Add oval for aide to check that it is running in a cron job. This is a resubmit.
Thanks, Gabe Alford
Gabe (1):
  add aide cron oval check

 .../6/input/checks/aide_periodic_cron_checking.xml | 39 ++++++++++++++++++++++
 .../fixes/bash/aide_periodic_cron_checking.sh | 1 +
 RHEL/6/input/system/software/integrity.xml | 1 +
 3 files changed, 41 insertions(+)
 create mode 100644 RHEL/6/input/checks/aide_periodic_cron_checking.xml
 create mode 100644 RHEL/6/input/fixes/bash/aide_periodic_cron_checking.sh

- add aide oval check to check /etc/crontab and files in /etc/cron.d/
- add aide bash fix
- enable aide oval check in scan

Signed-off-by: Gabe redhatrises@gmail.com
---
 .../6/input/checks/aide_periodic_cron_checking.xml | 39 ++++++++++++++++++++++
 .../fixes/bash/aide_periodic_cron_checking.sh | 1 +
 RHEL/6/input/system/software/integrity.xml | 1 +
 3 files changed, 41 insertions(+)
 create mode 100644 RHEL/6/input/checks/aide_periodic_cron_checking.xml
 create mode 100644 RHEL/6/input/fixes/bash/aide_periodic_cron_checking.sh
diff --git a/RHEL/6/input/checks/aide_periodic_cron_checking.xml b/RHEL/6/input/checks/aide_periodic_cron_checking.xml new file mode 100644 index 0000000..4a4dbff --- /dev/null +++ b/RHEL/6/input/checks/aide_periodic_cron_checking.xml 
@@ -0,0 +1,39 @@ +<def-group> + <definition class="compliance" id="aide_periodic_cron_checking" version="1"> + <metadata> + <title>Configure Periodic Execution of AIDE</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>By default, AIDE does not install itself for periodic + execution. Periodically running AIDE is necessary to reveal + unexpected changes in installed files. + </description> + <reference source="MED" ref_id="20130928" ref_url="test_attestation" /> + </metadata> + <criteria operator="OR"> + <extend_definition comment="Aide is installed" negate="true" definition_ref="package_aide_installed" /> + <criterion comment="run aide daily with cron" test_ref="test_aide_periodic_cron_checking" /> + <criterion comment="run aide daily with cron" test_ref="test_aide_crond_checking" /> + </criteria> + </definition> + + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="run aide daily with cron" id="test_aide_periodic_cron_checking" version="1"> + <ind:object object_ref="object_test_aide_periodic_cron_checking" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object comment="run aide daily with cron" id="object_test_aide_periodic_cron_checking" version="1"> + ind:filepath/etc/crontab</ind:filepath> + <ind:pattern operation="pattern match">^[0-9]*[\s]*[0-9]*[\s]**[\s]**[\s]**[\s]*root[\s]*/usr/sbin/aide[\s]*--check+$</ind:pattern> + <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="run aide daily with cron" id="test_aide_crond_checking" version="1"> + <ind:object object_ref="object_test_aide_crond_checking" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object comment="run aide daily with cron" id="object_test_aide_crond_checking" version="1"> + ind:path/etc/cron.d</ind:path> + <ind:filename operation="pattern 
match">^.*$</ind:filename> + <ind:pattern operation="pattern match">^[0-9]*[\s]*[0-9]*[\s]**[\s]**[\s]**[\s]*root[\s]*/usr/sbin/aide[\s]*--check+$</ind:pattern> + <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> + </ind:textfilecontent54_object> +</def-group> diff --git a/RHEL/6/input/fixes/bash/aide_periodic_cron_checking.sh b/RHEL/6/input/fixes/bash/aide_periodic_cron_checking.sh new file mode 100644 index 0000000..f62ef72 --- /dev/null +++ b/RHEL/6/input/fixes/bash/aide_periodic_cron_checking.sh @@ -0,0 +1 @@ +echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab diff --git a/RHEL/6/input/system/software/integrity.xml b/RHEL/6/input/system/software/integrity.xml index 55bf115..ab9f44d 100644 --- a/RHEL/6/input/system/software/integrity.xml +++ b/RHEL/6/input/system/software/integrity.xml @@ -100,6 +100,7 @@ To determine that periodic AIDE execution has been scheduled, run the following By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. </rationale> +<oval id="aide_periodic_cron_checking" /> <ident cce="27222-9" /> <ref nist="CM-3(d),CM-3(e),CM-6(d),CM-6(3),SC-28,SI-7" disa="374,416,1069,1263,1297,1589"/> </Rule>
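Review bot: In aide_periodic_cron_checking.xml, the `<criteria operator="OR">` block pairs a negated `package_aide_installed` with the two cron tests, so a host with no AIDE package at all passes a rule titled "Configure Periodic Execution of AIDE". If that is intended because a separate rule covers installation, state it in the definition's description; otherwise require the package together with one of the cron tests. The pattern shared by both objects also needs tightening: as it appears here, `--check+$` lets the final `k` repeat, `[0-9]*` and `[\s]*` accept empty minute and hour fields and missing separators, and `[\s]**` carries no escaped literal `*` for the day, month and weekday fields. The pattern is also tied to the exact `/usr/sbin/aide --check` command line run as root, so an equivalent job with extra options will fail the check; that limit is worth documenting.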
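Review bot: The one-line fix in aide_periodic_cron_checking.sh appends to /etc/crontab unconditionally, so every remediation run adds another copy of the `05 4 * * * root /usr/sbin/aide --check` entry, and it does so even when a matching job already exists under /etc/cron.d, which the OVAL check accepts. Guard the append with a test for an existing entry (for example a `grep -q` for `/usr/sbin/aide --check` across /etc/crontab and the files in /etc/cron.d/) so the fix is idempotent.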
scap-security-guide@lists.fedorahosted.org