Security guidance and baselines in SCAP formats
Johnny Hughes
2018-05-14 8ecd84502c677f29e250fae6518a1a0a421e264a
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
From 0a88755485a67e1e29c62196cc506763594f2154 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 1 Feb 2018 08:36:18 +0100
Subject: [PATCH 1/2] Do not fail aide_scan_notification with other email
 adresses
 
The rule aide_scan_notification says that AIDE should notify appropriate
personnell of the detials of an AIDE scan. The check currently requires
that the email address of the appropriate personell starts with 'root@'.
In practice, the email address could be any email address. The check
should match any email address.
Fixes RHBZ#1540505
---
 shared/checks/oval/aide_scan_notification.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 
diff --git a/shared/checks/oval/aide_scan_notification.xml b/shared/checks/oval/aide_scan_notification.xml
index 3293efb084..3aba02d144 100644
--- a/shared/checks/oval/aide_scan_notification.xml
+++ b/shared/checks/oval/aide_scan_notification.xml
@@ -23,7 +23,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object comment="notify personnel when aide completes" id="object_test_aide_scan_notification" version="1">
     <ind:filepath>/etc/crontab</ind:filepath>
-    <ind:pattern operation="pattern match">^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*root@.*$</ind:pattern>
+    <ind:pattern operation="pattern match">^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.*@.*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -32,7 +32,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object comment="notify personnel when aide completes" id="object_aide_var_cron_notification" version="1">
     <ind:filepath>/var/spool/cron/root</ind:filepath>
-    <ind:pattern operation="pattern match">^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*root@.*$</ind:pattern>
+    <ind:pattern operation="pattern match">^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.*@.*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -42,7 +42,7 @@
   <ind:textfilecontent54_object comment="notify personnel when aide completes in cron.(d|daily|weekly|monthly)" id="object_aide_crontabs_notification" version="1">
     <ind:path operation="pattern match">/etc/cron.(d|daily|weekly|monthly)</ind:path>
     <ind:filename operation="pattern match">^.*$</ind:filename>
-    <ind:pattern operation="pattern match">^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*root@.*$</ind:pattern>
+    <ind:pattern operation="pattern match">^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.*@.*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
    
 
From 381ca3e54eb2e79c18f613a0d95e187e5e622005 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 5 Feb 2018 09:58:23 +0100
Subject: [PATCH 2/2] Match at least 1 character in email address
 
---
 shared/checks/oval/aide_scan_notification.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 
diff --git a/shared/checks/oval/aide_scan_notification.xml b/shared/checks/oval/aide_scan_notification.xml
index 3aba02d144..b9f8e78929 100644
--- a/shared/checks/oval/aide_scan_notification.xml
+++ b/shared/checks/oval/aide_scan_notification.xml
@@ -23,7 +23,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object comment="notify personnel when aide completes" id="object_test_aide_scan_notification" version="1">
     <ind:filepath>/etc/crontab</ind:filepath>
-    <ind:pattern operation="pattern match">^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.*@.*$</ind:pattern>
+    <ind:pattern operation="pattern match">^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -32,7 +32,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object comment="notify personnel when aide completes" id="object_aide_var_cron_notification" version="1">
     <ind:filepath>/var/spool/cron/root</ind:filepath>
-    <ind:pattern operation="pattern match">^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.*@.*$</ind:pattern>
+    <ind:pattern operation="pattern match">^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -42,7 +42,7 @@
   <ind:textfilecontent54_object comment="notify personnel when aide completes in cron.(d|daily|weekly|monthly)" id="object_aide_crontabs_notification" version="1">
     <ind:path operation="pattern match">/etc/cron.(d|daily|weekly|monthly)</ind:path>
     <ind:filename operation="pattern match">^.*$</ind:filename>
-    <ind:pattern operation="pattern match">^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.*@.*$</ind:pattern>
+    <ind:pattern operation="pattern match">^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>