Bug 2175684

| Field | Value |
|---|---|
| Summary: | AIDE compliancy |
| Product: | Red Hat Enterprise Linux 8 |
| Reporter: | pierre.lemmers |
| Component: | scap-security-guide |
| Assignee: | Jan Černý <jcerny> |
| Status: | CLOSED ERRATA |
| QA Contact: | Milan Lysonek <mlysonek> |
| Severity: | medium |
| Docs Contact: | Petr Hybl <phybl> |
| Priority: | medium |
| Version: | 8.7 |
| CC: | ggasparb, jcerny, jjaburek, matyc, mhaicman, mjahoda, mlysonek, vpolasek, wsato |
| Target Milestone: | rc |
| Keywords: | AutoVerified, Triaged, ZStream |
| Target Release: | 8.9 |
| Flags: | pm-rhel: mirror+ |
| Hardware: | All |
| OS: | Linux |
| Fixed In Version: | scap-security-guide-0.1.69-1.el8 |
| Doc Type: | Bug Fix |
| Story Points: | --- |
| : | 2228458 2228459 |
| Last Closed: | 2023-11-14 15:36:38 UTC |
| Type: | Bug |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| Category: | --- |
| oVirt Team: | --- |
| Cloudforms Team: | --- |
| Bug Blocks: | 2228458, 2228459 |

Doc Text:

.Removed strict requirements from SSG rules related to AIDE configuration

Previously, the SCAP Security Guide (SSG) rule `aide_build_database` required the existence of both `/var/lib/aide/aide.db.new.gz` and `/var/lib/aide/aide.db.gz` files to pass.

Because the `AIDE` utility does not require the `/var/lib/aide/aide.db.new.gz` file, this update removed the corresponding requirement from the `aide_build_database` rule. As a result, the rule requires only the `/var/lib/aide/aide.db.gz` file to pass.

In addition, the SCAP Security Guide rule `aide_periodic_cron_checking` is now less strict on entries in `/etc/cron.daily` and `/etc/cron.weekly` files. You can now schedule the `aide --check` command with additional wrappers while staying compliant with the rule.

Description
pierre.lemmers
2023-03-06 10:20:32 UTC

Hello Pierre Lemmers,

Can you provide the following info for us to help on this better?

1. Insights Compliance policy name
2. Rule identifier, Rule name for the rules that you think are failing incorrectly

If you are not comfortable providing info here, please open a support case with Red Hat (https://access.redhat.com/support). Looking forward to hearing from you.

Hello,

1. The policy name: CIS Red Hat Enterprise Linux 8 Benchmark
2. A. Build and Test AIDE Database
   B. Configure Periodic Execution of AIDE

Kind Regards,
Pierre

This seems to be an issue with the compliance content shipped via the scap-security-guide package. Moving to the right product. (For now RHEL8, might clone to RHEL7 too if the need arises.)

Hello! We think that this bug probably isn't a direct problem in console.redhat.com but instead it might be a bug in the scap-security-guide package. The scap-security-guide package provides the security compliance policies, including the CIS Red Hat Enterprise Linux 8 Benchmark and its rules. I'm a developer working on this package and I would like to help with your problem.

In order to investigate the problem, we will need some additional information from you. We would like you to connect to the machine to run the compliance scans manually, retrieve the results and attach them to this BZ.

Run the following commands on the target machine:

```sh
# Scan only the aide_build_database rule of the CIS profile, keeping a verbose log and an ARF result file
sudo oscap xccdf eval --verbose INFO --verbose-log-file aide_build_database_verbose.txt \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --rule xccdf_org.ssgproject.content_rule_aide_build_database \
  --results-arf aide_build_database_arf.xml \
  /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

# Same for the aide_periodic_cron_checking rule
sudo oscap xccdf eval --verbose INFO --verbose-log-file aide_periodic_cron_checking_verbose.txt \
  --profile xccdf_org.ssgproject.content_profile_cis \
  --rule xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking \
  --results-arf aide_periodic_cron_checking_arf.xml \
  /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
```

(If /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml isn't available, it can be added by installing the scap-security-guide package.)

Then, collect and attach the generated ARF result files and verbose outputs:

- aide_build_database_arf.xml
- aide_build_database_verbose.txt
- aide_periodic_cron_checking_arf.xml
- aide_periodic_cron_checking_verbose.txt

Since the 2 offending rules are touching the AIDE and cron configuration, we will also need the contents of these files:

- /etc/crontab
- /etc/aide.conf

Then, I will try to review your files and find the cause.

You said that the compliance report says that you do not have AIDE installed, configured and the database renewed. But you mentioned that you have all these things in place. On what basis do you think that you have all these things in place? And in what path is your cron job located?

In general, I think that there might be a discrepancy between the way the security policy expects AIDE to be configured and the way it's actually configured. Even if the configuration has the desired effect, this difference might be reported as a fail.

Thank you very much for your cooperation.

Created attachment 1951416 [details]
Requested files

Created attachment 1951417 [details]
Aide config file

Created attachment 1951418 [details]
Aide build database

Created attachment 1951431 [details]
Aide cron checking

Created attachment 1951432 [details]
aide periodic verbose

Created attachment 1951434 [details]
aide build database

I want to note that we use /etc/cron.daily for the cronjob execution.

Hello, thank you for all the attachments. Could you please also send the contents of /etc/cron.daily?

Thank you,
Vojtech Polasek

Hello, this is the content of the cron.daily:

```sh
#!/bin/sh
# Compare the filesystem against the current database, at low CPU and I/O priority
nice ionice /usr/sbin/aide --check
# Build a fresh database; aide writes it to /var/lib/aide/aide.db.new.gz
nice ionice /usr/sbin/aide --init
# Promote the fresh database by moving (not copying) it over the current one
/bin/mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
```

Kind regards,
Pierre Lemmers

Analysis:

The rule "aide_build_database" fails because it expects that both files /var/lib/aide/aide.db.new.gz and /var/lib/aide/aide.db.gz exist at the same time. The rule description says that /var/lib/aide/aide.db.gz should be created by copying /var/lib/aide/aide.db.new.gz. However, the customer creates the file by moving instead of copying. According to the aide man page, moving the file is a valid approach. I was informed that the existence of /var/lib/aide/aide.db.new.gz isn't needed for AIDE to work. It would be useful only for AIDE database comparison, but the comparison feature isn't requested by the security compliance profile. Therefore, the rule needs to be adjusted to remove the check for existence of /var/lib/aide/aide.db.new.gz from the OVAL.

The rule "aide_periodic_cron_checking" fails because the regex `^\s*\/usr\/sbin\/aide[\s]*\-\-check.*$` used in this rule doesn't match the entries in the customer's /etc/cron.daily. I believe this regular expression isn't flexible enough; it can't match valid scenarios, for example the customer is running aide with a niceness. Therefore, we should change the regular expression in our OVAL to also match these kinds of crontab entries.

Hello Pierre, to help us prioritize the fix, it would be great to also have a support request through the customer portal. It looks like we don't need more information; it's more for our internal tracking. Can you create one? Thanks!
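The analysis above explains both failures in terms of the rule's checks: the strict regex cannot match an `aide --check` line that is prefixed with `nice ionice`, and the database check insisted on `aide.db.new.gz` surviving next to `aide.db.gz`. The following Python script is an added example (not code from this bug report or from the scap-security-guide project) that reproduces both checks against constructed sample input. The strict pattern is the one quoted in the analysis; the relaxed pattern and the `build_database_rule_passes` model are assumptions written for this example and do not claim to be the exact expressions adopted upstream.

```python
import re

# Regular expression quoted in the analysis above: the original
# aide_periodic_cron_checking OVAL pattern, anchored at the start of the line.
STRICT_RE = re.compile(r"^\s*\/usr\/sbin\/aide[\s]*\-\-check.*$")

# Relaxed pattern written for this example (an assumption, not the exact
# expression adopted upstream): any number of wrapper words may precede the
# aide binary (nice, ionice, "nice -n 19", or crontab time fields and user),
# but a line that is commented out with "#" is not accepted.
RELAXED_RE = re.compile(r"^\s*(?!#)(?:\S+\s+)*/usr/sbin/aide\s+--check\b.*$")

# Constructed sample: the /etc/cron.daily script shape from the report above.
SAMPLE_CRON_DAILY = """#!/bin/sh
nice ionice /usr/sbin/aide --check
nice ionice /usr/sbin/aide --init
/bin/mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
"""

# Constructed sample: an /etc/crontab with one live and one commented-out entry.
SAMPLE_CRONTAB = """# constructed /etc/crontab fragment
0 5 * * * root /usr/sbin/aide --check
# 0 6 * * * root /usr/sbin/aide --check
"""

# Constructed database states: after the customer's "mv" only aide.db.gz
# remains; after a "cp" both files exist.
AFTER_MV = {"/var/lib/aide/aide.db.gz"}
AFTER_CP = {"/var/lib/aide/aide.db.gz", "/var/lib/aide/aide.db.new.gz"}


def find_aide_check_lines(text, pattern):
    """Return the lines of a cron file that the given pattern accepts."""
    return [line for line in text.splitlines() if pattern.match(line)]


def cron_rule_passes(text, pattern=RELAXED_RE):
    """aide_periodic_cron_checking passes when at least one line schedules aide --check."""
    return bool(find_aide_check_lines(text, pattern))


def build_database_rule_passes(existing_files, require_new_db=False):
    """Model of the aide_build_database file-existence check (assumed, simplified).

    require_new_db=True reproduces the old behaviour described in the analysis
    (aide.db.gz and aide.db.new.gz must both exist); False reproduces the
    relaxed behaviour where only aide.db.gz is required.
    """
    required = {"/var/lib/aide/aide.db.gz"}
    if require_new_db:
        required.add("/var/lib/aide/aide.db.new.gz")
    return required <= set(existing_files)


if __name__ == "__main__":
    for name, pat in (("strict", STRICT_RE), ("relaxed", RELAXED_RE)):
        print(name, "cron.daily:", find_aide_check_lines(SAMPLE_CRON_DAILY, pat))
        print(name, "crontab:   ", find_aide_check_lines(SAMPLE_CRONTAB, pat))
    print("old build_database check after mv:", build_database_rule_passes(AFTER_MV, True))
    print("new build_database check after mv:", build_database_rule_passes(AFTER_MV))
```

Running the script shows the strict pattern accepting nothing from either sample, while the relaxed pattern accepts exactly the live `aide --check` lines and still rejects the commented-out crontab entry and the `aide --init` line; the database model fails the customer's post-`mv` state only under the old two-file requirement.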
A fix has been merged in upstream by https://github.com/ComplianceAsCode/content/pull/10403

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7056