@Arden97 Arden97 commented Jan 21, 2026

Description:

  • Updated OVAL pattern matching rules in the DISA STIG RHEL9 v2r6 XCCDF/SCAP reference file to properly detect rsyslog configurations that use comma-separated lists and RainerScript syntax format. The changes affect pattern matching for auth.*, authpriv.*, and daemon.* log entries in both /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files.
  • SSG OVAL check for rsyslog_remote_access_monitoring was also updated to match entries with a semicolon separator.

Rationale:

  • The previous OVAL patterns only recognized semicolon-separated syntax, causing false negatives when systems used valid comma-separated configurations or RainerScript format entries. This resulted in compliant rsyslog configurations being incorrectly flagged as non-compliant during SCAP scans.

  • The new regex pattern now also matches:

    • auth,authpriv.* /var/log/secure
    • authpriv.* action(file="/var/log/secure" type="omfile")
    • auth,authpriv.* action(type="omfile" file="/var/log/secure")
  • Fixes DISA Misalignment rsyslog_remote_access_monitoring SSG result: pass, DISA result(s): fail #14229
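
An added illustration, not code from this pull request or from the ComplianceAsCode project: a small Python checker that accepts the three syntaxes named in the description above (semicolon-separated selectors, comma-separated facilities, and RainerScript `action()` with parameters in either order). The function names, the required facility set and the sample configurations are assumptions constructed for the example.

```python
import re

# selector, whitespace, action; lines starting with '#' never match
LINE_RE = re.compile(r'^\s*(?P<sel>[^\s#]+)\s+(?P<action>.+?)\s*$')
ACTION_RE = re.compile(r'^action\((?P<params>.*)\)$')
PARAM_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def target_file(action):
    """Return the file an action writes to, or None if it is not a file action."""
    m = ACTION_RE.match(action)
    if m:  # RainerScript: parameters may appear in any order
        params = {k.lower(): v for k, v in PARAM_RE.findall(m.group('params'))}
        return params.get('file') if params.get('type') == 'omfile' else None
    # legacy syntax: optional '-' prefix (no sync), optional ';template' suffix
    path = action.lstrip('-').split(';')[0]
    return path if path.startswith('/') else None

def facilities_logged(config_text, path):
    """Facilities whose '<facility>.*' selector is written to path."""
    found = set()
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m or target_file(m.group('action')) != path:
            continue
        for group in m.group('sel').split(';'):       # auth.*;authpriv.*
            facs, dot, prio = group.partition('.')
            if dot and prio == '*':
                found.update(f for f in facs.split(',') if f)  # auth,authpriv.*
    return found

def missing_facilities(config_text, required=('auth', 'authpriv', 'daemon'),
                       path='/var/log/secure'):
    """Required facilities (assumed set) with no matching entry; empty means pass."""
    return set(required) - facilities_logged(config_text, path)

# Constructed sample configurations, not taken from any real system.
LEGACY = 'auth.*;authpriv.*;daemon.* /var/log/secure\n'
MIXED = ('auth,authpriv.* /var/log/secure\n'
         'daemon.* action(file="/var/log/secure" type="omfile")\n')
BROKEN = ('#auth.* /var/log/secure\n'
          'authpriv.none /var/log/secure\n'
          'daemon.* /var/log/messages\n')

if __name__ == '__main__':
    for name, cfg in (('legacy', LEGACY), ('mixed', MIXED), ('broken', BROKEN)):
        print(name, sorted(missing_facilities(cfg)) or 'pass')
```

The `BROKEN` sample shows three ways an entry can look present without counting: a commented-out line, a `.none` priority, and the wrong destination file.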

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress label Jan 21, 2026

openshift-ci bot commented Jan 21, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

github-actions bot commented Jan 21, 2026

ATEX Test Results

Test artifacts have been submitted to Testing Farm.

Results: View Test Results
Workflow Run: View Workflow Details

This comment was automatically generated by the ATEX workflow.

@Mab879 Mab879 added this to the 0.1.80 milestone Jan 21, 2026
@Arden97 Arden97 marked this pull request as ready for review January 21, 2026 19:55
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress label Jan 21, 2026
@Arden97 Arden97 changed the title from "Fix rsyslog OVAL patterns to support comma-separated syntax" to "Fix rsyslog OVAL patterns to support RainerScript syntax" Jan 21, 2026
@Arden97 Arden97 assigned Mab879 and unassigned Mab879 Jan 22, 2026
@Arden97 Arden97 requested a review from Mab879 January 22, 2026 08:36
@Mab879 Mab879 self-assigned this Jan 22, 2026
@Mab879 Mab879 merged commit a2a4ca2 into ComplianceAsCode:master Jan 22, 2026
143 of 144 checks passed
@Arden97 Arden97 deleted the disa_stig_rsyslog_syntax_mismatch branch January 23, 2026 08:41
Development

Successfully merging this pull request may close these issues.

DISA Misalignment rsyslog_remote_access_monitoring SSG result: pass, DISA result(s): fail