The change: [1] https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=d2f99b0...
attempted to replace "logrotate_rotate_all_files" OVAL check with "ensure_logrotate_activated" OVAL check, but failed (to do so in all locations):
scap-security-guide]$ grep -rHn "logrotate_rotate_all_files" *
RHEL/6/input/system/logging.xml:377:<oval id="logrotate_rotate_all_files" />
RHEL/7/input/system/logging.xml:377:<oval id="logrotate_rotate_all_files" />
resulting in the following new 'make validate' / verify-input-references.py error message:
Invalid OVAL definition referenced by XCCDF Rule: ensure_logrotate_activated
Fix that by referencing the new OVAL check name in RHEL/{6,7}/input/system/logging.xml files too.
Besides that, the original RHEL/6/input/checks/ensure_logrotate_activated.xml OVAL check was implemented just as an unknown OVAL test stub. Replace that stub definition with an actual implementation based on guide.html content, move it to shared, and create links for RHEL/6 and RHEL/7.
The proposal has been tested on RHEL/6 & RHEL/7 - the rpm package builds properly, the make validate warning disappeared & the check seems to be working properly on both products.
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
On 5/30/14, 5:09 AM, Jan Lieskovsky wrote:
The change: [1]https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=d2f99b0...
attempted to replace "logrotate_rotate_all_files" OVAL check with "ensure_logrotate_activated" OVAL check, but failed (to do so in all locations):
scap-security-guide]$ grep -rHn "logrotate_rotate_all_files" *
RHEL/6/input/system/logging.xml:377:<oval id="logrotate_rotate_all_files" />
RHEL/7/input/system/logging.xml:377:<oval id="logrotate_rotate_all_files" />
resulting in the following new 'make validate' / verify-input-references.py error message:
Invalid OVAL definition referenced by XCCDF Rule: ensure_logrotate_activated
Fix that by referencing the new OVAL check name in RHEL/{6,7}/input/system/logging.xml files too.
Besides that, the original RHEL/6/input/checks/ensure_logrotate_activated.xml OVAL check was implemented just as an unknown OVAL test stub. Replace that stub definition with an actual implementation based on guide.html content, move it to shared, and create links for RHEL/6 and RHEL/7.
The proposal has been tested on RHEL/6 & RHEL/7 - the rpm package builds properly, the make validate warning disappeared & the check seems to be working properly on both products.
Please review.
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Technologies Team
0001-RHEL-6-RHEL-7-shared-Finish-logrotate_rotate_all_fil.patch
From de1beb4d9137c24fd4e603b1a9e23c8d5eabc2cd Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <jlieskov@redhat.com>
Date: Fri, 30 May 2014 10:56:04 +0200
Subject: [PATCH] [RHEL/6, RHEL/7, shared] Finish logrotate_rotate_all_files => ensure_logrotate_activated transition. Replace ensure_logrotate_activated unknown test stub with actual OVAL check implementation.

Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
---
 RHEL/6/input/checks/ensure_logrotate_activated.xml | 21 +---------
 RHEL/6/input/system/logging.xml                    |  2 +-
 RHEL/7/input/checks/ensure_logrotate_activated.xml |  1 +
 RHEL/7/input/system/logging.xml                    |  2 +-
 shared/oval/ensure_logrotate_activated.xml         | 46 ++++++++++++++++++++++
 5 files changed, 50 insertions(+), 22 deletions(-)
 mode change 100644 => 120000 RHEL/6/input/checks/ensure_logrotate_activated.xml
 create mode 120000 RHEL/7/input/checks/ensure_logrotate_activated.xml
 create mode 100644 shared/oval/ensure_logrotate_activated.xml
diff --git a/RHEL/6/input/checks/ensure_logrotate_activated.xml b/RHEL/6/input/checks/ensure_logrotate_activated.xml deleted file mode 100644 index aca539b..0000000 --- a/RHEL/6/input/checks/ensure_logrotate_activated.xml +++ /dev/null @@ -1,20 +0,0 @@ -<def-group>
- <definition class="compliance"
- id="ensure_logrotate_activated" version="1">
<metadata>
<title>Ensure All Logs are Rotated by logrotate</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The logrotate (syslog rotater) service should be
enabled.</description>
</metadata>
<criteria>
<criterion comment="Find each file in /etc/syslog.conf in /etc/logrotate.d/syslog"
test_ref="test_20154" />
</criteria>
</definition>
- <ind:unknown_test check="all"
- comment="use extended content to evaluated this test"
- id="test_20154" version="1" />
-</def-group> diff --git a/RHEL/6/input/checks/ensure_logrotate_activated.xml b/RHEL/6/input/checks/ensure_logrotate_activated.xml new file mode 120000 index 0000000..1916c40 --- /dev/null +++ b/RHEL/6/input/checks/ensure_logrotate_activated.xml @@ -0,0 +1 @@ +../../../../shared/oval/ensure_logrotate_activated.xml \ No newline at end of file diff --git a/RHEL/6/input/system/logging.xml b/RHEL/6/input/system/logging.xml index 82455d6..c7fc389 100644 --- a/RHEL/6/input/system/logging.xml +++ b/RHEL/6/input/system/logging.xml @@ -374,7 +374,7 @@ If logrotate is configured properly, output should include references to <tt>/etc/cron.daily</tt>.
</ocil> <ident cce="27014-0" /> -<oval id="logrotate_rotate_all_files" /> +<oval id="ensure_logrotate_activated" /> <ref nist="AU-9" disa="366" /> </Rule> </Group> diff --git a/RHEL/7/input/checks/ensure_logrotate_activated.xml b/RHEL/7/input/checks/ensure_logrotate_activated.xml new file mode 120000 index 0000000..1916c40 --- /dev/null +++ b/RHEL/7/input/checks/ensure_logrotate_activated.xml @@ -0,0 +1 @@ +../../../../shared/oval/ensure_logrotate_activated.xml \ No newline at end of file diff --git a/RHEL/7/input/system/logging.xml b/RHEL/7/input/system/logging.xml index 36c2fb0..993d214 100644 --- a/RHEL/7/input/system/logging.xml +++ b/RHEL/7/input/system/logging.xml @@ -374,7 +374,7 @@ If logrotate is configured properly, output should include references to <tt>/etc/cron.daily</tt>. </ocil> <ident cce="RHEL7-CCE-TBD" /> -<oval id="logrotate_rotate_all_files" /> +<oval id="ensure_logrotate_activated" /> <ref nist="AU-9" disa="366" /> </Rule> </Group> diff --git a/shared/oval/ensure_logrotate_activated.xml b/shared/oval/ensure_logrotate_activated.xml new file mode 100644 index 0000000..c82b3a3 --- /dev/null +++ b/shared/oval/ensure_logrotate_activated.xml 
@@ -0,0 +1,46 @@ +<def-group> + <definition class="compliance" id="ensure_logrotate_activated" version="1"> + <metadata> + <title>Ensure the logrotate utility performs the automatic rotation of log files on daily basis</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + <platform>Red Hat Enterprise Linux 7</platform> + </affected> + <description> + The frequency of automatic log files rotation performed by the logrotate utility should be configured to run daily + </description> + <reference source="JL" ref_id="20140530" ref_url="test_attestation" /> + </metadata> + <criteria comment="/etc/logrotate.conf contains daily setting or /etc/cron.daily/logrotate file exists" operator="OR"> + <criterion comment="Check if daily is set in /etc/logrotate.conf" + test_ref="test_logrotate_conf_daily_setting" /> + <criterion comment="Check if /etc/cron.daily/logrotate file exists (and calls logrotate)" + test_ref="test_cron_daily_logrotate_existence" /> + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" check_existence="all_exist" + comment="Tests the presence of daily setting in /etc/logrotate.conf file" + id="test_logrotate_conf_daily_setting" version="1"> + <ind:object object_ref="obj_logrotate_conf_daily_setting" /> + </ind:textfilecontent54_test> + + <ind:textfilecontent54_object id="obj_logrotate_conf_daily_setting" version="1"> + <ind:filepath>/etc/logrotate.conf</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*daily[\s]*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object>
Is there configuration precedence in the logrotate.conf file? e.g. if you have "daily" followed immediately by "weekly," which will the logrotate use? Should we ensure that daily exists, and the other options do not?
I tried looking through the manpage and google to no avail.
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="Tests the existence of /etc/cron.daily/logrotate file (and verify it actually calls logrotate utility)"
- id="test_cron_daily_logrotate_existence" version="1">
- <ind:object object_ref="obj_cron_daily_logrotate_existence" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_cron_daily_logrotate_existence" version="1">
- ind:filepath/etc/cron.daily/logrotate</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*/usr/sbin/logrotate[\s]*/etc/logrotate.conf(?:.*)$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
+</def-group> -- 1.8.3.1
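Review bot: in the new shared/oval/ensure_logrotate_activated.xml, the obj_logrotate_conf_daily_setting object (`^[\s]*daily[\s]*$`, instance 1) accepts the first line that is exactly `daily`, so the definition passes on a file where a later `weekly` or `monthly` keyword overrides it, which is exactly the precedence question raised above; consider matching the last interval keyword instead, or asserting that no other interval keyword follows `daily` in the global section. The leading `[\s]*` also lets an indented `daily` inside a per-log `{ ... }` stanza satisfy a check that is meant to be about the global setting. Two further points on the same hunk: `operator="OR"` lets the definition pass when /etc/cron.daily/logrotate exists even if logrotate.conf says `weekly`, while the description says rotation "should be configured to run daily", so `AND` (daily set and the cron job present) would match the description; and in `^[\s]*/usr/sbin/logrotate[\s]*/etc/logrotate.conf(?:.*)$` the `[\s]*` between the binary and the config path should be `[\s]+`, and the pattern will not match a cron script that passes any option before the config path.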
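Review bot: the RHEL/6 and RHEL/7 logging.xml hunks only swap the `<oval id>` reference, but the surviving context line ("If logrotate is configured properly, output should include references to /etc/cron.daily") still describes the cron-based manual check, while the new OVAL definition can pass on the `daily` keyword alone; either update the OCIL text so the manual and automated checks agree, or make the OVAL require the cron job as well. The two new 120000-mode links to `../../../../shared/oval/ensure_logrotate_activated.xml` resolve from RHEL/{6,7}/input/checks/ to the repository root correctly. The RHEL/7 rule keeps `<ident cce="RHEL7-CCE-TBD" />`, so a CCE is still outstanding there (pre-existing, not introduced by this patch).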
----- Original Message -----
From: "Shawn Wells" <shawn@redhat.com>
To: scap-security-guide@lists.fedorahosted.org
Sent: Saturday, May 31, 2014 4:27:04 AM
Subject: Re: [PATCH] [RHEL/6, RHEL/7, shared] Finish logrotate_rotate_all_files => ensure_logrotate_activated transition. Replace ensure_logrotate_activated unknown test stub with actual OVAL check implementation.
Thanks, Shawn. Good catch.
Is there configuration precedence in the logrotate.conf file?
The last one will be used. logrotate will read its config from the start: [1] https://fedorahosted.org/logrotate/browser/trunk/config.c#L584
and each of:
* hourly: https://fedorahosted.org/logrotate/browser/trunk/config.c#L996
* daily: https://fedorahosted.org/logrotate/browser/trunk/config.c#L998
* weekly: https://fedorahosted.org/logrotate/browser/trunk/config.c#L1003
* monthly: https://fedorahosted.org/logrotate/browser/trunk/config.c#L1001
* yearly: https://fedorahosted.org/logrotate/browser/trunk/config.c#L1005
options will reset the value of the newlog->criterium flag (which can have the values listed in: https://fedorahosted.org/logrotate/browser/trunk/logrotate.h#L36 ).
Yet logrotate will repeat this scenario for each of the files present in /etc/logrotate.d/ directory (+1 times for default /etc/logrotate.conf itself): https://fedorahosted.org/logrotate/browser/trunk/config.c#L472
e.g. if you have "daily" followed immediately by "weekly," which will the logrotate use?
Testing a patched local RHEL-6 logrotate RPM instance revealed the latter one will be used.
Should we ensure that daily exists, and the other options do not?
Yes, based on the above, the new patch version should ensure the 'daily' setting is present / being used as the last (from newlog->criterium flag enum ones) option in the logrotate.conf file.
I will come up with a new patch version proposal.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
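To make the precedence behaviour concrete, here is an added Python model (not part of the patch or of logrotate itself) of what Jan describes: the global section of logrotate.conf is read top to bottom and the last interval keyword wins, whereas the patch's OVAL object accepts the first line that is exactly `daily`. The sample configs are constructed; the third one goes a step beyond the thread by showing that a `daily` inside a per-log `{ ... }` stanza also satisfies the patch's pattern without changing the global interval.

```python
import re

# Interval keywords that reset logrotate's criterium (the config.c lines Jan links).
INTERVAL_KEYWORDS = ("hourly", "daily", "weekly", "monthly", "yearly")

# The pattern from the patch's obj_logrotate_conf_daily_setting object;
# OVAL instance 1 means "the first line that matches".
OVAL_DAILY_PATTERN = re.compile(r"^[\s]*daily[\s]*$")


def global_lines(conf_text):
    """Yield directive lines from the global section of a logrotate.conf.

    Comments are dropped and anything inside a '{ ... }' per-log stanza is
    skipped, since those directives apply only to that stanza.  'include'
    directives are not followed (this runs offline on embedded samples).
    """
    depth = 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and "{" not in line:
            yield line
        depth += line.count("{") - line.count("}")


def effective_interval(conf_text):
    """Global interval after a top-to-bottom read: the last keyword wins."""
    interval = None
    for line in global_lines(conf_text):
        if line in INTERVAL_KEYWORDS:
            interval = line
    return interval


def oval_first_daily_match(conf_text):
    """Mimic the patch's textfilecontent54 check: any line that is exactly 'daily'?"""
    return any(OVAL_DAILY_PATTERN.match(line) for line in conf_text.splitlines())


def daily_is_effective(conf_text):
    """Stricter check in the spirit of Jan's follow-up: 'daily' must be the
    last interval keyword in the global section."""
    return effective_interval(conf_text) == "daily"


# Constructed sample configs (not real RHEL files).
DAILY_THEN_WEEKLY = "daily\nweekly\nrotate 4\ninclude /etc/logrotate.d\n"
WEEKLY_THEN_DAILY = "weekly\ndaily\nrotate 4\n"
DAILY_IN_STANZA_ONLY = "weekly\n/var/log/wtmp {\n    daily\n    minsize 1M\n}\n"
```

For DAILY_THEN_WEEKLY and DAILY_IN_STANZA_ONLY the patch's check reports a pass while the effective global interval is weekly; only WEEKLY_THEN_DAILY passes the stricter check.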
scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide