the "# Check file and fix if needed." loop. That might be a bug or a feature. In my testing I was seeing file not found errors in the loop. So, find made sense to me. So, we may want to keep that. It will also handle an additional level of wildcards. I am not even sure nested includes are supported. If they are, and if wildcards are supported there as well, then we most likely need an issue, since I am not sure the oval would catch that.

After that tangent, I think the comments should be updated as well. Something like the following

# * And also the log file paths listed after rsyslog's $IncludeConfig and include directive
#   (store the result into array for the case there's shell glob used as value of IncludeConfig or include)
# handle $IncludeConfig
readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
# expand any wildcards in  $IncludeConfig 
readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
# handle include directives
readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
# expand any wildcards in  include directives
readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)

I know the code says the same thing, and I should have made at least some of those comments when I updated the code. I did the most recent changes and it was not that long ago, but I was still trying to figure out what was going on in those regexes and why.

brett060102 avatar May 18 '22 15:05 brett060102

Not an issue for this review, but a couple of flavors of the following are supported.

include(
   file=`echo $ENV_VAR`
   mode="optional"
)
Which I don't find amusing.

And I should have checked during the previous comment, but directories are supported via:
$IncludeConfig /etc/rsyslog.d/

We might just want to drop the depth limit on the find. But still not sure oval will handle that and I am not an expert there.

brett060102 avatar May 18 '22 15:05 brett060102

I think that the find should stay. Mode optional in the following means that no error is generated if the file is not present.

include(
   file="/path/to/include.conf"
   mode="optional"
)

So, trying to remediate that file could result in an error in remediation. Depending on how it is run, it could terminate remediation, which would mean that later remediations are not done. I think this would only affect running the generated build/bash scripts directly, and then only with "set -e", but we were doing exactly that.

brett060102 avatar May 18 '22 16:05 brett060102

Hi @brett060102, thanks for your comment. In fact I submitted the code a month ago; however, in the old PR it was not accepted because I did not create the testing code in time. I did a comparison here https://github.com/ComplianceAsCode/content/pull/8543#issuecomment-1116458344, maybe this can help to understand the differences.

lonicerae avatar May 18 '22 16:05 lonicerae

Hello @lonicerae! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found:

Line 48:16: E225 missing whitespace around operator
Line 707:100: E501 line too long (117 > 99 characters)

Line 25:1: E402 module level import not at top of file

Line 151:100: E501 line too long (111 > 99 characters)
Line 152:100: E501 line too long (104 > 99 characters)

pep8speaks avatar May 18 '22 17:05 pep8speaks

Hi @yuumasato , thanks for your review. Please help to check the latest one which I have adjusted. Thank you.

lonicerae avatar May 18 '22 17:05 lonicerae

@lonicerae I had looked over your initial PR. You and I were working on the same issue from different angles and came up with what I think are relatively equivalent solutions. Your `do eval printf '%s\n' "${INCPATH}"` will expand the glob into a list of files for each wildcarded element. The find does the same thing. I can't think of a case that your solution handles that the existing code doesn't. If you have one, I would love to see it, because I can't think of it.

I tried this

ip-10-0-0-69:/home/ec2-user # cat /tmp/rsyslog.conf
##
## === When you're using remote logging, enable on-disk queues ===  
#
$IncludeConfig /etc/rsyslog.d/*.conf
$IncludeConfig /etc/rsyslog.d/*.xxxx
$IncludeConfig /etc/rsyslog.d/*.frule
$IncludeConfig /etc/rsyslog.d/


include(
   file="/path/to/include.conf"
   mode="optional"
)

and the result from your change is:

/etc/rsyslog.conf /etc/rsyslog.d/remote.conf /etc/rsyslog.d/*.xxxx /etc/rsyslog.d/NetworkManager.frule /etc/rsyslog.d/acpid.frule /etc/rsyslog.d/firewall.frule /etc/rsyslog.d/ /path/to/include.conf

the same input with the current code gives:

/etc/rsyslog.conf /etc/rsyslog.d/remote.conf /etc/rsyslog.d/NetworkManager.frule /etc/rsyslog.d/acpid.frule /etc/rsyslog.d/firewall.frule /etc/rsyslog.d

The difference is that the files that don't exist were filtered out by the find. I created /etc/rsyslog.d/foo.tmp and neither code base caught that file. I did not test nested includes. I know the existing code does not handle those and I can't see how your change would either.

brett060102 avatar May 18 '22 19:05 brett060102

changing the find loop to:

RSYSLOG_FILES=()
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
do
     echo "$(dirname "${ENTRY}")" " " "$(basename "${ENTRY}")"
     
     if [[ -d "${ENTRY}" ]]; then
        mapfile -t FINDOUT < <(find "${ENTRY}" -maxdepth 2 )
     else
        mapfile -t FINDOUT < <(find "$(dirname "${ENTRY}")" -maxdepth 2 -name "$(basename "${ENTRY}")")
     fi
     RSYSLOG_FILES+=("${FINDOUT[@]}")
done

fixes the directory problem, but does not address the nested include problem.

brett060102 avatar May 18 '22 20:05 brett060102

Hi @brett060102, if the config files are in this pattern /etc/rsyslog.d/*.conf we get the same results. But things will be different if the pattern is /etc/rsyslog.d/*/*.conf.

lonicerae avatar May 19 '22 01:05 lonicerae

@lonicerae Thank you. That is a case I did not think of, and yes, the eval prints do handle that case. @yuumasato @lonicerae what about the following?

# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle

# List of log file paths to be inspected for correct permissions
# * Primarily inspect log file paths listed in /etc/rsyslog.conf
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig or include directive
#   (store the result into array for the case there's shell glob used as value of IncludeConfig or include)
# Handle $IncludeConfig
readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /tmp/rsyslog.conf | cut -d ' ' -f 2)
# expand any wildcards in $IncludeConfig
readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
# Handle include block
readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /tmp/rsyslog.conf)
# expand any wildcards in include block
readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)

# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS

declare -a RSYSLOG_CONFIGS
RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")

# Get full list of files to be checked
# RSYSLOG_CONFIGS may contain globs or directories such as 
# /etc/rsyslog.d/*.conf
# /etc/rsyslog.d/*.frule
# /etc/rsyslog.d/*/*.conf
# /etc/rsyslog.d/
# 
# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
RSYSLOG_FILES=()
# NOTE: FINDOUT is never reset inside the loop, so an ENTRY whose parent
# directory does not exist (the "/path/to/include.conf" case below) leaves
# FINDOUT holding the previous iteration's result, which is appended again.
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
do
     SE_PATH="$(dirname "${ENTRY}")"
     SE_FILE="$(basename "${ENTRY}")"
     if [[ -d "${SE_PATH}" ]]; then
        if [[ -d "${ENTRY}" ]]; then
           mapfile -t FINDOUT < <(find "${ENTRY}" -maxdepth 2 )
        else
           mapfile -t FINDOUT < <(find "$(dirname "${ENTRY}")" -maxdepth 2 -name "$(basename "${ENTRY}")")
        fi
     fi
     RSYSLOG_FILES+=("${FINDOUT[@]}")
done
echo "${RSYSLOG_FILES[@]}"

given input of:

ip-10-0-0-69:/home/ec2-user # cat /tmp/rsyslog.conf
##
## === When you're using remote logging, enable on-disk queues ===  
#
$IncludeConfig /etc/rsyslog.d/*.conf
$IncludeConfig /etc/rsyslog.d/*.xxxx

# Additional filter rules
#
$IncludeConfig /etc/rsyslog.d/*.frule
$IncludeConfig /etc/rsyslog.d/
$IncludeConfig /tmp/test/*/*.conf

include(
   file="/path/to/include.conf"
   mode="optional"
)

it returns

/etc/rsyslog.conf /etc/rsyslog.d/remote.conf /etc/rsyslog.d/NetworkManager.frule /etc/rsyslog.d/acpid.frule /etc/rsyslog.d/firewall.frule /etc/rsyslog.d/ /etc/rsyslog.d/NetworkManager.frule /etc/rsyslog.d/acpid.frule /etc/rsyslog.d/firewall.frule /etc/rsyslog.d/remote.conf /etc/rsyslog.d/foo.tmp /tmp/test/test1/remote.conf /tmp/test/test2/remote.conf /tmp/test/test3/remote.conf /tmp/test/test3/remote.conf

This way, directories are handled and wildcards within paths are handled. And any non existent paths or files are excluded. The duplicate entries occur because my test file has "/etc/rsyslog.d/" along with "/etc/rsyslog.d/*.conf" and "/etc/rsyslog.d/*.frule"

It does not handle nested includes though. The only way to handle that is to put all of this in a loop and keep going until changes stop. Taking care not to get trapped by A includes B and B includes A.

I am not sure how far to go here. I think I can see what the complete solution is, but it addresses issues that no sane user should ever create. On the other hand, a lot of security is about making sure edge cases like this are covered.

I have not checked the ansible, so I don't know if it handles this or not. I also don't know if the oval will catch these cases. Do either of you know? I did the original change because the oval was catching an issue handled by ansible that was not handled by bash.

brett060102 avatar May 19 '22 14:05 brett060102

Hi @brett060102, I think if the simple way works we should keep it simple. In fact I believe this is a special usage of quoting; that's why I suggest using eval to show the elements of the array.

As to the rsyslog.conf, the pattern can be /etc/rsyslog.d/*/*/*.conf etc. Hope this can make things clear.

lonicerae avatar May 19 '22 15:05 lonicerae

@lonicerae I am OK with that and I defer to @yuumasato and @matejak My concern is that we won't be handling: $IncludeConfig /etc/rsyslog.d/

brett060102 avatar May 19 '22 15:05 brett060102

@brett060102 Good catch! Thanks for pointing out this case. Please help to review the latest commit which I 'steal' part of your code. Thank you!

lonicerae avatar May 19 '22 17:05 lonicerae

Looks very good, just a couple of things:

Based on: https://www.rsyslog.com/doc/v8-stable/configuration/global/options/rsconf1_includeconfig.html

$IncludeConfig /directory/ will include all regular files not starting with dot "." and should not follow subdirs

So, I think:

readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')

should be

readarray -t FINDOUT < <(find "${ENTRY}" \( ! -regex '.*/\..*' \) -maxdepth 1 -type f )

which seems to do the right thing in my test case.

Also, I am not sure about the:

	else
		echo "Invalid include object: ${ENTRY}"

action. Since the following block in the config file:

include(
   file="/path/to/include.conf"
   mode="optional"
)

means include it if it exists, and ignore it if it doesn't then it is really not invalid. How about: echo "Skipping ${ENTRY}: file not found"

brett060102 avatar May 19 '22 19:05 brett060102

I updated my previous comment's find example to add maxdepth since, based on my reading of the rsyslog.conf docs, the direct include does not follow subdirs.

brett060102 avatar May 19 '22 19:05 brett060102

That's strange.. rsyslog behaves differently from the doc. The logic is based on the testing results. I'll look into the code of rsyslog.

lonicerae avatar May 20 '22 02:05 lonicerae

I believe the feature:

Based on: https://www.rsyslog.com/doc/v8-stable/configuration/global/options/rsconf1_includeconfig.html
$IncludeConfig /directory/ will include all regular files not starting with dot "." and should not follow subdirs

Should have been removed a long time ago by this commit: https://github.com/rsyslog/rsyslog/commit/5e2b03a31c312e6cd6a7f4cb0bca1f062668dc52 , maybe a bug for the document can be opened with rsyslog.

Also, I am not sure about the:

	else
		echo "Invalid include object: ${ENTRY}"

action. Since the following block in the config file:

include(
   file="/path/to/include.conf"
   mode="optional"
)

means include it if it exists, and ignore it if it doesn't then it is really not invalid. How about: echo "Skipping ${ENTRY}: file not found"

Let's think about this pattern:

include(file="/dev/ttyS10" mode="optional")
include(
   file="/path/to/include.conf"
   mode="optional"
)

Apparently /dev/ttyS10 is not a regular file and should not be included. This is defensive code; we should send out a meaningful message.

lonicerae avatar May 20 '22 04:05 lonicerae

@lonicerae I have checked two systems, Ubuntu 20.04 and SLE15 SP3. Both are running some version of rsyslogd version 8, but the manpage version for rsyslog.conf in both cases is: Version 7.2.0 22 October 2012

Man on rsyslogd shows: Version 8..... 28 May 2014. What follows the 8 is vendor specific, but the big point is that your guess about stale docs looks correct. I did not actually play around with syslog. Are you stating that in your syslog testing that: $IncludeConfig /etc/rsyslog.d/ is no longer supported? Or that the check for regular files was removed?

Your change addresses the issues that I hit in cloud deployments, which is my primary concern.

I am going to defer to @yuumasato and @matejak on: echo "Invalid include object: ${ENTRY}" We are creeping into a more global topic that I don't feel competent to address. Should we be doing validation of the config files at remediation time, or should that be done via the test oval? I have always thought of remediation as pretty quiet: fix what we can and then retest.

brett060102 avatar May 20 '22 17:05 brett060102

Hi @brett060102 ,

I compared relevant functions over the last 10 years in rsyslog's repo and now indeed there are more changes..

I have checked two systems Ubuntu 20.04 and SLE15 SP3, Both are running some version of rsyslogd version 8,
But the manpage version for rsyslog.conf in both cases is:
Version 7.2.0 22 October 2012

It would be good if you could give me the links to the source of these versions; I can help to look into them. The upstream should be using glob() to detect the wildcard since this commit:

  • https://github.com/rsyslog/rsyslog/commit/0f6300f1e6a038f37c406b2362218ea043def55b

In this case I need to update the find command accordingly. Please help to check the new commit https://github.com/ComplianceAsCode/content/pull/8726/commits/c947cae1d4c77c41c14349cea784905e9d115b1b and its test files, there I listed several different include patterns.

Are you stating that in your syslog testing that:
$IncludeConfig /etc/rsyslog.d/
Is no longer supported? Or if the check for regular files was removed?

No no, it seems I was not explaining the issue clearly. The $IncludeConfig /etc/rsyslog.d/ is absolutely supported. What we need is to carefully match the behavior of how rsyslog scans and loads valid config files.

You change addresses the issues that I hit and in cloud deployments. Which is my primary concern.

May I know your use case? Could you share an example with me?

We are creeping into more global topic that I don't feel competent to address. Should we be doing validation of the config files at remediation time or should that be being done at via the test oval. I have always thought of remediation as pretty quiet. Fix what we can and then retest.

No worries, as I work with and test rsyslog a lot in my job, I may see lots of strange issues. :stuck_out_tongue: I'm sorry that I don't know much of the framework design of this ComplianceAsCode/content project. I also would like to learn more about this project, that's interesting!

--UPDATED--

lonicerae avatar May 21 '22 08:05 lonicerae

Should have been removed long time ago by this commit: https://github.com/rsyslog/rsyslog/commit/5e2b03a31c312e6cd6a7f4cb0bca1f062668dc52 , maybe a bug for the document can be opened with rsyslog.

The dot-file handling has been handled by the above code after the rsyslog refactoring. Now not only the hidden files .xxxx but also the files in hidden directories .xxxx/yyyy should be ignored if we use a directory in the file option with include() or IncludeConfig directives.

lonicerae avatar May 22 '22 08:05 lonicerae
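
An added example, not code from this PR, from ComplianceAsCode or from rsyslog, that serves three passages of the thread at once: the wildcard expansion the PR description asks for (including `/etc/rsyslog.d/*/*.conf`), the directory include with hidden files and hidden subdirectories skipped that the last comments settle on, and the nested-include loop with cycle protection that brett060102 describes as the only way to handle A-includes-B-includes-A. It expands globs with the shell under nullglob rather than eval, drops absent mode="optional" targets and non-regular files such as a device node, and goes beyond the PR by following includes recursively. Everything it reads is a constructed fixture built under mktemp; the function names extract_includes, expand_target, resolve_config_files, build_fixture and demo are this example's own, and only the `$IncludeConfig <path>` and `include(file="<path>" ...)` forms are parsed (the file=`echo $VAR` form mentioned in the thread is deliberately not expanded).

```bash
#!/usr/bin/env bash
# Added example: resolve every config file rsyslog would load from a root
# config, following $IncludeConfig and include(file="...") recursively.
# Not the ComplianceAsCode remediation; names and fixture are this example's own.

# Print the include targets named in one config file, one per line.
# Handles "$IncludeConfig <path-or-glob>" and single- or multi-line
# include(file="<path-or-glob>" ...) blocks; other include() forms are ignored.
extract_includes() {
    local conf="$1"
    grep -E '^[[:space:]]*\$IncludeConfig[[:space:]]+[^[:space:];]+' "$conf" | awk '{print $2}'
    awk '/include\(/ {f=1}
         f {buf = buf " " $0}
         f && /\)/ {f=0; if (match(buf, /file="[^"]+"/)) print substr(buf, RSTART+6, RLENGTH-7); buf=""}' "$conf"
}

# Expand one include target into the existing regular files it names, without
# eval. The word is expanded unquoted on purpose: that is the glob expansion,
# and with nullglob a pattern that matches nothing yields nothing (the old
# code kept the literal "/etc/rsyslog.d/*.xxxx" instead).
expand_target() {
    local target="$1" path
    local IFS=$'\n'          # split expansions on newlines only, not on spaces
    shopt -s nullglob
    for path in $target; do
        path="${path%/}"     # "$IncludeConfig /etc/rsyslog.d/" carries a trailing slash
        if [ -d "$path" ]; then
            # directory: regular files at any depth, pruning dot-files and dot-dirs
            find "$path" -mindepth 1 -name '.*' -prune -o -type f -print | LC_ALL=C sort
        elif [ -f "$path" ]; then
            printf '%s\n' "$path"
        fi
        # anything else (absent optional file, /dev/ttyS10, a socket) is skipped
    done
    shopt -u nullglob
}

# Breadth-first walk from the root config; a newline-delimited "seen" list
# stops the A-includes-B, B-includes-A loop. Prints each file once, in load order.
resolve_config_files() {
    local current target file nl=$'\n'
    local seen="$nl"
    local -a queue=("$1")
    while [ "${#queue[@]}" -gt 0 ]; do
        current="${queue[0]}"
        queue=("${queue[@]:1}")
        case "$seen" in *"$nl$current$nl"*) continue ;; esac
        seen="$seen$current$nl"
        printf '%s\n' "$current"
        while IFS= read -r target; do
            [ -n "$target" ] || continue
            while IFS= read -r file; do
                queue+=("$file")
            done < <(expand_target "$target")
        done < <(extract_includes "$current")
    done
}

# Constructed fixture (not a real system) covering the thread's cases: a
# one-level and a two-level glob, a directory include with hidden entries and
# a nested subdirectory, an absent mode="optional" file, a device node, and a
# cycle (custom2.conf includes the root config again).
build_fixture() {
    local base="$1"
    mkdir -p "$base/rsyslog.d/subdir" "$base/rsyslog.d/.hidden" "$base/rsyslog.d/deep/er"
    cat > "$base/rsyslog.conf" <<EOF
\$IncludeConfig $base/rsyslog.d/*.conf
include(file="$base/rsyslog.d/*/*.conf" mode="optional")
include(
   file="$base/does/not/exist.conf"
   mode="optional"
)
include(file="/dev/null" mode="optional")
EOF
    printf 'local1.* /tmp/local1.out\n' > "$base/rsyslog.d/subdir/custom1.conf"
    printf 'local2.* /tmp/local2.out\ninclude(file="%s/rsyslog.conf")\n' "$base" > "$base/rsyslog.d/custom2.conf"
    printf '$IncludeConfig %s/rsyslog.d/deep/\n' "$base" > "$base/rsyslog.d/dirinc.conf"
    printf 'local3.* /tmp/local3.out\n' > "$base/rsyslog.d/deep/a.conf"
    printf 'local4.* /tmp/local4.out\n' > "$base/rsyslog.d/deep/er/b.conf"
    printf '# must be ignored\n' > "$base/rsyslog.d/deep/.ignored.conf"
    printf '# must be ignored\n' > "$base/rsyslog.d/.hidden/c.conf"
}

# Build the fixture in a temp dir, resolve it, print paths relative to it.
demo() {
    local base
    base="$(mktemp -d)"
    build_fixture "$base"
    resolve_config_files "$base/rsyslog.conf" | sed "s|^$base/||"
    rm -rf "$base"
}

demo
```

Running it prints six files: rsyslog.conf, then the two `*.conf` matches, then the two `*/*.conf` matches, then deep/er/b.conf from the directory include; the root config is listed once despite the cycle, and neither .ignored.conf nor .hidden/c.conf appears. Dropping the `seen` check is the quickest way to see why the cycle protection matters: the walk never terminates.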