- add aide oval check to check /etc/crontab and files in /etc/cron.d/
- add aide bash fix
- enable aide oval check in scan

Signed-off-by: Gabe <[email protected]>
---
 .../6/input/checks/aide_periodic_cron_checking.xml | 39 ++++++++++++++++++++++
 .../fixes/bash/aide_periodic_cron_checking.sh      |  1 +
 RHEL/6/input/system/software/integrity.xml         |  1 +
 3 files changed, 41 insertions(+)
 create mode 100644 RHEL/6/input/checks/aide_periodic_cron_checking.xml
 create mode 100644 RHEL/6/input/fixes/bash/aide_periodic_cron_checking.sh

diff --git a/RHEL/6/input/checks/aide_periodic_cron_checking.xml 
b/RHEL/6/input/checks/aide_periodic_cron_checking.xml
new file mode 100644
index 0000000..4a4dbff
--- /dev/null
+++ b/RHEL/6/input/checks/aide_periodic_cron_checking.xml
@@ -0,0 +1,39 @@
+<def-group>
+  <definition class="compliance" id="aide_periodic_cron_checking" version="1">
+    <metadata>
+      <title>Configure Periodic Execution of AIDE</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+      </affected>
+      <description>By default, AIDE does not install itself for periodic
+      execution. Periodically running AIDE is necessary to reveal
+      unexpected changes in installed files.
+      </description>
+      <reference source="MED" ref_id="20130928" ref_url="test_attestation" />
+    </metadata>
+    <criteria operator="OR">
+      <extend_definition comment="Aide is installed" negate="true" 
definition_ref="package_aide_installed" />
+      <criterion comment="run aide daily with cron" 
test_ref="test_aide_periodic_cron_checking" />
+      <criterion comment="run aide daily with cron" 
test_ref="test_aide_crond_checking" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" 
comment="run aide daily with cron" id="test_aide_periodic_cron_checking" 
version="1">
+    <ind:object object_ref="object_test_aide_periodic_cron_checking" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object comment="run aide daily with cron" 
id="object_test_aide_periodic_cron_checking" version="1">
+    <ind:filepath>/etc/crontab</ind:filepath>
+    <ind:pattern operation="pattern 
match">^[0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check+$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or 
equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" 
comment="run aide daily with cron" id="test_aide_crond_checking" version="1">
+    <ind:object object_ref="object_test_aide_crond_checking" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object comment="run aide daily with cron" 
id="object_test_aide_crond_checking" version="1">
+    <ind:path>/etc/cron.d</ind:path>
+    <ind:filename operation="pattern match">^.*$</ind:filename>
+    <ind:pattern operation="pattern 
match">^[0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check+$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or 
equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
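Review bot: The top-level `<criteria operator="OR">` together with `negate="true"` on the `package_aide_installed` reference makes this definition evaluate true on a host where AIDE is not installed at all, so the rule passes where no integrity check ever runs. Unless that is deliberate (leaving the missing package to its own rule), require the package and OR only the two cron tests, as in the fence below. Separately, both patterns join fields with `[\s]*` and end in `check+$`, so they accept run-together fields and `--checkk`; `[\s]+` between fields and `\-\-check$` would be tighter. The two criteria also carry the same comment, and naming `/etc/crontab` and `/etc/cron.d` in them makes scan results easier to tell apart.

```xml
<criteria operator="AND">
  <extend_definition comment="Aide is installed" definition_ref="package_aide_installed" />
  <criteria operator="OR">
    <criterion comment="run aide daily with cron (/etc/crontab)" test_ref="test_aide_periodic_cron_checking" />
    <criterion comment="run aide daily with cron (/etc/cron.d)" test_ref="test_aide_crond_checking" />
  </criteria>
</criteria>
```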
diff --git a/RHEL/6/input/fixes/bash/aide_periodic_cron_checking.sh 
b/RHEL/6/input/fixes/bash/aide_periodic_cron_checking.sh
new file mode 100644
index 0000000..f62ef72
--- /dev/null
+++ b/RHEL/6/input/fixes/bash/aide_periodic_cron_checking.sh
@@ -0,0 +1 @@
+echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
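Review bot: The unconditional `>> /etc/crontab` append is not idempotent, so every remediation run adds another identical entry and AIDE ends up scheduled several times at 04:05. Guard the append, for example `grep -q '/usr/sbin/aide --check' /etc/crontab || echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab`. The script also has no comment tying the entry to the OVAL pattern it must keep matching; a line such as `# daily AIDE run; must match the pattern in aide_periodic_cron_checking.xml` would make that dependency visible.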
diff --git a/RHEL/6/input/system/software/integrity.xml 
b/RHEL/6/input/system/software/integrity.xml
index 55bf115..ab9f44d 100644
--- a/RHEL/6/input/system/software/integrity.xml
+++ b/RHEL/6/input/system/software/integrity.xml
@@ -100,6 +100,7 @@ To determine that periodic AIDE execution has been 
scheduled, run the following
 By default, AIDE does not install itself for periodic execution. Periodically
 running AIDE is necessary to reveal unexpected changes in installed files.
 </rationale>
+<oval id="aide_periodic_cron_checking" />
 <ident cce="27222-9" />
 <ref nist="CM-3(d),CM-3(e),CM-6(d),CM-6(3),SC-28,SI-7" 
disa="374,416,1069,1263,1297,1589"/>
 </Rule>
-- 
2.0.0
