From 386f9787ceac9b0fc732bcd5fd5f7174254922b3 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 15 Jul 2021 14:33:44 -0500
Subject: [PATCH] Update 'Configure Notification of Post-AIDE Scan Details'

Added - Ansible fix for this rule - Configurable email for sending notification email for AIDE alerts
---
 .../aide_scan_notification/ansible/shared.yml | 28 +++++++++++++++++++
 .../aide_scan_notification/bash/shared.sh | 18 ++++++++----
 .../aide/aide_scan_notification/rule.yml | 2 ++
 .../var_aide_scan_notification_email.var | 16 +++++++++++
 4 files changed, 58 insertions(+), 6 deletions(-)
 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml
 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/var_aide_scan_notification_email.var

diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml
new file mode 100644
index 00000000000..5c11fc1719e
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml
@@ -0,0 +1,28 @@
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_wrlinux,multi_platform_ol,multi_platform_sle
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{% if product in ["sle12", "sle15"] %}}
+ {{% set aide_path = "/usr/bin/aide" %}}
+{{% else %}}
+ {{% set aide_path = "/usr/sbin/aide" %}}
+{{% endif %}}
+
+- (xccdf-var var_aide_scan_notification_email)
+
+- name: "Ensure AIDE is installed"
+ package:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - aide
+
+- name: "{{{ rule_title }}}"
+ cron:
+ name: "run AIDE check"
+ minute: 05
+ hour: 04
+ weekday: 0
+ user: root
+ job: '{{{aide_path}}} --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" {{ var_aide_scan_notification_email }}'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh
index 2f129e568b2..3cb8b72a0bd 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh
@@ -1,6 +1,16 @@
 # platform = multi_platform_all
+. /usr/share/scap-security-guide/remediation_functions
+
 {{{ bash_package_install("aide") }}}
+{{{ bash_instantiate_variables("var_aide_scan_notification_email") }}}
+{{% if product in ["sle12", "sle15"] %}}
+ {{% set aide_path = "/usr/bin/aide" %}}
+{{% else %}}
+ {{% set aide_path = "/usr/sbin/aide" %}}
+{{% endif %}}
+
+
 CRONTAB=/etc/crontab
 CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
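Review bot: The `job:` value interpolates `{{ var_aide_scan_notification_email }}` unquoted into a command that cron executes as root, and the variable introduced in this commit is an interactive, tailorable string, so shell metacharacters in a tailored value would become part of that root command line; use `{{ var_aide_scan_notification_email | quote }}` in the `job:` string. The task also installs the entry in root's per-user crontab (no `cron_file:` is given), while the bash remediation appends to /etc/crontab and the OCIL text in this commit greps /etc/crontab, and the schedule differs (`minute: 05`, `hour: 04` here versus `0 5 * * *` in bash), so a host fixed by Ansible can still fail the manual check; using one location and one schedule in both remediations avoids that. Unquoted `05` may also be read by the YAML parser as the integer 5, harmless for cron but worth writing as `"05"` if the intent is to match the rule text literally.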
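Review bot: `. /usr/share/scap-security-guide/remediation_functions` hard-codes a path under a `multi_platform_all` platform tag, so on a target where that file is absent the script fails at the source line before any cron entry is written. If the `bash_instantiate_variables` macro already emits a self-contained assignment for `var_aide_scan_notification_email` (its expansion is not visible in this diff), the source line is unnecessary and can be dropped; otherwise guard it, e.g. `[ -f /usr/share/scap-security-guide/remediation_functions ] && . /usr/share/scap-security-guide/remediation_functions`.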
@@ -14,11 +24,7 @@ if [ -f /var/spool/cron/root ]; then
 VARSPOOL=/var/spool/cron/root
 fi
-if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
-{{% if product in ["sle12", "sle15"] %}}
- echo '0 5 * * * root /usr/bin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB
-{{% else %}}
- echo '0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB
-{{% endif %}}
+if ! grep -qR '^.*{{{aide_path}}}\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
+ echo "0 5 * * * root {{{ aide_path }}} --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB
 fi
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
index 51dae72ee6d..cb35c5c642d 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
@@ -57,3 +57,5 @@ ocil: |-
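Review bot: The rewritten `grep -qR` pattern now ends in `\s*.*@.*$`, so any existing AIDE job that mails any address satisfies the check and the tailored `$var_aide_scan_notification_email` is never written on a host that already carries the old `root@localhost` entry; the remediation does not converge on the variable this commit introduces. Matching the configured address (with its regex metacharacters escaped) or rewriting an existing line with `sed` would make it idempotent against the tailored value. The variable is also expanded unquoted into a line that cron runs as root, so it should be validated before the `echo`, e.g. `[[ "$var_aide_scan_notification_email" =~ ^[[:alnum:]._%+-]+@[[:alnum:].-]+$ ]] || exit 1`; the same concern applies to the `job:` line of the Ansible remediation in this commit. `{{{aide_path}}}` is also spliced into the regex unescaped, which is fine for the two paths set above but would mis-match if a future path contained regex metacharacters.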
$ grep aide /etc/crontab
The output should return something similar to the following:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
+ The email address that the notifications are sent to can be changed by overriding +
.
diff --git a/linux_os/guide/system/software/integrity/software-integrity/var_aide_scan_notification_email.var b/linux_os/guide/system/software/integrity/software-integrity/var_aide_scan_notification_email.var
new file mode 100644
index 00000000000..75b9f5d2650
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/var_aide_scan_notification_email.var
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: Integrity Scan Notification Email Address
+
+description: |-
+ Specify the email address for designated personnel if baseline
+ configurations are changed in an unauthorized manner.
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+ default: root@localhost