Add syslog-ng rules as an alternative logging framework

components/syslog-ng.yml

@@ -1,6 +1,8 @@
 name: syslog-ng
 packages:
-- syslog-ng
+  - syslog-ng
 rules:
-- package_syslogng_installed
-- service_syslogng_enabled
+  - package_syslogng_installed
+  - service_syslogng_enabled
+  - syslogng_filecreatemode
+  - syslogng_nolisten

linux_os/guide/system/logging/syslogng/group.yml

@@ -0,0 +1,11 @@
+documentation_complete: true
+
+title: 'Configure syslog-ng'
+
+description: |-
+    syslog-ng is an enhanced syslog daemon that can be used as a replacement
+    for rsyslog. It provides advanced log routing, filtering, and forwarding
+    capabilities, including reliable and encrypted transport of log messages.
+    This section discusses how to configure syslog-ng for best effect.
+
+platform: system_with_kernel

linux_os/guide/system/logging/rsyslog_accepting_remote_messages/service_syslogng_enabled/rule.yml → linux_os/guide/system/logging/syslogng/service_syslogng_enabled/rule.yml

@@ -3,7 +3,8 @@ documentation_complete: true
 title: 'Enable syslog-ng Service'
 
 description: |-
-    The <tt>syslog-ng</tt> service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
+    The <tt>syslog-ng</tt> service (in replacement of rsyslog) provides syslog-style logging
+    by default on Debian.
     {{{ describe_service_enable(service="syslog-ng") }}}
 
 rationale: |-
@@ -14,10 +15,10 @@ severity: medium
 
 references:
     cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
-    cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO13.01,BAI03.05,BAI04.04,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+    cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO13.01,BAI03.05,BAI04.04,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01  # yamllint disable-line rule:line-length
     isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2,SR 7.1,SR 7.2'
-    iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2,A.17.2.1
+    iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2,A.17.2.1  # yamllint disable-line rule:line-length
     nist: CM-6(a),AU-4(1)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.DS-4,PR.PT-1
 

linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/group.yml

@@ -0,0 +1,12 @@
+documentation_complete: true
+
+title: 'Configure syslog-ng to Accept Remote Messages If Acting as a Log Server'
+
+description: |-
+    By default, <tt>syslog-ng</tt> does not listen over the network
+    for log messages. If needed, network source drivers (<tt>tcp()</tt>,
+    <tt>udp()</tt>, or <tt>network()</tt>) can be added to allow
+    the syslog-ng daemon to receive messages from other systems and for the
+    system thus to act as a log server.
+    If the system is not a log server, then such source entries should not
+    appear in the syslog-ng configuration files.

linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/syslogng_nolisten/bash/shared.sh

@@ -0,0 +1,21 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+network_regex='^\s*(tcp|udp|network)\('
+
+readarray -t targets < <(grep -l -E -r "${network_regex}" /etc/syslog-ng/ 2>/dev/null)
+
+config_changed=false
+if [ ${#targets[@]} -gt 0 ]; then
+    for target in "${targets[@]}"; do
+        sed -E -i "/${network_regex}/ s/^/# /" "$target"
+    done
+    config_changed=true
+fi
+
+if $config_changed; then
+    systemctl restart syslog-ng.service
+fi

linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/syslogng_nolisten/oval/shared.xml

@@ -0,0 +1,49 @@
+<def-group>
+    <definition class="compliance" id="{{{ rule_id }}}" version="1">
+        {{{ oval_metadata("syslog-ng should not accept remote messages unless acting as a log server", rule_title=rule_title) }}}
+        <criteria operator="AND">
+            <criterion test_ref="test_syslogng_nolisten_tcp"
+                comment="syslog-ng is not configured to accept TCP messages"/>
+            <criterion test_ref="test_syslogng_nolisten_udp"
+                comment="syslog-ng is not configured to accept UDP messages"/>
+            <criterion test_ref="test_syslogng_nolisten_network"
+                comment="syslog-ng is not configured to accept generic network messages"/>
+        </criteria>
+    </definition>
+
+    <ind:textfilecontent54_test id="test_syslogng_nolisten_tcp" version="1"
+        check="all" check_existence="none_exist"
+        comment="syslog-ng configuration files don't contain tcp() source driver">
+        <ind:object object_ref="object_syslogng_nolisten_tcp"/>
+    </ind:textfilecontent54_test>
+
+    <ind:textfilecontent54_object id="object_syslogng_nolisten_tcp" version="1">
+        <ind:filepath operation="pattern match">^\/etc\/syslog-ng\/(syslog-ng\.conf|conf\.d\/.*\.conf)$</ind:filepath>
+        <ind:pattern operation="pattern match">^\s*tcp\(</ind:pattern>
+        <ind:instance datatype="int">1</ind:instance>
+    </ind:textfilecontent54_object>
+
+    <ind:textfilecontent54_test id="test_syslogng_nolisten_udp" version="1"
+        check="all" check_existence="none_exist"
+        comment="syslog-ng configuration files don't contain udp() source driver">
+        <ind:object object_ref="object_syslogng_nolisten_udp"/>
+    </ind:textfilecontent54_test>
+
+    <ind:textfilecontent54_object id="object_syslogng_nolisten_udp" version="1">
+        <ind:filepath operation="pattern match">^\/etc\/syslog-ng\/(syslog-ng\.conf|conf\.d\/.*\.conf)$</ind:filepath>
+        <ind:pattern operation="pattern match">^\s*udp\(</ind:pattern>
+        <ind:instance datatype="int">1</ind:instance>
+    </ind:textfilecontent54_object>
+
+    <ind:textfilecontent54_test id="test_syslogng_nolisten_network" version="1"
+        check="all" check_existence="none_exist"
+        comment="syslog-ng configuration files don't contain network() source driver">
+        <ind:object object_ref="object_syslogng_nolisten_network"/>
+    </ind:textfilecontent54_test>
+
+    <ind:textfilecontent54_object id="object_syslogng_nolisten_network" version="1">
+        <ind:filepath operation="pattern match">^\/etc\/syslog-ng\/(syslog-ng\.conf|conf\.d\/.*\.conf)$</ind:filepath>
+        <ind:pattern operation="pattern match">^\s*network\(</ind:pattern>
+        <ind:instance datatype="int">1</ind:instance>
+    </ind:textfilecontent54_object>
+</def-group>

linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/syslogng_nolisten/rule.yml

@@ -0,0 +1,40 @@
+documentation_complete: true
+
+title: 'Ensure syslog-ng Does Not Accept Remote Messages Unless Acting As Log Server'
+
+description: |-
+    The <tt>syslog-ng</tt> daemon should not accept remote messages unless the
+    system acts as a log server. To ensure that it is not listening on the
+    network, verify that none of the following source driver calls appear
+    uncommented in <tt>syslog-ng</tt> configuration files:
+    <pre>tcp()
+    udp()
+    network()</pre>
+
+rationale: |-
+    Any process which receives messages from the network incurs some risk of
+    receiving malicious messages. This risk can be eliminated for syslog-ng by
+    configuring it not to listen on the network.
+
+severity: medium
+
+references:
+    nist: CM-7(a),CM-7(b),CM-6(a)
+
+ocil_clause: 'syslog-ng accepts remote messages and is not documented as a log aggregation system'
+
+ocil: |-
+    Verify that the system is not accepting syslog-ng messages from other systems
+    unless it is documented as a log aggregation server.
+    Display the contents of the syslog-ng configuration files:
+    <pre>find /etc/syslog-ng -name "*.conf" -exec cat '{}' \;</pre>
+    If any <tt>source</tt> block contains <tt>tcp()</tt>, <tt>udp()</tt>, or
+    <tt>network()</tt> source drivers, ask to see the documentation for the
+    system being used for log aggregation.
+
+fixtext: |-
+    Edit the syslog-ng configuration files under <tt>/etc/syslog-ng/</tt> and
+    comment out or remove any <tt>tcp()</tt>, <tt>udp()</tt>, or
+    <tt>network()</tt> driver entries from <tt>source</tt> blocks.
+    Restart the service:
+    <pre># systemctl restart syslog-ng.service</pre>

linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/syslogng_nolisten/tests/network_driver_in_source.fail.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+mkdir -p /etc/syslog-ng/conf.d
+
+cat << 'EOF' > /etc/syslog-ng/syslog-ng.conf
+@version: 4.2
+
+source s_net {
+    network(ip("0.0.0.0") port(514));
+};
+
+destination d_auth { file("/var/log/auth.log"); };
+
+log { source(s_net); destination(d_auth); };
+EOF

linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/syslogng_nolisten/tests/no_network_drivers.pass.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+mkdir -p /etc/syslog-ng/conf.d
+
+cat << 'EOF' > /etc/syslog-ng/syslog-ng.conf
+@version: 4.2
+
+options {
+    flush_lines(0);
+    keep_hostname(yes);
+};
+
+source s_local {
+    systemd-journal();
+    internal();
+};
+
+destination d_auth { file("/var/log/auth.log"); };
+
+log { source(s_local); destination(d_auth); };
+EOF

linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/syslogng_nolisten/tests/tcp_driver_in_source.fail.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+mkdir -p /etc/syslog-ng/conf.d
+
+cat << 'EOF' > /etc/syslog-ng/syslog-ng.conf
+@version: 4.2
+
+source s_net {
+    tcp(ip("0.0.0.0") port(514));
+};
+
+destination d_auth { file("/var/log/auth.log"); };
+
+log { source(s_net); destination(d_auth); };
+EOF

linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/syslogng_nolisten/tests/udp_driver_in_source.fail.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+mkdir -p /etc/syslog-ng/conf.d
+
+cat << 'EOF' > /etc/syslog-ng/syslog-ng.conf
+@version: 4.2
+
+source s_net {
+    udp(ip("0.0.0.0") port(514));
+};
+
+destination d_auth { file("/var/log/auth.log"); };
+
+log { source(s_net); destination(d_auth); };
+EOF

linux_os/guide/system/logging/syslogng/syslogng_filecreatemode/bash/shared.sh

@@ -0,0 +1,14 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+# Remove any existing perm() directives to avoid duplicates
+sed -i '/^\s*perm(/d' /etc/syslog-ng/syslog-ng.conf
+find /etc/syslog-ng/conf.d/ -name "*.conf" -exec sed -i '/^\s*perm(/d' {} \;
+
+# Add perm(0640) via a drop-in options block
+echo 'options { perm(0640); };' > /etc/syslog-ng/conf.d/00-syslogng_filecreatemode.conf
+
+systemctl restart syslog-ng.service

linux_os/guide/system/logging/syslogng/syslogng_filecreatemode/oval/shared.xml

@@ -0,0 +1,24 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="2">
+    {{{ oval_metadata("perm() setting controls permissions applied to newly created log files by syslog-ng.", rule_title=rule_title) }}}
+    <criteria>
+      <criterion test_ref="tst_{{{ rule_id }}}_perm_configured"
+          comment="perm() is set to 0640 or more restrictive in syslog-ng configuration"/>
+    </criteria>
+  </definition>
+
+  <!-- Pass if any syslog-ng config file contains an acceptable perm() value.
+       The regex 0[0-6][0-4]0 covers octal values 0000-0640; world bits are
+       always 0 and group bits are at most read-only (no write or execute). -->
+  <ind:textfilecontent54_test id="tst_{{{ rule_id }}}_perm_configured"
+      version="1" check="all" check_existence="at_least_one_exists"
+      comment="syslog-ng perm() is set to 0640 or more restrictive">
+    <ind:object object_ref="obj_{{{ rule_id }}}_perm" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_perm" version="1">
+    <ind:filepath operation="pattern match">^/etc/syslog-ng/(syslog-ng\.conf|conf\.d/.*\.conf)$</ind:filepath>
+    <ind:pattern operation="pattern match">perm\(0[0-6][0-4]0\)</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>

linux_os/guide/system/logging/syslogng/syslogng_filecreatemode/rule.yml

@@ -0,0 +1,34 @@
+documentation_complete: true
+
+title: 'Ensure syslog-ng Default File Permissions Configured'
+
+description: |-
+    syslog-ng will create logfiles that do not already exist on the system.
+    The <tt>perm()</tt> option in the global <tt>options</tt> block controls
+    what permissions will be applied to these newly created files.
+
+rationale: |-
+    It is important to ensure that log files have the correct permissions
+    to ensure that sensitive data is archived and protected.
+
+severity: medium
+
+references:
+    nist: CM-6(a)
+
+ocil_clause: 'perm() is not set or is more permissive than 0640'
+
+ocil: |-
+    Run the following command:
+    <pre># grep -r 'perm(' /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/conf.d/</pre>
+    Verify the output contains <tt>perm(0640)</tt> or a more restrictive value
+    in the global <tt>options</tt> block.
+
+fixtext: |-
+    Edit <tt>/etc/syslog-ng/syslog-ng.conf</tt> or a dedicated file in
+    <tt>/etc/syslog-ng/conf.d/</tt> and ensure the global options block contains:
+    <pre>options {
+        perm(0640);
+    };</pre>
+    Restart the service:
+    <pre># systemctl restart syslog-ng.service</pre>

linux_os/guide/system/logging/syslogng/syslogng_filecreatemode/tests/perm_not_set.fail.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+mkdir -p /etc/syslog-ng/conf.d
+
+cat << 'EOF' > /etc/syslog-ng/syslog-ng.conf
+@version: 4.2
+
+options {
+    flush_lines(0);
+};
+
+source s_local { systemd-journal(); internal(); };
+EOF
+
+find /etc/syslog-ng -name "*.conf" -exec sed -i '/^\s*perm(/d' {} \;

linux_os/guide/system/logging/syslogng/syslogng_filecreatemode/tests/perm_set_0640.pass.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+mkdir -p /etc/syslog-ng/conf.d
+
+cat << 'EOF' > /etc/syslog-ng/syslog-ng.conf
+@version: 4.2
+
+options {
+    perm(0640);
+};
+
+source s_local { systemd-journal(); internal(); };
+EOF

linux_os/guide/system/logging/syslogng/syslogng_filecreatemode/tests/perm_set_more_restrictive.pass.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+mkdir -p /etc/syslog-ng/conf.d
+
+cat << 'EOF' > /etc/syslog-ng/syslog-ng.conf
+@version: 4.2
+
+options {
+    perm(0600);
+};
+
+source s_local { systemd-journal(); internal(); };
+EOF

linux_os/guide/system/logging/syslogng/syslogng_filecreatemode/tests/perm_too_permissive.fail.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+mkdir -p /etc/syslog-ng/conf.d
+
+cat << 'EOF' > /etc/syslog-ng/syslog-ng.conf
+@version: 4.2
+
+options {
+    perm(0644);
+};
+
+source s_local { systemd-journal(); internal(); };
+EOF