From f986b7a2a13c6a4479e5c9c293f4f0f043a9cd80 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 26 Sep 2024 17:05:23 -0500 Subject: [PATCH 1/2] Move daemon.* to /var/log/messages --- .../ansible/shared.yml | 5 +++- .../bash/shared.sh | 5 ++-- .../rsyslog_remote_access_monitoring/rule.yml | 5 +++- .../tests/differnt_files.pass.sh | 29 +++++++++++++++++++ 4 files changed, 40 insertions(+), 4 deletions(-) create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/tests/differnt_files.pass.sh diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/ansible/shared.yml index 9ee228df2de..d52e9e25413 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/ansible/shared.yml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/ansible/shared.yml @@ -10,10 +10,13 @@ remote_methods: - selector: 'auth.*' regexp: ^.*auth\.\*.*$ + location: "/var/log/secure" - selector: 'authpriv.*' regexp: ^.*authpriv\.\*.*$ + location: "/var/log/secure" - selector: 'daemon.*' regexp: ^.*daemon\.\*.*$ + location: "/var/log/messages" - name: "{{{ rule_title }}}: Ensure rsyslog.conf exists" file: @@ -47,7 +50,7 @@ - name: "{{{ rule_title }}}: Configure" lineinfile: path: /etc/rsyslog.conf - line: "{{ item.item.0.selector }} /var/log/secure" + line: "{{ item.item.0.selector }} {{ item.item.0.location }}" insertafter: ^.*\/var\/log\/secure.*$ create: yes loop: '{{ remote_method_values.results }}' diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/bash/shared.sh index d0172a96388..e736f6c1ed8 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/bash/shared.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/bash/shared.sh @@ -1,25 +1,26 @@ # platform = multi_platform_all declare -A REMOTE_METHODS=( ['auth.*']='^[^#]*auth\.\*.*$' ['authpriv.*']='^[^#]*authpriv\.\*.*$' ['daemon.*']='^[^#]*daemon\.\*.*$' ) +declare -A LOCATIONS=( ['auth.*']='/var/log/secure' ['authpriv.*']='/var/log/secure' ['daemon.*']='/var/log/messages' ) if [[ ! -f /etc/rsyslog.conf ]]; then # Something is not right, create the file touch /etc/rsyslog.conf fi -APPEND_LINE=$(sed -rn '/^\S+\s+\/var\/log\/secure$/p' /etc/rsyslog.conf) # Loop through the remote methods associative array for K in "${!REMOTE_METHODS[@]}" do # Check to see if selector/value exists if ! grep -rq "${REMOTE_METHODS[$K]}" /etc/rsyslog.*; then + APPEND_LINE=$(sed -rn "/^\S+\s+\${LOCATIONS[$K]}$/p" /etc/rsyslog.conf) # Make sure we have a line to insert after, otherwise append to end if [[ ! -z ${APPEND_LINE} ]]; then # Add selector to file sed -r -i "0,/^(\S+\s+\/var\/log\/secure$)/s//\1\n${K} \/var\/log\/secure/" /etc/rsyslog.conf else - echo "${K} /var/log/secure" >> /etc/rsyslog.conf + echo "${K} ${LOCATIONS[$K]}" >> /etc/rsyslog.conf fi fi done diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml index 98805b2023e..c1f2165a1ef 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/rule.yml @@ -12,7 +12,10 @@ description: |- /etc/rsyslog.d/*.conf file should contain a match for the following selectors: auth.*, authpriv.*, and daemon.*. If not, use the following as an example configuration: -
auth.*;authpriv.*;daemon.*                              /var/log/secure
+ + auth.*;authpriv.* /var/log/secure + daemon.* /var/log/messages + rationale: |- Logging remote access methods can be used to trace the decrease the risks diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/tests/differnt_files.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/tests/differnt_files.pass.sh new file mode 100644 index 00000000000..782b9dec440 --- /dev/null +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/tests/differnt_files.pass.sh @@ -0,0 +1,29 @@ +#!/bin/bash +# platform = multi_platform_all + +declare -A REMOTE_METHODS=( ['auth.*']='^.*auth\.\*.*$' ['authpriv.*']='^.*authpriv\.\*.*$' ['daemon.*']='^.*daemon\.\*.*$' ) +RSYSLOG_CONF='/etc/rsyslog.conf' +RSYSLOG_D_FOLDER='/etc/rsyslog.d' +RSYSLOG_D_FILES='/etc/rsyslog.d/*' + + +# clean up .d conf files (if applicable) +if [[ -d ${RSYSLOG_D_FOLDER} ]]; then + for rsyslog_d_file in ${RSYSLOG_D_FILES} + do + for K in ${!REMOTE_METHODS[@]} + do + if grep -q "${REMOTE_METHODS[$K]}" ${rsyslog_d_file}; then + sed -i "/${REMOTE_METHODS[$K]}/d" ${rsyslog_d_file} + fi + done + done +fi + +if [[ ! -f /etc/rsyslog.conf ]]; then + # Something is not right, create the file + touch /etc/rsyslog.conf +fi + +echo "auth.*,authpriv.* /var/log/secure" >> $RSYSLOG_CONF +echo "daemon.* /var/log/messages" >> $RSYSLOG_CONF From 17ba62c318a808ac9a89b86d67ab49d7627f12b6 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Mon, 30 Sep 2024 11:01:59 -0500 Subject: [PATCH 2/2] Adjust tests based on feedback in #12433 --- .../{differnt_files.pass.sh => different_files.pass.sh} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/tests/{differnt_files.pass.sh => different_files.pass.sh} (77%) diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/tests/differnt_files.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/tests/different_files.pass.sh similarity index 77% rename from linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/tests/differnt_files.pass.sh rename to linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/tests/different_files.pass.sh index 782b9dec440..0eedb38a562 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/tests/differnt_files.pass.sh +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_remote_access_monitoring/tests/different_files.pass.sh @@ -13,8 +13,8 @@ if [[ -d ${RSYSLOG_D_FOLDER} ]]; then do for K in ${!REMOTE_METHODS[@]} do - if grep -q "${REMOTE_METHODS[$K]}" ${rsyslog_d_file}; then - sed -i "/${REMOTE_METHODS[$K]}/d" ${rsyslog_d_file} + if grep -q "$K" ${rsyslog_d_file}; then + sed -i "/$K/d" ${rsyslog_d_file} fi done done @@ -25,5 +25,5 @@ if [[ ! -f /etc/rsyslog.conf ]]; then touch /etc/rsyslog.conf fi -echo "auth.*,authpriv.* /var/log/secure" >> $RSYSLOG_CONF +echo "auth.*;authpriv.* /var/log/secure" >> $RSYSLOG_CONF echo "daemon.* /var/log/messages" >> $RSYSLOG_CONF