Merge pull request #13328 from jan-cerny/rsyslog_remote_tls_cacert

Update CA file path

Author: Mab879

linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/rule.yml

@@ -1,15 +1,14 @@
 documentation_complete: true
 
-
 title: 'Configure CA certificate for rsyslog remote logging'
 
 description: |-
     Configure CA certificate for <tt>rsyslog</tt> logging
     to remote server using Transport Layer Security (TLS)
     using correct path for the <tt>DefaultNetstreamDriverCAFile</tt>
     global option in <tt>/etc/rsyslog.conf</tt>, for example with the following command:
-    <pre>echo 'global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem")' >> /etc/rsyslog.conf</pre>
-    Replace the <tt>/etc/pki/tls/cert.pem</tt> in the above command with the path to the file with CA certificate generated for the purpose of remote logging.
+    <pre>echo 'global(DefaultNetstreamDriverCAFile="{{{ rsyslog_cafile }}}")' >> /etc/rsyslog.conf</pre>
+    Replace the <tt>{{{ rsyslog_cafile }}}</tt> in the above command with the path to the file with CA certificate generated for the purpose of remote logging.
 
 rationale: |-
     The CA certificate needs to be set or <tt>rsyslog.service</tt>
@@ -36,8 +35,8 @@ ocil: |-
     configured for its TLS connections to remote server, run the following command:
     <pre>$ grep DefaultNetstreamDriverCAFile /etc/rsyslog.conf /etc/rsyslog.d/*.conf</pre>
     The output should include record similar to
-    <pre>global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem")</pre>
-    where the path to the CA file (<tt>/etc/pki/tls/cert.pem</tt> in case above) must point to the correct CA certificate.
+    <pre>global(DefaultNetstreamDriverCAFile="{{{ rsyslog_cafile }}}")</pre>
+    where the path to the CA file (<tt>{{{ rsyslog_cafile }}}</tt> in case above) must point to the correct CA certificate.
 
 warnings:
     - general: |-

linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/tests/cacert_configured.pass.sh

@@ -1,3 +1,3 @@
 #!/bin/bash
 
-echo 'global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem")' >> /etc/rsyslog.conf
+echo 'global(DefaultNetstreamDriverCAFile="{{{ rsyslog_cafile }}}")' >> /etc/rsyslog.conf

linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/tests/syntax_error.fail.sh

@@ -1,4 +1,4 @@
 #!/bin/bash
 # remediation = none
 
-echo 'global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem") *.*' >> /etc/rsyslog.conf
+echo 'global(DefaultNetstreamDriverCAFile="{{{ rsyslog_cafile }}}") *.*' >> /etc/rsyslog.conf

products/fedora/product.yml

@@ -94,3 +94,4 @@ platform_package_overrides:
   login_defs: "shadow-utils"
 
 journald_conf_dir_path: /etc/systemd/journald.conf.d
+rsyslog_cafile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

products/ol10/product.yml

@@ -46,3 +46,4 @@ platform_package_overrides:
 
 reference_uris:
   cis: ''
+rsyslog_cafile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

products/rhel10/product.yml

@@ -53,3 +53,4 @@ reference_uris:
 
 journald_conf_dir_path: /etc/systemd/journald.conf.d
 audit_watches_style: modern
+rsyslog_cafile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

ssg/constants.py

@@ -463,6 +463,7 @@
 DEFAULT_AIDE_CONF_PATH = '/etc/aide.conf'
 DEFAULT_AIDE_BIN_PATH = '/usr/sbin/aide'
 DEFAULT_AUDIT_WATCHES_STYLE = 'legacy'
+DEFAULT_RSYSLOG_CAFILE = '/etc/pki/tls/cert.pem'
 DEFAULT_FAILLOCK_PATH = '/var/run/faillock'
 DEFAULT_SSH_DISTRIBUTED_CONFIG = 'false'
 DEFAULT_PRODUCT = 'example'

ssg/products.py

@@ -15,6 +15,7 @@
                         DEFAULT_AIDE_CONF_PATH,
                         DEFAULT_AIDE_BIN_PATH,
                         DEFAULT_AUDIT_WATCHES_STYLE,
+                        DEFAULT_RSYSLOG_CAFILE,
                         DEFAULT_SSH_DISTRIBUTED_CONFIG,
                         DEFAULT_CHRONY_CONF_PATH,
                         DEFAULT_CHRONY_D_PATH,
@@ -100,6 +101,9 @@ def _get_implied_properties(existing_properties):
     if "audit_watches_style" not in existing_properties:
         result["audit_watches_style"] = DEFAULT_AUDIT_WATCHES_STYLE
 
+    if "rsyslog_cafile" not in existing_properties:
+        result["rsyslog_cafile"] = DEFAULT_RSYSLOG_CAFILE
+
     if "sshd_distributed_config" not in existing_properties:
         result["sshd_distributed_config"] = DEFAULT_SSH_DISTRIBUTED_CONFIG
 

tests/data/product_stability/alinux2.yml

@@ -74,6 +74,7 @@ reference_uris:
   pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
   stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
   stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
 sysctl_remediate_drop_in_file: 'false'
 type: platform

tests/data/product_stability/alinux3.yml

@@ -74,6 +74,7 @@ reference_uris:
   pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
   stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
   stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
 sysctl_remediate_drop_in_file: 'false'
 type: platform