From: "Shawn Wells" <shawn(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Sent: Saturday, June 7, 2014 6:59:05 AM
Subject: Re: [Patch set #v2] [PATCH 0/2] Finish logrotate_rotate_all_files => ensure_logrotate_activated transition. Replace ensure_logrotate_activated unknown test stub with actual OVAL check implementation.

On 6/6/14, 5:37 AM, Jan Lieskovsky wrote:
> From 32bbdecc7dda86f71f16cc8f0a47a02e959c717e Mon Sep 17 00:00:00 2001
> From: Jan Lieskovsky <jlieskov(a)redhat.com>
> Date: Fri, 6 Jun 2014 14:09:33 +0200
> Subject: [PATCH 0/2] Finish logrotate_rotate_all_files =>
> ensure_logrotate_activated transition. Replace
> ensure_logrotate_activated unknown test stub with actual OVAL check
> implementation.
>
> Based on the promise in:
> [1] https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-June/00...
>
> the following patchset finishes the logrotate_rotate_all_files to
> ensure_logrotate_activated transition. The first patch [1/2] is identical
> to the original one from:
> [2] https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-May/005...
>
> But in addition to that one, the ensure_logrotate_activated.xml OVAL check
> in [shared] has been modified via patch [2/2] to properly honour the syntax /
> behaviour of the /etc/logrotate.conf file (the last uncommented rotate log
> setting present is actually the honoured one).
>
> Implementing the test was pretty challenging (considering the possibilities
> the OVAL language brings to check complex configuration files). Needed to
> try a couple of alternatives, but the one following seems to be working
> properly.
>
> Note: When testing the change, be sure to comment out the
> 'test_cron_daily_logrotate_existence' sub-test (or move the
> /etc/cron.daily/logrotate file to a temporary backup under a different
> name) to actually see how the behaviour of the
> 'test_logrotate_conf_daily_setting' OVAL check changed (to actually see
> that, when making changes to /etc/logrotate.conf, they have an impact on
> the final result of the XCCDF rule scan).
>
> Testing status: The proposed change has been tested on both (RHEL-6,
> RHEL-7) products, and works properly in all the various cases of
> /etc/logrotate.conf config file format that might occur (as far as I have
> tested & can tell).
>
> The underlying regular expressions are pretty complex, but hopefully the
> comments before / around them will clarify the idea behind the test's work.
> Should there be a need to clarify some part of them, feel free to ask.
>
> Please review.
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> Jan Lieskovsky (2):
>   [RHEL/6, RHEL/7, shared] Finish logrotate_rotate_all_files => ensure_logrotate_activated transition. Replace ensure_logrotate_activated unknown test stub with actual OVAL check implementation.
>   [shared] Fix ensure_logrotate_activated OVAL check to properly handle /etc/logrotate.conf format (last occurred rotate log directive to be the by the check honoured one)
>
>  RHEL/6/input/checks/ensure_logrotate_activated.xml | 21 +------
>  RHEL/6/input/system/logging.xml                    |  2 +-
>  RHEL/7/input/checks/ensure_logrotate_activated.xml |  1 +
>  RHEL/7/input/system/logging.xml                    |  2 +-
>  shared/oval/ensure_logrotate_activated.xml         | 72 ++++++++++++++++++++++
>  5 files changed, 76 insertions(+), 22 deletions(-)
>  mode change 100644 => 120000 RHEL/6/input/checks/ensure_logrotate_activated.xml
>  create mode 120000 RHEL/7/input/checks/ensure_logrotate_activated.xml
>  create mode 100644 shared/oval/ensure_logrotate_activated.xml

Applied locally & created various stanzas, placing monthly|daily between
them. Behaves as expected. Really novel idea to read in the stanza as
singleline=true. That approach might help with other OVAL rules,
particularly audit rule regex.

Yeah, will have a look yet how this approach could be applied to other checks
(where appropriate).

Thanks, Shawn. Pushed to master.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
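
Added example, not part of this thread or of the scap-security-guide patch: a Python illustration of the rule the cover letter states, that the last uncommented rotation setting in /etc/logrotate.conf is the one honoured. The function names, the sample file, and the choice to skip directives inside per-log `{ ... }` stanzas (treated here as local overrides) are assumptions; this is not the OVAL regular expression from the patch.

```python
# Rotation-period keywords that appear as standalone logrotate directives.
PERIODS = {"daily", "weekly", "monthly", "yearly"}


def effective_rotation_period(conf_text):
    """Return the last uncommented global rotation period, or None.

    Assumption: directives inside a per-log { ... } stanza only apply to
    that stanza, so they do not change the global setting.
    """
    depth = 0          # > 0 while inside a { ... } stanza
    effective = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        # Skip blanks and comment lines (first non-blank character is '#').
        if not line or line.startswith("#"):
            continue
        if depth == 0 and line in PERIODS:
            effective = line   # a later directive overrides an earlier one
        depth += line.count("{")
        depth = max(depth - line.count("}"), 0)
    return effective


def is_compliant(conf_text, required="daily"):
    """True when the effective global rotation period equals `required`."""
    return effective_rotation_period(conf_text) == required


# Constructed sample input, not taken from a real system.
SAMPLE = """\
# see "man logrotate" for details
weekly
rotate 4
/var/log/wtmp {
    monthly
    rotate 1
}
#monthly
daily
include /etc/logrotate.d
"""

if __name__ == "__main__":
    print(effective_rotation_period(SAMPLE), is_compliant(SAMPLE))
```

A check that only searches for any uncommented `daily` line would also pass a file where `weekly` follows it, which is the case the last-directive rule is meant to catch.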