Bug 1673954

Summary: Rule xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking fails even though crontab entry is a proposed remediation
Product: Red Hat Enterprise Linux 7
Reporter: Renaud Métrich <rmetrich>
Component: scap-security-guide
Assignee: Watson Yuuma Sato <wsato>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 7.6
CC: mhaicman, openscap-maint
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Type: Bug
Last Closed: 2019-02-11 09:18:54 UTC

Description Renaud Métrich 2019-02-08 14:36:22 UTC
Description of problem:

On RHEL7.6 systems, the xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking rule fails when the /etc/crontab file contains the proposed remediation for a "weekly" aide check:

# cat /etc/crontab
05 4 * * 0 root /usr/sbin/aide --check

"To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root /usr/sbin/aide --check"


Version-Release number of selected component (if applicable):

scap-security-guide-0.1.40-12.el7.noarch


How reproducible:

Always


Steps to Reproduce:
1. Create remediation entry in /etc/crontab for a weekly check

# cat /etc/crontab
05 4 * * 0 root /usr/sbin/aide --check

2. Execute the rule

# oscap xccdf eval --fetch-remote-resources --report report.html --results results.xml --profile xccdf_org.ssgproject.content_profile_pci-dss --rule xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml


Actual results:

Result  fail


Expected results:

Result  pass


Additional info:

Looking at the code (shared/checks/oval/aide_periodic_cron_checking.xml), we can see the following pattern being checked for /etc/crontab:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="run aide with cron" id="test_aide_periodic_cron_checking" version="1">
    <ind:object object_ref="object_test_aide_periodic_cron_checking" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object comment="run aide with cron" id="object_test_aide_periodic_cron_checking" version="1">
    <ind:filepath>/etc/crontab</ind:filepath>
    <ind:pattern operation="pattern match">^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$</ind:pattern>
    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
  </ind:textfilecontent54_object>
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Pattern: ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$

The fifth field here must be "*", and a weekday number (0 -> 7) isn't expected at all, which is a bug.

Proposed new pattern: ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|[0-7]|sun|mon|tue|wed|thu|fri|sat))|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$

This allows setting the weekday numerically or using the short name.

Still, this may not be sufficient, because we should also allow ranges and lists of numbers for the 5th field at least.
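
The following script is an added example, not code from the bug report or from scap-security-guide: it replays the OVAL textfilecontent54 check (pass if at least one /etc/crontab line matches) against constructed crontab contents with the original pattern, the reporter's proposed pattern, and a hypothetical extension of my own that also accepts ranges and lists in the day-of-week field.

```python
import re

# Pattern quoted from shared/checks/oval/aide_periodic_cron_checking.xml in the report.
ORIGINAL_PATTERN = (
    r"^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))"
    r"[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$"
)

# Reporter's proposed pattern: fifth field may be "*", a weekday number or a short name.
PROPOSED_PATTERN = (
    r"^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|[0-7]|sun|mon|tue|wed|thu|fri|sat))"
    r"|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$"
)

# Hypothetical extension (my assumption, not from the report or the project): the
# day-of-week field may also be a range (1-5) or a comma-separated list (0,3,sat).
_DOW = r"(?:\*|[0-7](?:-[0-7])?|sun|mon|tue|wed|thu|fri|sat)"
EXTENDED_PATTERN = (
    r"^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*" + _DOW + r"(?:," + _DOW + r")*)"
    r"|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$"
)


def crontab_has_aide_check(crontab_text: str, pattern: str) -> bool:
    """Mimic the OVAL test: pass when at least one crontab line matches the
    pattern (instance >= 1), fail when no line matches."""
    regex = re.compile(pattern)
    return any(regex.match(line) for line in crontab_text.splitlines())


# Constructed sample crontab contents, one entry each (not real system files).
SAMPLES = {
    "weekly_sunday": "05 4 * * 0 root /usr/sbin/aide --check\n",  # entry from the report
    "at_weekly": "@weekly root /usr/sbin/aide --check\n",
    "daily": "05 4 * * * root /usr/sbin/aide --check\n",
    "weekday_range": "05 4 * * 1-5 root /usr/sbin/aide --check\n",
    "weekday_list": "05 4 * * 0,3 root /usr/sbin/aide --check\n",
    "no_aide": "0 3 * * * root /usr/bin/logrotate /etc/logrotate.conf\n",
}


def evaluate(pattern: str) -> dict:
    """Return {sample_name: True (pass) / False (fail)} for every constructed crontab."""
    return {name: crontab_has_aide_check(text, pattern) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for label, pat in (("original", ORIGINAL_PATTERN), ("proposed", PROPOSED_PATTERN),
                       ("extended", EXTENDED_PATTERN)):
        print(label, evaluate(pat))
```

With the original pattern only the "@weekly" and "* * *" entries pass; the proposed pattern additionally accepts the report's Sunday entry but still rejects ranges and lists, which only the extended pattern accepts.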

Comment 2 Watson Yuuma Sato 2019-02-11 09:18:54 UTC
Hello Renaud, thank you for the regex suggestion.

*** This bug has been marked as a duplicate of bug 1658036 ***