Thanks, Shawn! Minor adjustments have been resubmitted.
Thanks, Gabe On Mon, Jul 28, 2014 at 7:06 PM, Shawn Wells <[email protected]> wrote: > > On 7/15/14, 9:23 PM, Gabe wrote: > > - add aide oval check to check */etc/crontab and files in /etc/cron.d/* > - add aide bash fix > - enable aide oval check in scan > > Signed-off-by: Gabe <[email protected]> <[email protected]> > --- > RHEL/6/input/checks/aide_cron_checking.xml | 39 > +++++++++++++++++++++++++++ > RHEL/6/input/fixes/bash/aide_cron_checking.sh | 1 + > RHEL/6/input/system/software/integrity.xml | 1 + > 3 files changed, 41 insertions(+) > create mode 100644 RHEL/6/input/checks/aide_cron_checking.xml > create mode 100644 RHEL/6/input/fixes/bash/aide_cron_checking.sh > > diff --git a/RHEL/6/input/checks/aide_cron_checking.xml > b/RHEL/6/input/checks/aide_cron_checking.xml > new file mode 100644 > index 0000000..ed8f506 > --- /dev/null > +++ b/RHEL/6/input/checks/aide_cron_checking.xml 
> @@ -0,0 +1,39 @@ > +<def-group> > + <definition class="compliance" id="aide_cron_checking" version="1"> > + <metadata> > + <title>Configure Periodic Execution of AIDE</title> > + <affected family="unix"> > + <platform>Red Hat Enterprise Linux 6</platform> > + </affected> > + <description>By default, AIDE does not install itself for periodic > + execution. Periodically running AIDE is necessary to reveal > + unexpected changes in installed files. > + </description> > + <reference source="MED" ref_id="20130928" ref_url="test_attestation" /> > + </metadata> > + <criteria operator="OR"> > + <extend_definition comment="Aide is installed" negate="true" > definition_ref="package_aide_installed" /> > + <criterion comment="run aide daily with cron" > test_ref="test_aide_cron_checking" /> > + <criterion comment="run aide daily with cron" > test_ref="test_aide_crond_checking" /> > + </criteria> > + </definition> > + > + <ind:textfilecontent54_test check="all" check_existence="all_exist" > comment="run aide daily with cron" id="test_aide_cron_checking" version="1"> > + <ind:object object_ref="object_test_aide_cron_checking" /> > + </ind:textfilecontent54_test> > + <ind:textfilecontent54_object comment="run aide daily with cron" > id="object_test_aide_cron_checking" version="1"> > + <ind:filepath>/etc/crontab</ind:filepath> > + <ind:pattern operation="pattern > match">^[\s]*05[\s]*4[\s]*\*[\s]*\*[\s]*\*[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check+$</ind:pattern> > + <ind:instance datatype="int" operation="greater than or > equal">1</ind:instance> > + </ind:textfilecontent54_object> > + > + <ind:textfilecontent54_test check="all" check_existence="all_exist" > comment="run aide daily with cron" id="test_aide_crond_checking" version="1"> > + <ind:object object_ref="object_test_aide_crond_checking" /> > + </ind:textfilecontent54_test> > + <ind:textfilecontent54_object comment="run aide daily with cron" > id="object_test_aide_crond_checking" version="1"> > + 
<ind:path>/etc/cron.d</ind:path> > + <ind:filename operation="pattern match">^.*$</ind:filename> > + <ind:pattern operation="pattern > match">^[\s]*05[\s]*4[\s]*\*[\s]*\*[\s]*\*[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check+$</ind:pattern> > + <ind:instance datatype="int" operation="greater than or > equal">1</ind:instance> > + </ind:textfilecontent54_object> > +</def-group> > diff --git a/RHEL/6/input/fixes/bash/aide_cron_checking.sh > b/RHEL/6/input/fixes/bash/aide_cron_checking.sh > new file mode 100644 > index 0000000..f62ef72 > --- /dev/null > +++ b/RHEL/6/input/fixes/bash/aide_cron_checking.sh > @@ -0,0 +1 @@ > +echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab > diff --git a/RHEL/6/input/system/software/integrity.xml > b/RHEL/6/input/system/software/integrity.xml > index 55bf115..7c2f262 100644 > --- a/RHEL/6/input/system/software/integrity.xml > +++ b/RHEL/6/input/system/software/integrity.xml 
> @@ -100,6 +100,7 @@ To determine that periodic AIDE execution has been > scheduled, run the following > By default, AIDE does not install itself for periodic execution. Periodically > running AIDE is necessary to reveal unexpected changes in installed files. > </rationale> > +<oval id="aide_cron_checking" /> > <ident cce="27222-9" /> > <ref nist="CM-3(d),CM-3(e),CM-6(d),CM-6(3),SC-28,SI-7" > disa="374,416,1069,1263,1297,1589"/> > </Rule> > -- > 2.0.0 > > > I can't tell if anyone responded to this. So, risking being a dupe, thanks > for filling out this gap in OVAL content! Two minor adjustments are needed: > > - The OVAL filename should be named to match the XCCDF rule ID. In this > case, 'git mv aide_cron_checking.xml aide_periodic_cron_checking.xml'. > Technically the build scripts will parse whatever is in the XCCDF oval id, > though eventually we'll drop this bit of code and have things automatically > (and only) search for matching XCCDF/OVAL/remediation script pairings. > > - The 0405 cron time was an example (which we need to make clearer), and > not meant to mandate DoD systems to kickoff aide at 0405. The OVAL should > be tolerant of any time combination within the hour/minute fields, and > require *'s on days/month/week. > > > -- > SCAP Security Guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide > https://github.com/OpenSCAP/scap-security-guide/ >
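Review bot: in both `<ind:pattern>` elements of aide_cron_checking.xml the field separator is `[\s]*`, so the regex accepts a line with no whitespace between fields at all (`054***root/usr/sbin/aide--check`) while, as the reply above notes, rejecting every schedule other than 05 4. Use `[\s]+` between fields and a minute/hour character class in place of the `05` and `4` literals, and drop the trailing `+` in `\-\-check+$`: it only repeats the final `k` and, together with `$`, prevents a match when any option follows `--check`.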
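Review bot: the remediation in aide_cron_checking.sh appends to /etc/crontab unconditionally, so every re-run of the fix leaves another copy of the cron line behind. Guard the append, e.g. `grep -q '/usr/sbin/aide --check' /etc/crontab || echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab`, and note that the script never looks at /etc/cron.d even though the OVAL accepts an entry there.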
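Review bot: the `<oval id="aide_cron_checking" />` added to the Rule in integrity.xml does not match the rule ID that the reply above gives for this check (aide_periodic_cron_checking, per the suggested `git mv`). Rename the OVAL file, this id and the remediation script together so all three share the rule's name; that also lets the explicit `<oval id>` go away once the build pairs XCCDF, OVAL and remediation files automatically.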
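As an added example (not code from the patch or the SSG project): a small Python harness that runs the submitted OVAL regex and a tolerant alternative of the kind Shawn asks for over a constructed crontab, showing which lines each one reports. The TOLERANT pattern, the sample crontab and the use of Python's re module as a stand-in for the OVAL regex engine are my assumptions.

```python
import re

# Regex copied verbatim from the submitted aide_cron_checking.xml (both objects use it).
SUBMITTED = r"^[\s]*05[\s]*4[\s]*\*[\s]*\*[\s]*\*[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check+$"

# Assumed replacement: any minute/hour spec, literal * for day/month/weekday,
# at least one whitespace character between fields, --check as a whole word.
TOLERANT = r"^\s*[0-9*/,-]+\s+[0-9*/,-]+\s+\*\s+\*\s+\*\s+root\s+/usr/sbin/aide\s+--check\b"

# Constructed sample in /etc/crontab and /etc/cron.d format (user field present).
CRONTAB = """\
SHELL=/bin/bash
05 4 * * * root /usr/sbin/aide --check
30 3 * * * root /usr/sbin/aide --check
0 2 * * 1-5 root /usr/sbin/aide --check
15 1 * * * root /usr/sbin/aide --update
054***root/usr/sbin/aide--check
"""


def matching_lines(pattern, text):
    """Lines an OVAL textfilecontent54 pattern would report as instances.
    Python's re stands in for the OVAL regex engine (assumption)."""
    rx = re.compile(pattern)
    return [line for line in text.splitlines() if rx.search(line)]


def aide_scheduled(pattern, text):
    """Mirror the test's 'instance >= 1' criterion: pass on at least one match."""
    return len(matching_lines(pattern, text)) >= 1


if __name__ == "__main__":
    for name, pattern in (("submitted", SUBMITTED), ("tolerant", TOLERANT)):
        verdict = "PASS" if aide_scheduled(pattern, CRONTAB) else "FAIL"
        print(f"{name}: {verdict}")
        for line in matching_lines(pattern, CRONTAB):
            print("   ", line)
```

The submitted regex reports the whitespace-free junk line and misses the 03:30 schedule; the tolerant one does the reverse, and both reject the weekday-only and --update lines.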
