Improve Rsyslog rules to support RainerScript syntax #12010

Merged (17 commits), May 28, 2024

Conversation

jan-cerny
Collaborator

Description:

Improve OVAL checks so that the rule will pass if the modern Rainer script syntax is used. Up until now these rules passed only when the legacy configuration was used.

This changes OVAL in the following rules:

  • rsyslog_cron_logging
  • rsyslog_encrypt_offload_actionsendstreamdriverauthmode
  • rsyslog_encrypt_offload_actionsendstreamdrivermode
  • rsyslog_encrypt_offload_defaultnetstreamdriver

For more details, please read commit messages of all commits.

Rationale:

Fixes: https://issues.redhat.com/browse/RHEL-1816
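As an added example (not code from the PR or from the ComplianceAsCode project), the checker below mirrors the logic this PR introduces: each of the four rules passes when either the legacy directive or the RainerScript form appears in /etc/rsyslog.conf or in any file under /etc/rsyslog.d. The regular expressions, the config paths in the sample dictionaries and the sample configuration fragments are this example's own constructions, not the project's OVAL content.

```python
import re
from typing import Dict

# A rule passes when EITHER the legacy "$Directive value" form OR the RainerScript
# form is present, mirroring the "criteria OR" structure of the updated OVAL.
# These regexes are this example's own approximation, not the project's OVAL ones.
RULES = {
    "rsyslog_cron_logging": (
        r'^\s*cron\.\*\s+/var/log/cron\s*$',
        r'^\s*cron\.\*\s+action\(\s*type="omfile"[^)]*\bfile="/var/log/cron"[^)]*\)',
    ),
    "rsyslog_encrypt_offload_defaultnetstreamdriver": (
        r'^\s*\$DefaultNetstreamDriver\s+gtls\s*$',
        r'^\s*global\([^)]*\bDefaultNetstreamDriver="gtls"[^)]*\)',
    ),
    "rsyslog_encrypt_offload_actionsendstreamdrivermode": (
        r'^\s*\$ActionSendStreamDriverMode\s+1\s*$',
        r'^\s*action\(\s*type="omfwd"[^)]*\bStreamDriverMode="1"[^)]*\)',
    ),
    "rsyslog_encrypt_offload_actionsendstreamdriverauthmode": (
        r'^\s*\$ActionSendStreamDriverAuthMode\s+x509/name\s*$',
        r'^\s*action\(\s*type="omfwd"[^)]*\bStreamDriverAuthMode="x509/name"[^)]*\)',
    ),
}

def strip_comments(text: str) -> str:
    """Drop '#' comment lines so a commented-out directive does not count as configured."""
    return "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("#"))

def evaluate(files: Dict[str, str]) -> Dict[str, bool]:
    """Map rule id -> pass/fail over all config files (rsyslog.conf and rsyslog.d/*.conf)."""
    # A directive may sit in any file, which is what the *_dir OVAL tests in the PR cover.
    body = "\n".join(strip_comments(t) for t in files.values())
    return {rule: any(re.search(p, body, re.M) for p in pats) for rule, pats in RULES.items()}

# Constructed sample configurations (not taken from any real host).
LEGACY_FILES = {"/etc/rsyslog.conf": (
    "cron.*                                                  /var/log/cron\n"
    "$DefaultNetstreamDriver gtls\n$ActionSendStreamDriverMode 1\n"
    "$ActionSendStreamDriverAuthMode x509/name\n")}
RAINER_FILES = {
    "/etc/rsyslog.conf": 'global(DefaultNetstreamDriver="gtls")\n',
    "/etc/rsyslog.d/50-cron.conf": 'cron.* action(type="omfile" file="/var/log/cron")\n',
    "/etc/rsyslog.d/60-fwd.conf": 'action(type="omfwd" Target="loghost.example.test" '
                                  'StreamDriverMode="1" StreamDriverAuthMode="x509/name")\n',
}
COMMENTED_FILES = {"/etc/rsyslog.conf": "# cron.*   /var/log/cron\n"}
```

Running `evaluate(LEGACY_FILES)` and `evaluate(RAINER_FILES)` returns all four rules as passing, while the commented-out sample fails every rule.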

We extend the OVAL check so that it will also pass if Rsyslog's
modern syntax, the so-called Rainer script, is used to configure cron
logging.  We will allow both forms. We will use the current form in the
remediation.

Resolves: RHEL-1816
…driverauthmode

We extend the OVAL check so that it will also pass if Rsyslog's
modern syntax, Rainer script, has been used.

Resolves: RHEL-1816
…drivermode

We extend the OVAL check so that it will also pass if Rsyslog's
modern syntax, Rainer script, has been used.

Resolves: RHEL-1816
…driver

We extend the OVAL check so that it will also pass if Rsyslog's
modern syntax, Rainer script, has been used.

Resolves: RHEL-1816
@jan-cerny jan-cerny added bugfix Fixes to reported bugs. OVAL OVAL update. Related to the systems assessments. labels May 20, 2024
@jan-cerny jan-cerny added this to the 0.1.74 milestone May 20, 2024

github-actions bot commented May 20, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_cron_logging'.
--- xccdf_org.ssgproject.content_rule_rsyslog_cron_logging
+++ xccdf_org.ssgproject.content_rule_rsyslog_cron_logging
@@ -7,7 +7,10 @@
 cron job status. If cron is not logging to rsyslog, it
 can be implemented by adding the following to the RULES section of
 /etc/rsyslog.conf:
+If the legacy syntax is used:
 cron.*                                                  /var/log/cron
+If the modern syntax (RainerScript) is used:
+cron.* action(type="omfile" file="/var/log/cron")
 
 [reference]:
 1
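Review bot: the added line "If the legacy syntax is used:" lands directly after the existing "...to the RULES section of /etc/rsyslog.conf:", so the rendered description now has two consecutive lead-in colons before the first example. Suggest reworking the sentence into something like "...it can be implemented by adding one of the following to /etc/rsyslog.conf or to a file in /etc/rsyslog.d:" and then the two labelled forms, which also brings the description in line with the OCIL for this rule, whose grep already searches /etc/rsyslog.* rather than only /etc/rsyslog.conf.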

OVAL for rule 'xccdf_org.ssgproject.content_rule_rsyslog_cron_logging' differs.
--- oval:ssg-rsyslog_cron_logging:def:1
+++ oval:ssg-rsyslog_cron_logging:def:1
@@ -1,3 +1,5 @@
 criteria OR
 criterion oval:ssg-test_cron_logging_rsyslog:tst:1
+criterion oval:ssg-test_cron_logging_rsyslog_rainer:tst:1
 criterion oval:ssg-test_cron_logging_rsyslog_dir:tst:1
+criterion oval:ssg-test_cron_logging_rsyslog_dir_rainer:tst:1
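Review bot: the definition stays a flat "criteria OR" over four tests, so a match in either file location and either syntax passes, which is the intended semantics. Worth confirming in the pattern behind the two new _rainer tests that the RainerScript form only matches when the omfile action's file parameter is /var/log/cron, and not any omfile action attached to a cron.* selector; otherwise a line such as cron.* action(type="omfile" file="/var/log/messages") would satisfy the rule.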

OCIL for rule 'xccdf_org.ssgproject.content_rule_rsyslog_cron_logging' differs.
--- ocil:ssg-rsyslog_cron_logging_ocil:questionnaire:1
+++ ocil:ssg-rsyslog_cron_logging_ocil:questionnaire:1
@@ -2,5 +2,7 @@
 run the following command:
 grep -rni "cron\.\*" /etc/rsyslog.*
 cron.*                                                  /var/log/cron
+or
+cron.* action(type="omfile" file="/var/log/cron")
       Is it the case that cron is not logging to rsyslog?
       
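Review bot: the OCIL command still greps only for "cron\.\*", which finds both the legacy line and the RainerScript action, so the added "or" alternative is consistent with the command shown. The expected-output text, however, now lists two lines joined by a bare "or", which reads ambiguously next to the question "Is it the case that cron is not logging to rsyslog?"; suggest introducing them as "the output should contain either of the following lines:" so the reader knows one match is sufficient.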
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode'.
--- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode
+++ xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode
@@ -10,6 +10,11 @@
 encrypt and off-load auditing.
 
 When using rsyslogd to off-load logs the remote system must be authenticated.
+
+Set the following configuration option in /etc/rsyslog.conf or in a file in /etc/rsyslog.d (using legacy syntax):
+$ActionSendStreamDriverAuthMode x509/name
+Alternatively, use the RainerScript syntax:
+action(type="omfwd" Target="some.example.com" StreamDriverAuthMode="x509/name")
 
 [reference]:
 CCI-001851
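Review bot: the RainerScript example here hard-codes Target="some.example.com", while the parallel hunk for rsyslog_encrypt_offload_actionsendstreamdrivermode uses an ellipsis ("...") for the parameters that are not the subject of the rule. Pick one placeholder convention across the three rsyslog_encrypt_offload_* descriptions. Likewise, this hunk has no blank line between "$ActionSendStreamDriverAuthMode x509/name" and "Alternatively, use the RainerScript syntax:", whereas the other two hunks do; the rendered descriptions will look uneven.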

OVAL for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode' differs.
--- oval:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode:def:1
+++ oval:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode:def:1
@@ -1,4 +1,6 @@
 criteria AND
 criteria OR
 criterion oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode:tst:1
+criterion oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode_rainer:tst:1
 criterion oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode_dir:tst:1
+criterion oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode_dir_rainer:tst:1

New content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode'.
--- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode
+++ xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode
@@ -10,6 +10,12 @@
 encrypt and off-load auditing.
 
 When using rsyslogd to off-load logs off a encrpytion system must be used.
+
+Set the following configuration option in /etc/rsyslog.conf or in a file in /etc/rsyslog.d (using legacy syntax):
+$ActionSendStreamDriverMode 1
+
+Alternatively, use the RainerScript syntax:
+action(type="omfwd" ... StreamDriverMode="1")
 
 [reference]:
 CCI-001851
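Review bot: the context line "When using rsyslogd to off-load logs off a encrpytion system must be used." carries two pre-existing problems, the typo "encrpytion" and "a" before a vowel sound, and the phrase "off-load logs off" is garbled. Since this hunk already edits the paragraph, it is a good moment to fix it to "When using rsyslogd to off-load logs, an encryption system must be used." The same "off-load logs off" wording appears in the defaultnetstreamdriver description below and should be fixed together with it.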

OVAL for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode' differs.
--- oval:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode:def:1
+++ oval:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode:def:1
@@ -1,4 +1,6 @@
 criteria AND
 criteria OR
 criterion oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog:tst:1
+criterion oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog_rainer:tst:1
 criterion oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog_dir:tst:1
+criterion oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog_dir_rainer:tst:1

New content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver'.
--- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver
+++ xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver
@@ -10,6 +10,12 @@
 encrypt and off-load auditing.
 
 When using rsyslogd to off-load logs off an encryption system must be used.
+
+Set the following configuration option in /etc/rsyslog.conf or in a file in /etc/rsyslog.d (using legacy syntax):
+$DefaultNetstreamDriver gtls
+
+Alternatively, use the RainerScript syntax:
+global(DefaultNetstreamDriver="gtls")
 
 [reference]:
 CCI-001851
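Review bot: the context line "When using rsyslogd to off-load logs off an encryption system must be used." still reads "logs off ... must be used"; suggest "When using rsyslogd to off-load logs, an encryption system must be used." while the description is being touched. On the added example, global(DefaultNetstreamDriver="gtls") is a global() object rather than a per-action parameter like StreamDriverMode and StreamDriverAuthMode in the two sibling rules; a short sentence saying that it sets the default driver for all forwarding actions would help readers who are switching between the three descriptions.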

OVAL for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver' differs.
--- oval:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver:def:1
+++ oval:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver:def:1
@@ -1,4 +1,6 @@
 criteria AND
 criteria OR
 criterion oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog:tst:1
+criterion oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog_rainer:tst:1
 criterion oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog_dir:tst:1
+criterion oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog_dir_rainer:tst:1


github-actions bot commented May 20, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12010
This image was built from commit: e5bfb40


If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12010

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12010 make deploy-local

@marcusburghardt marcusburghardt self-assigned this May 22, 2024
Member

@marcusburghardt marcusburghardt left a comment


Besides the comments in specific files, the remediation for rule rsyslog_cron_logging is not working when the /etc/rsyslog.conf file is deleted, more specifically in the test scenario no_rsyslog_file.fail.sh. After the remediation, the rsyslog service can't be started. This issue was not introduced by this PR, but was revealed now. Could you take a look at it, please?

@jan-cerny
Collaborator Author

@marcusburghardt

Besides the comments in specific files, the remediation for rule rsyslog_cron_logging is not working when the /etc/rsyslog.conf file is deleted, more specifically in the test scenario no_rsyslog_file.fail.sh. After the remediation, the rsyslog service can't be started. This issue was not introduced by this PR, but was revealed now. Could you take a look at it, please?

Isn't the test scenario no_rsyslog_file.fail.sh stupid? It completely deletes the configuration files. I don't know if we can expect that the remediation for the rule will restore the configuration file and configure all other options that aren't directly mentioned in the rule.

@marcusburghardt
Member

rsyslog_cron_logging

Yes, I agree this test scenario is very weak. It is fine to remove the files in /etc/rsyslog.d, but it is not fine to remove the whole rsyslog.conf. The test scenario no_cron_logging.fail.sh seems enough to me.

Perhaps, just to keep a test without rsyslog.d files, we could just rename the no_rsyslog_file.fail.sh to no_rsyslog_d_files.fail.sh with a content similar to this:

#!/bin/bash

rm -rf /etc/rsyslog.d
sed -i '/^[[:space:]]*cron\.\*/d' /etc/rsyslog.conf

Member

@marcusburghardt marcusburghardt left a comment


Thanks @jan-cerny. It is much better after using variables for regex. Nice!!
I only suggested some comments to align the name of this rsyslog syntax to the official documentation: RainerScript

Once we solve the test scenario issue I believe we are good to merge.

The test scenario deleted the configuration file and that caused
the service to not start. We can't expect that the remediation
of a single rule will restore all other configuration options.
Instead, the test scenario will be changed to only remove the
configuration option but keep the configuration file.
@jan-cerny
Collaborator Author

/retest

@jan-cerny
Collaborator Author

I have changed and renamed the test scenario no_rsyslog_file.fail.sh. I have changed occurrences to RainerScript.

Rsyslog isn't installed by default. The missing header caused all
test scenarios to be evaluated as notapplicable on some test back ends.

codeclimate bot commented May 28, 2024

Code Climate has analyzed commit e5bfb40 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).


Member

@marcusburghardt marcusburghardt left a comment


Nice work. Thanks

@marcusburghardt marcusburghardt merged commit 4718919 into ComplianceAsCode:master May 28, 2024
112 of 113 checks passed
@marcusburghardt marcusburghardt changed the title Improve Rsyslog rules to support Rainer script syntax Improve Rsyslog rules to support RainerScript syntax May 28, 2024