RHEL-1816

[RHEL8.7/SCAP/Rsyslog] Rainer syntax not valid for cron and netstreamdriver parameters

    • scap-security-guide-0.1.74-1.el8_10
    • sst_security_compliance
    • ssg_security
      TEST_PARAM:RULE=rsyslog_cron_logging rsyslog_encrypt_offload_actionsendstreamdriverauthmode rsyslog_encrypt_offload_actionsendstreamdrivermode rsyslog_encrypt_offload_defaultnetstreamdriver


      Description of problem:

      In the latest scap-security-guide 0.1.66, the Rainer syntax is still not fully supported.

      The SCAP rule xccdf_org.ssgproject.content_rule_rsyslog_cron_logging is not accepting the following Rainer syntax line:
      ~~~
      cron.* action(name="local-cron" type="omfile" FileCreateMode="0600" fileOwner="root" fileGroup="root" File="/var/log/cron")
      ~~~

      Version-Release number of selected component (if applicable):
      0.1.66-2.el8_7.noarch

      How reproducible:

      • Configure Rainer syntax for collecting cron logs.
      1. vi /etc/rsyslog.conf
        cron.* action(name="local-cron" type="omfile" FileCreateMode="0600" fileOwner="root" fileGroup="root" File="/var/log/cron")

      Steps to Reproduce:
      1. Replace the legacy configuration for cron logs with RainerScript syntax:
         vi /etc/rsyslog.conf

      2. Restart rsyslog to load changes.

      3. Scan the system for the SCAP rule xccdf_org.ssgproject.content_rule_rsyslog_cron_logging

      Actual results:
      The Rainer syntax is not validated.

      Expected results:
      The Rainer syntax for cron log configuration should be validated.

      Additional info:

      Similarly, netstreamdriver parameters should be validated if configured in Rainer syntax.

      The following rules are impacted:

      • xccdf_org.ssgproject.content_rule_rsyslog_cron_logging
      • xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode
      • xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode
      • xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver
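
A sketch of a check for cron logging that accepts both the legacy selector line and the RainerScript `action()` form from this report, with parameter names compared case-insensitively. It is an added example, not the scap-security-guide OVAL check; the function names and the sample inputs other than the reported line are assumptions made for illustration.

```python
import re

# name="value" pairs inside action(...); rsyslog parameter names are
# case-insensitive, so File= and file= must be treated alike.
PARAM = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# RainerScript form: cron.* action( ... ), where the body may span lines.
ACTION = re.compile(r'^[ \t]*cron\.\*\s+action\s*\(([^)]*)\)', re.M)


def strip_comments(conf: str) -> str:
    """Drop full-line '#' comments so a commented-out rule never matches."""
    return "\n".join(
        line for line in conf.splitlines() if not line.lstrip().startswith("#")
    )


def cron_logging_configured(conf: str, path: str = "/var/log/cron") -> bool:
    """True if cron.* is written to `path` in legacy or RainerScript form."""
    conf = strip_comments(conf)
    # Legacy form: cron.*  /var/log/cron  (a leading "-" turns off sync).
    legacy = re.compile(
        r'^[ \t]*cron\.\*[ \t]+-?' + re.escape(path) + r'[ \t]*$', re.M
    )
    if legacy.search(conf):
        return True
    for match in ACTION.finditer(conf):
        params = {k.lower(): v for k, v in PARAM.findall(match.group(1))}
        if params.get("type") == "omfile" and params.get("file") == path:
            return True
    return False


# Constructed sample inputs; the first is the line from this report.
RAINER = ('cron.* action(name="local-cron" type="omfile" FileCreateMode="0600" '
          'fileOwner="root" fileGroup="root" File="/var/log/cron")')
LEGACY = "cron.*                      /var/log/cron"
MULTILINE = 'cron.* action(type="omfile"\n              file="/var/log/cron")'
COMMENTED = "#cron.* /var/log/cron"
WRONG_FILE = 'cron.* action(type="omfile" File="/var/log/messages")'

if __name__ == "__main__":
    for name in ("RAINER", "LEGACY", "MULTILINE", "COMMENTED", "WRONG_FILE"):
        print(name, cron_logging_configured(globals()[name]))
```

A check that only matches the legacy line reports a system using the `action()` form as non-compliant even though cron messages are being logged to the expected file.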

            jcerny@redhat.com Jan Cerny
            rhn-support-ravpatil Ravindra Patil
            Marcus Burghardt
            Jan Cerny
            Milan Lysonek