[Enhancement] [RHEL/7] New RHEL-7 remediation for 'rsyslog_files_permissions' rule #791
Since right now there isn't a way how to instruct the `combinefixes.py` SSG transformation to include the `reboot=true` attribute into the remediation script (filed an RFE for this for the future under: [1] #790), we as of right now don't have a way how to transmit to the user the information that a reboot is required in order for the remediation to be truly completed. For now we will not include the `reboot` attribute in the remediation. This situation might be corrected in the future once the fix for [1] is implemented in SSG.

`shellcheck` on the proposed remediation script will return one failure as follows:

The `$LOG_FILE` variable has been intentionally / on purpose kept unquoted. This is to properly handle the case when rsyslog's `$IncludeConfig` directive's value would contain some shell glob expression (this glob to be first properly expanded before further processing), like it is the case in the default RHEL-7 configuration (the default `$IncludeConfig` directive value is set to `/etc/rsyslog.d/*.conf` -- here we want to inspect all of the file names matching that pattern for potential log file path definitions).

So it is EXPECTED for the `shellcheck` warning to be present when checking this script, and I added a note to prevent possible quoting of that `$LOG_FILE` variable in the future (which would break the proper work of the script).

Testing report:

Verified on a RHEL-7 system that the proposed change works fine (after reboot the `rsyslog_files_permissions` rule passes).

Please review.

Thank you, Jan.
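
The glob handling described in the post above, as an added illustration that is not the remediation script from this pull request: it follows an `$IncludeConfig` pattern to collect log file paths, and shows what is lost if the pattern is quoted. The function names and the sample config tree are constructed for the example, and paths containing whitespace are assumed not to occur.

```shell
#!/bin/bash
# Added illustration, not the PR's remediation script. Function names and
# sample files are constructed; paths with whitespace are not handled.

# Expand one $IncludeConfig value into the existing files it names.
# mode "quoted" reproduces the breakage the post's note guards against.
expand_include() {
    local pattern="$1" mode="${2:-unquoted}" file
    if [ "$mode" = quoted ]; then
        set -- "$pattern"          # stays the literal string ".../*.conf"
    else
        # Intentionally unquoted so the shell expands the glob.
        # shellcheck disable=SC2086
        set -- $pattern
    fi
    for file in "$@"; do
        if [ -f "$file" ]; then printf '%s\n' "$file"; fi
    done
}

# Print the log file paths defined in the main config and its includes.
list_log_files() {
    local main_conf="$1" mode="${2:-unquoted}" pattern conf
    {
        printf '%s\n' "$main_conf"
        awk '$1 == "$IncludeConfig" { print $2 }' "$main_conf" |
            while IFS= read -r pattern; do expand_include "$pattern" "$mode"; done
    } | while IFS= read -r conf; do
        # Selector lines: last field is an absolute path, optionally "-" prefixed.
        awk '!/^[ \t]*[#$]/ && NF >= 2 && $NF ~ "^-?/" { sub(/^-/, "", $NF); print $NF }' "$conf"
    done | sort -u
}

# Build a constructed config tree shaped like the RHEL-7 default layout.
make_sample() {
    local root
    root=$(mktemp -d) && mkdir "$root/rsyslog.d" || return 1
    printf '%s\n' "\$IncludeConfig $root/rsyslog.d/*.conf" \
        '*.info;mail.none /var/log/messages' > "$root/rsyslog.conf"
    printf '%s\n' '# mail' 'mail.* -/var/log/maillog' > "$root/rsyslog.d/mail.conf"
    printf '%s\n' 'cron.* /var/log/cron' > "$root/rsyslog.d/cron.conf"
    printf '%s\n' "$root"
}

root=$(make_sample)
list_log_files "$root/rsyslog.conf"          # includes are followed
list_log_files "$root/rsyslog.conf" quoted   # included files are missed
rm -rf "$root"
```

With the pattern quoted, the log files defined only under `rsyslog.d/` never reach the permission check, so they would be left unremediated without any error being reported.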