rsyslog_remote_loghost: support Rainer Script in OVAL by vojtapolasek · Pull Request #13274 · ComplianceAsCode/content · GitHub

rsyslog_remote_loghost: support Rainer Script in OVAL #13274

Merged

Conversation

vojtapolasek
Collaborator

Description:

  • extend OVAL check to support Rainer Script syntax
  • add Rainer Script examples to rule.yml next to the old syntax
  • Note that I did not change remediations... I think this is out of scope of the reported issue. Also, the old and new syntax should work together in Rsyslog, and it will probably be quite complex to decide what syntax to use.

Rationale:

  • new syntax is definitely valid and we should not discourage users from using it

fixes: OPENSCAP-5467

Review Hints:

  • use Automatus

@vojtapolasek vojtapolasek added bugfix Fixes to reported bugs. OVAL OVAL update. Related to the systems assessments. Update Rule Issues or pull requests related to Rules updates. labels Apr 2, 2025
@vojtapolasek vojtapolasek added this to the 0.1.77 milestone Apr 2, 2025
github-actions bot commented Apr 2, 2025

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost'.
--- xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost
+++ xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost
@@ -19,13 +19,22 @@
 *.* @'xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address'
         
         
+Or in RainerScript:
+*.* action(type="omfwd" ... target="'xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address'" protocol="udp")
+        
 To use TCP for log message delivery:
 *.* @@'xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address'
         
         
+Or in RainerScript:
+*.* action(type="omfwd" ... target="'xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address'" protocol="tcp")
+        
 To use RELP for log message delivery:
 *.* :omrelp:'xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address'
         
+        
+Or in RainerScript:
+*.* action(type="omfwd" ... target="'xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address'" protocol="relp")
         
 There must be a resolvable DNS CNAME or Alias record set to "'xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address'" for logs to be sent correctly to the centralized logging utility.
 
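Review bot: the RELP example in this hunk, `*.* action(type="omfwd" ... target="..." protocol="relp")`, combines the omfwd module with protocol="relp", but omfwd only forwards over udp or tcp; RELP is provided by the separate omrelp output module, which the legacy `*.* :omrelp:` line directly above already names. Suggest `*.* action(type="omrelp" target="'xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address'" port="<port>")` so a reader copying the RainerScript form gets a configuration rsyslog will load. Also, the literal `...` inside the action() call reads as if it were part of the syntax; either state that further parameters may go there or drop it.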
@@ -44,6 +53,9 @@
 $ActionQueueSaveOnShutdown on
 $ActionResumeRetryCount -1
 
+Or if using Rainer Script syntax, it could be:
+*.* action(type="omfwd" queue.type="linkedlist" queue.filename="example_fwd" action.resumeRetryCount="-1" queue.saveOnShutdown="on" target="example.com" port="30514" protocol="tcp")
+
 [reference]:
 1
 
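Review bot: the wording is inconsistent between hunks: this one says "Rainer Script syntax" while the previous hunk says "RainerScript"; rsyslog's documentation spells it RainerScript, so use that spelling throughout the description. The parameters shown here (queue.type, queue.filename, action.resumeRetryCount, queue.saveOnShutdown, target, port, protocol) are the RainerScript counterparts of the $ActionQueue* and $ActionResumeRetryCount directives above, so the example itself is consistent with the legacy block.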

OVAL for rule 'xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost' differs.
--- oval:ssg-rsyslog_remote_loghost:def:1
+++ oval:ssg-rsyslog_remote_loghost:def:1
@@ -1,3 +1,5 @@
 criteria OR
 criterion oval:ssg-test_remote_rsyslog_conf:tst:1
 criterion oval:ssg-test_remote_rsyslog_d:tst:1
+criterion oval:ssg-test_remote_rsyslog_conf_rainer:tst:1
+criterion oval:ssg-test_remote_rsyslog_d_rainer:tst:1
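Review bot: the two new criteria join the existing OR, so the rule passes when either syntax appears in either /etc/rsyslog.conf or the rsyslog.d drop-ins, which matches the stated intent of not discouraging the new syntax. Since the `_conf_rainer`/`_d_rainer` tests mirror the existing `_conf`/`_d` pair file for file, consider whether a single pattern per file that accepts both syntaxes would be less to maintain, or add a comment in the OVAL explaining why the two syntaxes are kept as separate tests.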

OCIL for rule 'xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost' differs.
--- ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1
+++ ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1
@@ -2,9 +2,15 @@
 /etc/rsyslog.conf.
 If using UDP, a line similar to the following should be present:
  *.* @
+or
+*.* action(type="omfwd" ... target="" protocol="udp")
 If using TCP, a line similar to the following should be present:
  *.* @@
+or
+*.* action(type="omfwd" ... target="" protocol="tcp")
 If using RELP, a line similar to the following should be present:
  *.* :omrelp:
+or
+*.* action(type="omfwd" ... target="" protocol="relp")
       Is it the case that no evidence that the audit logs are being off-loaded to another system or media?
       
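Review bot: two points on the OCIL text. First, the RELP alternative repeats `type="omfwd" ... protocol="relp"`, which is not a valid omfwd configuration (RELP is handled by omrelp); fix it together with the same line in the rule description. Second, the added lines show `target=""` with an empty value, just as the existing `*.* @` and `*.* @@` lines have nothing after them, so the loghost variable does not appear to be substituted into the OCIL; since this hunk adds three more lines that depend on it, check that the questionnaire interpolates the variable or tell the reader to substitute their own address. The closing question "Is it the case that no evidence that the audit logs are being off-loaded..." is pre-existing but ungrammatical; "Is it the case that there is no evidence that..." reads correctly.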

codeclimate bot commented Apr 2, 2025

Code Climate has analyzed commit 79cd474 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.9% (0.0% change).

@jan-cerny jan-cerny self-assigned this Apr 2, 2025
Collaborator
@jan-cerny jan-cerny left a comment

The TSs have run locally and pass:

jcerny@fedora:~/work/git/scap-security-guide (pr/13274)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel10 rsyslog_remote_loghost
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-04-02-1606/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost
INFO - Script line_commented.fail.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script remote_configured.pass.sh using profile (all) OK
INFO - Script remote_configured_rainer.pass.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/13274)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel10 --remediate-using ansible rsyslog_remote_loghost
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-04-02-1607/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost
INFO - Script line_commented.fail.sh using profile (all) OK
INFO - Script line_not_there.fail.sh using profile (all) OK
INFO - Script remote_configured.pass.sh using profile (all) OK
INFO - Script remote_configured_rainer.pass.sh using profile (all) OK

@jan-cerny jan-cerny merged commit 8490733 into ComplianceAsCode:master Apr 2, 2025
109 of 110 checks passed