From 29ef00ac92720e22108c78d10ea6f2e8a65cfe98 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 5 Nov 2019 20:01:40 +0100
Subject: [PATCH 1/5] tried to update regex
tests added
---
.../aide/aide_periodic_cron_checking/oval/shared.xml | 2 +-
.../aide_periodic_cron_checking/tests/crontab_daily.pass.sh | 4 ++++
.../tests/crontab_weekly_on_exact_day.pass.sh | 4 ++++
.../tests/crontab_weekly_shortcut.pass.sh | 4 ++++
4 files changed, 13 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_daily.pass.sh
create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_weekly_on_exact_day.pass.sh
create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_weekly_shortcut.pass.sh
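diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
index e5b20e545b..49f53e997f 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
@@ -29,7 +29,7 @@
 </ind:textfilecontent54_test>
 <ind:textfilecontent54_object comment="run aide with cron" id="object_test_aide_periodic_cron_checking" version="1">
 <ind:filepath>/etc/crontab</ind:filepath>
- <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>
+ <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*[\*,0-9])|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>
 <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
 </ind:textfilecontent54_object>
 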
From 6ac0dfcc4fd968a3ab8dd7b32f0654b2800446d7 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 6 Nov 2019 16:06:14 +0100
Subject: [PATCH 2/5] rewrote oval check, extended remediation, wrote tests
everything applies only to /etc/crontab
allowed more flexible configuration of runs
remediation deletes all potentially wrong lines from /etc/crontab
---
.../aide/aide_periodic_cron_checking/bash/shared.sh | 3 +++
.../aide/aide_periodic_cron_checking/oval/shared.xml | 2 +-
.../aide_periodic_cron_checking/tests/crontab_monthly.fail.sh | 4 ++++
.../tests/crontab_two_days_week.pass.sh | 4 ++++
.../tests/crontab_weekly_shortcut.pass.sh | 2 +-
.../tests/crontab_weekly_word.pass.sh | 4 ++++
.../aide_periodic_cron_checking/tests/crontab_yearly.fail.sh | 4 ++++
7 files changed, 21 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_monthly.fail.sh
create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_two_days_week.pass.sh
create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_weekly_word.pass.sh
create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_yearly.fail.sh
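diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh
index 367d7b2df3..674fa7c9d8 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh
@@ -4,4 +4,7 @@
 
 if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then
 echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
+else
+ sed -i '/^.*\/usr\/sbin\/aide --check.*$/d' /etc/crontab
+ echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
 fi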
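Review bot: The new `else` branch deletes every line that mentions `/usr/sbin/aide --check`, so commented-out lines and entries carrying extra arguments or redirections are removed, and an entry that already satisfies the check is replaced by the default 04:05 daily one. The `grep` guard and the `sed` address both require exactly one space before `--check`, while the OVAL pattern accepts `[\s]*`, so an entry written with a tab is neither detected nor removed and a second entry is appended next to it. Since both branches end in the same `echo`, the conditional can be dropped in favour of `sed -i '/^[^#]*\/usr\/sbin\/aide[[:space:]]*--check/d' /etc/crontab` followed by the single `echo`. The first lines of the script are outside the hunk.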
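diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
index 49f53e997f..06a6eb5618 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
@@ -29,7 +29,7 @@
 </ind:textfilecontent54_test>
 <ind:textfilecontent54_object comment="run aide with cron" id="object_test_aide_periodic_cron_checking" version="1">
 <ind:filepath>/etc/crontab</ind:filepath>
- <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*[\*,0-9])|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>
+ <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>
 <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
 </ind:textfilecontent54_object>
 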
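Review bot: Every field separator in the new pattern is `[\s]*` and the minute and hour fields are `[0-9]*`, so a line with empty time fields or with no whitespace between fields still matches, and the check can pass on a line that cron would not parse as a schedule. Requiring at least one character, for example `[0-9]+[\s]+[0-9]+[\s]+\*[\s]+\*[\s]+` for the time fields and `[\s]+root[\s]+` around the user, closes that gap. The day-of-week alternation accepts only a single value or a numeric range, so a list such as `1,4` is reported as non-compliant; that errs on the safe side but deserves a sentence in the rule text. The same quantifiers appear in the `/etc/cron.d` and `/var/spool/cron/root` patterns changed in patch 3/5.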
From 3c697624a85dcca87daae189103901ce95a7c27a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 6 Nov 2019 16:25:30 +0100
Subject: [PATCH 3/5] modified oval checks for other locations
---
.../aide/aide_periodic_cron_checking/oval/shared.xml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
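diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
index 06a6eb5618..70271a0553 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
@@ -39,7 +39,7 @@
 <ind:textfilecontent54_object comment="run aide with cron" id="object_test_aide_crond_checking" version="1">
 <ind:path>/etc/cron.d</ind:path>
 <ind:filename operation="pattern match">^.*$</ind:filename>
- <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>
+ <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>
 <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
 </ind:textfilecontent54_object>
 
@@ -48,7 +48,7 @@
 </ind:textfilecontent54_test>
 <ind:textfilecontent54_object comment="run aide with cron" id="object_aide_var_cron_checking" version="1">
 <ind:filepath>/var/spool/cron/root</ind:filepath>
- <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>
+ <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*(root)?[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>
 <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
 </ind:textfilecontent54_object>
 
@@ -56,7 +56,7 @@
 <ind:object object_ref="object_aide_crontabs_checking" />
 </ind:textfilecontent54_test>
 <ind:textfilecontent54_object comment="run aide with cron.(daily|weekly|monthly)" id="object_aide_crontabs_checking" version="1">
- <ind:path operation="pattern match">^/etc/cron.(daily|weekly|monthly)$</ind:path>
+ <ind:path operation="pattern match">^/etc/cron.(daily|weekly)$</ind:path>
 <ind:filename operation="pattern match">^.*$</ind:filename>
 <ind:pattern operation="pattern match">^\s*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>
 <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>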
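Review bot: The `.` in the new path pattern `^/etc/cron.(daily|weekly)$` (third hunk) is unescaped, so it matches any character rather than a literal dot. Writing it as `^/etc/cron\.(daily|weekly)$` states the intent and keeps the object from selecting an unrelated directory. The `object_aide_crontabs_checking` element closes outside the hunk.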
From 0d0268edacf7544ca7febe33c5f9e82899fca935 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 7 Nov 2019 09:19:11 +0100
Subject: [PATCH 4/5] fixed oval comments
---
.../aide/aide_periodic_cron_checking/oval/shared.xml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
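diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
index 70271a0553..b330e496e1 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
@@ -19,7 +19,7 @@
 <criterion comment="run aide with cron" test_ref="test_aide_periodic_cron_checking" />
 <criterion comment="run aide with cron" test_ref="test_aide_crond_checking" />
 <criterion comment="run aide with cron" test_ref="test_aide_var_cron_checking" />
- <criterion comment="run aide with cron.(daily|weekly|monthly)" test_ref="test_aide_crontabs_checking" />
+ <criterion comment="run aide with cron.(daily|weekly)" test_ref="test_aide_crontabs_checking" />
 </criteria>
 </criteria>
 </definition>
@@ -52,10 +52,10 @@
 <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
 </ind:textfilecontent54_object>
 
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="run aide with cron.(daily|weekly|monthly)" id="test_aide_crontabs_checking" version="2">
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="run aide with cron.(daily|weekly)" id="test_aide_crontabs_checking" version="2">
 <ind:object object_ref="object_aide_crontabs_checking" />
 </ind:textfilecontent54_test>
- <ind:textfilecontent54_object comment="run aide with cron.(daily|weekly|monthly)" id="object_aide_crontabs_checking" version="1">
+ <ind:textfilecontent54_object comment="run aide with cron.(daily|weekly)" id="object_aide_crontabs_checking" version="1">
 <ind:path operation="pattern match">^/etc/cron.(daily|weekly)$</ind:path>
 <ind:filename operation="pattern match">^.*$</ind:filename>
 <ind:pattern operation="pattern match">^\s*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>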
From f1455731d6633375fd144a69e4bc1d0c2d5e7f3a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 7 Nov 2019 09:32:51 +0100
Subject: [PATCH 5/5] added one test and modified description
lower limit of daily Aide scan removed
---
.../aide/aide_periodic_cron_checking/rule.yml | 2 +-
.../tests/crontab_daily_shortcut.pass.sh | 4 ++++
.../tests/crontab_weekly_on_exact_day.pass.sh | 2 +-
3 files changed, 6 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/tests/crontab_daily_shortcut.pass.sh
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
|
|
|
44eea6 |
index a91aaa23c5..1e13a534fa 100644
|
|
|
44eea6 |
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
|
|
|
44eea6 |
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml
|
|
|
44eea6 |
@@ -5,7 +5,7 @@ prodtype: wrlinux1019,rhel6,rhel7,rhel8,fedora,ol7,ol8,rhv4
|
|
|
44eea6 |
title: 'Configure Periodic Execution of AIDE'
|
|
|
44eea6 |
|
|
|
44eea6 |
description: |-
|
|
|
44eea6 |
- At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily.
|
|
|
44eea6 |
+ At a minimum, AIDE should be configured to run a weekly scan.
|
|
|
44eea6 |
To implement a daily execution of AIDE at 4:05am using cron, add the following line to <tt>/etc/crontab</tt>:
|
|
|
44eea6 |
05 4 * * * root /usr/sbin/aide --check
|
|
|
44eea6 |
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to <tt>/etc/crontab</tt>:
|