This patch modifies the behaviour of the original
ensure_logrotate_activated's
test_logrotate_conf_daily_setting sub-test so that it:
* not only checks whether a 'daily' setting is present in /etc/logrotate.conf
(at least one uncommented occurrence of it),
* but also whether it is not followed by an (uncommented) occurrence of one
of the weekly / monthly / yearly rotation directives that has global
meaning (IOW is not inside one of the {} block sections).
Various possibilities / combinations of /etc/logrotate.conf file, that can
occur (wrt to multiple directives present) has been tested, and the check
seems to be working properly on both, RHEL-6 & RHEL-7 (more testing
appreciated of course).
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
>From 32bbdecc7dda86f71f16cc8f0a47a02e959c717e Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Fri, 6 Jun 2014 14:01:54 +0200
Subject: [PATCH 2/2] [shared] Fix ensure_logrotate_activated OVAL check to
properly handle /etc/logrotate.conf format (last occurred rotate log
directive to be the by the check honoured one)
Signed-off-by: Jan Lieskovsky <[email protected]>
---
shared/oval/ensure_logrotate_activated.xml | 38 +++++++++++++++++++++++++-----
1 file changed, 32 insertions(+), 6 deletions(-)
diff --git a/shared/oval/ensure_logrotate_activated.xml b/shared/oval/ensure_logrotate_activated.xml
index c82b3a3..b0ab789 100644
--- a/shared/oval/ensure_logrotate_activated.xml
+++ b/shared/oval/ensure_logrotate_activated.xml
@@ -9,7 +9,7 @@
<description>
The frequency of automatic log files rotation performed by the logrotate utility should be configured to run daily
</description>
- <reference source="JL" ref_id="20140530" ref_url="test_attestation" />
+ <reference source="JL" ref_id="20140606" ref_url="test_attestation" />
</metadata>
<criteria comment="/etc/logrotate.conf contains daily setting or /etc/cron.daily/logrotate file exists" operator="OR">
<criterion comment="Check if daily is set in /etc/logrotate.conf"
@@ -22,22 +22,48 @@
<ind:textfilecontent54_test check="all" check_existence="all_exist"
comment="Tests the presence of daily setting in /etc/logrotate.conf file"
id="test_logrotate_conf_daily_setting" version="1">
- <ind:object object_ref="obj_logrotate_conf_daily_setting" />
+ <ind:object object_ref="object_logrotate_conf_daily_setting" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_logrotate_conf_daily_setting" version="1">
+ <ind:textfilecontent54_object id="object_logrotate_conf_daily_setting" version="2">
+ <!-- Read whole /etc/logrotate.conf at once (as single line) -->
+ <ind:behaviors singleline="true" />
<ind:filepath>/etc/logrotate.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*daily[\s]*$</ind:pattern>
+ <!-- From the content extract the text chunk after the last (uncommented)
+ occurrence of 'daily' keyword till the EOF (including the 'daily'
+ string itself) -->
+ <ind:pattern operation="pattern match">(?:daily)*.*(?=[\n][\s]*daily)(.*)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
+ <!-- From the found object exclude that one containing some (uncommented)
+ occurrence of (weekly / monthly / yearly) outside the {} block section
+ of /etc/logrotate.conf -->
+ <filter action="exclude">state_another_rotate_interval_after_daily</filter>
</ind:textfilecontent54_object>
+ <!-- This filter selects from previously found objects those containing
+ another (uncommented occurrence of) log files rotate interval setting
+ (one of weekly / monthly / yearly) present outside the {} block section
+ of /etc/logrotate.conf -->
+ <ind:textfilecontent54_state id="state_another_rotate_interval_after_daily" version="1">
+ <!-- if some of (weekly / monthly / yearly) uncommented setting is found
+ (in the previously selected chunk of text) in one of the following
+ parts:
+ * before the first '{' character,
+ * somewhere after '}' character and before another '{' character,
+ * after final '}' character and before end of the chunk
+ exclude such object from the found ones (since in that case earlier
+ daily setting would be replaced with the found setting) -->
+ <ind:subexpression datatype="string"
+ operation="pattern match">}[^{]+[\n][\s]*(weekly|monthly|yearly)|[\n][\s]*(weekly|monthly|yearly)[^}]+{</ind:subexpression>
+ </ind:textfilecontent54_state>
+
<ind:textfilecontent54_test check="all" check_existence="all_exist"
comment="Tests the existence of /etc/cron.daily/logrotate file (and verify it actually calls logrotate utility)"
id="test_cron_daily_logrotate_existence" version="1">
- <ind:object object_ref="obj_cron_daily_logrotate_existence" />
+ <ind:object object_ref="object_cron_daily_logrotate_existence" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_cron_daily_logrotate_existence" version="1">
+ <ind:textfilecontent54_object id="object_cron_daily_logrotate_existence" version="1">
<ind:filepath>/etc/cron.daily/logrotate</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*/usr/sbin/logrotate[\s]*/etc/logrotate.conf(?:.*)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
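Review bot: The exclude state's subexpression pattern (`}[^{]+[\n][\s]*(weekly|monthly|yearly)|[\n][\s]*(weekly|monthly|yearly)[^}]+{`) only fires when the captured chunk contains a `}` before or a `{` after the keyword, so a global `weekly`/`monthly`/`yearly` that follows the last `daily` in a logrotate.conf with no `{ }` sections at all (or where every block sits before that `daily` line) is never excluded and test_logrotate_conf_daily_setting still passes. Replacing the first alternative with a "no brace follows" form, e.g. `[\n][\s]*(weekly|monthly|yearly)(?:[^}]+{|[^{}]*$)`, keeps the existing block-local exclusion (a keyword followed by `}` matches neither branch) while also covering the brace-free tail. Separately, the object pattern `(?:daily)*.*(?=[\n][\s]*daily)(.*)$` anchors on the last `daily` anywhere in the file, including one inside a `{ }` block, so a block-local `daily` after a global `weekly` would still make the check pass; if that limitation is accepted it is worth stating in the comment above that `<ind:pattern>`. The closing of the `object_cron_daily_logrotate_existence` object runs past the end of the hunk.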
--
1.8.3.1