[Enhancement] [RHEL/7] New RHEL-7 remediation for 'rsyslog_files_permissions' rule #791

Merged


@iankko iankko commented Oct 13, 2015

  • NOTE Test #1: The machine in question needs to be rebooted before the system is put into true compliance (this is due to the handling of the "/var/log/boot.log" case), therefore IT IS EXPECTED that this remediation, when run, will return ERROR when attempted in openscap. To truly verify whether the system is corrected, the system needs to be rebooted and the scan for the 'rsyslog_files_permissions' rule repeated.

Since right now there isn't a way to instruct the combinefixes.py SSG transformation to include the reboot=true attribute in the remediation script (filed an RFE for this for the future under:

    [1] #790

), we as of right now don't have a way to convey to the user that a reboot is required in order for the remediation to be truly completed, so for now we will not include the reboot attribute in the remediation.

This situation might be corrected in the future once the fix for [1] is implemented in SSG.

  • NOTE Sample Merge Request #2: Running shellcheck on the proposed remediation script will return one failure as follows:

    $ shellcheck RHEL/7/input/fixes/bash/rsyslog_files_permissions.sh

    In RHEL/7/input/fixes/bash/rsyslog_files_permissions.sh line 27:
        MATCHED_ITEMS=$(sed -e "/^[[:space:]|#|$]/d ; s/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g ; /^$/d" $LOG_FILE)
                                                                                                                ^-- SC2086: Double quote to prevent globbing and word splitting.

The $LOG_FILE variable has been intentionally kept unquoted. This is to properly handle the case when the value of rsyslog's $IncludeConfig directive contains a shell glob expression (this glob is to be properly expanded first, before further processing), as is the case in the default RHEL-7 configuration (the default $IncludeConfig directive value is set to /etc/rsyslog.d/*.conf -- here we want to inspect all of the file names matching that pattern for potential log file path definitions).

So it is EXPECTED that the shellcheck warning is present when checking this script, and I added a note to prevent possible quoting of that $LOG_FILE variable in the future (which would break the proper functioning of the script).

Testing report:

Verified on RHEL-7 system the proposed change works fine (after reboot the rsyslog_files_permissions rule passes).

Please review.

Thank you, Jan.
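
The effect of quoting `$LOG_FILE`, as an added example that is not part of the PR or of the project's remediation script: it runs the sed expression from the shellcheck output over a constructed directory standing in for /etc/rsyslog.d/. The function names, file names and rule lines are assumptions made for the illustration.

```bash
#!/bin/bash
# Added example. File names and rule lines below are constructed samples.
# SED_EXPR is the expression shown in the shellcheck output above.
SED_EXPR='/^[[:space:]|#|$]/d ; s/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g ; /^$/d'

# Create a throwaway stand-in for /etc/rsyslog.d/ and print its location.
make_sample_tree() (
    dir=$(mktemp -d) || exit 1
    mkdir "$dir/rsyslog.d"
    cat > "$dir/rsyslog.d/10-base.conf" <<'EOF'
# constructed sample rules
$ModLoad imuxsock
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
cron.*                                      /var/log/cron
*.emerg                                     :omusrmsg:*
EOF
    cat > "$dir/rsyslog.d/20-boot.conf" <<'EOF'
local7.*                                    /var/log/boot.log
EOF
    printf '%s\n' "$dir"
)

# Unquoted, as in the PR: the shell expands the glob before sed runs,
# so every matching file is read. Word splitting also applies, so a
# pattern containing spaces would be split into several arguments.
extract_unquoted() (
    LOG_FILE=$1
    # shellcheck disable=SC2086
    sed -e "$SED_EXPR" $LOG_FILE 2>/dev/null
)

# Quoted, as SC2086 suggests: sed is handed the literal string
# ".../rsyslog.d/*.conf" as a single file name, which does not exist.
extract_quoted() (
    LOG_FILE=$1
    sed -e "$SED_EXPR" "$LOG_FILE" 2>/dev/null
)

tree=$(make_sample_tree)
pattern="$tree/rsyslog.d/*.conf"
echo "unquoted:"; extract_unquoted "$pattern"
echo "quoted:";   extract_quoted "$pattern" || echo "(nothing read)"
rm -rf "$tree"
```

With the quoted form no log file paths are collected at all, so the permission fix would silently skip every file referenced from the included configuration.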

'rsyslog_files_permissions' rule

NOTE: The machine in question needs to be rebooted before
the system is put into the true compliance (this is due to
handling of "/var/log/boot.log" case), therefore IT IS EXPECTED
this remediation when run will return ERROR when attempted in
openscap. To truly verify if the system is corrected, the system
needs to be rebooted, and the scan for the 'rsyslog_files_permissions'
rule repeated.

Testing report:
---------------
Verified on RHEL-7 system the proposed change works fine (after reboot
the 'rsyslog_files_permissions' rule passes).
@iankko iankko added enhancement General enhancements to the project. BLOCKER Impediments to release, like failure to build content, or content built is out of standard's syntax RHEL Red Hat Enterprise Linux product related. labels Oct 13, 2015
@iankko iankko added this to the 0.1.26 milestone Oct 13, 2015
@mpreisler mpreisler self-assigned this Oct 13, 2015
@mpreisler
Member

LGTM

mpreisler added a commit that referenced this pull request Oct 13, 2015
[Enhancement] [RHEL/7] New RHEL-7 remediation for 'rsyslog_files_permissions' rule
@mpreisler mpreisler merged commit 7747752 into ComplianceAsCode:master Oct 13, 2015
@iankko iankko deleted the rsyslog_files_permissions_rem branch October 14, 2015 10:02