Bug 2072444

Summary: [SCAP] PCI-DSS Rsyslog log files related rules fails for Rsyslog 8 RainerScript syntax
Product: Red Hat Enterprise Linux 8
Reporter: Ravindra Patil <ravpatil>
Component: scap-security-guide
Assignee: Marcus Burghardt <maburgha>
Status: CLOSED ERRATA
QA Contact: Jiri Jaburek <jjaburek>
Severity: urgent
Docs Contact: Jan Fiala <jafiala>
Priority: unspecified
Version: 8.5
CC: ggasparb, jafiala, jjaburek, maburgha, mhaicman, mlysonek, peter.vreman, wsato
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: scap-security-guide-0.1.66-1.el8
Doc Type: Enhancement
Doc Text:
.`scap-security-guide` rules for Rsyslog log files are compatible with RainerScript
Rules in `scap-security-guide` for checking and remediating ownership, group ownership, and permissions of Rsyslog log files are now also compatible with log files defined by using the RainerScript syntax. Modern systems already use the RainerScript syntax in Rsyslog configuration files and the respective rules were not able to recognize this syntax. As a result, `scap-security-guide` rules can now check and remediate ownership, group ownership, and permissions of Rsyslog log files in both available syntaxes.
Story Points: ---
Clone Of:
: 2168050 2168051 2168052 2169414
Environment:
Last Closed: 2023-05-16 08:39:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2168050, 2168051, 2168052

Description Ravindra Patil 2022-04-06 10:31:51 UTC
Description of problem:

The PCI-DSS profile has rules for checking owner, group and permissions on all log files generated by the rsyslog utility in the /var/log directory.

Configure Syslog
-> Ensure Proper Configuration of Log Files
   -> Ensure Log Files Are Owned By Appropriate Group
   -> Ensure Log Files Are Owned By Appropriate User
   -> Ensure System Log Files Have Correct Permissions

These compliance rules pass with the legacy syntax in rsyslog.conf and files in /etc/rsyslog.d/, as the rule definitions are able to find the log files under /var/log/ and to check owner, group and permissions.

However, with the latest RainerScript syntax on rsyslog-8, these rules fail, as they are unable to find log files like /var/log/messages, /var/log/secure, etc., because the syntax has changed.

As per the PCI-DSS scan compliance report: No items have been found conforming to the following objects:
Object oval:ssg-object_rsyslog_files_ownership:obj:1 of type file_object

Filepath
^/etc/rsyslog.conf$
^/etc/rsyslog\.d/(?=[^.])[^/]*\.conf$
^/etc/rsyslog.conf$
^/etc/rsyslog\.d/(?=[^.])[^/]*\.conf$

Referenced variable has no values (oval:ssg-var_rfo_log_files_paths:var:1).

>> These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and /etc/rsyslog.d/*.conf.

Legacy Syntax :

*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.*                                                  /var/log/cron

However, with rsyslog-8 on RHEL 8, where the default configuration uses RainerScript syntax, these 3 rules related to owner, group and permissions of log files always fail.

RainerScript Syntax:

*.info;daemon.*;kern.*;mail,authpriv,cron.none   action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="/var/log/messages")

# The authpriv file has restricted access
authpriv.*      action(type="omfile" FileCreateMode="0600" fileOwner="root" fileGroup="root" File="/var/log/secure")

# Log all mail to maillog
mail.*          action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" sync="off" File="/var/log/maillog")

# Log all cron to cron
cron.*          action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="/var/log/cron")

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.57-5.el8.noarch

How reproducible:
- Use RainerScript syntax or modern script for rsyslog configuration
- Scan system for PCI-DSS policy

Steps to Reproduce:
1. Change the configuration in rsyslog.conf or /etc/rsyslog.d/*.conf files to the modern syntax as below:

*.info;daemon.*;kern.*;mail,authpriv,cron.none   action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="/var/log/messages")

# The authpriv file has restricted access
authpriv.*      action(type="omfile" FileCreateMode="0600" fileOwner="root" fileGroup="root" File="/var/log/secure")

2. Scan system for PCI-DSS profile using openscap scanner. 
3. Check rules status for Rsyslog log files. 

Actual results:

- All 3 rules fail even with correct owner, group and permissions. 

xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
xccdf_org.ssgproject.content_rule_rsyslog_files_permissions

Expected results:

- These rules should be able to detect the modern syntax and find the log files generated by rsyslog to check their owner, group and permissions.

Additional info:
- Rsyslog 8 uses RainerScript to configure rsyslog log file creation.
https://www.rsyslog.com/doc/master/index.html
https://www.rsyslog.com/doc/master/rainerscript/index.html
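The report explains the root cause: the OVAL variable `oval:ssg-var_rfo_log_files_paths` is filled from the second field of each legacy rule line, so an `action(type="omfile" ... File="...")` object yields no paths and the three rules fail even on a correctly permissioned system. The following is an added example, not code from scap-security-guide or from the bug report, showing what a checker has to do to cover both syntaxes: collect the absolute file targets from legacy rule lines, collect the `File=` parameter of every `omfile` action (parameter names are case-insensitive in RainerScript, and the object may span lines), and then audit owner, group and mode of each resulting path. The configuration fragment, the `loghost.example.com` host and the scratch file used by the audit demo are constructed for this example; the `hoiadm` group is taken from the report.

```python
"""
Added example (not scap-security-guide code): extract the log files that
rsyslog will write from both legacy and RainerScript syntax, then audit
owner, group and mode of each file the way the three PCI-DSS rules do.
"""
import os
import re
import stat
import tempfile

# Constructed config fragment mixing the two syntaxes seen in the bug report.
SAMPLE_CONF = """
# Legacy syntax
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
*.emerg                                                 :omusrmsg:*
*.*                                                     @@loghost.example.com:514
$WorkDirectory /var/lib/rsyslog

# RainerScript syntax (parameter names are case-insensitive)
cron.*          action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="/var/log/cron")
local7.*        action(type="omfile"
                       file="/var/log/boot.log")
*.*             action(type="omfwd" target="loghost.example.com" port="514" protocol="tcp")
"""

# Legacy rule line: <selector> <whitespace> [-]<absolute path>.  A leading '-'
# means asynchronous writes.  Comment lines and $Directives are excluded so
# that e.g. "$WorkDirectory /var/lib/rsyslog" is not mistaken for a log file.
LEGACY_RULE = re.compile(r'^\s*([^\s#$]\S*)\s+-?(/\S+)\s*$', re.MULTILINE)
# RainerScript action(...) object; the parameter list may span several lines.
# A ')' inside a quoted value would end the match early; not handled here.
ACTION = re.compile(r'action\s*\(([^)]*)\)', re.IGNORECASE | re.DOTALL)
PARAM = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def log_files_legacy(conf: str) -> list[str]:
    """Targets of legacy rule lines that are absolute file paths
    (remote hosts, user messages and other non-file targets are skipped)."""
    return [m.group(2) for m in LEGACY_RULE.finditer(conf)]


def log_files_rainerscript(conf: str) -> list[str]:
    """File= parameter of every omfile action.  Actions of other output
    modules and omfile actions using dynaFile templates are skipped."""
    paths = []
    for m in ACTION.finditer(conf):
        params = {k.lower(): v for k, v in PARAM.findall(m.group(1))}
        if params.get("type", "").lower() == "omfile" and "file" in params:
            paths.append(params["file"])
    return paths


def rsyslog_log_files(conf: str) -> list[str]:
    """Union of both syntaxes, in order of first appearance, without duplicates."""
    seen = []
    for p in log_files_legacy(conf) + log_files_rainerscript(conf):
        if p not in seen:
            seen.append(p)
    return seen


def audit_log_file(path: str, uid: int = 0, gid: int = 0, max_mode: int = 0o640) -> list[str]:
    """Findings for one file: wrong owner uid, wrong group gid, or permission
    bits set beyond max_mode (the PCI-DSS rules expect root:root and 0640)."""
    st = os.stat(path)
    findings = []
    if st.st_uid != uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {uid}")
    if st.st_gid != gid:
        findings.append(f"{path}: group gid {st.st_gid}, expected {gid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~max_mode:
        findings.append(f"{path}: mode {mode:04o} exceeds {max_mode:04o}")
    return findings


def demo_permission_audit() -> tuple[list[str], list[str]]:
    """Create a scratch file owned by the current user, audit it at 0644,
    tighten it to 0640 and audit again.  Returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "messages")
        with open(p, "w") as f:
            f.write("constructed log line\n")
        os.chmod(p, 0o644)
        before = audit_log_file(p, uid=os.geteuid(), gid=os.getegid())
        os.chmod(p, 0o640)
        after = audit_log_file(p, uid=os.geteuid(), gid=os.getegid())
    return before, after


if __name__ == "__main__":
    for path in rsyslog_log_files(SAMPLE_CONF):
        print("rsyslog log file:", path)
    before, after = demo_permission_audit()
    print("findings at 0644:", before)
    print("findings at 0640:", after)
```

Run against a real system the same functions would be fed the concatenation of `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf`, and `audit_log_file` would be called with the uid and gid of `root` on each path that exists; the point of the example is that the RainerScript extraction alone recovers `/var/log/cron` and `/var/log/boot.log`, which a legacy-only parser, like the original OVAL variable, never sees.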

Comment 12 Marcus Burghardt 2023-02-03 07:23:31 UTC
The improvements to make the 3 mentioned rules compatible with RainerScript syntax are already merged in Upstream:
- https://github.com/ComplianceAsCode/content/pull/9789
- https://github.com/ComplianceAsCode/content/pull/10139

Comment 29 errata-xmlrpc 2023-05-16 08:39:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2869