Bug 1540505

Summary: Rule xccdf_org.ssgproject.content_rule_aide_scan_notification fails when email ID other than root@. is given
Product: Red Hat Enterprise Linux 7
Reporter: amitkuma
Component: scap-security-guide
Assignee: Watson Yuuma Sato <wsato>
Status: CLOSED ERRATA
QA Contact: Marek Haicman <mhaicman>
Severity: urgent
Priority: high
Version: 7.4
CC: mhaicman, mthacker, openscap-maint
Target Milestone: rc
Keywords: ZStream
Hardware: x86_64
OS: Linux
Fixed In Version: scap-security-guide-0.1.39-1.el7
Doc Type: If docs needed, set a value
Last Closed: 2018-10-30 11:46:47 UTC
Type: Bug
Bug Blocks: 1571315

Description amitkuma 2018-01-31 09:12:52 UTC
Description of problem:

# yum install aide -y
# vim /etc/crontab        //As directed in 'scan-xccdf-report.html'
    05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost        //Passes Test
    05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" abc.xyz.df.gh       //Fails test
# oscap    xccdf eval    --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa  --report report.html --results scan-xccdf-results.xml    /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
        Title Configure Notification of Post-AIDE Scan Details
        Rule xccdf_org.ssgproject.content_rule_aide_scan_notification
        Ident CCE-80374-2
        Result fail
    # 


/////////Fix For Same/////////////
Option-1:
/etc/crontab
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root.df.gh

Option-2:
# vim /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Replace:
if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*\|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then
With
if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*\|.*\/bin\/mail\s*-s\s*".*"\s**@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then


//////Further Questions/////////
1. Why is the email ID of root expected? Why can't a normal user's email ID be used? A normal user can also run the openscap test.
2. Why is the email ID format root@something fixed?

Version-Release number of selected component (if applicable):
openscap-1.2.14-2.el7.x86_64.rpm

How reproducible:
Always

Steps to Reproduce:
1. Mentioned in case description

Actual results:
Aide can only send mail to root account.

Expected results:
Aide should be able to send email to any user-mail.

Additional info:
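
The recipient restriction discussed in this report, as an added example that is not part of the original report and is not the scap-security-guide check or fix. It compares a root@-only pattern with a relaxed one over constructed crontab entries; the `notifies` helper, the relaxed `user@host` pattern and `admin@example.com` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the scap-security-guide check. Patterns are ERE (grep -E);
# [|] is a literal pipe, whereas GNU grep's basic-regex \| means alternation.
PIPE='/usr/sbin/aide[[:space:]]+--check.*[|].*/bin/mail[[:space:]]+-s[[:space:]]*".*"[[:space:]]*'
STRICT="${PIPE}root@"                          # recipient must begin with root@
RELAXED="${PIPE}[^[:space:]@]+@[^[:space:]@]+" # assumed relaxation: any user@host

# notifies MODE FILE -> exit 0 when an active (uncommented) cron line pipes
# "aide --check" into /bin/mail with a recipient accepted by MODE.
notifies() {
    case "$1" in
        strict)  pat=$STRICT ;;
        relaxed) pat=$RELAXED ;;
        *)       return 2 ;;
    esac
    grep -v '^[[:space:]]*#' "$2" | grep -Eq -- "$pat"
}

# Constructed sample crontabs, one entry each (admin@example.com is made up).
sample() { f=$(mktemp) && printf '%s\n' "$1" > "$f" && echo "$f"; }
SUBJ='-s "$(hostname) - AIDE Integrity Check"'
ROOT_TAB=$(sample "05 4 * * * root /usr/sbin/aide --check | /bin/mail $SUBJ root@localhost")
USER_TAB=$(sample "05 4 * * * root /usr/sbin/aide --check | /bin/mail $SUBJ admin@example.com")
NOMAIL_TAB=$(sample "05 4 * * * root /usr/sbin/aide --check")
OFF_TAB=$(sample "#05 4 * * * root /usr/sbin/aide --check | /bin/mail $SUBJ admin@example.com")
trap 'rm -f "$ROOT_TAB" "$USER_TAB" "$NOMAIL_TAB" "$OFF_TAB"' EXIT

# Print a pass/fail matrix: only the non-root recipient differs between modes.
for f in "$ROOT_TAB" "$USER_TAB" "$NOMAIL_TAB" "$OFF_TAB"; do
    for mode in strict relaxed; do
        if notifies "$mode" "$f"; then r=pass; else r=fail; fi
        printf '%-8s %s  <- %s\n' "$mode" "$r" "$(cat "$f")"
    done
done
```

The entry without a mail pipe and the commented-out entry fail in both modes, so relaxing the recipient does not weaken the requirement that a notification is actually sent.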

Comment 2 Jan Černý 2018-02-01 07:27:33 UTC
Switching this to the correct component.

Comment 3 amitkuma 2018-02-01 08:32:16 UTC
Thanks Jan.
I had this in my mind, but forgot to do it in haste.
Great Thanks!!!

Comment 4 Watson Yuuma Sato 2018-02-07 10:50:33 UTC
Patch upstream: https://github.com/OpenSCAP/scap-security-guide/pull/2599

Comment 9 Watson Yuuma Sato 2018-04-30 08:10:20 UTC
PR https://github.com/OpenSCAP/scap-security-guide/pull/2500 is also needed for this bug.

Comment 11 Marek Haicman 2018-09-16 22:36:47 UTC
Verified fix is in version scap-security-guide-0.1.40-5.el7

Tested with SSG Test Suite, on the commit
commit 2dc31c16cc6aa961d1e93e17b0f08ab83a82abfd
With command line arguments: --libvirt qemu:///system ssg-test-suite-rhel7 --xccdf-id scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml --remediate-using ansible rule_aide_scan_notification

DataStream used (md5) : e445217bb8024176edeae9a55137cc48 ./0.1.36-7.rhel7.ds.xml
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-09-17-0015/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_aide_scan_notification
ERROR - Script cron_weekly_configured.pass.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa found issue:
ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'.
ERROR - Script crontab_configured.pass.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa found issue:
ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'.
INFO - Script crontab_just_periodic_checking.fail.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK
ERROR - Scan has exited with return code 2, instead of expected 0 during stage final
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'.
INFO - Script default.fail.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK
ERROR - Scan has exited with return code 2, instead of expected 0 during stage final
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'.
ERROR - Script var_cron_configured.pass.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa found issue:
ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'.

DataStream used (md5) : 1b70337c8805d0107eadbaa89bc11ad5 ./0.1.40-5.rhel7.ds.xml
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-09-17-0021/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_aide_scan_notification
INFO - Script cron_weekly_configured.pass.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK
INFO - Script crontab_configured.pass.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK
INFO - Script crontab_just_periodic_checking.fail.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK
ERROR - Scan has exited with return code 2, instead of expected 0 during stage final
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'.
INFO - Script default.fail.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK
ERROR - Scan has exited with return code 2, instead of expected 0 during stage final
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'.
INFO - Script var_cron_configured.pass.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK

Note: errors might happen - this particular bug is tested by scenario `var_cron_configured.pass.sh` which is passing in new version.

Comment 13 errata-xmlrpc 2018-10-30 11:46:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3308