Add oval for aide to check that it is running in a cron job.
Thanks, Gabe Alford
Gabe (1): add aide cron oval check
RHEL/6/input/checks/aide_cron_checking.xml | 39 +++++++++++++++++++++++++++ RHEL/6/input/fixes/bash/aide_cron_checking.sh | 1 + RHEL/6/input/system/software/integrity.xml | 1 + 3 files changed, 41 insertions(+) create mode 100644 RHEL/6/input/checks/aide_cron_checking.xml create mode 100644 RHEL/6/input/fixes/bash/aide_cron_checking.sh
- add aide oval check to check /etc/crontab and files in /etc/cron.d/ - add aide bash fix - enable aide oval check in scan
Signed-off-by: Gabe redhatrises@gmail.com --- RHEL/6/input/checks/aide_cron_checking.xml | 39 +++++++++++++++++++++++++++ RHEL/6/input/fixes/bash/aide_cron_checking.sh | 1 + RHEL/6/input/system/software/integrity.xml | 1 + 3 files changed, 41 insertions(+) create mode 100644 RHEL/6/input/checks/aide_cron_checking.xml create mode 100644 RHEL/6/input/fixes/bash/aide_cron_checking.sh
diff --git a/RHEL/6/input/checks/aide_cron_checking.xml b/RHEL/6/input/checks/aide_cron_checking.xml new file mode 100644 index 0000000..ed8f506 --- /dev/null +++ b/RHEL/6/input/checks/aide_cron_checking.xml 
@@ -0,0 +1,39 @@ +<def-group> + <definition class="compliance" id="aide_cron_checking" version="1"> + <metadata> + <title>Configure Periodic Execution of AIDE</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>By default, AIDE does not install itself for periodic + execution. Periodically running AIDE is necessary to reveal + unexpected changes in installed files. + </description> + <reference source="MED" ref_id="20130928" ref_url="test_attestation" /> + </metadata> + <criteria operator="OR"> + <extend_definition comment="Aide is installed" negate="true" definition_ref="package_aide_installed" /> + <criterion comment="run aide daily with cron" test_ref="test_aide_cron_checking" /> + <criterion comment="run aide daily with cron" test_ref="test_aide_crond_checking" /> + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="run aide daily with cron" id="test_aide_cron_checking" version="1"> + <ind:object object_ref="object_test_aide_cron_checking" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object comment="run aide daily with cron" id="object_test_aide_cron_checking" version="1"> + ind:filepath/etc/crontab</ind:filepath> + <ind:pattern operation="pattern match">^[\s]*05[\s]*4[\s]**[\s]**[\s]**[\s]*root[\s]*/usr/sbin/aide[\s]*--check+$</ind:pattern> + <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="run aide daily with cron" id="test_aide_crond_checking" version="1"> + <ind:object object_ref="object_test_aide_crond_checking" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object comment="run aide daily with cron" id="object_test_aide_crond_checking" version="1"> + ind:path/etc/cron.d</ind:path> + <ind:filename operation="pattern match">^.*$</ind:filename> + <ind:pattern 
operation="pattern match">^[\s]*05[\s]*4[\s]**[\s]**[\s]**[\s]*root[\s]*/usr/sbin/aide[\s]*--check+$</ind:pattern> + <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> + </ind:textfilecontent54_object> +</def-group> diff --git a/RHEL/6/input/fixes/bash/aide_cron_checking.sh b/RHEL/6/input/fixes/bash/aide_cron_checking.sh new file mode 100644 index 0000000..f62ef72 --- /dev/null +++ b/RHEL/6/input/fixes/bash/aide_cron_checking.sh @@ -0,0 +1 @@ +echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab diff --git a/RHEL/6/input/system/software/integrity.xml b/RHEL/6/input/system/software/integrity.xml index 55bf115..7c2f262 100644 --- a/RHEL/6/input/system/software/integrity.xml +++ b/RHEL/6/input/system/software/integrity.xml @@ -100,6 +100,7 @@ To determine that periodic AIDE execution has been scheduled, run the following By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. </rationale> +<oval id="aide_cron_checking" /> <ident cce="27222-9" /> <ref nist="CM-3(d),CM-3(e),CM-6(d),CM-6(3),SC-28,SI-7" disa="374,416,1069,1263,1297,1589"/> </Rule>
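Review bot: The two `ind:pattern` regexes in aide_cron_checking.xml will not do what the comment "run aide daily with cron" intends: the three cron fields meant to be literal asterisks are written `[\s]**`, which a PCRE engine rejects as a nested quantifier rather than reading as `*`, and `--check+$` repeats only the trailing `k`. The literal stars need escaping, and the minute/hour columns should not be pinned to `05` and `4`; something like `^\s*\S+\s+\S+\s+\*\s+\*\s+\*\s+root\s+/usr/sbin/aide\s+--check` keeps the daily requirement while tolerating any time. Using `\s+` rather than `[\s]*` between fields also stops a run-together line such as `054***root` from matching. As rendered here the opening `<ind:filepath>` and `<ind:path>` tags are missing (`ind:filepath/etc/crontab</ind:filepath>`), so please confirm the file parses before it goes in.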
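Review bot: The one-line remediation in aide_cron_checking.sh is not idempotent: every run of the fix appends another `05 4 * * * root /usr/sbin/aide --check` to /etc/crontab, so a system remediated twice ends up with two AIDE runs. Guard the append with a check, e.g. `grep -q '/usr/sbin/aide --check' /etc/crontab || echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab`, and since the OVAL also accepts entries under /etc/cron.d/, the guard should look there too or a compliant host with a cron.d entry will be double-scheduled.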
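Review bot: In the integrity.xml hunk the new `<oval id="aide_cron_checking" />` does not match the id of the XCCDF Rule it is placed in; the follow-up in this thread identifies the rule as `aide_periodic_cron_checking`, so the OVAL file, the definition id and this reference should all use that name to keep the XCCDF/OVAL/remediation triplet discoverable by id.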
On 7/15/14, 9:23 PM, Gabe wrote:
- add aide oval check to check /etc/crontab and files in /etc/cron.d/
- add aide bash fix
- enable aide oval check in scan
Signed-off-by: Gabe redhatrises@gmail.com
RHEL/6/input/checks/aide_cron_checking.xml | 39 +++++++++++++++++++++++++++ RHEL/6/input/fixes/bash/aide_cron_checking.sh | 1 + RHEL/6/input/system/software/integrity.xml | 1 + 3 files changed, 41 insertions(+) create mode 100644 RHEL/6/input/checks/aide_cron_checking.xml create mode 100644 RHEL/6/input/fixes/bash/aide_cron_checking.sh
diff --git a/RHEL/6/input/checks/aide_cron_checking.xml b/RHEL/6/input/checks/aide_cron_checking.xml new file mode 100644 index 0000000..ed8f506 --- /dev/null +++ b/RHEL/6/input/checks/aide_cron_checking.xml @@ -0,0 +1,39 @@ +<def-group>
<definition class="compliance" id="aide_cron_checking" version="1">
<metadata>
<title>Configure Periodic Execution of AIDE</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>By default, AIDE does not install itself for periodic
execution. Periodically running AIDE is necessary to reveal
unexpected changes in installed files.
</description>
<reference source="MED" ref_id="20130928" ref_url="test_attestation" />
</metadata>
<criteria operator="OR">
<extend_definition comment="Aide is installed" negate="true" definition_ref="package_aide_installed" />
<criterion comment="run aide daily with cron" test_ref="test_aide_cron_checking" />
<criterion comment="run aide daily with cron" test_ref="test_aide_crond_checking" />
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="run aide daily with cron" id="test_aide_cron_checking" version="1">
- <ind:object object_ref="object_test_aide_cron_checking" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object comment="run aide daily with cron" id="object_test_aide_cron_checking" version="1">
- ind:filepath/etc/crontab</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*05[\s]*4[\s]**[\s]**[\s]**[\s]*root[\s]*/usr/sbin/aide[\s]*--check+$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="run aide daily with cron" id="test_aide_crond_checking" version="1">
- <ind:object object_ref="object_test_aide_crond_checking" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object comment="run aide daily with cron" id="object_test_aide_crond_checking" version="1">
- ind:path/etc/cron.d</ind:path>
- <ind:filename operation="pattern match">^.*$</ind:filename>
- <ind:pattern operation="pattern match">^[\s]*05[\s]*4[\s]**[\s]**[\s]**[\s]*root[\s]*/usr/sbin/aide[\s]*--check+$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
+</def-group> diff --git a/RHEL/6/input/fixes/bash/aide_cron_checking.sh b/RHEL/6/input/fixes/bash/aide_cron_checking.sh new file mode 100644 index 0000000..f62ef72 --- /dev/null +++ b/RHEL/6/input/fixes/bash/aide_cron_checking.sh @@ -0,0 +1 @@ +echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab diff --git a/RHEL/6/input/system/software/integrity.xml b/RHEL/6/input/system/software/integrity.xml index 55bf115..7c2f262 100644 --- a/RHEL/6/input/system/software/integrity.xml +++ b/RHEL/6/input/system/software/integrity.xml @@ -100,6 +100,7 @@ To determine that periodic AIDE execution has been scheduled, run the following By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.
</rationale> +<oval id="aide_cron_checking" /> <ident cce="27222-9" /> <ref nist="CM-3(d),CM-3(e),CM-6(d),CM-6(3),SC-28,SI-7" disa="374,416,1069,1263,1297,1589"/> </Rule> -- 2.0.0
I can't tell if anyone responded to this. So, risking being a dupe, thanks for filling out this gap in OVAL content! Two minor adjustments are needed:
- The OVAL filename should be named to match the XCCDF rule ID. In this case, 'git mv aide_cron_checking.xml aide_periodic_cron_checking.xml'. Technically the build scripts will parse whatever is in the XCCDF oval id, though eventually we'll drop this bit of code and have things automatically (and only) search for matching XCCDF/OVAL/remediation script pairings.
- The 0405 cron time was an example (which we need to make clearer), and not meant to mandate DoD systems to kick off aide at 0405. The OVAL should be tolerant of any time combination within the hour/minute fields, and require *'s on days/month/week.
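The check and fix as the review above asks for them, written up as an added example; this is not code from the patch or from the scap-security-guide project, and every function name, temp path and sample crontab line in it is constructed. It implements the tolerant match (any minute/hour value, literal `*` required for day, month and weekday, entries accepted from either /etc/crontab or a cron.d directory) and an idempotent remediation that appends the entry only when none exists, which the one-line `echo >>` fix in the patch does not do.

```shell
#!/bin/sh
# Added example, not code from the scap-security-guide patch above.
# A POSIX-shell check/remediate pair for the AIDE cron entry that
# accepts any minute/hour value but requires literal '*' in the
# day/month/weekday fields, mirroring the review request. All function
# names, file paths and sample crontab content below are constructed.

# Extended regex for one crontab line:
#   <minute> <hour> * * * root /usr/sbin/aide --check
# Minute and hour accept digits, lists, ranges and steps (5, 0,30, 1-5, */2).
AIDE_CRON_RE='^[[:space:]]*[0-9*,/-]+[[:space:]]+[0-9*,/-]+[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+root[[:space:]]+/usr/sbin/aide[[:space:]]+--check([[:space:]]|$)'

# aide_cron_present CRONTAB CRON_D_DIR
# Returns 0 when a matching entry exists in CRONTAB or in any regular
# file under CRON_D_DIR (the two locations the OVAL check inspects).
aide_cron_present() {
    crontab_file=$1
    cron_d_dir=$2
    if [ -f "$crontab_file" ] && grep -Eq "$AIDE_CRON_RE" "$crontab_file"; then
        return 0
    fi
    if [ -d "$cron_d_dir" ]; then
        for f in "$cron_d_dir"/*; do
            [ -f "$f" ] || continue
            if grep -Eq "$AIDE_CRON_RE" "$f"; then
                return 0
            fi
        done
    fi
    return 1
}

# ensure_aide_cron CRONTAB CRON_D_DIR
# Idempotent remediation: only append when no entry exists anywhere,
# so repeated runs never stack duplicate lines in the crontab.
ensure_aide_cron() {
    if aide_cron_present "$1" "$2"; then
        return 0
    fi
    printf '%s\n' '05 4 * * * root /usr/sbin/aide --check' >> "$1"
}

# Demo on constructed files in a temp directory (never the real /etc).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/cron.d"
printf '%s\n' 'SHELL=/bin/bash' '0 2 * * * root /usr/bin/updatedb' > "$demo_dir/crontab"
if aide_cron_present "$demo_dir/crontab" "$demo_dir/cron.d"; then
    echo "before: AIDE entry present"
else
    echo "before: AIDE entry missing"
fi
ensure_aide_cron "$demo_dir/crontab" "$demo_dir/cron.d"
ensure_aide_cron "$demo_dir/crontab" "$demo_dir/cron.d"   # second run is a no-op
echo "after: $(grep -Ec "$AIDE_CRON_RE" "$demo_dir/crontab") matching line(s)"
rm -rf "$demo_dir"
```

The regex is the same shape an OVAL `textfilecontent54` pattern would take once the `[\s]**` fragments are replaced by escaped `\*` and the fixed `05` and `4` by a general field, so the shell check and the OVAL check agree on what counts as a daily AIDE run.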
Thanks, Shawn! Minor adjustments have been resubmitted.
Thanks,
Gabe
On Mon, Jul 28, 2014 at 7:06 PM, Shawn Wells shawn@redhat.com wrote:
-- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/