Skip to content

Commit

Permalink
Merge pull request ComplianceAsCode#12433 from Mab879/update_rsyslog_…
Browse files Browse the repository at this point in the history
…remote_access_monitoring

Move daemon.* to /var/log/messages
  • Loading branch information
jan-cerny authored Oct 2, 2024
2 parents 00ac2b4 + 17ba62c commit 3568eae
Show file tree
Hide file tree
Showing 4 changed files with 40 additions and 4 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -10,10 +10,13 @@
remote_methods:
- selector: 'auth.*'
regexp: ^.*auth\.\*.*$
location: "/var/log/secure"
- selector: 'authpriv.*'
regexp: ^.*authpriv\.\*.*$
location: "/var/log/secure"
- selector: 'daemon.*'
regexp: ^.*daemon\.\*.*$
location: "/var/log/messages"

- name: "{{{ rule_title }}}: Ensure rsyslog.conf exists"
file:
Expand Down Expand Up @@ -47,7 +50,7 @@
- name: "{{{ rule_title }}}: Configure"
lineinfile:
path: /etc/rsyslog.conf
line: "{{ item.item.0.selector }} /var/log/secure"
line: "{{ item.item.0.selector }} {{ item.item.0.location }}"
insertafter: ^.*\/var\/log\/secure.*$
create: yes
loop: '{{ remote_method_values.results }}'
Expand Down
Original file line number Diff line number Diff line change
@@ -1,25 +1,26 @@
# platform = multi_platform_all

declare -A REMOTE_METHODS=( ['auth.*']='^[^#]*auth\.\*.*$' ['authpriv.*']='^[^#]*authpriv\.\*.*$' ['daemon.*']='^[^#]*daemon\.\*.*$' )
declare -A LOCATIONS=( ['auth.*']='/var/log/secure' ['authpriv.*']='/var/log/secure' ['daemon.*']='/var/log/messages' )

if [[ ! -f /etc/rsyslog.conf ]]; then
# Something is not right, create the file
touch /etc/rsyslog.conf
fi

APPEND_LINE=$(sed -rn '/^\S+\s+\/var\/log\/secure$/p' /etc/rsyslog.conf)

# Loop through the remote methods associative array
for K in "${!REMOTE_METHODS[@]}"
do
# Check to see if selector/value exists
if ! grep -rq "${REMOTE_METHODS[$K]}" /etc/rsyslog.*; then
APPEND_LINE=$(sed -rn "/^\S+\s+\${LOCATIONS[$K]}$/p" /etc/rsyslog.conf)
# Make sure we have a line to insert after, otherwise append to end
if [[ ! -z ${APPEND_LINE} ]]; then
# Add selector to file
sed -r -i "0,/^(\S+\s+\/var\/log\/secure$)/s//\1\n${K} \/var\/log\/secure/" /etc/rsyslog.conf
else
echo "${K} /var/log/secure" >> /etc/rsyslog.conf
echo "${K} ${LOCATIONS[$K]}" >> /etc/rsyslog.conf
fi
fi
done
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,10 @@ description: |-
<tt>/etc/rsyslog.d/*.conf</tt> file should contain a match for the following
selectors: <tt>auth.*</tt>, <tt>authpriv.*</tt>, and <tt>daemon.*</tt>. If
not, use the following as an example configuration:
<pre>auth.*;authpriv.*;daemon.* /var/log/secure</pre>
<code>
auth.*;authpriv.* /var/log/secure
daemon.* /var/log/messages
</code>
rationale: |-
Logging remote access methods can be used to trace the decrease the risks
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
#!/bin/bash
# platform = multi_platform_all

declare -A REMOTE_METHODS=( ['auth.*']='^.*auth\.\*.*$' ['authpriv.*']='^.*authpriv\.\*.*$' ['daemon.*']='^.*daemon\.\*.*$' )
RSYSLOG_CONF='/etc/rsyslog.conf'
RSYSLOG_D_FOLDER='/etc/rsyslog.d'
RSYSLOG_D_FILES='/etc/rsyslog.d/*'


# clean up .d conf files (if applicable)
if [[ -d ${RSYSLOG_D_FOLDER} ]]; then
for rsyslog_d_file in ${RSYSLOG_D_FILES}
do
for K in ${!REMOTE_METHODS[@]}
do
if grep -q "$K" ${rsyslog_d_file}; then
sed -i "/$K/d" ${rsyslog_d_file}
fi
done
done
fi

if [[ ! -f /etc/rsyslog.conf ]]; then
# Something is not right, create the file
touch /etc/rsyslog.conf
fi

echo "auth.*;authpriv.* /var/log/secure" >> $RSYSLOG_CONF
echo "daemon.* /var/log/messages" >> $RSYSLOG_CONF

0 comments on commit 3568eae

Please sign in to comment.