Hi Ray,

----- Original Message -----
> From: "Ray V CTR USARMY ARL Shaw (US)" <[email protected]>
> To: "SCAP Security Guide" <[email protected]>
> Sent: Friday, June 20, 2014 2:57:55 PM
> Subject: RE: [PATCH] [RHEL/6, RHEL/7, shared] Replace
> rsyslog_files_permissions OVAL unknown test stub with actual
> check implementation (UNCLASSIFIED)
>
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> Should it also search /etc/rsyslog.d/*.conf? It's possible that additional
> files could be specified there.

Right, good catch. Not just /etc/rsyslog.d/*.conf, but whatever file /
directory path (possibly) specified after the $IncludeConfig directive
(under the assumption it's not commented out):

  http://www.rsyslog.com/doc/rsconf1_includeconfig.html

Will come with another patch.

>
> [There are a couple of rules I've been wanting to add this to, but have
> unfortunately not been able to make time at work.]

That's another good point (check rules that might be recursively nesting
settings / other config files for their proper work. Will review the
current content for cases like this).

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

>
> --
> Ray Shaw (Contractor, STG)
> Army Research Laboratory
> CIO, Unix Support
>
>
> > -----Original Message-----
> > From: [email protected] [mailto:scap-
> > [email protected]] On Behalf Of Jan
> > Lieskovsky
> > Sent: Friday, June 20, 2014 5:51 AM
> > To: SCAP Security Guide
> > Subject: [PATCH] [RHEL/6, RHEL/7, shared] Replace
> > rsyslog_files_permissions OVAL unknown test stub with actual check
> > implementation
> >
> >
> > The proposed patch replaces rsyslog_files_permissions OVAL unknown test
> > stub with actual check implementation.
> >
> > The check:
> > * first searches /etc/rsyslog.conf for (uncommented) presence of
> >   /var/log/* log files paths and stores these paths into list,
> > * then selects just file objects (from all the system ones) having path
> >   matching some of the selected ones,
> > * lastly compares (via file object state) if the permissions are 0600
> >   or stronger.
> >
> > The change has been tested on both, RHEL-6 & RHEL-7 & seems to work
> > properly (=> update the test_attestations, created links & moved the
> > test to shared within the patch proposal too).
> >
> > Please review.
> >
> > Thank you && Regards, Jan.
> > --
> > Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> Classification: UNCLASSIFIED
> Caveats: NONE
>
>
>
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
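
The three steps of the check described in this thread, extended to follow uncommented $IncludeConfig directives as raised in the reply, written here as an added Python example (it is not the OVAL content from the patch and not code from either author). The function names, the `log_prefix` parameter and the sample config tree built in a temporary directory are assumptions constructed for the illustration.

```python
import glob, os, re, stat, tempfile
from pathlib import Path

INCLUDE_RE = re.compile(r"^\$IncludeConfig\s+(\S+)", re.I)  # anchored: "#" lines never match
ACTION_RE = re.compile(r"^[^$#\s]\S*\s+-?(/[^\s;]+)")  # selector, then a file action

def log_files(conf, log_prefix="/var/log/", seen=None):
    """Log paths named in conf and in every file reached through $IncludeConfig."""
    seen = set() if seen is None else seen
    real = os.path.realpath(conf)
    if real in seen or not os.path.isfile(real):
        return set()
    seen.add(real)  # guards against include loops
    found = set()
    with open(real) as fh:
        for line in map(str.strip, fh):
            inc, act = INCLUDE_RE.match(line), ACTION_RE.match(line)
            if inc:
                target = inc.group(1)
                pattern = os.path.join(target, "*") if os.path.isdir(target) else target
                for path in sorted(glob.glob(pattern)):
                    found |= log_files(path, log_prefix, seen)
            elif act and act.group(1).startswith(log_prefix):
                found.add(act.group(1))
    return found

def too_permissive(paths, allowed=0o600):
    """Map each existing file that has mode bits outside `allowed` to its mode."""
    modes = {p: stat.S_IMODE(os.stat(p).st_mode) for p in paths if os.path.isfile(p)}
    return {p: m for p, m in modes.items() if m & ~allowed}

def demo():
    """Run both steps on a constructed config tree built in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        logdir, dropin = f"{root}/var/log", f"{root}/rsyslog.d"
        os.makedirs(logdir)
        os.makedirs(dropin)
        conf = (f"$IncludeConfig {dropin}/*.conf\n#$IncludeConfig {root}/off.d/*.conf\n"
                f"*.info;mail.none  {logdir}/messages\n#cron.*  {logdir}/cron\n")
        Path(root, "rsyslog.conf").write_text(conf)
        Path(dropin, "app.conf").write_text(f"local3.*  -{logdir}/app.log\n")
        for name, mode in (("messages", 0o600), ("app.log", 0o644), ("cron", 0o644)):
            Path(logdir, name).touch()
            os.chmod(f"{logdir}/{name}", mode)
        found = log_files(f"{root}/rsyslog.conf", f"{logdir}/")
        bad = too_permissive(found)
        return sorted(map(os.path.basename, found)), {os.path.basename(p): oct(m) for p, m in bad.items()}

if __name__ == "__main__":
    print(demo())
```

In the constructed tree, `app.log` is only reachable through the drop-in file, so a check that reads the main config alone would miss its 0644 mode; the `cron` file is also 0644 but is not reported because its rule is commented out.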
