From 29ef00ac92720e22108c78d10ea6f2e8a65cfe98 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Tue, 5 Nov 2019 20:01:40 +0100

Subject: [PATCH 1/5] tried to update regex

tests added

---

 .../aide/aide_periodic_cron_checking/oval/shared.xml          | 2 +-

 .../aide_periodic_cron_checking/tests/crontab_daily.pass.sh   | 4 ++++

 .../tests/crontab_weekly_on_exact_day.pass.sh                 | 4 ++++

 .../tests/crontab_weekly_shortcut.pass.sh                     | 4 ++++

 4 files changed, 13 insertions(+), 1 deletion(-)

 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_daily.pass.sh

 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_weekly_on_exact_day.pass.sh

 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_weekly_shortcut.pass.sh

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml

index e5b20e545b..49f53e997f 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml

+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml

@@ -29,7 +29,7 @@

   </ind:textfilecontent54_test>

   <ind:textfilecontent54_object comment="run aide with cron" id="object_test_aide_periodic_cron_checking" version="1">

     <ind:filepath>/etc/crontab</ind:filepath>

-    <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>

+    <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*[\*,0-9])|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>

     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

   </ind:textfilecontent54_object>

From 6ac0dfcc4fd968a3ab8dd7b32f0654b2800446d7 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Wed, 6 Nov 2019 16:06:14 +0100

Subject: [PATCH 2/5] rewrote oval check, extended remediation, wrote tests

everything applies only to /etc/crontab

allowed more flexible configuration of runs

remediation deletes all potentially wrong lines from /etc/crontab

---

 .../aide/aide_periodic_cron_checking/bash/shared.sh           | 3 +++

 .../aide/aide_periodic_cron_checking/oval/shared.xml          | 2 +-

 .../aide_periodic_cron_checking/tests/crontab_monthly.fail.sh | 4 ++++

 .../tests/crontab_two_days_week.pass.sh                       | 4 ++++

 .../tests/crontab_weekly_shortcut.pass.sh                     | 2 +-

 .../tests/crontab_weekly_word.pass.sh                         | 4 ++++

 .../aide_periodic_cron_checking/tests/crontab_yearly.fail.sh  | 4 ++++

 7 files changed, 21 insertions(+), 2 deletions(-)

 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_monthly.fail.sh

 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_two_days_week.pass.sh

 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_weekly_word.pass.sh

 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_yearly.fail.sh

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh

index 367d7b2df3..674fa7c9d8 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh

+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh

@@ -4,4 +4,7 @@

 if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then

     echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab

+else

+    sed -i '/^.*\/usr\/sbin\/aide --check.*$/d' /etc/crontab

+    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab

 fi

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml

index 49f53e997f..06a6eb5618 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml

+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml

@@ -29,7 +29,7 @@

   </ind:textfilecontent54_test>

   <ind:textfilecontent54_object comment="run aide with cron" id="object_test_aide_periodic_cron_checking" version="1">

     <ind:filepath>/etc/crontab</ind:filepath>

-    <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*[\*,0-9])|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>

+    <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>

     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

   </ind:textfilecontent54_object>

From 3c697624a85dcca87daae189103901ce95a7c27a Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Wed, 6 Nov 2019 16:25:30 +0100

Subject: [PATCH 3/5] modified oval checks for other locations

---

 .../aide/aide_periodic_cron_checking/oval/shared.xml        | 6 +++---

 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml

index 06a6eb5618..70271a0553 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml

+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml

@@ -39,7 +39,7 @@

   <ind:textfilecontent54_object comment="run aide with cron" id="object_test_aide_crond_checking" version="1">

     <ind:path>/etc/cron.d</ind:path>

     <ind:filename operation="pattern match">^.*$</ind:filename>

-    <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>

+    <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>

     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

   </ind:textfilecontent54_object>

@@ -48,7 +48,7 @@

   </ind:textfilecontent54_test>

   <ind:textfilecontent54_object comment="run aide with cron" id="object_aide_var_cron_checking" version="1">

     <ind:filepath>/var/spool/cron/root</ind:filepath>

-    <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>

+    <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*(root)?[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>

     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

   </ind:textfilecontent54_object>

@@ -56,7 +56,7 @@

     <ind:object object_ref="object_aide_crontabs_checking" />

   </ind:textfilecontent54_test>

   <ind:textfilecontent54_object comment="run aide with cron.(daily|weekly|monthly)" id="object_aide_crontabs_checking" version="1">

-    <ind:path operation="pattern match">^/etc/cron.(daily|weekly|monthly)$</ind:path>

+    <ind:path operation="pattern match">^/etc/cron.(daily|weekly)$</ind:path>

     <ind:filename operation="pattern match">^.*$</ind:filename>

     <ind:pattern operation="pattern match">^\s*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>

     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

From 0d0268edacf7544ca7febe33c5f9e82899fca935 Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Thu, 7 Nov 2019 09:19:11 +0100

Subject: [PATCH 4/5] fixed oval comments

---

 .../aide/aide_periodic_cron_checking/oval/shared.xml        | 6 +++---

 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml

index 70271a0553..b330e496e1 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml

+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml

@@ -19,7 +19,7 @@

         <criterion comment="run aide with cron" test_ref="test_aide_periodic_cron_checking" />

         <criterion comment="run aide with cron" test_ref="test_aide_crond_checking" />

         <criterion comment="run aide with cron" test_ref="test_aide_var_cron_checking" />

-        <criterion comment="run aide with cron.(daily|weekly|monthly)" test_ref="test_aide_crontabs_checking" />

+        <criterion comment="run aide with cron.(daily|weekly)" test_ref="test_aide_crontabs_checking" />

       </criteria>

     </criteria>

   </definition>

@@ -52,10 +52,10 @@

     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

   </ind:textfilecontent54_object>

-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="run aide with cron.(daily|weekly|monthly)" id="test_aide_crontabs_checking" version="2">

+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="run aide with cron.(daily|weekly)" id="test_aide_crontabs_checking" version="2">

     <ind:object object_ref="object_aide_crontabs_checking" />

   </ind:textfilecontent54_test>

-  <ind:textfilecontent54_object comment="run aide with cron.(daily|weekly|monthly)" id="object_aide_crontabs_checking" version="1">

+  <ind:textfilecontent54_object comment="run aide with cron.(daily|weekly)" id="object_aide_crontabs_checking" version="1">

     <ind:path operation="pattern match">^/etc/cron.(daily|weekly)$</ind:path>

     <ind:filename operation="pattern match">^.*$</ind:filename>

     <ind:pattern operation="pattern match">^\s*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>

From f1455731d6633375fd144a69e4bc1d0c2d5e7f3a Mon Sep 17 00:00:00 2001

From: Vojtech Polasek <vpolasek@redhat.com>

Date: Thu, 7 Nov 2019 09:32:51 +0100

Subject: [PATCH 5/5] added one test and modified description

lower limit of daily Aide scan removed

---

 .../aide/aide_periodic_cron_checking/rule.yml                 | 2 +-

 .../tests/crontab_daily_shortcut.pass.sh                      | 4 ++++

 .../tests/crontab_weekly_on_exact_day.pass.sh                 | 2 +-

 3 files changed, 6 insertions(+), 2 deletions(-)

 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_daily_shortcut.pass.sh

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml

index a91aaa23c5..1e13a534fa 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml

+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml

@@ -5,7 +5,7 @@ prodtype: wrlinux1019,rhel6,rhel7,rhel8,fedora,ol7,ol8,rhv4

 title: 'Configure Periodic Execution of AIDE'

 description: |-

-    At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily.

+    At a minimum, AIDE should be configured to run a weekly scan.

     To implement a daily execution of AIDE at 4:05am using cron, add the following line to <tt>/etc/crontab</tt>:

     
05 4 * * * root /usr/sbin/aide --check

     To implement a weekly execution of AIDE at 4:05am using cron, add the following line to <tt>/etc/crontab</tt>: