Bug 2176548

Summary: [RHEL8.7/SCAP/Rsyslog] Rainier syntax not valid for cron and netstreamdriver parameters
Product: Red Hat Enterprise Linux 8
Component: scap-security-guide
Version: 8.7
Status: NEW
Severity: unspecified
Priority: unspecified
Keywords: Triaged
Target Milestone: rc
Type: Bug
Hardware: Unspecified
OS: Unspecified
Reporter: Ravindra Patil <ravpatil>
Assignee: Vojtech Polasek <vpolasek>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: ggasparb, mhaicman, mlysonek, peter.vreman, sbalasub, vpolasek, wsato

Description Ravindra Patil 2023-03-08 16:14:44 UTC
Description of problem:

In the latest scap-security-guide 0.1.66, the Rainer syntax is still not fully supported.

The SCAP rule xccdf_org.ssgproject.content_rule_rsyslog_cron_logging is not accepting the following Rainer syntax line:
~~~
cron.*          action(name="local-cron" type="omfile" FileCreateMode="0600" fileOwner="root" fileGroup="root" File="/var/log/cron")
~~~

Version-Release number of selected component (if applicable):
0.1.66-2.el8_7.noarch

How reproducible:

- Configure Rainer syntax for collecting cron logs.

~~~
# vi /etc/rsyslog.conf
cron.*          action(name="local-cron" type="omfile" FileCreateMode="0600" fileOwner="root" fileGroup="root" File="/var/log/cron")
~~~

Steps to Reproduce:
1. Replace the legacy configuration for cron logs with RainerScript syntax.

~~~
# vi /etc/rsyslog.conf
~~~

2. Restart rsyslog to load the changes.

3. Scan the system for SCAP rule: xccdf_org.ssgproject.content_rule_rsyslog_cron_logging

Actual results:
The Rainer syntax is not validated.

Expected results:
The Rainer syntax for cron log configuration should be validated.

Additional info:

Similarly, netstreamdriver parameters should be validated if configured in Rainer syntax.

The following rules are impacted:

- xccdf_org.ssgproject.content_rule_rsyslog_cron_logging
- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode
- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode
- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver
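
The behaviour requested above for the cron logging rule, as an added example that is not part of the original report and is not scap-security-guide's own check: a small Python checker that accepts the cron log target in either the legacy form or the single-line `action()` form quoted in the report. The function names and the sample inputs are constructed for illustration; multi-line actions and included files are assumed out of scope.

```python
import re

# Legacy selector + file target, e.g. "cron.*   /var/log/cron" ("-" prefix = async write).
LEGACY = re.compile(r'^\s*cron\.\*\s+-?(/\S+)\s*$')
# Selector + single-line RainerScript action(...), as in the line quoted in the report.
ACTION = re.compile(r'^\s*cron\.\*\s+action\((.*)\)\s*$')
# key="value" parameters inside action(...).
PARAM = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def cron_log_targets(conf_text):
    """Return the file paths that receive cron.* messages, in either syntax."""
    targets = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith('#'):
            continue  # a commented-out rule does not count
        legacy = LEGACY.match(line)
        if legacy:
            targets.append(legacy.group(1))
            continue
        action = ACTION.match(line)
        if action:
            # rsyslog parameter names are case-insensitive (File= vs file=).
            params = {k.lower(): v for k, v in PARAM.findall(action.group(1))}
            if params.get('type') == 'omfile' and 'file' in params:
                targets.append(params['file'])
    return targets


def cron_logging_configured(conf_text, expected='/var/log/cron'):
    """True if cron.* is written to the expected file by either form."""
    return expected in cron_log_targets(conf_text)


# Constructed sample inputs; the second is the line quoted in the report.
LEGACY_CONF = 'cron.*                          /var/log/cron\n'
RAINER_CONF = ('cron.*          action(name="local-cron" type="omfile" '
               'FileCreateMode="0600" fileOwner="root" fileGroup="root" '
               'File="/var/log/cron")\n')

if __name__ == '__main__':
    for name, conf in (('legacy', LEGACY_CONF), ('RainerScript', RAINER_CONF)):
        print(name, cron_logging_configured(conf))
```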