From 386f9787ceac9b0fc732bcd5fd5f7174254922b3 Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Thu, 15 Jul 2021 14:33:44 -0500

Subject: [PATCH]  Update 'Configure Notification of Post-AIDE Scan Details'

Added

- Ansible fix for this rule

- Configurable email for sending notification email for AIDE alerts

---

 .../aide_scan_notification/ansible/shared.yml | 28 +++++++++++++++++++

 .../aide_scan_notification/bash/shared.sh     | 18 ++++++++----

 .../aide/aide_scan_notification/rule.yml      |  2 ++

 .../var_aide_scan_notification_email.var      | 16 +++++++++++

 4 files changed, 58 insertions(+), 6 deletions(-)

 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml

 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/var_aide_scan_notification_email.var

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml

new file mode 100644

index 00000000000..5c11fc1719e

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml

@@ -0,0 +1,28 @@

+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_wrlinux,multi_platform_ol,multi_platform_sle

+# reboot = false

+# strategy = restrict

+# complexity = low

+# disruption = low

+{{% if product in ["sle12", "sle15"] %}}

+    {{% set aide_path = "/usr/bin/aide" %}}

+{{% else %}}

+    {{% set aide_path = "/usr/sbin/aide" %}}

+{{% endif %}}

+

+- (xccdf-var var_aide_scan_notification_email)

+

+- name: "Ensure AIDE is installed"

+  package:

+    name: "{{ item }}"

+    state: present

+  with_items:

+    - aide

+

+- name: "{{{ rule_title }}}"

+  cron:

+    name: "run AIDE check"

+    minute: 05

+    hour: 04

+    weekday: 0

+    user: root

+    job: '{{{aide_path}}}  --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" {{ var_aide_scan_notification_email }}'

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh

index 2f129e568b2..3cb8b72a0bd 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh

+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh

@@ -1,6 +1,16 @@

 # platform = multi_platform_all

+. /usr/share/scap-security-guide/remediation_functions

+

 {{{ bash_package_install("aide") }}}

+{{{ bash_instantiate_variables("var_aide_scan_notification_email") }}}

+{{% if product in ["sle12", "sle15"] %}}

+    {{% set aide_path = "/usr/bin/aide" %}}

+{{% else %}}

+    {{% set aide_path = "/usr/sbin/aide" %}}

+{{% endif %}}

+

+

 CRONTAB=/etc/crontab

 CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'

@@ -14,11 +24,7 @@ if [ -f /var/spool/cron/root ]; then

 	VARSPOOL=/var/spool/cron/root

 fi

-if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then

-{{% if product in ["sle12", "sle15"] %}}

-	echo '0 5 * * * root /usr/bin/aide  --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB

-{{% else %}}

-	echo '0 5 * * * root /usr/sbin/aide  --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB

-{{% endif %}}

+if ! grep -qR '^.*{{{aide_path}}}\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then

+	echo "0 5 * * * root {{{ aide_path }}}  --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB

 fi

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml

index 51dae72ee6d..cb35c5c642d 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml

+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml

@@ -57,3 +57,5 @@ ocil: |-

     
$ grep aide /etc/crontab

     The output should return something similar to the following:

     
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost

+    The email address that the notifications are sent to can be changed by overriding

+    
<sub idref="var_aide_scan_notification_email" />
.

diff --git a/linux_os/guide/system/software/integrity/software-integrity/var_aide_scan_notification_email.var b/linux_os/guide/system/software/integrity/software-integrity/var_aide_scan_notification_email.var

new file mode 100644

index 00000000000..75b9f5d2650

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/software-integrity/var_aide_scan_notification_email.var

@@ -0,0 +1,16 @@

+documentation_complete: true

+

+title: Integrity Scan Notification Email Address

+

+description: |-

+    Specify the email address for designated personnel if baseline

+    configurations are changed in an unauthorized manner.

+

+type: string

+

+operator: equals

+

+interactive: true

+

+options:

+    default: root@localhost