From d9efc55bea1d0b9bb326d700c31a033ec8862a2c Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 10 Dec 2025 15:08:36 +0100
Subject: [PATCH 1/7] Fix rsyslog rules due to change in how the configuration
 files are written.

rsyslog_files_groupownership
rsyslog_files_ownership
rsyslog_files_permissions

Most likely this is what caused the change: https://gitlab.com/redhat/centos-stream/rpms/rsyslog/-/merge_requests/49/diffs
---
 .../rsyslog_logfiles_attributes_modify/oval.template        | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template
index dcca7cb92ec..f1b801529ed 100644
--- a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template
@@ -82,9 +82,11 @@
             * contains at least one slash '/' character, and simultaneously doesn't contain any
               of ';', ':' and space characters,
             * the chunk was retrieved from a row not starting with space, '#', or '$' characters
+            * for newer versions of Rsyslog, there is now only the RainerScript syntax and the
+              regex now matches both syntaxes.
       -->
     <ind:pattern
-      operation="pattern match">^\s*[^(\s|#|\$)]+\s+.*(?:\bFile="|\s|\/|-)(\/[^:;\s"]+).*$</ind:pattern>
+      operation="pattern match">^\s*[^#$].*?(?:[Ff]ile="([^"\s]+)"|[\s]+-?(\/[^:;\s]+)).*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
     <filter action="exclude">state_{{{ _RULE_ID }}}_ignore_include_paths</filter>
   </ind:textfilecontent54_object>
@@ -96,7 +98,7 @@
          Their properties don't need to be as required for log files, thus, lets exclude them
          from the list of objects found. -->
     <ind:text
-    operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*)</ind:text>
+    operation="pattern match">(?:include\([\n\s]*file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*)</ind:text>
   </ind:textfilecontent54_state>
 
   <!-- Define OVAL variable to hold all the various system log files locations

From 24aa962652a587cd3c7cde61661f63aade3132aa Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 11 Dec 2025 13:35:17 +0100
Subject: [PATCH 2/7] Add new test scenarios for
 rsyslog_logfiles_attributes_modify template.

---
 ...ner_correct_new_format_with_action.pass.sh | 72 +++++++++++++++++
 ...ner_lenient_new_format_with_action.fail.sh | 80 +++++++++++++++++++
 2 files changed, 152 insertions(+)
 create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_new_format_with_action.pass.sh
 create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_new_format_with_action.fail.sh

diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_new_format_with_action.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_new_format_with_action.pass.sh
new file mode 100644
index 00000000000..651b39ebdd7
--- /dev/null
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_correct_new_format_with_action.pass.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_almalinux
+
+# Declare variables used for the tests and define the create_rsyslog_test_logs function
+source $SHARED/rsyslog_log_utils.sh
+
+{{% if ATTRIBUTE == "owner" %}}
+CHATTR="chown"
+ATTR_VALUE="root"
+{{% elif ATTRIBUTE == "groupowner" %}}
+CHATTR="chgrp"
+ATTR_VALUE="root"
+{{% else %}}
+CHATTR="chmod"
+ATTR_VALUE="0640"
+{{% endif %}}
+
+touch /var/log/messages
+
+$CHATTR $ATTR_VALUE /var/log/messages
+
+cat <<EOF >$RSYSLOG_CONF
+# rsyslog configuration file
+
+# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
+# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html 
+# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
+
+#### GLOBAL DIRECTIVES ####
+
+# Where to place auxiliary files
+global(workDirectory="/var/lib/rsyslog")
+
+#### MODULES ####
+
+# Use default timestamp format
+module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
+
+module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
+       SysSock.Use="off") # Turn off message reception via local log socket; 
+                          # local messages are retrieved through imjournal now.
+module(load="imjournal"             # provides access to the systemd journal
+       UsePid="system" # PID nummber is retrieved as the ID of the process the journal entry originates from
+       FileCreateMode="0644" # Set the access permissions for the state file
+       StateFile="imjournal.state") # File to store the position in the journal
+
+# Include all config files in /etc/rsyslog.d/
+include(file="/etc/rsyslog.d/*.conf" mode="optional")
+
+#module(load="imklog") # reads kernel messages (the same are read from journald)
+#module(load="immark") # provides --MARK-- message capability
+
+# Provides UDP syslog reception
+# for parameters see http://www.rsyslog.com/doc/imudp.html
+#module(load="imudp") # needs to be done just once
+#input(type="imudp" port="514")
+
+# Provides TCP syslog reception
+# for parameters see http://www.rsyslog.com/doc/imtcp.html
+#module(load="imtcp") # needs to be done just once
+#input(type="imtcp" port="514")
+
+#### RULES ####
+
+# Log all kernel messages to the console.
+# Logging much else clutters up the screen.
+#kern.* action(type="omfile" file="/dev/console")
+
+# Log anything (except mail) of level info or higher.
+# Don't log private authentication messages!
+*.info;mail.none;authpriv.none;cron.none action(type="omfile" file="/var/log/messages")
+EOF
diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_new_format_with_action.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_new_format_with_action.fail.sh
new file mode 100644
index 00000000000..7d2ca95fd77
--- /dev/null
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/rainer_lenient_new_format_with_action.fail.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_almalinux
+
+# Declare variables used for the tests and define the create_rsyslog_test_logs function
+source $SHARED/rsyslog_log_utils.sh
+
+{{% if ATTRIBUTE == "owner" %}}
+CHATTR="chown"
+ATTR_VALUE="root"
+ATTR_INCORRECT_VALUE="cac_testuser"
+useradd $ATTR_INCORRECT_VALUE
+{{% elif ATTRIBUTE == "groupowner" %}}
+CHATTR="chgrp"
+ATTR_VALUE="root"
+ATTR_INCORRECT_VALUE="cac_testgroup"
+groupadd $ATTR_INCORRECT_VALUE
+{{% else %}}
+CHATTR="chmod"
+ATTR_VALUE="0640"
+ATTR_INCORRECT_VALUE="0666"
+{{% endif %}}
+
+touch /var/log/messages
+
+$CHATTR $ATTR_VALUE /var/log/maillog
+$CHATTR $ATTR_INCORRECT_VALUE /var/log/messages
+
+cat <<EOF >$RSYSLOG_CONF
+# rsyslog configuration file
+
+# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
+# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html 
+# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
+
+#### GLOBAL DIRECTIVES ####
+
+# Where to place auxiliary files
+global(workDirectory="/var/lib/rsyslog")
+
+#### MODULES ####
+
+# Use default timestamp format
+module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
+
+module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
+       SysSock.Use="off") # Turn off message reception via local log socket; 
+                          # local messages are retrieved through imjournal now.
+module(load="imjournal"             # provides access to the systemd journal
+       UsePid="system" # PID nummber is retrieved as the ID of the process the journal entry originates from
+       FileCreateMode="0644" # Set the access permissions for the state file
+       StateFile="imjournal.state") # File to store the position in the journal
+
+# Include all config files in /etc/rsyslog.d/
+include(file="/etc/rsyslog.d/*.conf" mode="optional")
+
+#module(load="imklog") # reads kernel messages (the same are read from journald)
+#module(load="immark") # provides --MARK-- message capability
+
+# Provides UDP syslog reception
+# for parameters see http://www.rsyslog.com/doc/imudp.html
+#module(load="imudp") # needs to be done just once
+#input(type="imudp" port="514")
+
+# Provides TCP syslog reception
+# for parameters see http://www.rsyslog.com/doc/imtcp.html
+#module(load="imtcp") # needs to be done just once
+#input(type="imtcp" port="514")
+
+#### RULES ####
+
+# Log all kernel messages to the console.
+# Logging much else clutters up the screen.
+#kern.* action(type="omfile" file="/dev/console")
+
+# Log anything (except mail) of level info or higher.
+# Don't log private authentication messages!
+*.info;mail.none;authpriv.none;cron.none action(type="omfile" file="/var/log/messages")
+# Log all the mail messages in one place.
+mail.* action(type="omfile" file="/var/log/maillog" sync="on")
+EOF

From bbe3ad3f712b0d15c3b5c13205ce6d2353fc0094 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 11 Dec 2025 14:06:26 +0100
Subject: [PATCH 3/7] Exclude more types of files in the rsyslog files
 permissions remediation.

A line in the rsyslog conf file as such

  #kern.* action(type="omfile" file="/dev/console")

Would get in the way of the remediation and be considered a valid log
file, with this modification such files are excluded.
---
 .../rsyslog_logfiles_attributes_modify/ansible.template    | 7 ++++---
 .../rsyslog_logfiles_attributes_modify/bash.template       | 3 ++-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template
index 2ebf9b3cf1f..d8b427edcbf 100644
--- a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template
@@ -62,10 +62,11 @@
   ansible.builtin.shell: |
     {{%- if not 'debian' in product %}}
     set -o pipefail{{% endif %}}
-    grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \
-    grep -aoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \
+    grep -iozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item.1.path }} | \
+    grep -iaoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)" | \
     grep -oE "\"([/[:alnum:][:punct:]]*)\"" | \
-    tr -d "\""|| true
+    tr -d "\"" | \
+    grep -v '^/dev/' || true
   loop: "{{ rsyslog_config_files.results | default([]) | subelements('files') }}"
   register: log_files_new
   changed_when: False
diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template
index 338360f75d4..7a9e8824707 100644
--- a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template
@@ -77,11 +77,12 @@ done
 # extract possibly multiline action omfile expressions
 # extract File="logfile" expression
 # match only "logfile" expression
+# exclude /dev/* paths (e.g., /dev/console)
 for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
 do
 	ACTION_OMFILE_LINES=$(grep -iozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}")
 	OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -iaoP "\bFile\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)")
-	LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"")")
+	LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"" | grep -v "^/dev/")")
 done
 
 # Ensure the correct attribute if file exists

From 05bed9da61c0a94c20b959325f36a9e0a14ceeb0 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 11 Dec 2025 15:50:21 +0100
Subject: [PATCH 4/7] Update rsyslog_logfiles_attributes_modify

Cover cases where File can be part of some other longer word, so the
regex consider File as a whole word, also make it case insensitive.
---
 .../rsyslog_logfiles_attributes_modify/oval.template       | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template
index f1b801529ed..50ecec6a078 100644
--- a/shared/templates/rsyslog_logfiles_attributes_modify/oval.template
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/oval.template
@@ -86,7 +86,7 @@
               regex now matches both syntaxes.
       -->
     <ind:pattern
-      operation="pattern match">^\s*[^#$].*?(?:[Ff]ile="([^"\s]+)"|[\s]+-?(\/[^:;\s]+)).*$</ind:pattern>
+      operation="pattern match">^\s*[^#$].*?(?:\b[Ff]ile="([^"\s]+)"|[\s]+-?(\/[^:;\s]+)).*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
     <filter action="exclude">state_{{{ _RULE_ID }}}_ignore_include_paths</filter>
   </ind:textfilecontent54_object>
@@ -96,9 +96,10 @@
     <!-- Among the paths matched in object_{{{ _RULE_ID }}}_log_files_paths there can be paths
          from include() or $IncludeConfig statements. These paths are conf files, not log files.
          Their properties don't need to be as required for log files, thus, lets exclude them
-         from the list of objects found. -->
+         from the list of objects found. Also exclude lines that are part of multiline include
+         statements (lines starting with whitespace followed by file=) and /dev/* device files. -->
     <ind:text
-    operation="pattern match">(?:include\([\n\s]*file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*)</ind:text>
+    operation="pattern match">(?:include\([\n\s]*\b[Ff]ile="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|^\s+\b[Ff]ile="|\/dev\/.*)</ind:text>
   </ind:textfilecontent54_state>
 
   <!-- Define OVAL variable to hold all the various system log files locations

From b2e2659eb1257dc5eb7e2424b0344047668d1ba7 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 11 Dec 2025 17:14:12 +0100
Subject: [PATCH 5/7] Minor fix for idempotency when ansible creates a file.

---
 shared/macros/10-ansible.jinja | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 7d600a4d20a..8f3d19a3afc 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -274,6 +274,9 @@ value: :code:`Setting={{ varname1 }}`
   ansible.builtin.file:
     path: {{{ config_file }}}
     mode: '0600'
+    state: touch
+    modification_time: preserve
+    access_time: preserve
 {{%- else %}}
 {{{ ansible_set_config_file(msg, "/etc/ssh/ssh_config", parameter, value=value, create="yes", prefix_regex='(?i)^\s*', validate="", insert_before="BOF", rule_title=rule_title) }}}
 {{%- endif %}}

From 628b2b2b4ffae18d6c7c840b2339eab1eb47a06a Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 11 Dec 2025 17:49:54 +0100
Subject: [PATCH 6/7] Change the spacing required from >1 to >=1.

Our ansible remediation that includes the line /var/log/cron
add the line with only one space, and the previous regex was not
matching the line with one space only. This update will catch also the
case where the line has only one space between the first and second
parameters. For example: "cron.* /var/log/cron".
---
 .../rsyslog_logfiles_attributes_modify/ansible.template         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template
index d8b427edcbf..5fe77f3903e 100644
--- a/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/ansible.template
@@ -50,7 +50,7 @@
   ansible.builtin.shell: |
     {{%- if not 'debian' in product %}}
     set -o pipefail{{% endif %}}
-    grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item.1.path }} | \
+    grep -oP '^[^(\s|#|\$)]+[\s]*.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item.1.path }} | \
     awk '{print $NF}' | \
     sed -e 's/^-//' || true
   loop: "{{ rsyslog_config_files.results | default([]) | subelements('files') }}"

From 0b77174b7b5278e47dbb00332e7f4832bd753fca Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 11 Dec 2025 18:01:43 +0100
Subject: [PATCH 7/7] Add new test scenario to cover a case where only one
 space is found.

In the rsyslog configuration it's also possible to use a single space
between parameters and our ansible remediation for rsyslog_cron_logging
does that.

https://github.com/ComplianceAsCode/content/blob/2185de1165a2af8daab63acaa6d73503dc89fbc0/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/ansible/shared.yml#L23
---
 ...legacy_lenient_attr_only_one_space.fail.sh | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr_only_one_space.fail.sh

diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr_only_one_space.fail.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr_only_one_space.fail.sh
new file mode 100644
index 00000000000..af745baad6d
--- /dev/null
+++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_lenient_attr_only_one_space.fail.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_almalinux
+
+# Declare variables used for the tests and define the create_rsyslog_test_logs function
+source $SHARED/rsyslog_log_utils.sh
+
+{{% if ATTRIBUTE == "owner" %}}
+CHATTR="chown"
+ATTR_INCORRECT_VALUE="cac_testuser"
+useradd $ATTR_INCORRECT_VALUE
+{{% elif ATTRIBUTE == "groupowner" %}}
+CHATTR="chgrp"
+ATTR_INCORRECT_VALUE="cac_testgroup"
+groupadd $ATTR_INCORRECT_VALUE
+{{% else %}}
+CHATTR="chmod"
+ATTR_INCORRECT_VALUE="0666"
+{{% endif %}}
+
+# create one test log file
+create_rsyslog_test_logs 1
+
+# setup test log file property
+$CHATTR $ATTR_INCORRECT_VALUE ${RSYSLOG_TEST_LOGS[0]}
+
+# add rule with test log file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+EOF