Bug 2072444 - [SCAP] PCI-DSS Rsyslog log files related rules fails for Rsyslog 8 RainerScript syntax
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.5
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Marcus Burghardt
QA Contact: Jiri Jaburek
Docs Contact: Jan Fiala
URL:
Whiteboard:
Depends On:
Blocks: 2168050 2168051 2168052
Reported: 2022-04-06 10:31 UTC by Ravindra Patil
Modified: 2023-05-16 10:03 UTC (History)

Fixed In Version: scap-security-guide-0.1.66-1.el8
Doc Type: Enhancement
Doc Text:
.`scap-security-guide` rules for Rsyslog log files are compatible with RainerScript

Rules in `scap-security-guide` for checking and remediating ownership, group ownership, and permissions of Rsyslog log files are now also compatible with log files defined by using the RainerScript syntax. Modern systems already use the RainerScript syntax in Rsyslog configuration files and the respective rules were not able to recognize this syntax. As a result, `scap-security-guide` rules can now check and remediate ownership, group ownership, and permissions of Rsyslog log files in both available syntaxes.
Clone Of:
Clones: 2168050 2168051 2168052 2169414
Environment:
Last Closed: 2023-05-16 08:39:27 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-118035 0 None None None 2022-04-06 10:41:03 UTC
Red Hat Product Errata RHBA-2023:2869 0 None None None 2023-05-16 08:40:27 UTC

Description Ravindra Patil 2022-04-06 10:31:51 UTC
Description of problem:

The PCI-DSS profile has rules for checking owner, group and permissions on all log files generated by rsyslog utility in /var/log directory. 

Configure Syslog
-> Ensure Proper Configuration of Log Files
   -> Ensure Log Files Are Owned By Appropriate Group
   -> Ensure Log Files Are Owned By Appropriate User
   -> Ensure System Log Files Have Correct Permissions

These compliance rules pass with the legacy syntax in rsyslog.conf and in files under /etc/rsyslog.d/, as these rule definitions are able to find the log files from /var/log/ and check their owner, group and permissions.

However, with the latest RainerScript syntax on rsyslog-8, these rules are failing as they are unable to find log files like /var/log/messages, /var/log/secure, etc., since the syntax has changed.

As per the pci-dss scan compliance report: No items have been found conforming to the following objects:
Object oval:ssg-object_rsyslog_files_ownership:obj:1 of type file_object

Filepath
^/etc/rsyslog.conf$
^/etc/rsyslog\.d/(?=[^.])[^/]*\.conf$
^/etc/rsyslog.conf$
^/etc/rsyslog\.d/(?=[^.])[^/]*\.conf$

Referenced variable has no values (oval:ssg-var_rfo_log_files_paths:var:1).

>> These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and /etc/rsyslog.d/*.conf.

Legacy Syntax:

*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.*                                                  /var/log/cron

However, with rsyslog-8 (on RHEL8) the default configuration uses the RainerScript syntax, and these 3 rules related to owner, group and ownership of log files always fail.

RainerScript Syntax:

*.info;daemon.*;kern.*;mail,authpriv,cron.none   action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="/var/log/messages")

# The authpriv file has restricted access
authpriv.*      action(type="omfile" FileCreateMode="0600" fileOwner="root" fileGroup="root" File="/var/log/secure")

# Log all mail to maillog
mail.*          action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" sync="off" File="/var/log/maillog")

# Log all cron to cron
cron.*          action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="/var/log/cron")

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.57-5.el8.noarch

How reproducible:
- Use RainerScript syntax or modern script for rsyslog configuration
- Scan system for PCI-DSS policy

Steps to Reproduce:
1. Change the configuration in rsyslog.conf or /etc/rsyslog.d/*.conf files to the modern syntax as below:

*.info;daemon.*;kern.*;mail,authpriv,cron.none   action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="/var/log/messages")

# The authpriv file has restricted access
authpriv.*      action(type="omfile" FileCreateMode="0600" fileOwner="root" fileGroup="root" File="/var/log/secure")

2. Scan system for PCI-DSS profile using openscap scanner. 
3. Check rules status for Rsyslog log files. 

Actual results:

- All 3 rules fail even with correct owner, group and permissions. 

xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
xccdf_org.ssgproject.content_rule_rsyslog_files_permissions

Expected results:

- These rules should be able to detect modern syntax and should be able to find the log files generated by rsyslog to check its owner, group and permissions. 

Additional info:
- Rsyslog 8 uses RainerScript to configure rsyslog log file creation.
https://www.rsyslog.com/doc/master/index.html
https://www.rsyslog.com/doc/master/rainerscript/index.html
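To make concrete what the three rules have to parse, here is an added example (written for this page; it is not code from the bug report, from openscap or from scap-security-guide): a small Python audit that extracts log file paths from both the legacy "selector path" lines and RainerScript `action(type="omfile" ... File="...")` blocks, then checks each file's owner, group and mode. The two sample configurations, the extra non-file targets in them (remote forwarding, user messages, `$IncludeConfig`), the `root:root` expectation and the 0640 limit are all constructed for illustration and are not the rules' actual variables.

```python
import glob
import grp
import os
import pwd
import re
import stat

# Constructed sample configs mirroring the two syntaxes quoted in the bug report.
# A few non-file targets are added to show what must NOT be treated as a log file.
LEGACY_CONF = """\
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
*.*                                                     @@loghost.example.invalid:514
"""

RAINERSCRIPT_CONF = """\
module(load="imuxsock")
*.info;daemon.*;kern.*;mail,authpriv,cron.none   action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" File="/var/log/messages")
# The authpriv file has restricted access
authpriv.*      action(type="omfile" FileCreateMode="0600" fileOwner="root" fileGroup="root" File="/var/log/secure")
mail.*          action(type="omfile" FileCreateMode="0640" fileOwner="root" fileGroup="hoiadm" sync="off" File="/var/log/maillog")
cron.*          action(type="omfile"
                       FileCreateMode="0640"
                       File="/var/log/cron")
*.*             action(type="omfwd" target="loghost.example.invalid" port="514")
"""

# Legacy rule line: "<selector> <target>"; a leading "-" on the target only disables sync.
# Targets that are not absolute paths (@host, :omusrmsg:, |pipe, ~) are not log files,
# and "$..." directives such as $IncludeConfig are skipped entirely.
LEGACY_RE = re.compile(r"^\s*([^\s#$]\S*)\s+-?(/\S+)\s*$")
# RainerScript action(...) with quoted name="value" parameters; rsyslog parameter
# names are case-insensitive, so keys are lower-cased before lookup.
ACTION_RE = re.compile(r"action\s*\((.*?)\)", re.DOTALL)
PARAM_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def extract_log_files(config_text):
    """Return log files written by omfile rules in either syntax, in order, deduplicated."""
    lines = [ln for ln in config_text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    paths = []
    for line in lines:
        m = LEGACY_RE.match(line)
        if m:
            paths.append(m.group(2))
    # Second pass over the joined text so multi-line action(...) blocks are parsed too.
    for action in ACTION_RE.finditer("\n".join(lines)):
        params = {k.lower(): v for k, v in PARAM_RE.findall(action.group(1))}
        if params.get("type", "").lower() == "omfile" and "file" in params:
            paths.append(params["file"])
    return list(dict.fromkeys(paths))


def mode_within(st_mode, max_mode=0o640):
    """True when the permission bits of st_mode are a subset of max_mode."""
    return (stat.S_IMODE(st_mode) & ~max_mode) == 0


def _name(lookup, ident):
    try:
        return lookup(ident)
    except KeyError:  # uid/gid with no passwd/group entry
        return str(ident)


def check_log_file(path, owner="root", group="root", max_mode=0o640):
    """Audit one log file; returns a list of findings (empty means compliant)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist (rsyslog has not created it yet)"]
    findings = []
    actual_owner = _name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid)
    actual_group = _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid)
    if actual_owner != owner:
        findings.append(f"{path}: owner {actual_owner}, expected {owner}")
    if actual_group != group:
        findings.append(f"{path}: group {actual_group}, expected {group}")
    if not mode_within(st.st_mode, max_mode):
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} exceeds {max_mode:04o}")
    return findings


def audit_rsyslog(config_files=None):
    """Collect log files from the live rsyslog configuration and audit each one."""
    if config_files is None:
        config_files = ["/etc/rsyslog.conf"] + sorted(glob.glob("/etc/rsyslog.d/*.conf"))
    text = ""
    for conf in config_files:
        try:
            with open(conf, encoding="utf-8", errors="replace") as fh:
                text += fh.read() + "\n"
        except OSError:  # unreadable or absent config file: nothing to parse
            continue
    return {path: check_log_file(path) for path in extract_log_files(text)}


if __name__ == "__main__":
    for sample in (LEGACY_CONF, RAINERSCRIPT_CONF):
        print(extract_log_files(sample))
    for path, findings in audit_rsyslog().items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Both sample configs yield the same four paths, which is exactly what the report expects the OVAL variable `oval:ssg-var_rfo_log_files_paths:var:1` to contain; a check that only knows the legacy second-column form leaves that variable empty on a RainerScript system, and every file-based test then has nothing to evaluate and fails. Parsing the whole text in a second pass matters because RainerScript allows an `action(...)` block to span several lines.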

Comment 12 Marcus Burghardt 2023-02-03 07:23:31 UTC
The improvements to make the 3 mentioned rules compatible with RainerScript syntax are already merged in Upstream:
- https://github.com/ComplianceAsCode/content/pull/9789
- https://github.com/ComplianceAsCode/content/pull/10139

Comment 29 errata-xmlrpc 2023-05-16 08:39:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2869

