Bug 1658036

Summary: [pci dss] rule "Configure Periodic Execution of AIDE" fails due to regex issues
Product: Red Hat Enterprise Linux 7
Reporter: Ravindra Patil <ravpatil>
Component: scap-security-guide
Assignee: Vojtech Polasek <vpolasek>
Status: CLOSED ERRATA
QA Contact: Jan Černý <jcerny>
Severity: urgent
Priority: high
Version: 7.6
CC: b.prins, jcerny, lmiksik, mhaicman, mmicene, openscap-maint, rmetrich, wsato
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: scap-security-guide-0.1.46-10.el7
Doc Type: No Doc Update
Story Points: ---
Last Closed: 2020-03-31 19:38:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Ravindra Patil 2018-12-11 05:45:41 UTC
Description of problem:

The rule states that "At a minimum, AIDE should be configured to run a weekly scan." We've implemented a cron job for running the scan on a weekly basis:
[root@P03MQT02 ~]# cat /etc/crontab
#Ansible: AIDE check
0 21 * * 6 root /usr/sbin/aide --check &>/dev/null

The (non-POSIX compatible?) regex for checking this is:
^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$

Since we don't use @weekly, it actually expects a * in the 'day of week' field. We want to randomize the hour that the job is run at, so we set the 'minute', 'hour' and 'day of week' fields.

# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss --rule xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
WARNING: Skipping https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content
Title   Configure Periodic Execution of AIDE
Rule    xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Ident   CCE-26952-2
Result  fail

It expects weekly, daily or hourly in the 5th column of the cron job, which is impossible. It should accept a value in the 'day of week' field and the rule should pass.

If I use '*' in the fifth column, the rule passes, i.e. a daily job runs, but I am unable to schedule a weekly job.

Version-Release number of selected component (if applicable):
openscap-1.2.10-3.el7_3.x86_64

How reproducible:
1. Schedule cron job
# cat /etc/crontab
0 21 * * 6 root /usr/sbin/aide --check &>/dev/null

2. Run the report to check cron job scheduled weekly to execute 'aide --check' command. 

Steps to Reproduce:
1. Install package 
2. Add weekly cron job 
3. Run report 

Actual results:
Rule fails 

Expected results:
The rule should pass, as a weekly cron job is allowed for the AIDE check.

Additional info:
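As an added illustration (not part of the original bug report or of the scap-security-guide project), the Python script below runs the regex quoted in the report against constructed crontab contents mirroring the lines shown above, and shows why the weekly entry with a day-of-week of 6 cannot match: the third literal `\*` in the pattern has to match the day-of-week column. It also includes a more permissive pattern that accepts any value in each of the five cron time fields; that pattern is my own assumption for comparison, not the regex adopted upstream.

```python
import re

# The regex exactly as quoted in the bug report.
ORIGINAL_RE = re.compile(
    r"^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))"
    r"[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$"
)

# Alternative pattern (my assumption, not the upstream fix): accept any value in
# each of the five cron time fields, so a weekly job pinned to a day of week
# still counts, while the user, binary path and --check argument stay strict.
CRON_FIELD = r"[0-9*,/-]+"
PERMISSIVE_RE = re.compile(
    r"^((" + r"\s+".join([CRON_FIELD] * 5) + r")|@(hourly|daily|weekly|monthly))"
    r"\s+root\s+/usr/sbin/aide\s+--check.*$"
)


def aide_check_scheduled(crontab_text, pattern):
    """Return the first non-comment crontab line matching pattern, or None."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if pattern.match(line):
            return line
    return None


# Constructed crontab contents, mirroring the lines shown in the report.
WEEKLY_CRONTAB = """\
#Ansible: AIDE check
0 21 * * 6 root /usr/sbin/aide --check &>/dev/null
"""
DAILY_CRONTAB = "0 21 * * * root /usr/sbin/aide --check &>/dev/null\n"
AT_WEEKLY_CRONTAB = "@weekly root /usr/sbin/aide --check\n"
# Constructed negative case: right schedule, wrong binary path.
WRONG_BINARY_CRONTAB = "0 21 * * 6 root /usr/bin/aide --check\n"

if __name__ == "__main__":
    cases = [
        ("weekly (0 21 * * 6)", WEEKLY_CRONTAB),
        ("daily (0 21 * * *)", DAILY_CRONTAB),
        ("@weekly", AT_WEEKLY_CRONTAB),
        ("wrong binary path", WRONG_BINARY_CRONTAB),
    ]
    for name, text in cases:
        orig = aide_check_scheduled(text, ORIGINAL_RE) is not None
        perm = aide_check_scheduled(text, PERMISSIVE_RE) is not None
        print(f"{name:22} original regex: {orig!s:5}  permissive regex: {perm}")
```

Running the script shows the original regex rejecting the `0 21 * * 6` line while accepting the `* * *` and `@weekly` forms, which is exactly the behaviour the report describes; the permissive pattern accepts the weekly line and still rejects the entry that runs a different binary.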

Comment 2 Watson Yuuma Sato 2018-12-11 12:08:29 UTC
*** Bug 1547610 has been marked as a duplicate of this bug. ***

Comment 3 Watson Yuuma Sato 2019-02-11 09:18:54 UTC
*** Bug 1673954 has been marked as a duplicate of this bug. ***

Comment 5 Vojtech Polasek 2019-11-15 10:47:58 UTC
The fix is merged upstream:
https://github.com/ComplianceAsCode/content/pull/4989

Comment 11 errata-xmlrpc 2020-03-31 19:38:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1019