From 29ef00ac92720e22108c78d10ea6f2e8a65cfe98 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 5 Nov 2019 20:01:40 +0100
Subject: [PATCH 1/5] tried to update regex

tests added
---
 .../aide/aide_periodic_cron_checking/oval/shared.xml          | 2 +-
 .../aide_periodic_cron_checking/tests/crontab_daily.pass.sh   | 4 ++++
 .../tests/crontab_weekly_on_exact_day.pass.sh                 | 4 ++++
 .../tests/crontab_weekly_shortcut.pass.sh                     | 4 ++++
 4 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_daily.pass.sh
 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_weekly_on_exact_day.pass.sh
 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_weekly_shortcut.pass.sh

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
index e5b20e545b..49f53e997f 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
@@ -29,7 +29,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object comment="run aide with cron" id="object_test_aide_periodic_cron_checking" version="1">
     <ind:filepath>/etc/crontab</ind:filepath>
-    <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>
+    <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*[\*,0-9])|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>


From 6ac0dfcc4fd968a3ab8dd7b32f0654b2800446d7 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 6 Nov 2019 16:06:14 +0100
Subject: [PATCH 2/5] rewrote oval check, extended remediation, wrote tests

everything applies only to /etc/crontab
allowed more flexible configuration of runs
remediation deletes all potentially wrong lines from /etc/crontab
---
 .../aide/aide_periodic_cron_checking/bash/shared.sh           | 3 +++
 .../aide/aide_periodic_cron_checking/oval/shared.xml          | 2 +-
 .../aide_periodic_cron_checking/tests/crontab_monthly.fail.sh | 4 ++++
 .../tests/crontab_two_days_week.pass.sh                       | 4 ++++
 .../tests/crontab_weekly_shortcut.pass.sh                     | 2 +-
 .../tests/crontab_weekly_word.pass.sh                         | 4 ++++
 .../aide_periodic_cron_checking/tests/crontab_yearly.fail.sh  | 4 ++++
 7 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_monthly.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_two_days_week.pass.sh
 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_weekly_word.pass.sh
 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_yearly.fail.sh

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh
index 367d7b2df3..674fa7c9d8 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh
@@ -4,4 +4,7 @@
 
 if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then
     echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
+else
+    sed -i '/^.*\/usr\/sbin\/aide --check.*$/d' /etc/crontab
+    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
 fi
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
index 49f53e997f..06a6eb5618 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
@@ -29,7 +29,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object comment="run aide with cron" id="object_test_aide_periodic_cron_checking" version="1">
     <ind:filepath>/etc/crontab</ind:filepath>
-    <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*[\*,0-9])|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>
+    <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>


From 3c697624a85dcca87daae189103901ce95a7c27a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 6 Nov 2019 16:25:30 +0100
Subject: [PATCH 3/5] modified oval checks for other locations

---
 .../aide/aide_periodic_cron_checking/oval/shared.xml        | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
index 06a6eb5618..70271a0553 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
@@ -39,7 +39,7 @@
   <ind:textfilecontent54_object comment="run aide with cron" id="object_test_aide_crond_checking" version="1">
     <ind:path>/etc/cron.d</ind:path>
     <ind:filename operation="pattern match">^.*$</ind:filename>
-    <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>
+    <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -48,7 +48,7 @@
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object comment="run aide with cron" id="object_aide_var_cron_checking" version="1">
     <ind:filepath>/var/spool/cron/root</ind:filepath>
-    <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>
+    <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*(root)?[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 
@@ -56,7 +56,7 @@
     <ind:object object_ref="object_aide_crontabs_checking" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object comment="run aide with cron.(daily|weekly|monthly)" id="object_aide_crontabs_checking" version="1">
-    <ind:path operation="pattern match">^/etc/cron.(daily|weekly|monthly)$</ind:path>
+    <ind:path operation="pattern match">^/etc/cron.(daily|weekly)$</ind:path>
     <ind:filename operation="pattern match">^.*$</ind:filename>
     <ind:pattern operation="pattern match">^\s*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

From 0d0268edacf7544ca7febe33c5f9e82899fca935 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 7 Nov 2019 09:19:11 +0100
Subject: [PATCH 4/5] fixed oval comments

---
 .../aide/aide_periodic_cron_checking/oval/shared.xml        | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
index 70271a0553..b330e496e1 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
@@ -19,7 +19,7 @@
         <criterion comment="run aide with cron" test_ref="test_aide_periodic_cron_checking" />
         <criterion comment="run aide with cron" test_ref="test_aide_crond_checking" />
         <criterion comment="run aide with cron" test_ref="test_aide_var_cron_checking" />
-        <criterion comment="run aide with cron.(daily|weekly|monthly)" test_ref="test_aide_crontabs_checking" />
+        <criterion comment="run aide with cron.(daily|weekly)" test_ref="test_aide_crontabs_checking" />
       </criteria>
     </criteria>
   </definition>
@@ -52,10 +52,10 @@
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="run aide with cron.(daily|weekly|monthly)" id="test_aide_crontabs_checking" version="2">
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="run aide with cron.(daily|weekly)" id="test_aide_crontabs_checking" version="2">
     <ind:object object_ref="object_aide_crontabs_checking" />
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object comment="run aide with cron.(daily|weekly|monthly)" id="object_aide_crontabs_checking" version="1">
+  <ind:textfilecontent54_object comment="run aide with cron.(daily|weekly)" id="object_aide_crontabs_checking" version="1">
     <ind:path operation="pattern match">^/etc/cron.(daily|weekly)$</ind:path>
     <ind:filename operation="pattern match">^.*$</ind:filename>
     <ind:pattern operation="pattern match">^\s*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>

From f1455731d6633375fd144a69e4bc1d0c2d5e7f3a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 7 Nov 2019 09:32:51 +0100
Subject: [PATCH 5/5] added one test and modified description

lower limit of daily Aide scan removed
---
 .../aide/aide_periodic_cron_checking/rule.yml                 | 2 +-
 .../tests/crontab_daily_shortcut.pass.sh                      | 4 ++++
 .../tests/crontab_weekly_on_exact_day.pass.sh                 | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_daily_shortcut.pass.sh

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
index a91aaa23c5..1e13a534fa 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
@@ -5,7 +5,7 @@ prodtype: wrlinux1019,rhel6,rhel7,rhel8,fedora,ol7,ol8,rhv4
 title: 'Configure Periodic Execution of AIDE'
 
 description: |-
-    At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily.
+    At a minimum, AIDE should be configured to run a weekly scan.
     To implement a daily execution of AIDE at 4:05am using cron, add the following line to <tt>/etc/crontab</tt>:
     <pre>05 4 * * * root /usr/sbin/aide --check</pre>
     To implement a weekly execution of AIDE at 4:05am using cron, add the following line to <tt>/etc/crontab</tt>: