From 065b6e540a2aa437ddf5239c97ed4e1fddf43b50 Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Mon, 26 Jul 2021 09:00:49 -0500

Subject: [PATCH] Update rule aide_check_audit_tools for RHEL-08-030650

---

 .../aide_check_audit_tools/ansible/shared.yml | 27 ++++++++++++------

 .../aide_check_audit_tools/bash/shared.sh     | 25 +++++++++++++++++

 .../aide_check_audit_tools/oval/shared.xml    | 20 +++++++++++++

 .../aide/aide_check_audit_tools/rule.yml      | 28 ++++++++++++-------

 .../tests/correct.pass.sh                     | 15 ++++++++++

 .../tests/correct_with_selinux.pass.sh        | 12 ++++++++

 .../tests/not_config.fail.sh                  | 14 ++++++++++

 products/rhel8/profiles/stig.profile          |  1 +

 shared/references/cce-redhat-avail.txt        |  1 -

 .../data/profile_stability/rhel8/stig.profile |  1 +

 .../profile_stability/rhel8/stig_gui.profile  |  1 +

 11 files changed, 126 insertions(+), 19 deletions(-)

 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh

 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh

 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh

 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml

index 73afaeff869..edef272183d 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml

@@ -1,18 +1,29 @@

-# platform = multi_platform_sle

+# platform = multi_platform_sle,multi_platform_rhel

 # reboot = false

 # strategy = restrict

 # complexity = low

 # disruption = low

-- name: Install aide package

-  zypper:

-    name: aide

-    state: latest

+{{% if 'rhel' not in product %}}

+{{% set aide_string = 'p+i+n+u+g+s+b+acl+selinux+xattrs+sha512' %}}

+{{% else %}}

+{{% set aide_string = 'p+i+n+u+g+s+b+acl+xattrs+sha512' %}}

+{{% endif %}}

+

+

+

+- name: Ensure aide is installed

+  package:

+    name: "{{ item }}"

+    state: present

+  with_items:

+    - aide

+

 - name: Set audit_tools fact

   set_fact:

     audit_tools:

-      - /usr/sbin/audispd

+      {{% if 'rhel' not in product %}}- /usr/sbin/audispd{{% endif %}}

       - /usr/sbin/auditctl

       - /usr/sbin/auditd

       - /usr/sbin/augenrules

@@ -24,11 +35,11 @@

   lineinfile:

     path: /etc/aide.conf

     regexp: ^{{ item }}\s

-    line: "{{ item }} p+i+n+u+g+s+b+acl+selinux+xattrs+sha512"

+    line: "{{ item }} {{{ aide_string }}}"

   with_items: "{{ audit_tools }}"

 - name: Configure AIDE to properly protect audit tools

   lineinfile:

     path: /etc/aide.conf

-    line: "{{ item }} p+i+n+u+g+s+b+acl+selinux+xattrs+sha512"

+    line: "{{ item }} {{{ aide_string }}}"

   with_items: "{{ audit_tools }}"

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh

new file mode 100644

index 00000000000..0875eeec648

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh

@@ -0,0 +1,25 @@

+# platform = multi_platform_rhel

+# reboot = false

+# strategy = restrict

+# complexity = low

+# disruption = low

+. /usr/share/scap-security-guide/remediation_functions

+

+{{{ bash_package_install("aide") }}}

+

+{{% set configString = "p+i+n+u+g+s+b+acl+xattrs+sha512" %}}

+{{% set configFile = "/etc/aide.conf" %}}

+{{% for file in (

+      "/usr/sbin/auditctl",

+      "/usr/sbin/auditd",

+      "/usr/sbin/ausearch",

+      "/usr/sbin/aureport",

+      "/usr/sbin/autrace",

+      "/usr/sbin/augenrules" ) %}}

+

+if grep -i '^.*{{{file}}}.*$' {{{ configFile }}}; then

+sed -i "s#.*{{{file}}}.*#{{{file}}} {{{ configString }}}#" {{{ configFile }}}

+else

+echo "{{{ file }}} {{{ configString }}}" >> {{{ configFile }}}

+fi

+{{% endfor %}}

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml

index 32e6325a3ab..22c6276a1f5 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml

+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml

@@ -8,13 +8,19 @@

       <criterion comment="ausearch is checked in /etc/aide.conf" test_ref="test_aide_verify_ausearch" />

       <criterion comment="aureport is checked in /etc/aide.conf" test_ref="test_aide_verify_aureport" />

       <criterion comment="autrace is checked in /etc/aide.conf" test_ref="test_aide_verify_autrace" />

+      {{% if 'rhel' not in product %}}

       <criterion comment="audispd is checked in /etc/aide.conf" test_ref="test_aide_verify_audispd" />

+      {{% endif %}}

       <criterion comment="augenrules is checked in /etc/aide.conf" test_ref="test_aide_verify_augenrules" />

     </criteria>

   </definition>

   <ind:textfilecontent54_state id="state_aide_check_attributes" version="1">

+    {{% if 'rhel' not in product %}}

     <ind:subexpression operation="equals">p+i+n+u+g+s+b+acl+selinux+xattrs+sha512</ind:subexpression>

+    {{% else %}}

+    <ind:subexpression operation="pattern match">p\+i\+n\+u\+g\+s\+b\+acl(|\+selinux)\+xattrs\+sha512</ind:subexpression>

+    {{% endif %}}

   </ind:textfilecontent54_state>

@@ -95,6 +101,20 @@

     <ind:instance datatype="int" operation="equals">1</ind:instance>

   </ind:textfilecontent54_object>

+  

+  comment="rsyslogd is checked in /etc/aide.conf" check="all"

+  check_existence="all_exist" version="1">

+    <ind:object object_ref="object_aide_verify_rsyslogd" />

+    <ind:state state_ref="state_aide_check_attributes" />

+  </ind:textfilecontent54_test>

+  

+  version="1">

+    <ind:filepath>/etc/aide.conf</ind:filepath>

+    <ind:pattern operation="pattern match">^/usr/sbin/rsyslogd\s+([^\n]+)$</ind:pattern>

+    <ind:instance datatype="int" operation="equals">1</ind:instance>

+  </ind:textfilecontent54_object>

+

+

   comment="augenrules is checked in /etc/aide.conf" check="all"

   check_existence="all_exist" version="1">

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml

index 126ee756cc0..17a95bf4b31 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml

+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml

@@ -1,11 +1,11 @@

 documentation_complete: true

-prodtype: sle12,sle15,ubuntu2004

+prodtype: sle12,sle15,ubuntu2004,rhel8,fedora

 title: 'Configure AIDE to Verify the Audit Tools'

 description: |-

-    The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools.

+    The operating system file integrity tool must be configured to protect the integrity of the audit tools.

 rationale: |-

     Protecting the integrity of the tools used for auditing purposes is a

@@ -31,32 +31,40 @@ rationale: |-

 severity: medium

 identifiers:

+    cce@rhel8: CCE-85964-5

     cce@sle12: CCE-83204-8

     cce@sle15: CCE-85610-4

 references:

     disa: CCI-001496

-    nist@sle12: AU-9(3),AU-9(3).1

+    nist: AU-9(3),AU-9(3).1

     srg: SRG-OS-000278-GPOS-00108

+    stigid@rhel8: RHEL-08-030650

     stigid@sle12: SLES-12-010540

     stigid@sle15: SLES-15-030630

     stigid@ubuntu2004: UBTU-20-010205

 ocil_clause: 'integrity checks of the audit tools are missing or incomplete'

+{{% if 'rhel' not in product %}}

+{{% set aide_string = 'p+i+n+u+g+s+b+acl+selinux+xattrs+sha512' %}}

+{{% else %}}

+{{% set aide_string = 'p+i+n+u+g+s+b+acl+xattrs+sha512' %}}

+{{% endif %}}

+

 ocil: |-

     Check that AIDE is properly configured to protect the integrity of the

     audit tools by running the following command:

     
# sudo cat /etc/aide.conf | grep /usr/sbin/au

-    /usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

-    /usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

-    /usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

-    /usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

-    /usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

-    /usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

-    /usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

+    /usr/sbin/auditctl {{{ aide_string }}}

+    /usr/sbin/auditd {{{ aide_string }}}

+    /usr/sbin/ausearch {{{ aide_string }}}

+    /usr/sbin/aureport {{{ aide_string }}}

+    /usr/sbin/autrace {{{ aide_string }}}

+    {{% if 'rhel' not in product %}}/usr/sbin/audispd {{{ aide_string }}}{{% endif %}}

+    /usr/sbin/augenrules {{{ aide_string }}}

     If AIDE is configured properly to protect the integrity of the audit tools,

     all lines listed above will be returned from the command.

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh

new file mode 100644

index 00000000000..756b88d8a23

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh

@@ -0,0 +1,15 @@

+#!/bin/bash

+# platform = multi_platform_rhel,multi_platform_fedora

+

+

+yum -y install aide

+aide --init

+

+

+declare -a bins

+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')

+

+for theFile in "${bins[@]}"

+do

+    echo "$theFile p+i+n+u+g+s+b+acl+xattrs+sha512"  >> /etc/aide.conf

+done

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh

new file mode 100644

index 00000000000..f3a2a126d3d

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh

@@ -0,0 +1,12 @@

+#!/bin/bash

+# platform = multi_platform_rhel,multi_platform_fedora

+

+yum -y install aide

+

+declare -a bins

+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')

+

+for theFile in "${bins[@]}"

+do

+    echo "$theFile p+i+n+u+g+s+b+acl+selinux+xattrs+sha5122" >> /etc/aide.conf

+done

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh

new file mode 100644

index 00000000000..4315cef2073

--- /dev/null

+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh

@@ -0,0 +1,14 @@

+#!/bin/bash

+# platform = multi_platform_rhel,multi_platform_fedora

+

+

+yum -y install aide

+aide --init

+

+declare -a bins

+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')

+

+for theFile in "${bins[@]}"

+do

+    echo sed -i "s#^.*${theFile}.*##g" /etc/aide.conf

+done

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 7270a8f91f2..6b3232a9e00 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -822,6 +822,7 @@ selections:

     # RHEL-08-030640

     # RHEL-08-030650

+    - aide_check_audit_tools

     # RHEL-08-030660

     - auditd_audispd_configure_sufficiently_large_partition

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index 665f903ead4..ff557cc2323 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -97,7 +97,6 @@ CCE-85960-3

 CCE-85961-1

 CCE-85962-9

 CCE-85963-7

-CCE-85964-5

 CCE-85965-2

 CCE-85966-0

 CCE-85967-8

diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile

index 7d59cfff625..692a1690b19 100644

--- a/tests/data/profile_stability/rhel8/stig.profile

+++ b/tests/data/profile_stability/rhel8/stig.profile

@@ -60,6 +60,7 @@ selections:

 - accounts_user_home_paths_only

 - accounts_user_interactive_home_directory_defined

 - accounts_user_interactive_home_directory_exists

+- aide_check_audit_tools

 - aide_scan_notification

 - aide_verify_acls

 - aide_verify_ext_attributes

diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile

index 2c2daad6f6d..cf119c02a17 100644

--- a/tests/data/profile_stability/rhel8/stig_gui.profile

+++ b/tests/data/profile_stability/rhel8/stig_gui.profile

@@ -71,6 +71,7 @@ selections:

 - accounts_user_home_paths_only

 - accounts_user_interactive_home_directory_defined

 - accounts_user_interactive_home_directory_exists

+- aide_check_audit_tools

 - aide_scan_notification

 - aide_verify_acls

 - aide_verify_ext_attributes