SLE15 prefer systemd unit handling of AIDE checks and notifications #11178
This datastream diff is auto generated by the check.

OCIL for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification' differs.
--- ocil:ssg-aide_scan_notification_ocil:questionnaire:1
+++ ocil:ssg-aide_scan_notification_ocil:questionnaire:1
@@ -1,4 +1,5 @@
To determine that periodic AIDE execution has been scheduled, run the following command:
+
$ grep aide /etc/crontab
The output should return something similar to the following:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
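Review bot: the only change in this hunk is the blank line inserted before `$ grep aide /etc/crontab`, so the questionnaire still points the checker at /etc/crontab alone and at a single `/bin/mail` example; a reader following it on a SLE15 host that uses the systemd unit handling named in the PR title, or that schedules AIDE from cron.d/daily/weekly/monthly as the new OVAL criterion allows, would get no hit and might wrongly record a fail. Consider extending the OCIL text to list the other locations the check now accepts.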
bash remediation for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification' differs.
--- xccdf_org.ssgproject.content_rule_aide_scan_notification
+++ xccdf_org.ssgproject.content_rule_aide_scan_notification
@@ -5,6 +5,7 @@
yum install -y "aide"
fi
var_aide_scan_notification_email=''
+
CRONTAB=/etc/crontab |
@@ -39,5 +50,37 @@ | |||
<ind:pattern operation="pattern match">^.*{{{ aide_bin_path }}}[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$</ind:pattern> | |||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance> | |||
</ind:textfilecontent54_object> | |||
|
|||
<ind:textfilecontent54_test check="all" check_existence="all_exist" |
This new part isn't described in rule.yml at all. You should extend the rule description and other artifacts.
Got you, will do 🙇
OK
test_ref="test_aide_var_cron_notification" /> | ||
<criterion comment="notify personnel when aide completes in cron.(d|daily|weekly|monthly)" | ||
test_ref="test_aide_crontabs_notification" /> | ||
<criteria operator="AND"> |
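Review bot: the pattern `^.*{{{ aide_bin_path }}}[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$` hard-codes the `/bin/mail` path and requires a recipient containing `@`, so a cron line that pipes to `mailx` or `/usr/bin/mail`, or that addresses plain `root` as many distributions do by default, fails the check even though notification is configured; consider matching `mail(x)?` without a fixed path and making the `@domain` part optional, in line with the rule description. Please also confirm the intent of `<criteria operator="AND">` that follows the two `test_aide_var_cron_notification` / `test_aide_crontabs_notification` criteria: if both are required together, a host that configures the notification in only one of /etc/crontab or cron.(d|daily|weekly|monthly) would fail, and an OR would match how the remediation writes a single entry.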
Should this new criteria be guarded as SLE-only? The new code in Bash and Ansible remediations is marked as SLE-only.
Well, I prefer it to be SLE-only for now and other maintainers to adopt it if they consider it viable; therefore the bash and ansible remediations are platform dependent.
Thanks for the reply. But if you think that this part should be SLE-only for now, would it be better to put it inside a Jinja if product in ... block?
…ions Drop some extra whitespace. Thanks to @jan-cerny for the feedback on this 🙇
6229a3f to 8fd0786
/packit build
CRONTAB=/etc/crontab | ||
CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly' | ||
|
@teacup-on-rockingchair I think this shouldn't be removed, these variables are used below (lines 37-38). I think this might be the reason why this rule fails the CI.
Thanks to @jan-cerny for the note 🙇
Code Climate has analyzed commit 10173f5 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.5%.
The CI failure of Automatus on SLE15 is fixed by #11212 and isn't related to this PR.
Notice that the Automatus CS9 job passes because the rule is evaluated as notapplicable in a container environment. I have run the test scenarios locally with a RHEL 9 virtual machine as a back end. Both Ansible and Bash are passing:
jcerny@fedora ~/work/git/scap-security-guide (pr/11178) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 aide_periodic_cron_checking
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-11-02-1432/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
INFO - Script aide_not_installed.fail.sh using profile (all) OK
INFO - Script cron_daily.pass.sh using profile (all) OK
INFO - Script cron_daily_complex.pass.sh using profile (all) OK
INFO - Script crontab_daily.pass.sh using profile (all) OK
INFO - Script crontab_daily_shortcut.pass.sh using profile (all) OK
INFO - Script crontab_monthly.fail.sh using profile (all) OK
INFO - Script crontab_two_days_week.pass.sh using profile (all) OK
INFO - Script crontab_weekly_on_exact_day.pass.sh using profile (all) OK
INFO - Script crontab_weekly_shortcut.pass.sh using profile (all) OK
INFO - Script crontab_weekly_word.pass.sh using profile (all) OK
INFO - Script crontab_yearly.fail.sh using profile (all) OK
INFO - Script not_in_cron.fail.sh using profile (all) OK
jcerny@fedora ~/work/git/scap-security-guide (pr/11178) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible aide_periodic_cron_checking
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-11-02-1437/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
INFO - Script aide_not_installed.fail.sh using profile (all) OK
INFO - Script cron_daily.pass.sh using profile (all) OK
INFO - Script cron_daily_complex.pass.sh using profile (all) OK
INFO - Script crontab_daily.pass.sh using profile (all) OK
INFO - Script crontab_daily_shortcut.pass.sh using profile (all) OK
INFO - Script crontab_monthly.fail.sh using profile (all) OK
INFO - Script crontab_two_days_week.pass.sh using profile (all) OK
INFO - Script crontab_weekly_on_exact_day.pass.sh using profile (all) OK
INFO - Script crontab_weekly_shortcut.pass.sh using profile (all) OK
INFO - Script crontab_weekly_word.pass.sh using profile (all) OK
INFO - Script crontab_yearly.fail.sh using profile (all) OK
INFO - Script not_in_cron.fail.sh using profile (all) OK