SLE15 prefer systemd unit handling of AIDE checks and notifications #11178

1 change: 1 addition & 0 deletions controls/anssi.yml
Expand Up @@ -1467,6 +1467,7 @@ controls:
- package_aide_installed
- aide_build_database
- aide_periodic_cron_checking
- aide_periodic_checking_systemd_timer
- aide_scan_notification
- aide_verify_acls
- aide_verify_ext_attributes
1 change: 1 addition & 0 deletions controls/pcidss_3.yml
Expand Up @@ -2339,6 +2339,7 @@ controls:
- disable_prelink
- package_aide_installed
- aide_periodic_cron_checking
- aide_periodic_checking_systemd_timer
- rpm_verify_ownership
- rpm_verify_hashes
- aide_build_database
1 change: 1 addition & 0 deletions controls/pcidss_4.yml
Expand Up @@ -2592,6 +2592,7 @@ controls:
- disable_prelink
- package_aide_installed
- aide_periodic_cron_checking
- aide_periodic_checking_systemd_timer
- rpm_verify_ownership
- rpm_verify_hashes
- aide_build_database
Expand Up @@ -4,7 +4,7 @@

documentation_complete: true

prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,openembedded,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204
prodtype: alinux2,alinux3,anolis23,anolis8,fedora,ol7,ol8,ol9,openembedded,rhel7,rhel8,rhel9,rhv4,sle12,ubuntu2004,ubuntu2204

title: 'Configure Periodic Execution of AIDE'
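Review bot: dropping sle15 from `prodtype` of 'Configure Periodic Execution of AIDE' is not explained anywhere in the patch, while the anssi, pcidss_3 and pcidss_4 control files in this same PR keep `aide_periodic_cron_checking` selected right next to the new `aide_periodic_checking_systemd_timer`. That is workable if a rule outside its prodtype is simply not built for sle15, but a one-line comment in the control files (or the PR description) stating that cron-based checking is intentionally replaced by the systemd timer on sle15 would stop the two selections from looking contradictory to the next person editing these lists.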

Expand Up @@ -12,6 +12,41 @@
with_items:
- aide

{{% if product in ["sle15"] %}}
- name: "{{{ rule_title }}} check service"
ansible.builtin.blockinfile:
create: yes
dest: /etc/systemd/system/aidecheck.service
owner: root
group: root
mode: '0644'
block: |
[Unit]
Description=Aide Check
Before=aidecheck-notify.service
Wants=aidecheck-notify.service
[Service]
Type=forking
ExecStart={{{ aide_bin_path }}} --check -r file:/tmp/aide-report.log
[Install]
WantedBy=multi-user.target

- name: "{{{ rule_title }}} notify service"
ansible.builtin.blockinfile:
create: yes
dest: /etc/systemd/system/aidecheck-notify.service
owner: root
group: root
mode: '0644'
block: |
[Unit]
Description=Status email for AIDE check result
After=aidecheck.service
[Service]
Type=forking
ExecStart=/bin/sh -c 'cat /tmp/aide-report.log | /bin/mail -s "$(hostname) - AIDE Integrity Check" {{ var_aide_scan_notification_email }}'

{{% else %}}
- name: "{{{ rule_title }}}"
cron:
name: "run AIDE check"
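Review bot: `Type=forking` on both new units does not match what their `ExecStart=` lines run: `aide --check` and the `/bin/sh -c '... | /bin/mail ...'` pipeline both run to completion in the foreground and never daemonise, so `Type=oneshot` is the unit type for these jobs and it is also what makes the `Before=aidecheck-notify.service` ordering mean "notify runs after the check has finished". Related: `aide --check` exits non-zero when it finds differences, which is exactly the case the mail is for, so without `SuccessExitStatus=` the check unit will show as failed on every hit. Two further points on this hunk: the report is written to `/tmp/aide-report.log`, a predictable name in a shared directory that is created with the default umask and therefore normally readable by every local user, so a root-owned directory under `/var/log` with a restrictive mode would keep the integrity report private; and after the `blockinfile` tasks write the unit files the play needs an `ansible.builtin.systemd` task with `daemon_reload: yes`, otherwise the new units are unknown to the manager until the next reload. Note also that `WantedBy=multi-user.target` in aidecheck.service makes the check run once at boot when enabled; the periodic scheduling is left entirely to the timer rule added in the control files, which is fine but should be said in the task name or a comment.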
Expand All @@ -20,3 +55,4 @@
weekday: 0
user: root
job: '{{{ aide_bin_path }}} --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" {{ var_aide_scan_notification_email }}'
{{% endif %}}
Expand Up @@ -3,9 +3,28 @@
{{{ bash_package_install("aide") }}}
{{{ bash_instantiate_variables("var_aide_scan_notification_email") }}}

CRONTAB=/etc/crontab
CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'

Collaborator
@teacup-on-rockingchair I think this shouldn't be removed, these variables are used below (lines 37-38). I think this might be the reason why this rule fails the CI.

{{% if product in ["sle15"] %}}
# create unit file for periodic aide database check
cat > /etc/systemd/system/aidecheck.service <<CHECKEOF
[Unit]
Description=Aide Check
Before=aidecheck-notify.service
Wants=aidecheck-notify.service
[Service]
Type=forking
ExecStart=/usr/bin/aide --check -r file:/tmp/aide-report.log
[Install]
WantedBy=multi-user.target
CHECKEOF
cat > /etc/systemd/system/aidecheck-notify.service <<NOTIFYEOF
[Unit]
Description=Status email for AIDE check result
After=aidecheck.service
[Service]
Type=forking
ExecStart=/bin/sh -c 'cat /tmp/aide-report.log | /bin/mail -s "$(hostname) - AIDE Integrity Check" $var_aide_scan_notification_email'
NOTIFYEOF
{{% else %}}
# NOTE: on some platforms, /etc/crontab may not exist
if [ -f /etc/crontab ]; then
CRONTAB_EXIST=/etc/crontab
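Review bot: the `NOTIFYEOF` heredoc is unquoted, so `$(hostname)` in its `ExecStart=` line is expanded by the remediation shell at the moment the unit file is written, baking the name of the host that ran the fix into the unit instead of leaving it for `/bin/sh -c` to evaluate at run time; the cron branch below gets this right with `\$(hostname)`, and the same escape is needed here (the `$var_aide_scan_notification_email` expansion, by contrast, is wanted). The `ExecStart=/usr/bin/aide --check ...` line hardcodes the binary path while the cron branch uses `{{{ aide_bin_path }}}`; using the macro keeps the unit, the cron job and the OVAL pattern on the same path. As in the Ansible version of this change, `Type=forking` should be `Type=oneshot` for a run-to-completion check, `/tmp/aide-report.log` is a predictable path in a shared directory and normally world-readable, and nothing runs `systemctl daemon-reload` after the two unit files are written.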
Expand All @@ -18,4 +37,4 @@ fi
if ! grep -qR '^.*{{{ aide_bin_path }}}\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
echo "0 5 * * * root {{{ aide_bin_path }}} --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB
fi

{{% endif %}}
Expand Up @@ -5,9 +5,22 @@
<criteria operator="AND">
<extend_definition comment="Aide is installed" definition_ref="package_aide_installed" />
<criteria operator="OR">
<criterion comment="notify personnel when aide completes" test_ref="test_aide_scan_notification" />
<criterion comment="notify personnel when aide completes" test_ref="test_aide_var_cron_notification" />
<criterion comment="notify personnel when aide completes in cron.(d|daily|weekly|monthly)" test_ref="test_aide_crontabs_notification" />
<criterion comment="notify personnel when aide completes"
test_ref="test_aide_scan_notification" />
<criterion comment="notify personnel when aide completes"
test_ref="test_aide_var_cron_notification" />
<criterion comment="notify personnel when aide completes in cron.(d|daily|weekly|monthly)"
test_ref="test_aide_crontabs_notification" />
{{% if product in ["sle15"] %}}
<criteria operator="AND">
Collaborator
Should this new criteria be guarded as SLE-only? The new code in Bash and Ansible remediations is marked as SLE-only.

Contributor Author
Well, I prefer it to be SLE-only for now and let other maintainers adopt it if they consider it viable; therefore the bash and ansible remediations are platform dependent.

Collaborator
Thanks for the reply. But if you think that this part should be SLE-only for now, would it be better to put it inside a Jinja `if product in ...` block?

<criterion comment="notification started after check"
test_ref="test_aidecheck_systemd_scan_before_notification"/>
<criterion comment="systemd aidecheck wants notification"
test_ref="test_aidecheck_systemd_scan_wants_notification"/>
<criterion comment="systemd aidecheck scan notification test"
test_ref="test_aidecheck_systemd_scan_report"/>
</criteria>
{{% endif %}}
</criteria>
</criteria>
</definition>
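Review bot: the three new criteria only inspect aidecheck.service (`Before=`, `Wants=` and `ExecStart=... -r file:`), so on sle15 the definition passes without ever looking at aidecheck-notify.service, whereas the cron criteria it sits beside require `/bin/mail -s "..." ...@...` in the crontab line. A fourth test on `/etc/systemd/system/aidecheck-notify.service`, checking that its `ExecStart=` pipes the report into `/bin/mail` with a recipient address, would make the systemd path verify the property the rule is named for (somebody is actually notified) rather than only the unit dependency. Also worth an explicit decision: because the sle15 block is nested inside the `<criteria operator="OR">`, a sle15 host that still carries the old cron entry passes the rule even though the sle15 remediation in this PR no longer creates one.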
Expand Down Expand Up @@ -39,5 +52,39 @@
<ind:pattern operation="pattern match">^.*{{{ aide_bin_path }}}[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>

{{% if product in ["sle15"] %}}
<ind:textfilecontent54_test check="all" check_existence="all_exist"
Collaborator
This new part isn't described in rule.yml at all. You should extend the rule description and other artifacts.

Contributor Author
Got you, will do 🙇

Collaborator
OK

id="test_aidecheck_systemd_scan_report" version="1"
comment="report results of aide check, when started by systemd">
<ind:object object_ref="obj_aidecheck_systemd_report" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_aidecheck_systemd_report" version="1"
comment="run aide check with output to a report file">
<ind:filepath>/etc/systemd/system/aidecheck.service</ind:filepath>
<ind:pattern operation="pattern match">^ExecStart\=.*/usr/bin/aide[\s]*\-\-check.*\-r\s*file:\/w*.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_test check="all" check_existence="all_exist"
id="test_aidecheck_systemd_scan_before_notification" version="1"
comment="aide check is run before notification service">
<ind:object object_ref="obj_aidecheck_systemd_before_notification" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_aidecheck_systemd_before_notification" version="1"
comment="run aide check before notification">
<ind:filepath>/etc/systemd/system/aidecheck.service</ind:filepath>
<ind:pattern operation="pattern match">^Before\=.*aidecheck-notify.service$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_test check="all" check_existence="any_exist"
comment="aide check systemd unit wants notification service"
id="test_aidecheck_systemd_scan_wants_notification" version="1">
<ind:object object_ref="object_aidecheck_for_notification_enabled"/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_aidecheck_for_notification_enabled" version="1"
comment="list of dependencies should include aidecheck.service">
<ind:filepath>/etc/systemd/system/aidecheck.service</ind:filepath>
<ind:pattern operation="pattern match">^Wants\=.*aidecheck-notify.service.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
{{% endif %}}
</def-group>
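Review bot: the pattern in `obj_aidecheck_systemd_report` ends in `\-r\s*file:\/w*.*$`, where `\/w*` matches a literal slash followed by any number of `w` characters rather than the `\w*` (word characters) that was presumably intended; it only matches `file:/tmp/aide-report.log` because `w*` can match nothing, so `file:\/\S+` (a slash followed by a non-empty path) would state the intent and still match. The same object hardcodes `/usr/bin/aide` while the cron object above it uses `{{{ aide_bin_path }}}`; using the macro keeps the check and the remediation in step. Smaller points: `test_aidecheck_systemd_scan_wants_notification` uses `check_existence="any_exist"` while the two sibling tests use `all_exist`, the object id `object_aidecheck_for_notification_enabled` breaks the `obj_` prefix used by the other two objects, and that object's comment says the dependency list should include `aidecheck.service` although its pattern checks for `aidecheck-notify.service`.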
Expand Up @@ -57,23 +57,41 @@ ocil_clause: 'AIDE has not been configured or has not been configured to notify

ocil: |-
To determine that periodic AIDE execution has been scheduled, run the following command:
{{% if product in ["sle15"] %}}
<pre>$ sudo systemctl status aidecheck-notify|grep loaded</pre>
The output should return that the service is loaded.
Also we should make sure that notification service is started by the check:
<pre>$ sudo systemctl list-dependencies --reverse aidecheck-notify</pre>,
which should display the aidecheck.service in the dependency tree
{{% else %}}
<pre>$ grep aide /etc/crontab</pre>
The output should return something similar to the following:
<pre>05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost</pre>
The email address that the notifications are sent to can be changed by overriding
<pre><sub idref="var_aide_scan_notification_email" /></pre>.
{{% endif %}}

fixtext: |-
Configure the file integrity tool to run automatically on the system at least weekly and to notify designated personnel if baseline configurations are changed in an unauthorized manner.
The AIDE tool can be configured to email designated personnel with the use of the cron system.

The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis.

{{% if product in ["sle15"] %}}
$ cat > /etc/systemd/system/aidecheck-notify.service <<NOTIFYEOF
[Unit]
Description=Status email for AIDE check result
After=aidecheck.service
[Service]
Type=forking
ExecStart=/bin/sh -c 'cat /tmp/aide-report.log | /bin/mail -s "$(hostname) - AIDE Integrity Check" $var_aide_scan_notification_email'
NOTIFYEOF
{{% else %}}
$ sudo more /etc/cron.daily/aide

#!/bin/bash

/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil
{{% endif %}}

srg_requirement: |-
The {{{ full_name }}} file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.
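Review bot: the fixtext still states, outside any product guard, that the example "will set cron to run AIDE daily", but the sle15 branch that follows shows a systemd unit, and only the notify unit at that: aidecheck.service, which produces the `/tmp/aide-report.log` this unit mails, never appears, so an administrator following the text ends up with half the configuration. The sle15 example also uses the literal `$var_aide_scan_notification_email`, a shell variable internal to the bash remediation, where the cron branch uses a concrete address (`root@sysname.mil`); substituting a concrete address and reusing the `<sub idref="var_aide_scan_notification_email" />` sentence from the OCIL else-branch would tell the sle15 reader how to override the recipient too. In the OCIL sle15 branch there is a stray comma after the `</pre>` of the `list-dependencies` command, and the sentence introducing the branch promises to show that "periodic AIDE execution has been scheduled" while `systemctl status aidecheck-notify|grep loaded` only shows the unit is loaded; verifying periodicity means pointing at the timer unit from the timer rule added in the control files.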