From 065b6e540a2aa437ddf5239c97ed4e1fddf43b50 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 26 Jul 2021 09:00:49 -0500
Subject: [PATCH] Update rule aide_check_audit_tools for RHEL-08-030650
---
 .../aide_check_audit_tools/ansible/shared.yml | 27 ++++++++++++------
 .../aide_check_audit_tools/bash/shared.sh | 25 +++++++++++++++++
 .../aide_check_audit_tools/oval/shared.xml | 20 +++++++++++++
 .../aide/aide_check_audit_tools/rule.yml | 28 ++++++++++++-------
 .../tests/correct.pass.sh | 15 ++++++++++
 .../tests/correct_with_selinux.pass.sh | 12 ++++++++
 .../tests/not_config.fail.sh | 14 ++++++++++
 products/rhel8/profiles/stig.profile | 1 +
 shared/references/cce-redhat-avail.txt | 1 -
 .../data/profile_stability/rhel8/stig.profile | 1 +
 .../profile_stability/rhel8/stig_gui.profile | 1 +
 11 files changed, 126 insertions(+), 19 deletions(-)
 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
index 73afaeff869..edef272183d 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
@@ -1,18 +1,29 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_rhel
 # reboot = false
 # strategy = restrict
 # complexity = low
 # disruption = low
-- name: Install aide package
- zypper:
- name: aide
- state: latest
+{{% if 'rhel' not in product %}}
+{{% set aide_string = 'p+i+n+u+g+s+b+acl+selinux+xattrs+sha512' %}}
+{{% else %}}
+{{% set aide_string = 'p+i+n+u+g+s+b+acl+xattrs+sha512' %}}
+{{% endif %}}
+
+
+
+- name: Ensure aide is installed
+ package:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - aide
+
 - name: Set audit_tools fact
 set_fact:
 audit_tools:
- - /usr/sbin/audispd
+ {{% if 'rhel' not in product %}}- /usr/sbin/audispd{{% endif %}}
 - /usr/sbin/auditctl
 - /usr/sbin/auditd
 - /usr/sbin/augenrules
@@ -24,11 +35,11 @@
 lineinfile:
 path: /etc/aide.conf
 regexp: ^{{ item }}\s
- line: "{{ item }} p+i+n+u+g+s+b+acl+selinux+xattrs+sha512"
+ line: "{{ item }} {{{ aide_string }}}"
 with_items: "{{ audit_tools }}"
 - name: Configure AIDE to properly protect audit tools
 lineinfile:
 path: /etc/aide.conf
- line: "{{ item }} p+i+n+u+g+s+b+acl+selinux+xattrs+sha512"
+ line: "{{ item }} {{{ aide_string }}}"
 with_items: "{{ audit_tools }}"
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
new file mode 100644
index 00000000000..0875eeec648
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
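Review bot: The `'rhel' not in product` branches (here, and the same condition in bash/shared.sh, oval/shared.xml and rule.yml) put every non-RHEL product on the SLE path, yet rule.yml now adds `fedora` to prodtype, so Fedora would be required to carry `+selinux` and an `/usr/sbin/audispd` entry while the new scenarios run on multi_platform_fedora and write the RHEL string without selinux. Neither remediation's platform line lists fedora either, so the product is selectable but unremediated. Either key the condition on the product family that actually differs or keep fedora out of prodtype until the templates cover it. The single-element `with_items` on the install task is unnecessary; `name: aide` without a loop expresses the same thing.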
@@ -0,0 +1,25 @@
+# platform = multi_platform_rhel
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+. /usr/share/scap-security-guide/remediation_functions
+
+{{{ bash_package_install("aide") }}}
+
+{{% set configString = "p+i+n+u+g+s+b+acl+xattrs+sha512" %}}
+{{% set configFile = "/etc/aide.conf" %}}
+{{% for file in (
+ "/usr/sbin/auditctl",
+ "/usr/sbin/auditd",
+ "/usr/sbin/ausearch",
+ "/usr/sbin/aureport",
+ "/usr/sbin/autrace",
+ "/usr/sbin/augenrules" ) %}}
+
+if grep -i '^.*{{{file}}}.*$' {{{ configFile }}}; then
+sed -i "s#.*{{{file}}}.*#{{{file}}} {{{ configString }}}#" {{{ configFile }}}
+else
+echo "{{{ file }}} {{{ configString }}}" >> {{{ configFile }}}
+fi
+{{% endfor %}}
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
index 32e6325a3ab..22c6276a1f5 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
@@ -8,13 +8,19 @@
+ {{% if 'rhel' not in product %}} + {{% endif %}} + {{% if 'rhel' not in product %}} p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 + {{% else %}} + p\+i\+n\+u\+g\+s\+b\+acl(|\+selinux)\+xattrs\+sha512 + {{% endif %}} 1 + + + + + + /etc/aide.conf + ^/usr/sbin/rsyslogd\s+([^\n]+)$ + 1 + + +
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml
index 126ee756cc0..17a95bf4b31 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml
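Review bot: `grep -i '^.*{{{file}}}.*$'` and the matching `sed` act on any line that merely contains the path, so a comment, a negated `!/usr/sbin/auditd` selection or a longer path sharing the prefix would be rewritten into an audit-tool rule, and the unsuppressed grep also prints every match into the remediation output. Anchoring both on the start of the line limits the edit to the entry being managed: `if grep -q "^{{{ file }}}\s" {{{ configFile }}}; then` and `sed -i "s#^{{{ file }}}\s.*#{{{ file }}} {{{ configString }}}#" {{{ configFile }}}`. The attribute-list variable is `configString` here but `aide_string` in the Ansible and rule templates; one name would make the three easier to keep in sync.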
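Review bot: The added object pattern `^/usr/sbin/rsyslogd\s+([^\n]+)$` names a syslog binary, not one of the audit tools this rule covers; the XML markup is lost in this rendering so I cannot see which test references it, but if the definition uses it the RHEL variant checks the wrong file and the path should be one of the `/usr/sbin/au*` entries or the object dropped. The new RHEL state pattern `p\+i\+n\+u\+g\+s\+b\+acl(|\+selinux)\+xattrs\+sha512` carries no anchors, so any captured value that merely contains that text satisfies it, including the `sha5122` the new correct_with_selinux scenario writes; wrapping it as `^...$` would pin the whole attribute list unless trailing attributes are meant to be tolerated, in which case say so in a comment.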
@@ -1,11 +1,11 @@
 documentation_complete: true
-prodtype: sle12,sle15,ubuntu2004
+prodtype: sle12,sle15,ubuntu2004,rhel8,fedora
 title: 'Configure AIDE to Verify the Audit Tools'
 description: |-
- The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools.
+ The operating system file integrity tool must be configured to protect the integrity of the audit tools.
 rationale: |-
 Protecting the integrity of the tools used for auditing purposes is a
@@ -31,32 +31,40 @@ rationale: |-
 severity: medium
 identifiers:
+ cce@rhel8: CCE-85964-5
 cce@sle12: CCE-83204-8
 cce@sle15: CCE-85610-4
 references:
 disa: CCI-001496
- nist@sle12: AU-9(3),AU-9(3).1
+ nist: AU-9(3),AU-9(3).1
 srg: SRG-OS-000278-GPOS-00108
+ stigid@rhel8: RHEL-08-030650
 stigid@sle12: SLES-12-010540
 stigid@sle15: SLES-15-030630
 stigid@ubuntu2004: UBTU-20-010205
 ocil_clause: 'integrity checks of the audit tools are missing or incomplete'
+{{% if 'rhel' not in product %}}
+{{% set aide_string = 'p+i+n+u+g+s+b+acl+selinux+xattrs+sha512' %}}
+{{% else %}}
+{{% set aide_string = 'p+i+n+u+g+s+b+acl+xattrs+sha512' %}}
+{{% endif %}}
+
 ocil: |-
 Check that AIDE is properly configured to protect the integrity of the audit tools by running the following command:
# sudo cat /etc/aide.conf | grep /usr/sbin/au
 
-    /usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
-    /usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
-    /usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
-    /usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
-    /usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
-    /usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
-    /usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
+ /usr/sbin/auditctl {{{ aide_string }}}
+ /usr/sbin/auditd {{{ aide_string }}}
+ /usr/sbin/ausearch {{{ aide_string }}}
+ /usr/sbin/aureport {{{ aide_string }}}
+ /usr/sbin/autrace {{{ aide_string }}}
+ {{% if 'rhel' not in product %}}/usr/sbin/audispd {{{ aide_string }}}{{% endif %}}
+ /usr/sbin/augenrules {{{ aide_string }}}
 If AIDE is configured properly to protect the integrity of the audit tools, all lines listed above will be returned from the command.
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
new file mode 100644
index 00000000000..756b88d8a23
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora
+
+
+yum -y install aide
+aide --init
+
+
+declare -a bins
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
+
+for theFile in "${bins[@]}"
+do
+ echo "$theFile p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide.conf
+done
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
new file mode 100644
index 00000000000..f3a2a126d3d
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
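Review bot: The scenario only appends lines and never removes entries the packaged /etc/aide.conf (or a previous run) may already hold for the same paths, so the file can end up with two rules for one binary and the pass then depends on how the OVAL object treats multiple matches. Deleting any existing entry before the `echo`, `sed -i "\#^${theFile}\s#d" /etc/aide.conf`, keeps the fixture deterministic. The same applies to correct_with_selinux.pass.sh. `aide --init` is not needed for a configuration-file check and noticeably slows the scenario; if it is kept, a comment saying why would help.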
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora
+
+yum -y install aide
+
+declare -a bins
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
+
+for theFile in "${bins[@]}"
+do
+ echo "$theFile p+i+n+u+g+s+b+acl+selinux+xattrs+sha5122" >> /etc/aide.conf
+done
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
new file mode 100644
index 00000000000..4315cef2073
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora
+
+
+yum -y install aide
+aide --init
+
+declare -a bins
+bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace')
+
+for theFile in "${bins[@]}"
+do
+ echo sed -i "s#^.*${theFile}.*##g" /etc/aide.conf
+done
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 7270a8f91f2..6b3232a9e00 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -822,6 +822,7 @@ selections:
 # RHEL-08-030640
 # RHEL-08-030650
+ - aide_check_audit_tools
 # RHEL-08-030660
 - auditd_audispd_configure_sufficiently_large_partition
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 665f903ead4..ff557cc2323 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -97,7 +97,6 @@ CCE-85960-3
 CCE-85961-1
 CCE-85962-9
 CCE-85963-7
-CCE-85964-5
 CCE-85965-2
 CCE-85966-0
 CCE-85967-8
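Review bot: The written attribute list ends in `sha5122`, not `sha512`; the line should read `echo "$theFile p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf`. As it stands the scenario passes only because the OVAL state pattern is not end-anchored, so it documents the check accepting a malformed value rather than a correct SELinux-attributed configuration. This scenario also skips the `aide --init` its two siblings run; whichever is intended, the three fixtures should agree.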
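Review bot: `echo sed -i "s#^.*${theFile}.*##g" /etc/aide.conf` prints the sed command instead of executing it, so the loop removes nothing and the scenario fails only because the stock /etc/aide.conf happens not to carry these entries. Dropping the `echo` makes the fixture do what its name says, and a delete command avoids leaving blank lines behind: `sed -i "\#^${theFile}\s#d" /etc/aide.conf`.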
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 7d59cfff625..692a1690b19 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -60,6 +60,7 @@ selections:
 - accounts_user_home_paths_only
 - accounts_user_interactive_home_directory_defined
 - accounts_user_interactive_home_directory_exists
+- aide_check_audit_tools
 - aide_scan_notification
 - aide_verify_acls
 - aide_verify_ext_attributes
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 2c2daad6f6d..cf119c02a17 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -71,6 +71,7 @@ selections:
 - accounts_user_home_paths_only
 - accounts_user_interactive_home_directory_defined
 - accounts_user_interactive_home_directory_exists
+- aide_check_audit_tools
 - aide_scan_notification
 - aide_verify_acls
 - aide_verify_ext_attributes