Add syslog-ng rules as an alternative logging framework #14766
israel-villar wants to merge 3 commits into
Conversation
Add four new rules for the syslog-ng logging framework under
linux_os/guide/system/logging/syslogng/:
- package_syslogng_installed: ensure syslog-ng is installed
- service_syslogng_enabled: ensure the syslog-ng service is enabled
- syslogng_nolisten: ensure syslog-ng is not configured to accept
remote messages (OVAL checks for absence of tcp()/udp() source
directives in /etc/syslog-ng/syslog-ng.conf)
- syslogng_filecreatemode: ensure syslog-ng sets file creation mode
to 0640 or more restrictive (OVAL uses direct regex match on the
options { } block)
syslog-ng is an alternative to rsyslog and systemd-journal. These rules
provide coverage for systems that use syslog-ng as their logging daemon,
complementing the existing rsyslog rules.
Map the new rules to the existing syslog-ng component.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
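The two non-trivial checks the description outlines, modelled in Python as an added example; this is not the project's OVAL, SCE or test-scenario code, none of which the PR page shows. It treats network() and syslog() as listening drivers alongside tcp()/udp(), follows @include into conf.d (Debian's packaged syslog-ng.conf ends with such an include), and checks destination-level perm() in addition to the options{} value. The config text, the conf.d drop-in path and every helper name are constructed for the example. The last function audits any candidate mode regex, including the two variants debated later in this review, against the bit-subset meaning of "more restrictive".

```python
# Added example: offline model of syslogng_nolisten and syslogng_filecreatemode.
# Not the project's OVAL/SCE code; config text below is constructed.
import fnmatch
import re

REFERENCE_MODE = 0o640  # rw-r-----, the loosest mode the rule accepts

# Source drivers that open a listening socket.  tcp()/udp() are the legacy
# names; network() and syslog() are the current ones and listen just the same.
LISTENING_DRIVERS = ("tcp", "tcp6", "udp", "udp6", "network", "syslog")

_COMMENT_RE = re.compile(r"#.*?$|//.*?$|/\*.*?\*/", re.M | re.S)
_INCLUDE_RE = re.compile(r'^\s*@include\s+"([^"]+)"\s*$', re.M)
_SOURCE_RE = re.compile(r"\bsource\s+(\S+)\s*\{(.*?)\};", re.S)
_OPTIONS_RE = re.compile(r"\boptions\s*\{(.*?)\};", re.S)
_PERM_RE = re.compile(r'\bperm\s*\(\s*"?0?([0-7]{3})"?\s*\)')  # skips dir_perm()


def expand_includes(conf, files, base="/etc/syslog-ng"):
    """Inline @include directives (globs allowed).  `files` maps absolute
    paths to text and stands in for the filesystem so this runs offline."""
    def repl(m):
        pattern = m.group(1)
        if not pattern.startswith("/"):
            pattern = f"{base}/{pattern}"
        hits = sorted(p for p in files if fnmatch.fnmatch(p, pattern))
        return "\n".join(expand_includes(files[p], files, base) for p in hits)
    return _INCLUDE_RE.sub(repl, conf)


def strip_comments(conf):
    return _COMMENT_RE.sub("", conf)


def listening_sources(conf):
    """(source name, driver) for every source{} that uses a listening driver."""
    hits = []
    for name, body in _SOURCE_RE.findall(strip_comments(conf)):
        for drv in LISTENING_DRIVERS:
            if re.search(rf"\b{drv}\s*\(", body):
                hits.append((name, drv))
    return hits


def nolisten_ok(conf):
    return not listening_sources(conf)


def is_at_most(mode, reference=REFERENCE_MODE):
    """True when `mode` sets no permission bit that `reference` lacks."""
    return (mode & ~reference) == 0


def global_perm(conf):
    """perm() from the options{} block, or None when it is not set."""
    m = _OPTIONS_RE.search(strip_comments(conf))
    p = _PERM_RE.search(m.group(1)) if m else None
    return int(p.group(1), 8) if p else None


def destination_perms(conf):
    """perm() values set on individual destinations; these override options{}."""
    text = _OPTIONS_RE.sub("", strip_comments(conf))
    return [int(m.group(1), 8) for m in _PERM_RE.finditer(text)]


def filecreatemode_ok(conf):
    mode = global_perm(conf)
    if mode is None or not is_at_most(mode):
        return False
    return all(is_at_most(p) for p in destination_perms(conf))


def modes_accepted_but_permissive(pattern, reference=REFERENCE_MODE):
    """Audit a candidate mode regex: every 4-digit octal mode it accepts that
    still grants a bit outside `reference`.  A sound regex returns []."""
    rx = re.compile(pattern)
    return [f"{m:04o}" for m in range(0o1000)
            if rx.fullmatch(f"{m:04o}") and not is_at_most(m, reference)]


# Constructed sample: the main file is clean on its own, but the conf.d
# drop-in it includes listens on 514/tcp and relaxes perm() on one destination.
FILES = {
    "/etc/syslog-ng/syslog-ng.conf": """@version: 4.2
options { chain_hostnames(no); perm(0640); };
source s_local { system(); internal(); };
# source s_old { udp(); };   commented out, must not count
destination d_local { file("/var/log/messages"); };
@include "conf.d/*.conf"
log { source(s_local); destination(d_local); };
""",
    "/etc/syslog-ng/conf.d/10-remote.conf": """
source s_net { network(ip("0.0.0.0") port(514) transport("tcp")); };
destination d_remote { file("/var/log/remote.log" perm(0644)); };
log { source(s_net); destination(d_remote); };
""",
}
MAIN_ONLY = FILES["/etc/syslog-ng/syslog-ng.conf"]
FULL = expand_includes(MAIN_ONLY, FILES)

if __name__ == "__main__":
    for label, conf in (("main file only", MAIN_ONLY), ("with conf.d", FULL)):
        print(f"{label}: nolisten={nolisten_ok(conf)} "
              f"filecreatemode={filecreatemode_ok(conf)} {listening_sources(conf)}")
    for rx in (r"0[0-6][0-4][0-7]", r"0[0-6][0-4]0", r"0[0246][04]0"):
        print(rx, "wrongly accepts", len(modes_accepted_but_permissive(rx)), "modes")
```

Run as a script, the main file alone passes both checks while the expanded configuration fails both, which is the gap a grep over syslog-ng.conf alone leaves open. The regex audit shows why pinning only the world digit is not enough: owner digits 1/3/5 and group digits 1/2/3 still add execute or write bits that 0640 does not have.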
Hi @israel-villar. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here.
Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@@ -0,0 +1,29 @@
documentation_complete: true
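Review bot: this file arrives as a brand-new 29-line addition (@@ -0,0 +1,29 @@) rather than a move, so the copy of package_syslogng_installed under rsyslog_accepting_remote_messages/ stays behind and the project carries two rules with the same id. Move the directory with git mv in the same commit so the old location disappears and history follows the file, and keep the rule id unchanged so anything already selecting it keeps resolving.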
This rule already exists in the project (linux_os/guide/system/logging/rsyslog_accepting_remote_messages/package_syslogng_installed/rule.yml). Also, service_syslogng_enabled exists as well.
It makes sense to move these rules to a new directory, however, please make sure that the old location is removed in the PR.
You are right. I removed package_syslogng_installed and service_syslogng_enabled from syslog_accepting_remote_messages/; the canonical location is now linux_os/guide/system/logging/syslogng/
There is also a yamllint error in the components/syslog-ng.yml (missing list indentation) and there are two long lines in service_syslogng_enabled/rule.yml which were fixed in a follow-up commit.
The regex 0[0-6][0-4][0-7] covers octal values 0000-0647, all of which
are 0640 or more restrictive (no extra bits beyond owner=rw, group=r). -->
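Review bot: the claim in this comment is wrong, and the regex is wrong in more than the last digit. 0[0-6][0-4][0-7] accepts 0647, which grants world rwx, and even with the world digit pinned to 0 the owner digits 1, 3 and 5 and the group digits 1, 2 and 3 all set execute or write bits that 0640 does not have, so 0140 or 0330 would pass. "0640 or more restrictive" means no bit set that 0640 lacks, which as a regex is `0[0246][04]0`; anchor it to the whole perm() value as well, so it cannot match inside a longer string.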
0647 isn't more restrictive than 0640
You are right again, 0647 grants world read+write+execute and is not more restrictive than 0640. Fixed the regex from 0[0-6][0-4][0-7] to 0[0-6][0-4]0 so world bits are always zero
system thus to act as a log server.
If the system is not a log server, then such source entries should not
appear in the syslog-ng configuration files.
<br /><br />
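Review bot: the trailing `<br /><br />` after the last sentence of the group description should be dropped; the description is rendered as HTML in the generated guides, and the two tags only add empty space below the text.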
Remove the excess br tags
@@ -0,0 +1,40 @@
documentation_complete: true

title: 'Ensure syslog-ng Does Not Accept Remote Messages Unless Acting As Log Server'
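Review bot: the check behind this title, as the PR describes it, looks only for tcp()/udp() source directives in /etc/syslog-ng/syslog-ng.conf, which misses the cases that matter in practice: network() and syslog() are the current listening drivers (tcp()/udp() are the deprecated names), and Debian's packaged syslog-ng.conf @includes /etc/syslog-ng/conf.d/*.conf, so a drop-in containing `source s_net { network(port(514)); };` would pass. Extend the OVAL to the network()/syslog() drivers and to the included files, and add test scenarios for each driver and for a drop-in file.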
Please add test scenarios for this rule. It isn't templated and it contains non-trivial checks and remediations, therefore the project would strongly benefit from having some test scenarios.
Now there are test scenarios for syslogng_nolisten: added no_network_drivers.pass.sh, tcp_driver_in_source.fail.sh, udp_driver_in_source.fail.sh, and network_driver_in_source.fail.sh
@@ -0,0 +1,34 @@
documentation_complete: true

title: 'Ensure syslog-ng Default File Permissions Configured'
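Review bot: a regex over the options{} block only sees the global perm(); a file() destination can carry its own perm(0644), which overrides the global value for that file, so the rule passes while a log is world-readable. Either fail on any destination perm() looser than 0640 as well, or state in the description that only the global default is checked, and add test scenarios for the unset, 0640, stricter and looser cases.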
Please add test scenarios for this rule.
Test scenarios for syslogng_filecreatemode: added perm_set_0640.pass.sh, perm_set_more_restrictive.pass.sh, perm_not_set.fail.sh, and perm_too_permissive.fail.sh
- Remove duplicate package_syslogng_installed and service_syslogng_enabled rules from rsyslog_accepting_remote_messages/; the canonical location is now linux_os/guide/system/logging/syslogng/
- Fix syslogng_filecreatemode OVAL: change perm() regex from 0[0-6][0-4][0-7] to 0[0-6][0-4]0 so world bits are always zero (0647 is not more restrictive than 0640)
- Remove trailing <br /> tags from syslogng_accepting_remote_messages/group.yml
- Add test scenarios for syslogng_nolisten: no_network_drivers.pass, tcp_driver_in_source.fail, udp_driver_in_source.fail, network_driver_in_source.fail
- Add test scenarios for syslogng_filecreatemode: perm_set_0640.pass, perm_set_more_restrictive.pass, perm_not_set.fail, perm_too_permissive.fail

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add 2-space indentation to list items in components/syslog-ng.yml and add yamllint disable comments for long reference lines in service_syslogng_enabled/rule.yml.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This datastream diff is auto generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_syslogng_enabled'.
--- xccdf_org.ssgproject.content_rule_service_syslogng_enabled
+++ xccdf_org.ssgproject.content_rule_service_syslogng_enabled
@@ -3,7 +3,8 @@
Enable syslog-ng Service
[description]:
-The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
+The syslog-ng service (in replacement of rsyslog) provides syslog-style logging
+by default on Debian.
The syslog-ng service can be enabled with the following command:
$ sudo systemctl enable syslog-ng.service
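Review bot: the rewrapped description line still states that syslog-ng "provides syslog-style logging by default on Debian", which is not the case: Debian's default syslog daemon was rsyslog, and since bookworm the default installation ships only systemd-journald, with neither rsyslog nor syslog-ng installed. Since the line is being touched anyway, drop "by default" or reword it to say syslog-ng is an alternative to rsyslog, which is what the PR summary itself says.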
Description:
Add four new rules for the syslog-ng logging framework under linux_os/guide/system/logging/syslogng/:
- package_syslogng_installed: ensure syslog-ng is installed
- service_syslogng_enabled: ensure the syslog-ng service is enabled
- syslogng_nolisten: ensure syslog-ng is not configured to accept remote messages (OVAL checks for absence of tcp()/udp() source directives in /etc/syslog-ng/syslog-ng.conf)
- syslogng_filecreatemode: ensure syslog-ng sets file creation mode to 0640 or more restrictive (OVAL uses direct regex match on the options { } block)
Map the new rules to the existing syslog-ng component.
Rationale:
syslog-ng is an alternative to rsyslog and systemd-journal. These rules provide coverage for systems that use syslog-ng as their logging daemon, complementing the existing rsyslog rules.
Review Hints:
- linux_os/guide/system/logging/syslogng/ with two group.yml files and four rule directories.
- syslogng_filecreatemode OVAL uses a direct regex match instead of shell arithmetic to avoid the SCE /tmp noexec problem.
- ./build_product debian13 --datastream-only