diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 310d8c65faf..9cf8b6592d0 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -1752,10 +1752,9 @@ controls: levels: - l1_server - l1_workstation - status: partial + status: automated rules: - rsyslog_nolisten - # This rule should be extended to consider rainerscript syntax - id: 4.2.2.1.1 title: Ensure systemd-journal-remote is installed (Manual) diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index d788d788bbb..80193e23e57 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -1598,10 +1598,9 @@ controls: levels: - l1_server - l1_workstation - status: partial + status: automated rules: - rsyslog_nolisten - # This rule should be extended to consider rainerscript syntax - id: 4.2.2.1.1 title: Ensure systemd-journal-remote is installed (Manual) diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/ansible/shared.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/ansible/shared.yml new file mode 100644 index 00000000000..98c2ffd1afb --- /dev/null +++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/ansible/shared.yml 
@@ -0,0 +1,81 @@ +# platform = multi_platform_all +# reboot = false +# strategy = configure +# complexity = low +# disruption = low + +- name: "{{{ rule_title }}} - Define Rsyslog Config Lines Regex in Legacy Syntax" + ansible.builtin.set_fact: + rsyslog_listen_legacy_regex: + '^\s*\$(((Input(TCP|RELP)|UDP)ServerRun)|ModLoad\s+(imtcp|imudp|imrelp))' + +- name: "{{{ rule_title }}} - Search for Legacy Config Lines in Rsyslog Main Config File" + ansible.builtin.find: + paths: "/etc" + pattern: "rsyslog.conf" + contains: "{{ rsyslog_listen_legacy_regex }}" + register: rsyslog_listen_legacy_main_file + +- name: "{{{ rule_title }}} - Search for Legacy Config Lines in Rsyslog Include Files" + ansible.builtin.find: + paths: "/etc/rsyslog.d/" + pattern: "*.conf" + contains: "{{ rsyslog_listen_legacy_regex }}" + register: rsyslog_listen_legacy_include_files + +- name: "{{{ rule_title }}} - Assemble List of Config Files With Listen Lines in Legacy Syntax" + ansible.builtin.set_fact: + rsyslog_legacy_remote_listen_files: >- + {{ rsyslog_listen_legacy_main_file.files | map(attribute='path') | list + + rsyslog_listen_legacy_include_files.files | map(attribute='path') | list }} + +- name: "{{{ rule_title }}} - Comment Listen Config Lines Wherever Defined Using Legacy Syntax" + ansible.builtin.replace: + path: "{{ item }}" + regexp: "{{ rsyslog_listen_legacy_regex }}" + replace: '# \1' + loop: "{{ rsyslog_legacy_remote_listen_files }}" + register: rsyslog_listen_legacy_comment + when: + - rsyslog_legacy_remote_listen_files | length > 0 + +- name: "{{{ rule_title }}} - Define Rsyslog Config Lines Regex in RainerScript Syntax" + ansible.builtin.set_fact: + rsyslog_listen_rainer_regex: '^\s*(module|input)\((load|type)="(imtcp|imudp)".*$' + +- name: "{{{ rule_title }}} - Search for RainerScript Config Lines in Rsyslog Main Config File" + ansible.builtin.find: + paths: "/etc" + pattern: "rsyslog.conf" + contains: "{{ rsyslog_listen_rainer_regex }}" + register: 
rsyslog_rainer_remote_main_file + +- name: "{{{ rule_title }}} - Search for RainerScript Config Lines in Rsyslog Include Files" + ansible.builtin.find: + paths: "/etc/rsyslog.d/" + pattern: "*.conf" + contains: "{{ rsyslog_listen_rainer_regex }}" + register: rsyslog_rainer_remote_include_files + +- name: "{{{ rule_title }}} - Assemble List of Config Files With Listen Lines in RainerScript" + ansible.builtin.set_fact: + rsyslog_rainer_remote_listen_files: >- + {{ rsyslog_rainer_remote_main_file.files | map(attribute='path') | list + + rsyslog_rainer_remote_include_files.files | map(attribute='path') | list }} + +- name: "{{{ rule_title }}} - Comment Listen Config Lines Wherever Defined Using RainerScript" + ansible.builtin.replace: + path: "{{ item }}" + regexp: "{{ rsyslog_listen_rainer_regex }}" + replace: '# \1' + loop: "{{ rsyslog_rainer_remote_listen_files }}" + register: rsyslog_listen_rainer_comment + when: + - rsyslog_rainer_remote_listen_files | length > 0 + +- name: "{{{ rule_title }}} - Restart Rsyslog if Any Line Were Commented Out" + ansible.builtin.service: + name: rsyslog + state: restarted + when: + - rsyslog_listen_legacy_comment is changed or rsyslog_listen_rainer_comment is changed diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/bash/shared.sh b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/bash/shared.sh new file mode 100644 index 00000000000..2d1006454f4 --- /dev/null +++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/bash/shared.sh 
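Review bot: Both `ansible.builtin.replace` tasks write `# \1`, but group 1 is not the whole directive, so the line is rewritten rather than commented out: with the RainerScript pattern `input(type="imtcp" port="514")` becomes `# input` (the `.*$` tail is matched and dropped), and with the legacy pattern `$ModLoad imtcp` becomes `# ModLoad imtcp`. The Bash remediation in the same commit keeps the original text (`s/^/# /`), so the two remediations diverge and the Ansible one discards the module and port an administrator would need to restore a documented log server. Moving the capture to cover the whole directive fixes this without touching the tasks: `'^\s*(\$((Input(TCP|RELP)|UDP)ServerRun|ModLoad\s+(imtcp|imudp|imrelp)))'` and `'^\s*((module|input)\((load|type)="(imtcp|imudp)".*)$'`. Separately, the RainerScript pattern lists only `imtcp|imudp` while the legacy one also lists `imrelp`, and it needs `module(load="` or `input(type="` on one line with that parameter first; the same pattern is reused in bash/shared.sh, oval/shared.xml and the rule.yml text, so a RELP listener or an object laid out across lines (as the multi-line `include(` test fixture is) would probably go undetected even though the CIS controls are now marked `automated`.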
@@ -0,0 +1,30 @@ +# platform = multi_platform_all +# reboot = false +# strategy = configure +# complexity = low +# disruption = low + +legacy_regex='^\s*\$(((Input(TCP|RELP)|UDP)ServerRun)|ModLoad\s+(imtcp|imudp|imrelp))' +rainer_regex='^\s*(module|input)\((load|type)="(imtcp|imudp)".*$' + +readarray -t legacy_targets < <(grep -l -E -r "${legacy_regex[@]}" /etc/rsyslog.conf /etc/rsyslog.d/) +readarray -t rainer_targets < <(grep -l -E -r "${rainer_regex[@]}" /etc/rsyslog.conf /etc/rsyslog.d/) + +config_changed=false +if [ ${#legacy_targets[@]} -gt 0 ]; then + for target in "${legacy_targets[@]}"; do + sed -E -i "/$legacy_regex/ s/^/# /" "$target" + done + config_changed=true +fi + +if [ ${#rainer_targets[@]} -gt 0 ]; then + for target in "${rainer_targets[@]}"; do + sed -E -i "/$rainer_regex/ s/^/# /" "$target" + done + config_changed=true +fi + +if $config_changed; then + systemctl restart rsyslog.service +fi diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml index b96a39c6653..3e5c05bff9f 100644 --- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml +++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml @@ -1,19 +1,36 @@ - - {{{ oval_metadata("rsyslogd should reject remote messages") }}} - - - - - - - - - /etc/rsyslog.conf - ^[\s]*\$((?:Input(?:TCP|RELP)|UDP)ServerRun|ModLoad[\s]+(imtcp|imudp|imrelp)) - 1 - + + {{{ oval_metadata("rsyslogd should reject remote messages") }}} + + + + + + + + + + + + ^\/etc\/rsyslog(\.conf|\.d\/.*\.conf)$ + ^[\s]*\$((?:Input(?:TCP|RELP)|UDP)ServerRun|ModLoad[\s]+(imtcp|imudp|imrelp)) + 1 + + + + + + + + ^\/etc\/rsyslog(\.conf|\.d\/.*\.conf)$ + ^\s*(?:module|input)\((?:load|type)="(imtcp|imudp)".*$ + 1 + 
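Review bot: `grep -l -E -r ... /etc/rsyslog.d/` in bash/shared.sh searches every file under the directory, while the Ansible tasks and the OVAL filepath pattern in this commit only consider `*.conf`, so `sed -i` here can also edit files that rsyslog is presumably not loading (backup or saved copies) and trigger a restart because of them. Restricting the search keeps the three implementations aligned: `grep -l -E -r --include='*.conf' "$legacy_regex" /etc/rsyslog.conf /etc/rsyslog.d/`, and likewise for `rainer_regex`. Both variables are plain strings, so `"${legacy_regex[@]}"` reads better as `"$legacy_regex"`. A comment above the two patterns naming the directives they are meant to match would also help, for example `# legacy: $ModLoad imtcp|imudp|imrelp, $InputTCPServerRun, $InputRELPServerRun, $UDPServerRun`.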
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml index c2e7c0a8a05..1ff4d159cb9 100644 --- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml +++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml @@ -5,10 +5,11 @@ prodtype: alinux3,fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu22 title: 'Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server' description: |- - The rsyslog daemon should not accept remote messages - unless the system acts as a log server. - To ensure that it is not listening on the network, ensure the following lines are - not found in /etc/rsyslog.conf: + The rsyslog daemon should not accept remote messages unless the system acts as a log + server. To ensure that it is not listening on the network, ensure any of the following lines + are not found in rsyslog configuration files. + + If using legacy syntax:
$ModLoad imtcp
     $InputTCPServerRun port
     $ModLoad imudp
@@ -16,10 +17,17 @@ description: |-
     $ModLoad imrelp
     $InputRELPServerRun port
+ If using RainerScript syntax: +
module(load="imtcp")
+    module(load="imudp")
+    input(type="imtcp" port="514")
+    input(type="imudp" port="514")
+    
+ rationale: |- - Any process which receives messages from the network incurs some risk - of receiving malicious messages. This risk can be eliminated for - rsyslog by configuring it not to listen on the network. + Any process which receives messages from the network incurs some risk of receiving malicious + messages. This risk can be eliminated for rsyslog by configuring it not to listen on the + network. severity: medium @@ -54,9 +62,15 @@ references: ocil_clause: "rsyslog accepts remote messages and is not documented as a log aggregation system" ocil: |- - Verify that the system is not accepting "rsyslog" messages from other systems unless it is documented as a log aggregation server. - Display the contents of the configuration file: -
cat /etc/rsyslog.conf
+ Verify that the system is not accepting "rsyslog" messages from other systems unless it is + documented as a log aggregation server. + Display the contents of the rsyslog configuration files: +
find /etc -maxdepth 2 -regex '/etc/rsyslog\(\.conf\|\.d\/.*\.conf\)' -exec cat '{}' \;
+ + If any of the below lines are found, ask to see the documentation for the system being used + for log aggregation: + + If using legacy syntax:
$ModLoad imtcp
     $InputTCPServerRun port
     $ModLoad imudp
@@ -64,9 +78,13 @@ ocil: |-
     $ModLoad imrelp
     $InputRELPServerRun port
- If any of the above modules are being loaded in the "/etc/rsyslog.conf" file, ask to see the documentation for the system being used for log aggregation. - -fixtext: 'The {{{ full_name }}} must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.' + If using RainerScript syntax: +
module(load="imtcp")
+    module(load="imudp")
+    input(type="imtcp" port="514")
+    input(type="imudp" port="514")
+    
-srg_requirement: |- - {{{ full_name }}} must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. +fixtext: |- + The {{{ full_name }}} must be configured so that the rsyslog daemon does not accept log + messages from other servers unless the server is being used for log aggregation. diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/all_lines_commented.pass.sh b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/all_lines_commented.pass.sh deleted file mode 100644 index 82bf2b4636c..00000000000 --- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/all_lines_commented.pass.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -. shared.sh - -echo "# \$ModLoad imtcp -# \$InputTCPServerRun 5000 -# \$ModLoad imudp -# \$UDPServerRun 5000 -# \$ModLoad imrelp -# \$InputRELPServerRun 5000" >> "$CONF_FILE" diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/all_lines_in_conf.fail.sh b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/all_lines_in_conf.fail.sh deleted file mode 100644 index e696111d1cf..00000000000 --- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/all_lines_in_conf.fail.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash -# -# remediation = none - -. shared.sh - -echo "\$ModLoad imtcp -\$InputTCPServerRun 5000 -\$ModLoad imudp -\$UDPServerRun 5000 -\$ModLoad imrelp -\$InputRELPServerRun 5000" >> "$CONF_FILE" diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/legacy_commented_lines.pass.sh b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/legacy_commented_lines.pass.sh new file mode 100755 index 00000000000..62fb1115491 --- /dev/null 
+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/legacy_commented_lines.pass.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Declare variables used for the tests and define the create_rsyslog_test_logs function
+source $SHARED/rsyslog_log_utils.sh
+
+# create one test log file
+create_rsyslog_test_logs 1
+
+# setup test log file property
+chmod 0640 ${RSYSLOG_TEST_LOGS[0]}
+chown root.root ${RSYSLOG_TEST_LOGS[0]}
+
+# add commented modules lines to main configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### MODULES ####
+# \$ModLoad imtcp
+# \$InputTCPServerRun 5000
+# \$ModLoad imudp
+# \$UDPServerRun 5000
+# \$ModLoad imrelp
+# \$InputRELPServerRun 5000
+
+#### RULES ####
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+EOF
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/legacy_commented_lines_included.pass.sh b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/legacy_commented_lines_included.pass.sh
new file mode 100755
index 00000000000..f00b8a0a7fb
--- /dev/null
+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/legacy_commented_lines_included.pass.sh
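Review bot: `chown root.root ${RSYSLOG_TEST_LOGS[0]}` in legacy_commented_lines.pass.sh uses the dot separator, which GNU chown keeps only for compatibility; `chown root:root "${RSYSLOG_TEST_LOGS[0]}"` is the documented form. Quoting the expansion there, on the `chmod` line and in the `cat << EOF > $RSYSLOG_CONF` redirect also avoids word splitting if a path ever contains whitespace. The same setup lines are copied into every new test script in this commit, so the change applies to all of them.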
@@ -0,0 +1,39 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Declare variables used for the tests and define the create_rsyslog_test_logs function
+source $SHARED/rsyslog_log_utils.sh
+
+# create one test log file
+create_rsyslog_test_logs 1
+
+# setup test log file property
+chmod 0640 ${RSYSLOG_TEST_LOGS[0]}
+chown root.root ${RSYSLOG_TEST_LOGS[0]}
+
+# create test configuration file with commented modules lines
+test_conf=${RSYSLOG_CONF_DIR}/test1.conf
+cat << EOF > ${test_conf}
+# rsyslog test configuration file
+
+#### MODULES ####
+# \$ModLoad imtcp
+# \$InputTCPServerRun 5000
+# \$ModLoad imudp
+# \$UDPServerRun 5000
+# \$ModLoad imrelp
+# \$InputRELPServerRun 5000
+
+EOF
+
+# add generic rule plus an include statement
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+\$IncludeConfig ${test_conf}
+
+EOF
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/legacy_modules_used.fail.sh b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/legacy_modules_used.fail.sh
new file mode 100755
index 00000000000..0b516e27975
--- /dev/null
+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/legacy_modules_used.fail.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Declare variables used for the tests and define the create_rsyslog_test_logs function
+source $SHARED/rsyslog_log_utils.sh
+
+# create one test log file
+create_rsyslog_test_logs 1
+
+# setup test log file property
+chmod 0640 ${RSYSLOG_TEST_LOGS[0]}
+chown root.root ${RSYSLOG_TEST_LOGS[0]}
+
+# add modules lines to main configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### MODULES ####
+\$ModLoad imtcp
+\$InputTCPServerRun 5000
+\$ModLoad imudp
+\$UDPServerRun 5000
+\$ModLoad imrelp
+\$InputRELPServerRun 5000
+
+#### RULES ####
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+EOF
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/legacy_modules_used_included.fail.sh b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/legacy_modules_used_included.fail.sh
new file mode 100755
index 00000000000..f381ae675db
--- /dev/null
+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/legacy_modules_used_included.fail.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Declare variables used for the tests and define the create_rsyslog_test_logs function
+source $SHARED/rsyslog_log_utils.sh
+
+# create one test log file
+create_rsyslog_test_logs 1
+
+# setup test log file property
+chmod 0640 ${RSYSLOG_TEST_LOGS[0]}
+chown root.root ${RSYSLOG_TEST_LOGS[0]}
+
+# create test configuration file with modules lines defined
+test_conf=${RSYSLOG_CONF_DIR}/test1.conf
+cat << EOF > ${test_conf}
+# rsyslog test configuration file
+
+#### MODULES ####
+\$ModLoad imtcp
+\$InputTCPServerRun 5000
+\$ModLoad imudp
+\$UDPServerRun 5000
+\$ModLoad imrelp
+\$InputRELPServerRun 5000
+
+EOF
+
+# add generic rule plus an include statement
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+\$IncludeConfig ${test_conf}
+
+EOF
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/legacy_one_module_used.fail.sh b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/legacy_one_module_used.fail.sh
new file mode 100755
index 00000000000..f40ea87e43e
--- /dev/null
+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/legacy_one_module_used.fail.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Declare variables used for the tests and define the create_rsyslog_test_logs function
+source $SHARED/rsyslog_log_utils.sh
+
+# create one test log file
+create_rsyslog_test_logs 1
+
+# setup test log file property
+chmod 0640 ${RSYSLOG_TEST_LOGS[0]}
+chown root.root ${RSYSLOG_TEST_LOGS[0]}
+
+# add modules lines to main configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### MODULES ####
+\$ModLoad imtcp
+\$InputTCPServerRun 5000
+
+#### RULES ####
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+EOF
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/no_lines_in_conf.pass.sh b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/no_lines_in_conf.pass.sh
deleted file mode 100644
index 62ddc50649c..00000000000
--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/no_lines_in_conf.pass.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-. shared.sh
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/no_modules.pass.sh b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/no_modules.pass.sh
new file mode 100755
index 00000000000..e839f15fbbc
--- /dev/null
+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/no_modules.pass.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Declare variables used for the tests and define the create_rsyslog_test_logs function
+source $SHARED/rsyslog_log_utils.sh
+
+# create one test log file
+create_rsyslog_test_logs 1
+
+# setup test log file property
+chmod 0640 ${RSYSLOG_TEST_LOGS[0]}
+chown root.root ${RSYSLOG_TEST_LOGS[0]}
+
+# no modules configuration in the main configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### MODULES ####
+
+#### RULES ####
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+EOF
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/one_line_in_conf.fail.sh b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/one_line_in_conf.fail.sh
deleted file mode 100644
index 825a4d1d761..00000000000
--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/one_line_in_conf.fail.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-#
-# remediation = none
-
-. shared.sh
-
-echo "\$UDPServerRun 5000" >> "$CONF_FILE"
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/rainer_commented_lines.pass.sh b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/rainer_commented_lines.pass.sh
new file mode 100755
index 00000000000..e6e4f6ec9d3
--- /dev/null
+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/rainer_commented_lines.pass.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Declare variables used for the tests and define the create_rsyslog_test_logs function
+source $SHARED/rsyslog_log_utils.sh
+
+# create one test log file
+create_rsyslog_test_logs 1
+
+# setup test log file property
+chmod 0640 ${RSYSLOG_TEST_LOGS[0]}
+chown root.root ${RSYSLOG_TEST_LOGS[0]}
+
+# add commented modules lines to main configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### MODULES ####
+# module(load="imtcp")
+# input(type="imtcp" port="514")
+
+#### RULES ####
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+EOF
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/rainer_commented_lines_included.pass.sh b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/rainer_commented_lines_included.pass.sh
new file mode 100755
index 00000000000..66d2ec66d8b
--- /dev/null
+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/rainer_commented_lines_included.pass.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Declare variables used for the tests and define the create_rsyslog_test_logs function
+source $SHARED/rsyslog_log_utils.sh
+
+# create one test log file
+create_rsyslog_test_logs 1
+
+# setup test log file property
+chmod 0640 ${RSYSLOG_TEST_LOGS[0]}
+chown root.root ${RSYSLOG_TEST_LOGS[0]}
+
+# create test configuration file with commented modules lines
+test_conf=${RSYSLOG_CONF_DIR}/test1.conf
+cat << EOF > ${test_conf}
+# rsyslog test configuration file
+
+#### MODULES ####
+# module(load="imtcp")
+# input(type="imtcp" port="514")
+
+EOF
+
+# add generic rule plus an include statement
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+include(file="${test_conf}")
+
+EOF
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/rainer_commented_lines_multiline_included.pass.sh b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/rainer_commented_lines_multiline_included.pass.sh
new file mode 100755
index 00000000000..1855217b82e
--- /dev/null
+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/rainer_commented_lines_multiline_included.pass.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Declare variables used for the tests and define the create_rsyslog_test_logs function
+source $SHARED/rsyslog_log_utils.sh
+
+# create one test log file
+create_rsyslog_test_logs 1
+
+# setup test log file property
+chmod 0640 ${RSYSLOG_TEST_LOGS[0]}
+chown root.root ${RSYSLOG_TEST_LOGS[0]}
+
+# create test configuration file with commented modules lines
+test_conf=${RSYSLOG_CONF_DIR}/test1.conf
+cat << EOF > ${test_conf}
+# rsyslog test configuration file
+
+#### MODULES ####
+# module(load="imtcp")
+# input(type="imtcp" port="514")
+
+EOF
+
+# add generic rule plus an include statement
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+include(
+ file="${test_conf}"
+)
+
+EOF
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/rainer_modules_used.fail.sh b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/rainer_modules_used.fail.sh
new file mode 100755
index 00000000000..ff918b47e76
--- /dev/null
+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/rainer_modules_used.fail.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Declare variables used for the tests and define the create_rsyslog_test_logs function
+source $SHARED/rsyslog_log_utils.sh
+
+# create one test log file
+create_rsyslog_test_logs 1
+
+# setup test log file property
+chmod 0640 ${RSYSLOG_TEST_LOGS[0]}
+chown root.root ${RSYSLOG_TEST_LOGS[0]}
+
+# add modules lines to main configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### MODULES ####
+module(load="imtcp")
+input(type="imtcp" port="514")
+
+#### RULES ####
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+EOF
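Review bot: The RainerScript fail fixtures (rainer_modules_used.fail.sh here and rainer_modules_used_included.fail.sh) only exercise the exact single-line form `module(load="imtcp")` / `input(type="imtcp" port="514")`, so nothing in the suite shows what the rule does with `imudp` or with an object split across lines. The only multi-line case is the active `include(` statement in the pass fixture above, whose included file holds commented lines. An active listener written as `module(` / `load="imtcp"` / `)` does not match the `^\s*(module|input)\((load|type)=` pattern the check uses and would presumably be reported as compliant. Adding a `.fail.sh` fixture for that layout and one for `input(type="imudp" port="514")` would pin the intended behaviour.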
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/rainer_modules_used_included.fail.sh b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/rainer_modules_used_included.fail.sh
new file mode 100755
index 00000000000..dccc6747cce
--- /dev/null
+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/rainer_modules_used_included.fail.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Declare variables used for the tests and define the create_rsyslog_test_logs function
+source $SHARED/rsyslog_log_utils.sh
+
+# create one test log file
+create_rsyslog_test_logs 1
+
+# setup test log file property
+chmod 0640 ${RSYSLOG_TEST_LOGS[0]}
+chown root.root ${RSYSLOG_TEST_LOGS[0]}
+
+# create test configuration file with modules lines defined
+test_conf=${RSYSLOG_CONF_DIR}/test1.conf
+cat << EOF > ${test_conf}
+# rsyslog test configuration file
+
+#### MODULES ####
+module(load="imtcp")
+input(type="imtcp" port="514")
+
+EOF
+
+# add generic rule plus an include statement
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+include(file="${test_conf}")
+
+EOF
diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/shared.sh b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/shared.sh
deleted file mode 100644
index 5f70ebcc8b3..00000000000
--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/tests/shared.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash
-
-CONF_FILE="/etc/rsyslog.conf"
-
-declare -a BAD_LINES=("\\\$ModLoad\\s\\+imtcp"
-"\\\$InputTCPServerRun.*"
-"\\\$ModLoad\\s\\+imudp"
-"\\\$UDPServerRun.*"
-"\\\$ModLoad\\s\\+imrelp"
-"\\\$InputRELPServerRun.*")
-
-for line in "${BAD_LINES[@]}"; do
- sed -i "/$line/d" "$CONF_FILE"
-done
diff --git a/tests/shared/rsyslog_log_utils.sh b/tests/shared/rsyslog_log_utils.sh index 5a2a776e95e..206f9bec831 100755 --- a/tests/shared/rsyslog_log_utils.sh +++ b/tests/shared/rsyslog_log_utils.sh @@ -1,6 +1,7 @@ #!/bin/bash RSYSLOG_CONF='/etc/rsyslog.conf' +RSYSLOG_CONF_DIR='/etc/rsyslog.d' LOG_FILE_PREFIX=test RSYSLOG_TEST_DIR=/tmp declare -a RSYSLOG_TEST_LOGS