Bug 1540505
| Summary: | Rule xccdf_org.ssgproject.content_rule_aide_scan_notification fails when email ID other than root@. is given | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | amitkuma | |
| Component: | scap-security-guide | Assignee: | Watson Yuuma Sato <wsato> | |
| Status: | CLOSED ERRATA | QA Contact: | Marek Haicman <mhaicman> | |
| Severity: | urgent | Docs Contact: | ||
| Priority: | high | |||
| Version: | 7.4 | CC: | mhaicman, mthacker, openscap-maint | |
| Target Milestone: | rc | Keywords: | ZStream | |
| Target Release: | --- | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | scap-security-guide-0.1.39-1.el7 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1571315 (view as bug list) | Environment: | ||
| Last Closed: | 2018-10-30 11:46:47 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1571315 | |||
Switching this to the correct component. Thanks Jan. I had this in my mind. But forgot to do in haste. Great Thanks!!! Patch upstream: https://github.com/OpenSCAP/scap-security-guide/pull/2599 PR https://github.com/OpenSCAP/scap-security-guide/pull/2500 is also needed for this bug. Verified fix is in version scap-security-guide-0.1.40-5.el7 Tested with SSG Test Suite, on the commit commit 2dc31c16cc6aa961d1e93e17b0f08ab83a82abfd With command line arguments: --libvirt qemu:///system ssg-test-suite-rhel7 --xccdf-id scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml --remediate-using ansible rule_aide_scan_notification DataStream used (md5) : e445217bb8024176edeae9a55137cc48 ./0.1.36-7.rhel7.ds.xml Setting console output to log level INFO INFO - The base image option has not been specified, choosing libvirt-based test environment. INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-09-17-0015/test_suite.log INFO - xccdf_org.ssgproject.content_rule_aide_scan_notification ERROR - Script cron_weekly_configured.pass.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa found issue: ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'. ERROR - Script crontab_configured.pass.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa found issue: ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'. INFO - Script crontab_just_periodic_checking.fail.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK ERROR - Scan has exited with return code 2, instead of expected 0 during stage final ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'. INFO - Script default.fail.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK ERROR - Scan has exited with return code 2, instead of expected 0 during stage final ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'. ERROR - Script var_cron_configured.pass.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa found issue: ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'. DataStream used (md5) : 1b70337c8805d0107eadbaa89bc11ad5 ./0.1.40-5.rhel7.ds.xml Setting console output to log level INFO INFO - The base image option has not been specified, choosing libvirt-based test environment. INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-09-17-0021/test_suite.log INFO - xccdf_org.ssgproject.content_rule_aide_scan_notification INFO - Script cron_weekly_configured.pass.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK INFO - Script crontab_configured.pass.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK INFO - Script crontab_just_periodic_checking.fail.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK ERROR - Scan has exited with return code 2, instead of expected 0 during stage final ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'. INFO - Script default.fail.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK ERROR - Scan has exited with return code 2, instead of expected 0 during stage final ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'. INFO - Script var_cron_configured.pass.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK Note: errors might happen - this particular bug is tested by scenario `var_cron_configured.pass.sh` which is passing in new version. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3308 |
Description of problem: # yum install aide -y # vim /etc/crontab //As directed in 'scan-xccdf-report.html' 05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost //Passes Test 05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" abc.xyz.df.gh //Fails test # oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report report.html --results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml Title Configure Notification of Post-AIDE Scan Details Rule xccdf_org.ssgproject.content_rule_aide_scan_notification Ident CCE-80374-2 Result fail # /////////Fix For Same///////////// Option-1: /etc/crontab 05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root.df.gh Option-2: # vim /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml Replace: if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*\|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then With if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*\|.*\/bin\/mail\s*-s\s*".*"\s**@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then //////Further Questions///////// 1. Why Email ID of root is expected? Why cannot a normal user Email ID is used? Since a normal user can also run openscap test. 2. Why Email ID format root@something fixed? Version-Release number of selected component (if applicable): openscap-1.2.14-2.el7.x86_64.rpm How reproducible: Always Steps to Reproduce: 1. Mentioned in case description 2. 3. Actual results: Aide can only send mail to root account. Expected results: Aide should be able to send email to any user-mail. Additional info: