Fix rsyslog CI issues #14754
Draft
Mab879 wants to merge 6 commits into
Co-authored-by: Claude Sonnet 4.5 <claude-sonnet-4-5@anthropic.com>
The RainerScript action(type="omfile" ...) parser in both the bash and Ansible remediations had two bugs that prevented log file paths from being correctly extracted on default RHEL10/CS10 rsyslog configurations.

In bash.template:
- grep -iozP stored NUL-separated matches into a bash variable via $(...), which silently strips NUL bytes and collapses all matches into one corrupted string. Fixed by piping through tr '\0' '\n' to convert NUL separators to newlines before storing.
- The extracted paths were appended as a single newline-joined string (one array element) instead of individual elements, so chmod/chown/chgrp received a literal multi-line filename that does not exist. Fixed by using readarray to split output into individual elements.

In ansible.template:
- The File= capture regex had a trailing \s*\) that required the closing parenthesis to immediately follow the quoted value, failing to match any action() block where File= is not the last attribute (e.g. when sync="on" follows). Removed the suffix to match File= anywhere within the action() block.

Co-authored-by: Claude Sonnet 4.5 <claude-sonnet-4-5@anthropic.com>
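An added example, not code from this PR or from ComplianceAsCode: the extraction pipeline the commit describes after the fix, beside the pre-fix variant, run over a constructed rsyslog.conf fragment so the difference is visible. The sample config, the function names and the two element-counting helpers are assumptions made for the illustration; the grep/tr/readarray pipeline itself is the one the commit message describes. It needs bash (readarray, process substitution) and GNU grep with PCRE support.

```bash
#!/usr/bin/env bash
# Added example (not ComplianceAsCode code): omfile path extraction as fixed
# in this PR, beside the pre-fix pipeline, over a constructed config sample.
set -o pipefail

# Constructed sample: File= is not the last attribute in the first action,
# the second action spans two lines, the third targets /dev/ and must be
# excluded. None of this is a real host's configuration.
make_sample_conf() {   # $1 = path to write
  cat > "$1" <<'EOF'
*.info;mail.none  action(type="omfile" File="/var/log/messages" sync="on")
authpriv.*        action(type="omfile"
                         File="/var/log/secure")
*.emerg           action(type="omfile" File="/dev/console")
EOF
}

# Fixed pipeline: -z makes the whole file one record so action() may span
# lines and -o emits each match NUL-terminated; tr turns those NULs into
# newlines BEFORE $(...) would silently drop them. The File= regex no longer
# demands ")" right after the value, so sync="on" after it is fine.
extract_omfile_paths() {   # $1 = config file; one path per line on stdout
  local conf=$1 action_blocks omfile_lines
  action_blocks=$(grep -ioPz 'action\s*\(\s*type\s*=\s*"omfile"[^\)]*\)' "$conf" | tr '\0' '\n')
  omfile_lines=$(echo "$action_blocks" | grep -iaoP '\bFile\s*=\s*"([/[:alnum:][:punct:]]*)"')
  echo "$omfile_lines" | grep -oE '"([/[:alnum:][:punct:]]*)"' | tr -d '"' | grep -v '^/dev/'
}

# Pre-fix pipeline for comparison: $(...) strips the NUL separators (newer
# bash warns "ignored null byte in input") and glues all matches into one
# string, and the trailing \s*\) only matches File= when it is the last
# attribute, so /var/log/messages is lost.
extract_omfile_paths_prefix() {
  local conf=$1 action_blocks omfile_lines
  action_blocks=$(grep -iozP 'action\s*\(\s*type\s*=\s*"omfile"[^\)]*\)' "$conf")
  omfile_lines=$(echo "$action_blocks" | grep -iaoP '\bFile\s*=\s*"([/[:alnum:][:punct:]]*)"\s*\)')
  echo "$omfile_lines" | grep -oE '"([/[:alnum:][:punct:]]*)"' | tr -d '"' | grep -v '^/dev/'
}

# The readarray half of the fix: one array element per path, so a later
# chmod/chown/chgrp sees real filenames.
count_omfile_paths() {   # $1 = config file; prints the number of elements
  local -a paths
  readarray -t paths < <(extract_omfile_paths "$1")
  echo "${#paths[@]}"
}

# The old append for comparison: the whole joined output lands in ONE element,
# i.e. a "filename" containing a newline that no file system has.
count_omfile_paths_joined() {
  local -a paths=()
  paths+=("$(extract_omfile_paths "$1")")
  echo "${#paths[@]}"
}

# Demo on the constructed sample (never reads /etc).
sample=$(mktemp)
make_sample_conf "$sample"
echo "fixed:";    extract_omfile_paths "$sample"
echo "elements:"; count_omfile_paths "$sample"
echo "joined:";   count_omfile_paths_joined "$sample"
echo "pre-fix:";  extract_omfile_paths_prefix "$sample"
rm -f "$sample"
```

The pre-fix run also shows the bash warning about ignored NUL bytes on stderr, which is the symptom that led to the `tr '\0' '\n'` change.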
Only try and do the file_cmd if the file exists. Should cut down on odd failures. Co-authored-by: Claude Sonnet 4.5 <claude-sonnet-4-5@anthropic.com>
Co-authored-by: Claude Sonnet 4.5 <claude-sonnet-4-5@anthropic.com>
This should better handle log files that don't exist. Co-authored-by: Claude Sonnet 4.5 <claude-sonnet-4-5@anthropic.com>
Skipping CI for Draft Pull Request.
bash/shared.sh:
- Replace bare glob `sed` with `find -exec` to avoid a non-zero exit when /etc/rsyslog.d/ is empty, which OpenSCAP --remediate treats as a failure
- Guard `systemctl restart` with an is-system-running != "offline" check so the remediation does not fail in containers or kickstart environments
- Make the restart conditional on changes actually having been made

ansible/shared.yml:
- Register results from the "Add" and "Ensure Correct Value" lineinfile tasks
- Add a service restart task that fires only when any of the three config-modifying tasks report a change, matching the behaviour of the bash remediation

Co-authored-by: Claude Sonnet 4.5 <claude-sonnet-4-5@anthropic.com>
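As an added example that is not part of this PR or of ComplianceAsCode: the $FileCreateMode remediation written as a function that takes the rsyslog.conf path and the drop-in directory as parameters, so it can be exercised on a scratch directory instead of /etc. It keeps the `find -exec` sweep and the restart-only-on-change idea from the commit message and goes one step further so the change flag is accurate: the managed drop-in is left out of the sweep and rewritten only when its content differs. The function names, the scratch layout and the `restart_rsyslog_if_needed` helper are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example (not ComplianceAsCode code): $FileCreateMode remediation as a
# function over caller-supplied paths. Returns 0 if it changed anything (a
# restart is then needed), 1 if the configuration was already as wanted.

ensure_filecreatemode() {   # $1 = rsyslog.conf  $2 = rsyslog.d dir  $3 = mode (default 0640)
  local main_conf=$1 conf_dir=$2 mode=${3:-0640} changed=1
  local dropin="$conf_dir/00-rsyslog_filecreatemode.conf"
  local want="\$FileCreateMode $mode" stray

  # Sweep the other drop-ins. "$conf_dir"/* would pass the literal glob to
  # sed when the directory is empty and sed would exit 2; find -exec ... +
  # runs sed only on files that exist and exits 0 when there are none.
  # Remember whether anything was actually removed so the caller restarts.
  stray=$(find "$conf_dir" -type f -name '*.conf' ! -name "${dropin##*/}" \
               -exec grep -lE '^\s*\$FileCreateMode' {} + 2>/dev/null || true)
  if [ -n "$stray" ]; then
    find "$conf_dir" -type f -name '*.conf' ! -name "${dropin##*/}" \
         -exec sed -i '/^\s*\$FileCreateMode/d' {} +
    changed=0
  fi

  # Main config: if it does not already set the wanted mode, comment out any
  # other value (kept visible for the operator) and install the drop-in with
  # a 00- prefix so it is read before other drop-ins. Only write the drop-in
  # when its content differs, otherwise every run would look like a change.
  if ! grep -qE "^\s*\\\$FileCreateMode\s+$mode(\s|$)" "$main_conf"; then
    if grep -qE '^\s*\$FileCreateMode' "$main_conf"; then
      sed -i '/^\s*\$FileCreateMode/ s/^/#/' "$main_conf"
      changed=0
    fi
    if [ "$(cat "$dropin" 2>/dev/null)" != "$want" ]; then
      printf '%s\n' "$want" > "$dropin"
      changed=0
    fi
  fi
  return "$changed"
}

# Restart only after a real change and only where systemd is running:
# is-system-running prints "offline" in containers, chroots and kickstart
# %post; an empty string (no systemctl at all) is treated the same way.
restart_rsyslog_if_needed() {   # $1 = return value of ensure_filecreatemode
  [ "$1" -eq 0 ] || return 0
  case "$(systemctl is-system-running 2>/dev/null)" in
    offline|"") return 0 ;;
  esac
  systemctl restart rsyslog.service
}

# Demo on a constructed scratch tree (never touches /etc).
scratch=$(mktemp -d)
mkdir "$scratch/rsyslog.d"
printf '%s\n' '$FileCreateMode 0644' '*.info /var/log/messages' > "$scratch/rsyslog.conf"
ensure_filecreatemode "$scratch/rsyslog.conf" "$scratch/rsyslog.d" && echo "first run: changed"
ensure_filecreatemode "$scratch/rsyslog.conf" "$scratch/rsyslog.d" || echo "second run: no change"
rm -rf "$scratch"
```

On a real host the call would be `ensure_filecreatemode /etc/rsyslog.conf /etc/rsyslog.d; restart_rsyslog_if_needed $?`, which restarts rsyslog once after the first run and never on the idempotent re-runs.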
This datastream diff is auto generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_filecreatemode'.
--- xccdf_org.ssgproject.content_rule_rsyslog_filecreatemode
+++ xccdf_org.ssgproject.content_rule_rsyslog_filecreatemode
@@ -8,6 +8,9 @@
created files.
[reference]:
+R71
+
+[reference]:
6.2.2.4
[rationale]:
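Review bot: the new `R71` reference in this hunk is not mentioned in any of the commit messages or in the PR description; if it is only there because the datastream was built against an older base, a rebase would keep it out of this diff, otherwise the description should say why a reference is being added in a CI-fix PR.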
bash remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_filecreatemode' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_filecreatemode
+++ xccdf_org.ssgproject.content_rule_rsyslog_filecreatemode
@@ -1,17 +1,21 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core; then
-sed -i '/^\s*$FileCreateMode/d' /etc/rsyslog.d/*
+find /etc/rsyslog.d/ -name '*.conf' -exec sed -i '/^\s*\$FileCreateMode/d' {} +
+changes_made=false
if ! grep -qE '^\s*\$FileCreateMode\s+0640' /etc/rsyslog.conf; then
if grep -qE '^\s*\$FileCreateMode' /etc/rsyslog.conf; then
sed -i '/^\s*\$FileCreateMode/ s/^/#/' /etc/rsyslog.conf
fi
## Assume there is no filter named as 00-, otherwise those filters might be included before this configuration and create file with different permissions
echo '$FileCreateMode 0640' > /etc/rsyslog.d/00-rsyslog_filecreatemode.conf
+ changes_made=true
fi
-systemctl restart rsyslog.service
+if [[ "$changes_made" == "true" ]] && [[ $(systemctl is-system-running) != "offline" ]]; then
+ systemctl restart rsyslog.service
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
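Review bot: `changes_made` does not track what the `find ... -exec sed -i` sweep at the top does, and that sweep includes the remediation's own `00-rsyslog_filecreatemode.conf`, so on a host whose `/etc/rsyslog.conf` has no `$FileCreateMode` line every run deletes the drop-in, recreates it and restarts rsyslog, which is exactly what "restart only on change" was meant to avoid; in the other direction, removing a stray `$FileCreateMode` from another drop-in while `rsyslog.conf` is already correct leaves `changes_made=false` and the running rsyslog keeps the old value. Excluding the drop-in from the sweep (`find /etc/rsyslog.d/ -name '*.conf' ! -name '00-rsyslog_filecreatemode.conf' ...`) and setting `changes_made=true` when `grep -lE '^\s*\$FileCreateMode'` finds something in those files would make the flag accurate. Also, `$(systemctl is-system-running)` expands to an empty string on a host without `systemctl`, and `"" != "offline"` is true, so the restart is still attempted there; treating the empty string like `offline` closes that gap. The escaped `\$` in the new sed expression is correct, the old unescaped `$` only worked because GNU sed treats a mid-pattern `$` literally.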
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_filecreatemode' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_filecreatemode
+++ xccdf_org.ssgproject.content_rule_rsyslog_filecreatemode
@@ -87,6 +87,7 @@
line: $FileCreateMode 0640
mode: 416
create: true
+ register: result_rsyslog_filecreatemode_added
when:
- '"kernel-core" in ansible_facts.packages'
- rsyslog_filecreatemode_files | length == 0 or result_rsyslog_filecreatemode_removed
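Review bot: `mode: 416` in the context of this hunk is the decimal rendering of octal 0640; Ansible applies an integer mode as-is so the result is right, but anyone comparing this with the bash `0640` will stumble, and the Ansible docs recommend quoting the value (`mode: '0640'`) so it survives YAML rendering unchanged. Not introduced here, but the template is being edited anyway.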
@@ -107,6 +108,7 @@
regexp: ^\$FileCreateMode
line: $FileCreateMode 0640
loop: '{{ rsyslog_filecreatemode_files }}'
+ register: result_rsyslog_filecreatemode_updated
when:
- '"kernel-core" in ansible_facts.packages'
- rsyslog_filecreatemode_files | length == 1
@@ -118,3 +120,21 @@
- medium_severity
- no_reboot_needed
- rsyslog_filecreatemode
+
+- name: Ensure rsyslog Default File Permissions Configured - Restart rsyslog to Apply
+ New $FileCreateMode Setting
+ ansible.builtin.service:
+ name: rsyslog
+ state: restarted
+ when:
+ - '"kernel-core" in ansible_facts.packages'
+ - result_rsyslog_filecreatemode_removed is changed or result_rsyslog_filecreatemode_added
+ is changed or result_rsyslog_filecreatemode_updated is changed
+ tags:
+ - CCE-88321-5
+ - configure_strategy
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - rsyslog_filecreatemode
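Review bot: unlike the bash variant, which skips the restart when `systemctl is-system-running` prints `offline`, this task restarts unconditionally once any of the three registered results is changed, so it fails in a container or chroot where systemd is not PID 1; an equivalent guard would be a `command: systemctl is-system-running` registered with `failed_when: false` and a `when:` on its stdout not being `offline`. The `is changed` tests themselves are safe without `is defined`, since a skipped task still registers a result.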
bash remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
+++ xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
@@ -81,9 +81,10 @@
# exclude /dev/* paths (e.g., /dev/console)
for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
do
- ACTION_OMFILE_LINES=$(grep -iozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}")
- OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -iaoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)")
- LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"" | grep -v "^/dev/")")
+ ACTION_OMFILE_LINES=$(grep -ioPz "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}" | tr '\0' '\n')
+ OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -iaoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"")
+ readarray -t OMFILE_PATHS < <(echo "${OMFILE_LINES}" | grep -oE "\"([/[:alnum:][:punct:]]*)\"" | tr -d '"' | grep -v "^/dev/")
+ LOG_FILE_PATHS+=("${OMFILE_PATHS[@]}")
done
# Ensure the correct attribute if file exists
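Review bot: `readarray -t OMFILE_PATHS < <(...)` leaves the array empty when a config file has no omfile action, and `"${OMFILE_PATHS[@]}"` on an empty array is an "unbound variable" error under `set -u` in bash older than 4.4; if this shared template is rendered for such platforms, `LOG_FILE_PATHS+=("${OMFILE_PATHS[@]+"${OMFILE_PATHS[@]}"}")` is the portable spelling. Also worth a comment above the loop: the value class `[/[:alnum:][:punct:]]*` contains no space, so a `File="/var/log/my app.log"` is silently dropped rather than mis-parsed.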
@@ -95,6 +96,12 @@
then
continue
fi
+ # Only operate on the file if it exists; non-existent files would cause the command to fail
+ # with a non-zero exit code, which oscap --remediate interprets as an error, skipping the fix.
+ if [ ! -f "$LOG_FILE_PATH" ]
+ then
+ continue
+ fi
$FILE_CMD "root" "$LOG_FILE_PATH"
done
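Review bot: the new comment says a failing command would skip "the fix", but what `oscap --remediate` reports is an error for the whole rule's remediation, and the comment should say so; and since the path came out of a parsed `File=` attribute, a `>&2 echo "skipping $LOG_FILE_PATH: not a regular file"` before the `continue` would tell whoever reads the remediation log why a configured log file was left alone. `-f` also skips a configured path that exists as a directory or socket, which is the right call for `chgrp`.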
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
+++ xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
@@ -170,7 +170,7 @@
ansible.builtin.shell: |
set -o pipefail
grep -iozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \
- grep -iaoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \
+ grep -iaoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"" | \
grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \
tr -d "\"" | \
grep -v '^/dev/' || true
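Review bot: `{{ item.1.path }}` is substituted into the shell command unquoted, so a config path with a space or shell metacharacter (unlikely under `/etc`, but cheap to guard) breaks the first `grep`; `{{ item.1.path | quote }}` is the usual fix. Separately, the NUL-separated output of `grep -iozP` is still handed straight to the second `grep`, which only copes because of `-a`; adding `tr '\0' '\n'` after the first `grep`, as the bash template now does, keeps the two pipelines identical.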
bash remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_ownership' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
+++ xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
@@ -81,9 +81,10 @@
# exclude /dev/* paths (e.g., /dev/console)
for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
do
- ACTION_OMFILE_LINES=$(grep -iozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}")
- OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -iaoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)")
- LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"" | grep -v "^/dev/")")
+ ACTION_OMFILE_LINES=$(grep -ioPz "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}" | tr '\0' '\n')
+ OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -iaoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"")
+ readarray -t OMFILE_PATHS < <(echo "${OMFILE_LINES}" | grep -oE "\"([/[:alnum:][:punct:]]*)\"" | tr -d '"' | grep -v "^/dev/")
+ LOG_FILE_PATHS+=("${OMFILE_PATHS[@]}")
done
# Ensure the correct attribute if file exists
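Review bot: the hunk is identical to the one under rsyslog_files_groupownership, as expected from a shared template, so one additional point only: `action\s*\(\s*type\s*=\s*\"omfile\"` requires `type=` to be the first parameter after `action(`, while RainerScript accepts parameters in any order, so an `action(name="..." type="omfile" File="...")` is never seen by any of the three rules. Matching `type="omfile"` anywhere inside the parentheses (e.g. `action\s*\([^\)]*type\s*=\s*\"omfile\"[^\)]*\)`) would cover that layout.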
@@ -95,6 +96,12 @@
then
continue
fi
+ # Only operate on the file if it exists; non-existent files would cause the command to fail
+ # with a non-zero exit code, which oscap --remediate interprets as an error, skipping the fix.
+ if [ ! -f "$LOG_FILE_PATH" ]
+ then
+ continue
+ fi
$FILE_CMD "root" "$LOG_FILE_PATH"
done
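Review bot: same hunk as under rsyslog_files_groupownership (shared template), with one ownership-specific consequence: `[ -f ]` follows symlinks and `chown root` without `-h` changes the link target, so a `File=` path that is a symlink to somewhere outside `/var/log` gets its target re-owned rather than skipped. If that is not intended, skip links with `[ -L "$LOG_FILE_PATH" ]` next to the new check, or pass `-h`.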
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_ownership' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
+++ xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
@@ -170,7 +170,7 @@
ansible.builtin.shell: |
set -o pipefail
grep -iozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \
- grep -iaoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \
+ grep -iaoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"" | \
grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \
tr -d "\"" | \
grep -v '^/dev/' || true
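Review bot: `|| true` turns every failure into an empty result, including exit status 2 from the first `grep` for an unreadable `{{ item.1.path }}`, so a permissions problem on a config file silently yields "no log files" and the task reports success; and because `pipefail` reports the rightmost non-zero status, that 2 is already masked by a later `grep` exiting 1 before `|| true` is reached. A `test -r {{ item.1.path }} || exit 2` line before the pipeline keeps "no match" as success while letting a real read error surface.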
bash remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_permissions' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_files_permissions
+++ xccdf_org.ssgproject.content_rule_rsyslog_files_permissions
@@ -81,9 +81,10 @@
# exclude /dev/* paths (e.g., /dev/console)
for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
do
- ACTION_OMFILE_LINES=$(grep -iozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}")
- OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -iaoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)")
- LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"" | grep -v "^/dev/")")
+ ACTION_OMFILE_LINES=$(grep -ioPz "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}" | tr '\0' '\n')
+ OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -iaoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"")
+ readarray -t OMFILE_PATHS < <(echo "${OMFILE_LINES}" | grep -oE "\"([/[:alnum:][:punct:]]*)\"" | tr -d '"' | grep -v "^/dev/")
+ LOG_FILE_PATHS+=("${OMFILE_PATHS[@]}")
done
# Ensure the correct attribute if file exists
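Review bot: identical to the groupownership hunk above (shared template); the extra point for this copy is that the `-z` whole-file match does not strip comments, so a commented-out `# action(type="omfile" File="/var/log/old.log")` still contributes its path and, now that the `-f` guard no longer aborts on missing files, an existing file that rsyslog does not actually write gets its mode changed. Filtering lines starting with `#` out of `ACTION_OMFILE_LINES` before the `File=` grep would avoid that.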
@@ -95,6 +96,12 @@
then
continue
fi
+ # Only operate on the file if it exists; non-existent files would cause the command to fail
+ # with a non-zero exit code, which oscap --remediate interprets as an error, skipping the fix.
+ if [ ! -f "$LOG_FILE_PATH" ]
+ then
+ continue
+ fi
$FILE_CMD "0640" "$LOG_FILE_PATH"
done
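Review bot: identical to the groupownership hunk above since all three rules render from one shared template; the permissions-specific point is that `chmod 0640` on an existing file only holds until rsyslog re-creates it with whatever `$FileCreateMode` is in effect, which is why this rule's result depends on the rsyslog_filecreatemode remediation earlier in this diff actually restarting rsyslog. A one-line comment above `$FILE_CMD "0640"` stating that dependency would spare the next reader a search.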
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_permissions' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_files_permissions
+++ xccdf_org.ssgproject.content_rule_rsyslog_files_permissions
@@ -170,7 +170,7 @@
ansible.builtin.shell: |
set -o pipefail
grep -iozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \
- grep -iaoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \
+ grep -iaoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"" | \
grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \
tr -d "\"" | \
grep -v '^/dev/' || true
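Review bot: the regex change itself is right, but this `ansible.builtin.shell` pipeline is what the bot comment below is flagging; the same extraction can be done without a shell by reading each config file with `ansible.builtin.slurp` and applying the `regex_findall` filter to the `b64decode`d content, which also removes the quoting concern around `{{ item.1.path }}` and the `|| true` error masking.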
Change in Ansible: Please consider using a more suitable Ansible module than
Description:
Adjust rsyslog template to fix CI errors and to be more resistant to error conditions.
Rationale:
Fixes #14570
Review Hints:
Run /hardening/host-os/oscap/anssi_bp28_high in public testing farm ranch. Make sure that all subtests like rsyslog% pass.