From 32bbdecc7dda86f71f16cc8f0a47a02e959c717e Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Fri, 6 Jun 2014 14:09:33 +0200
Subject: [PATCH 0/2] Finish logrotate_rotate_all_files => ensure_logrotate_activated transition. Replace ensure_logrotate_activated unknown test stub with actual OVAL check implementation.

Based on the promise in:
[1] https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-June/005649.html
the following patchset finishes the logrotate_rotate_all_files to ensure_logrotate_activated transition. The first patch [1/2] is identical with the original one from:
[2] https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-May/005640.html
But in addition to that one, the ensure_logrotate_activated.xml OVAL check in [shared] has been modified via patch [2/2] to properly honour the syntax / behaviour of the /etc/logrotate.conf file (the last uncommented rotate log setting present is actually the honoured one).

Implementing the test was pretty challenging (considering the possibilities the OVAL language brings to check complex configuration files). Needed to try a couple of alternatives, but the following one seems to be working properly.

Note: When testing the change, be sure to comment out the 'test_cron_daily_logrotate_existence' sub-test (or move the /etc/cron.daily/logrotate file to a temporary backup with a different name) to actually see how the behaviour of the 'test_logrotate_conf_daily_setting' OVAL check changed (to actually see that changes made to /etc/logrotate.conf have an impact on the final result of the XCCDF rule scan).

Testing status: The proposed change has been tested on both (RHEL-6, RHEL-7) products, and works properly in all the various cases of /etc/logrotate.conf config file format that might occur (as far as I have tested & can tell).

The underlying regular expressions are pretty complex, but hopefully the comments before / around them will clarify the idea behind the test's work. Should there be a need to clarify some part of them, feel free to ask.

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

Jan Lieskovsky (2):
  [RHEL/6, RHEL/7, shared] Finish logrotate_rotate_all_files => ensure_logrotate_activated transition. Replace ensure_logrotate_activated unknown test stub with actual OVAL check implementation.
  [shared] Fix ensure_logrotate_activated OVAL check to properly handle /etc/logrotate.conf format (last occurred rotate log directive to be the by the check honoured one)

 RHEL/6/input/checks/ensure_logrotate_activated.xml | 21 +------
 RHEL/6/input/system/logging.xml                    |  2 +-
 RHEL/7/input/checks/ensure_logrotate_activated.xml |  1 +
 RHEL/7/input/system/logging.xml                    |  2 +-
 shared/oval/ensure_logrotate_activated.xml         | 72 ++++++++++++++++++++++
 5 files changed, 76 insertions(+), 22 deletions(-)
 mode change 100644 => 120000 RHEL/6/input/checks/ensure_logrotate_activated.xml
 create mode 120000 RHEL/7/input/checks/ensure_logrotate_activated.xml
 create mode 100644 shared/oval/ensure_logrotate_activated.xml
--
1.8.3.1
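
The "last uncommented rotate log setting wins" behaviour described in the cover letter, as an added Python example that is not part of the patchset and is not the OVAL check itself. It assumes only global-scope directives count (per-log `{ ... }` stanzas are skipped), does not follow `include` lines, and the function names and sample file are hypothetical.

```python
import re

# Rotation-interval keywords accepted by logrotate.
FREQUENCIES = ("hourly", "daily", "weekly", "monthly", "yearly")
_FREQ_RE = re.compile(r"^(%s)(?:\s|$)" % "|".join(FREQUENCIES))

# Constructed sample, not taken from the patch or from any real host.
SAMPLE_CONF = """\
# see "man logrotate" for details
weekly
rotate 4
#daily
/var/log/wtmp {
    monthly
    rotate 1
}
daily
"""


def effective_global_frequency(conf_text):
    """Return the last uncommented global rotation interval, or None."""
    depth = 0          # > 0 while inside a per-log "{ ... }" stanza
    effective = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue   # blank line or commented-out directive
        if depth == 0:
            match = _FREQ_RE.match(line)
            if match:
                effective = match.group(1)  # later directive overrides earlier
        # Track stanza nesting so per-log settings are not mistaken for global.
        depth = max(depth + line.count("{") - line.count("}"), 0)
    return effective


def is_daily_rotation(conf_text):
    """True when the effective global setting is 'daily' (assumed pass rule)."""
    return effective_global_frequency(conf_text) == "daily"


if __name__ == "__main__":
    print(effective_global_frequency(SAMPLE_CONF))
```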