Debian 8 XCCDF content enhancement

[pthierry38]

• add logging xccdf content in Debian 8 directory
• Cleaning old xccdf content to templated oval based one
• deleted some residual auto-generated file from git
• merged 'install' xccdf part into system part for better homogeneity between distro

[iankko]

ACK. Verified on Jessie guest (with libopenscap8 version installed from Stretch [to get rid of systemdunitdependency not supported warning / error messages]) that the newly added checks work fine:

root@jessie:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 8.2 (jessie)
Release:    8.2
Codename:   jessie

root@jessie:~# dpkg -l libopenscap8
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                Version                Architecture           Description
+++-===================================-======================-======================-============================================================================
ii  libopenscap8                        1.2.7-1+b1             amd64                  Set of libraries enabling integration of the SCAP line of standards

root@jessie:~# grep 'Profile' ssg-debian8-ds-tailoring.xml 
  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_common_customized" extends="xccdf_org.ssgproject.content_profile_common">
    <xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Common Profile for General-Purpose Debian Systems [CUSTOMIZED]</xccdf:title>
  </xccdf:Profile>

root@jessie:~# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_common_customized --tailoring-file ssg-debian8-ds-tailoring.xml --report /tmp/jessie_report.html ssg-debian8-ds.xml
Title   Ensure rsyslog is Installed
Rule    xccdf_org.ssgproject.content_rule_package_rsyslog_installed
Result  fail

Title   Enable rsyslog Service
Rule    xccdf_org.ssgproject.content_rule_service_rsyslog_enabled
Result  fail

Title   Ensure Log Files Are Owned By Appropriate User
Rule    xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
Result  pass

Title   Ensure Log Files Are Owned By Appropriate Group
Rule    xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
Result  pass

Title   Ensure System Log Files Have Correct Permissions
Rule    xccdf_org.ssgproject.content_rule_rsyslog_files_permissions
Result  pass

Just the Ensure rsyslog is Installed and Enable rsyslog Service doesn't seem to be working properly:

root@jessie:~# dpkg -l rsyslog
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                Version                Architecture           Description
+++-===================================-======================-======================-============================================================================
ii  rsyslog                             8.4.2-1+deb8u1         amd64                  reliable system and kernel logging daemon

root@jessie:~# systemctl is-enabled rsyslog
enabled

But I would consider those two changes as subject for future PRs / future bugfix.

[pthierry38]

Hello @iankko, I'm working on the service enable check on jessie. Though the install check is working fine. I'll deploy the same configuration as you to compare (I've used a custom build of openscap, not the one from stretch).