Bug 1540505 - Rule xccdf_org.ssgproject.content_rule_aide_scan_notification fails when email ID other than root@. is given
Summary: Rule xccdf_org.ssgproject.content_rule_aide_scan_notification fails when emai...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.4
Hardware: x86_64
OS: Linux
high
urgent
Target Milestone: rc
: ---
Assignee: Watson Yuuma Sato
QA Contact: Marek Haicman
URL:
Whiteboard:
Depends On:
Blocks: 1571315
TreeView+ depends on / blocked
 
Reported: 2018-01-31 09:12 UTC by amitkuma
Modified: 2021-09-09 13:07 UTC (History)
3 users (show)

Fixed In Version: scap-security-guide-0.1.39-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1571315 (view as bug list)
Environment:
Last Closed: 2018-10-30 11:46:47 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3308 0 None None None 2018-10-30 11:47:23 UTC

Description amitkuma 2018-01-31 09:12:52 UTC
Description of problem:

# yum install aide -y
# vim /etc/crontab        //As directed in 'scan-xccdf-report.html'
    05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost        //Passes Test
    05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" abc.xyz.df.gh       //Fails test
# oscap    xccdf eval    --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa  --report report.html --results scan-xccdf-results.xml    /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
        Title Configure Notification of Post-AIDE Scan Details
        Rule xccdf_org.ssgproject.content_rule_aide_scan_notification
        Ident CCE-80374-2
        Result fail
    # 


/////////Fix For Same/////////////
Option-1:
/etc/crontab
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root.df.gh

Option-2:
# vim /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Replace:
if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*\|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then
With
if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*\|.*\/bin\/mail\s*-s\s*".*"\s**@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then


//////Further Questions/////////
1. Why Email ID of root is expected? Why cannot a normal user Email ID is used? Since a normal user can also run openscap test.
2. Why Email ID format root@something fixed?

Version-Release number of selected component (if applicable):
openscap-1.2.14-2.el7.x86_64.rpm

How reproducible:
Always

Steps to Reproduce:
1. Mentioned in case description
2.
3.

Actual results:
Aide can only send mail to root account.

Expected results:
Aide should be able to send email to any user-mail.

Additional info:

Comment 2 Jan Černý 2018-02-01 07:27:33 UTC
Switching this to the correct component.

Comment 3 amitkuma 2018-02-01 08:32:16 UTC
Thanks Jan.
I had this in my mind. But forgot to do in haste.
Great Thanks!!!

Comment 4 Watson Yuuma Sato 2018-02-07 10:50:33 UTC
Patch upstream: https://github.com/OpenSCAP/scap-security-guide/pull/2599

Comment 9 Watson Yuuma Sato 2018-04-30 08:10:20 UTC
PR https://github.com/OpenSCAP/scap-security-guide/pull/2500 is also needed for this bug.

Comment 11 Marek Haicman 2018-09-16 22:36:47 UTC
Verified fix is in version scap-security-guide-0.1.40-5.el7

Tested with SSG Test Suite, on the commit
commit 2dc31c16cc6aa961d1e93e17b0f08ab83a82abfd
With command line arguments: --libvirt qemu:///system ssg-test-suite-rhel7 --xccdf-id scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml --remediate-using ansible rule_aide_scan_notification

DataStream used (md5) : e445217bb8024176edeae9a55137cc48 ./0.1.36-7.rhel7.ds.xml
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-09-17-0015/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_aide_scan_notification
ERROR - Script cron_weekly_configured.pass.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa found issue:
ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'.
ERROR - Script crontab_configured.pass.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa found issue:
ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'.
INFO - Script crontab_just_periodic_checking.fail.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK
ERROR - Scan has exited with return code 2, instead of expected 0 during stage final
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'.
INFO - Script default.fail.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK
ERROR - Scan has exited with return code 2, instead of expected 0 during stage final
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'.
ERROR - Script var_cron_configured.pass.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa found issue:
ERROR - Scan has exited with return code 2, instead of expected 0 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'.

DataStream used (md5) : 1b70337c8805d0107eadbaa89bc11ad5 ./0.1.40-5.rhel7.ds.xml
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-09-17-0021/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_aide_scan_notification
INFO - Script cron_weekly_configured.pass.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK
INFO - Script crontab_configured.pass.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK
INFO - Script crontab_just_periodic_checking.fail.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK
ERROR - Scan has exited with return code 2, instead of expected 0 during stage final
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'.
INFO - Script default.fail.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK
ERROR - Scan has exited with return code 2, instead of expected 0 during stage final
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'.
INFO - Script var_cron_configured.pass.sh using profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa OK

Note: errors might happen - this particular bug is tested by scenario `var_cron_configured.pass.sh` which is passing in new version.

Comment 13 errata-xmlrpc 2018-10-30 11:46:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3308


Note You need to log in before you can comment on or make changes to this bug.