Bug 2175684 - AIDE compliancy
Summary: AIDE compliancy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.7
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.9
Assignee: Jan Černý
QA Contact: Milan Lysonek
Docs Contact: Petr Hybl
URL:
Whiteboard:
Depends On:
Blocks: 2228458 2228459
Reported: 2023-03-06 10:20 UTC by pierre.lemmers
Modified: 2023-11-14 17:10 UTC (History)

Fixed In Version: scap-security-guide-0.1.69-1.el8
Doc Type: Bug Fix
Doc Text:
Removed strict requirements from SSG rules related to AIDE configuration

Previously, the SCAP Security Guide (SSG) rule `aide_build_database` required the existence of both `/var/lib/aide/aide.db.new.gz` and `/var/lib/aide/aide.db.gz` files to pass. Because the `AIDE` utility does not require the `/var/lib/aide/aide.db.new.gz` file, this update removed the corresponding requirement from the `aide_build_database` rule. As a result, the rule requires only the `/var/lib/aide/aide.db.gz` file to pass. In addition, the SCAP Security Guide rule `aide_periodic_cron_checking` is now less strict on entries in `/etc/cron.daily` and `/etc/cron.weekly` files. You can now schedule the `aide --check` command with additional wrappers while staying compliant with the rule.
Clone Of:
Clones: 2228458 2228459
Environment:
Last Closed: 2023-11-14 15:36:38 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
Requested files (451 bytes, application/x-shellscript) - 2023-03-17 09:32 UTC, pierre.lemmers
Aide config file (4.63 KB, text/plain) - 2023-03-17 09:32 UTC, pierre.lemmers
Aide build database (1.11 MB, application/x-7z-compressed) - 2023-03-17 09:36 UTC, pierre.lemmers
Aide cron checking (1.11 MB, application/x-7z-compressed) - 2023-03-17 09:46 UTC, pierre.lemmers
aide periodic verbose (27.61 KB, text/plain) - 2023-03-17 09:52 UTC, pierre.lemmers
aide build database (28.27 KB, text/plain) - 2023-03-17 09:54 UTC, pierre.lemmers


Links
Red Hat Issue Tracker RHELPLAN-152044 (last updated 2023-03-16 10:16:56 UTC)
Red Hat Issue Tracker RHICOMPL-3676 (last updated 2023-03-06 10:21:00 UTC)
Red Hat Product Errata RHBA-2023:7056 (last updated 2023-11-14 15:37:31 UTC)

Description pierre.lemmers 2023-03-06 10:20:32 UTC
Description of problem:
The compliancy report of Red Hat Insights will note that we do not have AIDE installed, configured and the database renewed. We all have these things in place though. I noticed that we have the Cron job for the database refresh in another path than is stated in the report. 

Version-Release number of selected component (if applicable):
Scap-security-guide 1.6.3 and 1.6.6
RHEL 7 and 8

How reproducible:
To check the compliance reports in Red Hat Insights

Steps to Reproduce:
1.
2.
3.

Actual results:
We are not compliant in regards to AIDE according to the compliancy report. 

Expected results:
Compliancy in regards to AIDE installation and configuration.

Additional info:

Comment 1 sthirugn@redhat.com 2023-03-13 21:21:59 UTC
Hello Pierre Lemmers,
Can you provide the following info for us to help on this better?  

1. Insights Compliancy policy name
2. Rule identifier, Rule name for the rules that you think are failing incorrectly

If you are not comfortable providing info here, please open a support case with Red Hat (https://access.redhat.com/support)

Looking forward to hearing from you.

Comment 2 pierre.lemmers 2023-03-14 13:19:38 UTC
Hello,

1. The policy name: CIS Red Hat Enterprise Linux 8 Benchmark
2. A. Build and Test AIDE Database
   B. Configure Periodic Execution of AIDE

Kind Regards,

Pierre

Comment 3 Marek Haicman 2023-03-16 10:16:04 UTC
This seems to be an issue with the compliance content shipped via scap-security-guide package. Moving to the right product. (For now RHEL8, might clone to RHEL7 too if need arise)

Comment 5 Jan Černý 2023-03-16 15:54:43 UTC
Hello!

We think that this bug probably isn't a direct problem in the console.redhat.com but instead it might be a bug in the scap-security-guide package. The scap-security-guide package provides the security compliance policies, including the CIS Red Hat Enterprise Linux 8 Benchmark and its rules. I'm a developer working on this package and I would like to help with your problem.

In order to investigate the problem, we will need some additional information from you. We would like you to connect to the machine to run the compliance scans manually and retrieve results and attach them to this BZ.

Run the following commands on the target machine:

sudo oscap xccdf eval --verbose INFO --verbose-log-file aide_build_database_verbose.txt --profile xccdf_org.ssgproject.content_profile_cis --rule xccdf_org.ssgproject.content_rule_aide_build_database --results-arf aide_build_database_arf.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

sudo oscap xccdf eval --verbose INFO --verbose-log-file aide_periodic_cron_checking_verbose.txt --profile xccdf_org.ssgproject.content_profile_cis --rule xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking --results-arf aide_periodic_cron_checking_arf.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

(If /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml isn't available, it can be added by installing the scap-security-guide package.)

Then, collect and attach the generated ARF result files and verbose outputs:
aide_build_database_arf.xml
aide_build_database_verbose.txt
aide_periodic_cron_checking_arf.xml
aide_periodic_cron_checking_verbose.txt

Since the 2 offending rules are touching the AIDE and cron configuration, we will also need the contents of these files:
/etc/crontab
/etc/aide.conf

Then, I will try to review your files and find the cause.

You said that the compliance report says that you do not have AIDE installed, configured and the database renewed. But, you mentioned that we all have these things in place though. Based on what you think that you have all these things in place? And in what path is your cron job located?

In general, I think that there might be a discrepancy between the way the security policy expects AIDE to be configured and the way it's actually configured. Even if the configuration has the desired effect, this difference might be reported as a fail.

Thank you very much for your cooperation.

Comment 6 pierre.lemmers 2023-03-17 09:32:16 UTC
Created attachment 1951416 [details]
Requested files

Comment 7 pierre.lemmers 2023-03-17 09:32:44 UTC
Created attachment 1951417 [details]
Aide config file

Comment 8 pierre.lemmers 2023-03-17 09:36:57 UTC
Created attachment 1951418 [details]
Aide build database

Comment 9 pierre.lemmers 2023-03-17 09:46:53 UTC
Created attachment 1951431 [details]
Aide cron checking

Comment 10 pierre.lemmers 2023-03-17 09:52:33 UTC
Created attachment 1951432 [details]
aide periodic verbose

Comment 11 pierre.lemmers 2023-03-17 09:54:00 UTC
Created attachment 1951434 [details]
aide build database

Comment 12 pierre.lemmers 2023-03-17 09:54:28 UTC
I want to note that we use /etc/cron.daily for the cronjob execution.

Comment 13 Vojtech Polasek 2023-03-20 08:10:19 UTC
Hello,
thank you for all the attachments. Could you please also send contents of /etc/cron.daily?
Thank you,
Vojtech Polasek

Comment 14 pierre.lemmers 2023-03-28 08:16:59 UTC
Hello,

this is the content of the cron.daily

#!/bin/sh
# Verify the filesystem against the current AIDE database
nice ionice /usr/sbin/aide --check
# Build a fresh database (AIDE writes it to aide.db.new.gz)
nice ionice /usr/sbin/aide --init
# Replace the current database with the freshly built one
/bin/mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Kind regards,

Pierre Lemmers

Comment 15 Jan Černý 2023-03-28 15:59:03 UTC
Analysis:

The rule "aide_build_database" fails because it expects that both files /var/lib/aide/aide.db.new.gz and /var/lib/aide/aide.db.gz exist at the same time. The rule description says that /var/lib/aide/aide.db.gz should be created by copying /var/lib/aide/aide.db.new.gz. However, the customer creates the file by moving instead of copying. According to aide man page, moving the file is a valid approach. I was informed that the existence of /var/lib/aide/aide.db.new.gz isn't needed for AIDE to work. It would be useful only for AIDE database comparison, but the comparison feature isn't requested by the security compliance profile. Therefore, the rule needs to be adjusted to remove the check for existence of /var/lib/aide/aide.db.new.gz from the OVAL.

The rule "aide_periodic_cron_checking" fails because the regex "^\s*\/usr\/sbin\/aide[\s]*\-\-check.*$" used in this rule doesn't match the entries in the customer's /etc/cron.daily. I believe this regular expression isn't flexible enough, it can't match valid scenarios, for example the customer is running aide with a niceness. Therefore, we should change the regular expression in our OVAL to match also these kinds of crontab entries.
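An added example, not taken from the bug or from the scap-security-guide project, that shows why both rules failed on the reporter's setup: it runs the regex quoted in the analysis against the cron.daily lines posted in comment 14 and checks which database files a strict and a relaxed rule would require. The relaxed regex and the relaxed file set are my own assumptions for illustration, not the pattern adopted by the upstream fix.

```python
import re

# Regex quoted in the analysis above (original aide_periodic_cron_checking OVAL).
STRICT_CRON_RE = re.compile(r"^\s*\/usr\/sbin\/aide[\s]*\-\-check.*$")

# Relaxed pattern: an assumption for illustration, not the upstream fix.
# It allows wrapper commands (nice, ionice, ...) before the aide binary,
# requires "--check" as a whole word, and rejects commented-out lines.
RELAXED_CRON_RE = re.compile(r"^\s*(?:[^#\s]\S*\s+)*/usr/sbin/aide\s+--check\b.*$")

# Files the original aide_build_database rule required, and the single file
# that is actually needed once aide.db.new.gz has been moved into place.
STRICT_DB_FILES = {"/var/lib/aide/aide.db.new.gz", "/var/lib/aide/aide.db.gz"}
RELAXED_DB_FILES = {"/var/lib/aide/aide.db.gz"}


def cron_line_matches(line, pattern):
    """True if one cron script line satisfies the given pattern."""
    return pattern.match(line) is not None


def database_present(existing_files, required):
    """True if every required database file is in the directory listing."""
    return required <= set(existing_files)


def evaluate(cron_lines, existing_files):
    """Evaluate both rules, strict and relaxed, over the given inputs."""
    return {
        "strict_cron": any(cron_line_matches(line, STRICT_CRON_RE) for line in cron_lines),
        "relaxed_cron": any(cron_line_matches(line, RELAXED_CRON_RE) for line in cron_lines),
        "strict_db": database_present(existing_files, STRICT_DB_FILES),
        "relaxed_db": database_present(existing_files, RELAXED_DB_FILES),
    }


# Constructed inputs: the reporter's /etc/cron.daily script as posted in
# comment 14, and the /var/lib/aide listing left behind by its final "mv".
SAMPLE_CRON_LINES = [
    "#!/bin/sh",
    "nice ionice /usr/sbin/aide --check",
    "nice ionice /usr/sbin/aide --init",
    "/bin/mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz",
]
SAMPLE_AIDE_DIR = ["/var/lib/aide/aide.db.gz"]

if __name__ == "__main__":
    for name, result in evaluate(SAMPLE_CRON_LINES, SAMPLE_AIDE_DIR).items():
        print(f"{name}: {'pass' if result else 'fail'}")
```

Running it shows both strict checks failing and both relaxed checks passing on the reporter's configuration.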

Comment 16 Marek Haicman 2023-03-31 11:03:43 UTC
Hello Pierre, to help us prioritize the fix, it would be great to also have a support request through the customer portal. It looks like we don't need more information, it's more for our internal tracking. Can you create one? Thanks!

Comment 17 Jan Černý 2023-04-17 06:13:20 UTC
A fix has been merged in upstream by https://github.com/ComplianceAsCode/content/pull/10403

Comment 37 errata-xmlrpc 2023-11-14 15:36:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7056

