From 97aa6209b04bcf6e2db82dea22374e5288fbc700 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Thu, 16 Jan 2025 14:51:05 +0100
Subject: [PATCH 1/3] Add new rule logging_services_active

Checks that one of rsyslog/systemd-journald is active. Satisfies Ubuntu 24.04 CIS control 6.1.1.4
---
 components/rsyslog.yml | 1 +
 components/systemd.yml | 1 +
 .../logging_services_active/oval/shared.xml | 47 +++++++++++++++++++
 .../logging/logging_services_active/rule.yml | 23 +++++++++
 .../tests/journald.pass.sh | 8 ++++
 .../tests/multiple.pass.sh | 7 +++
 .../tests/none.fail.sh | 8 ++++
 7 files changed, 95 insertions(+)
 create mode 100644 linux_os/guide/system/logging/logging_services_active/oval/shared.xml
 create mode 100644 linux_os/guide/system/logging/logging_services_active/rule.yml
 create mode 100644 linux_os/guide/system/logging/logging_services_active/tests/journald.pass.sh
 create mode 100644 linux_os/guide/system/logging/logging_services_active/tests/multiple.pass.sh
 create mode 100644 linux_os/guide/system/logging/logging_services_active/tests/none.fail.sh
diff --git a/components/rsyslog.yml b/components/rsyslog.yml
index 32163ad5dea..2659542e666 100644
--- a/components/rsyslog.yml
+++ b/components/rsyslog.yml
@@ -14,6 +14,7 @@ rules:
 - journald_compress
 - journald_forward_to_syslog
 - journald_storage
+- logging_services_active
 - logwatch_configured_hostlimit
 - logwatch_configured_splithosts
 - package_logrotate_installed
diff --git a/components/systemd.yml b/components/systemd.yml
index 82f86d71e8b..63e370d936b 100644
--- a/components/systemd.yml
+++ b/components/systemd.yml
@@ -25,6 +25,7 @@ rules:
 - journald_forward_to_syslog
 - journald_disable_forward_to_syslog
 - journald_storage
+- logging_services_active
 - package_systemd-journal-remote_installed
 - package_timesyncd_installed
 - package_timesyncd_removed
diff --git a/linux_os/guide/system/logging/logging_services_active/oval/shared.xml b/linux_os/guide/system/logging/logging_services_active/oval/shared.xml
new file mode 100644
index 00000000000..c63eef2c35c
--- /dev/null
+++ b/linux_os/guide/system/logging/logging_services_active/oval/shared.xml
@@ -0,0 +1,47 @@ + + + + {{{ oval_metadata("Ensure one logging service is in use") }}} + + + + + + + + ^(rsyslog|systemd-journald).service$ + ActiveState + ste_{{{ rule_id }}}_logging_services + + + + active + + + + + + + + + + + + + + + + + + + var_{{{ rule_id }}}_logging_service_active_count + + + + 1 +
diff --git a/linux_os/guide/system/logging/logging_services_active/rule.yml b/linux_os/guide/system/logging/logging_services_active/rule.yml
new file mode 100644
index 00000000000..7aba35cbd2e
--- /dev/null
+++ b/linux_os/guide/system/logging/logging_services_active/rule.yml
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+title: 'Ensure One Logging Service Is In Use'
+
+description: |-
+ Ensure that a logging system is active and in use.
+
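Review bot: The unit-name pattern `^(rsyslog|systemd-journald).service$` leaves the dot unescaped, so it also matches names such as `rsyslogX.service`; `^(rsyslog|systemd-journald)\.service$` is the intended match. The XML markup of this hunk is not legible in this rendering, so the wiring between the ActiveState object, the `active` state, the `var_{{{ rule_id }}}_logging_service_active_count` variable and the threshold `1` could not be checked here. Please confirm the count comparison is "greater than or equal", since multiple.pass.sh starts both units and is expected to pass.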
+    systemctl is-active rsyslog systemd-journald
+    
+ The command should return at least one active.
+
+rationale: |-
+ The system should have one active logging service to avoid conflicts
+ and ensure consistency.
+
+severity: medium
+
+platform: machine
+
+warnings:
+ - general: |-
+ This rule does not come with a remediation. There are specific rules
+ for enabling each logging service which should be enabled instead.
diff --git a/linux_os/guide/system/logging/logging_services_active/tests/journald.pass.sh b/linux_os/guide/system/logging/logging_services_active/tests/journald.pass.sh
new file mode 100644
index 00000000000..9477273f676
--- /dev/null
+++ b/linux_os/guide/system/logging/logging_services_active/tests/journald.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+#
+# packages = rsyslog
+# remediation = none
+
+systemctl stop syslog*
+systemctl stop rsyslog*
+systemctl start systemd-journald
diff --git a/linux_os/guide/system/logging/logging_services_active/tests/multiple.pass.sh b/linux_os/guide/system/logging/logging_services_active/tests/multiple.pass.sh
new file mode 100644
index 00000000000..7ff39625108
--- /dev/null
+++ b/linux_os/guide/system/logging/logging_services_active/tests/multiple.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+#
+# packages = rsyslog
+# remediation = none
+
+systemctl start rsyslog
+systemctl start systemd-journald
diff --git a/linux_os/guide/system/logging/logging_services_active/tests/none.fail.sh b/linux_os/guide/system/logging/logging_services_active/tests/none.fail.sh
new file mode 100644
index 00000000000..7c518755f90
--- /dev/null
+++ b/linux_os/guide/system/logging/logging_services_active/tests/none.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+#
+# packages = rsyslog
+# remediation = none
+
+systemctl stop systemd-journald*
+systemctl stop syslog*
+systemctl stop rsyslog*
From aeeaee2812ce3ee4711f86df69ac5344026c1e3e Mon Sep 17 00:00:00 2001
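Review bot: The rationale says the system "should have one active logging service to avoid conflicts", but the check passes with both rsyslog and systemd-journald active (multiple.pass.sh starts both and is a pass scenario), so the wording contradicts the tested behaviour; `The system should have at least one active logging service so that` / `events are recorded and available for review.` states what the rule actually enforces. The rule also has no `ocil_clause`/`ocil` entries; an `ocil_clause: 'neither rsyslog nor systemd-journald is active'` together with an `ocil` block repeating the `systemctl is-active rsyslog systemd-journald` command from the description would keep the manual check aligned with the OVAL check. The description block starts on an earlier line of this hunk.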
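Review bot: none.fail.sh assumes `systemctl stop systemd-journald*` keeps journald down until the scan runs; journald is normally socket-activated, and while the glob should also stop its socket units, anything that re-activates journald before the scanner runs would turn this fail scenario into a pass. Appending `! systemctl is-active --quiet systemd-journald` as a final line would make the script itself report when that precondition does not hold; the same consideration applies to journald.pass.sh for rsyslog. Whether re-activation actually happens under the test harness is inferred, not visible here.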
From: Miha Purg
Date: Thu, 16 Jan 2025 15:29:19 +0100
Subject: [PATCH 2/3] Add rule to ubuntu2404 CIS control 6.1.1.4
---
 controls/cis_ubuntu2404.yml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 89ec9ea2219..c0b809c6ca8 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -2272,8 +2272,16 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- status: planned
- notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+ rules:
+ - logging_services_active
+ status: automated
+ notes: |
+ The title of this rule is misleading. The actual audit checks that at least
+ one of "rsyslogd" and "systemd-journald" is active.
+ See https://workbench.cisecurity.org/benchmarks/18959/tickets/23601
+
+ Remediation is not automated as the choice of correct logging service
+ is dependent on site policy.

 - id: 6.1.2.1.1
 title: Ensure systemd-journal-remote is installed (Automated)
From 32dbd43459b728d442732dfe709dfea312f256b0 Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Fri, 17 Jan 2025 14:50:10 +0100
Subject: [PATCH 3/3] Fix metadata in firewall_single_service_active rule
---
 .../firewall_single_service_active/oval/shared.xml | 8 +-------
 .../firewall_single_service_active/tests/multiple.fail.sh | 2 +-
 .../firewall_single_service_active/tests/none.fail.sh | 2 +-
 .../firewall_single_service_active/tests/single.pass.sh | 2 +-
 4 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/linux_os/guide/system/network/firewall_single_service_active/oval/shared.xml b/linux_os/guide/system/network/firewall_single_service_active/oval/shared.xml
index 0b34ebf54ec..b8254289c93 100644
--- a/linux_os/guide/system/network/firewall_single_service_active/oval/shared.xml
+++ b/linux_os/guide/system/network/firewall_single_service_active/oval/shared.xml
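Review bot: The control is marked `status: automated` while the notes directly below say remediation is deliberately not automated; if this file's convention reserves `automated` for controls that have both an automated check and an automated remediation, `status: partial` describes this entry more accurately. The notes also state that the audit checks "at least one" of the services, which matches the rule's check but not the rule title "Ensure One Logging Service Is In Use"; either the title or the notes should say which it is. The control's `id` and `title` lines precede this hunk.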
@@ -1,13 +1,7 @@ - - Ensure Only One Firewall Service is Active - - multi_platform_all - - Only one firewall service (ufw, iptables, or nftables) should be active. - + {{{ oval_metadata("Ensure Only One Firewall Service is Active") }}}
diff --git a/linux_os/guide/system/network/firewall_single_service_active/tests/multiple.fail.sh b/linux_os/guide/system/network/firewall_single_service_active/tests/multiple.fail.sh
index 2d26611b842..6097d9e5f6a 100644
--- a/linux_os/guide/system/network/firewall_single_service_active/tests/multiple.fail.sh
+++ b/linux_os/guide/system/network/firewall_single_service_active/tests/multiple.fail.sh
@@ -1,4 +1,4 @@
-#!?bin/bash
+#!/bin/bash
 #
 # remediation = none
diff --git a/linux_os/guide/system/network/firewall_single_service_active/tests/none.fail.sh b/linux_os/guide/system/network/firewall_single_service_active/tests/none.fail.sh
index 52ad7034fd5..809898a6aae 100644
--- a/linux_os/guide/system/network/firewall_single_service_active/tests/none.fail.sh
+++ b/linux_os/guide/system/network/firewall_single_service_active/tests/none.fail.sh
@@ -1,4 +1,4 @@
-#!?bin/bash
+#!/bin/bash
 #
 # remediation = none
diff --git a/linux_os/guide/system/network/firewall_single_service_active/tests/single.pass.sh b/linux_os/guide/system/network/firewall_single_service_active/tests/single.pass.sh
index 1d181c5660b..2cc7697ae7a 100644
--- a/linux_os/guide/system/network/firewall_single_service_active/tests/single.pass.sh
+++ b/linux_os/guide/system/network/firewall_single_service_active/tests/single.pass.sh
@@ -1,4 +1,4 @@
-#!?bin/bash
+#!/bin/bash
 #
 # remediation = none