Bug 2175684 - AIDE compliancy
Summary: AIDE compliancy
Keywords:
Status: MODIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.7
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: 8.9
Assignee: Jan Černý
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 2228458 2228459
Reported: 2023-03-06 10:20 UTC by pierre.lemmers
Modified: 2023-08-14 11:23 UTC (History)

Fixed In Version: scap-security-guide-0.1.69-1.el8
Doc Type: Bug Fix
Doc Text:
Fixed rules related to AIDE configuration. Rule `aide_build_database` no longer requires the existence of the `/var/lib/aide/aide.db.new.gz` file, which contains the freshly generated AIDE database. The reason is that this database isn't needed for AIDE to work; only the installed database at `/var/lib/aide/aide.db.gz` is needed by AIDE. Users can install the freshly generated database by moving the file from `/var/lib/aide/aide.db.new.gz` to `/var/lib/aide/aide.db.gz`. Previously, the rule required the existence of both `/var/lib/aide/aide.db.new.gz` and `/var/lib/aide/aide.db.gz` in order to pass. Now, it requires only the existence of `/var/lib/aide/aide.db.gz` in order to pass. Rule `aide_periodic_cron_checking` has been changed to be less strict on entries in `/etc/cron.daily` and `/etc/cron.weekly`. That allows administrators to schedule the `aide --check` command with additional wrappers while staying compliant with the rule.
Clone Of:
: 2228458 2228459 (view as bug list)
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Requested files (451 bytes, application/x-shellscript)
2023-03-17 09:32 UTC, pierre.lemmers
no flags Details
Aide config file (4.63 KB, text/plain)
2023-03-17 09:32 UTC, pierre.lemmers
no flags Details
Aide build database (1.11 MB, application/x-7z-compressed)
2023-03-17 09:36 UTC, pierre.lemmers
no flags Details
Aide cron checking (1.11 MB, application/x-7z-compressed)
2023-03-17 09:46 UTC, pierre.lemmers
no flags Details
aide periodic verbose (27.61 KB, text/plain)
2023-03-17 09:52 UTC, pierre.lemmers
no flags Details
aide build database (28.27 KB, text/plain)
2023-03-17 09:54 UTC, pierre.lemmers
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-152044 0 None None None 2023-03-16 10:16:56 UTC
Red Hat Issue Tracker RHICOMPL-3676 0 None None None 2023-03-06 10:21:00 UTC

Description pierre.lemmers 2023-03-06 10:20:32 UTC
Description of problem:
The compliancy report of Red Hat Insights will note that we do not have AIDE installed, configured and the database renewed. We all have these things in place though. I noticed that we have the Cron job for the database refresh in another path than is stated in the report. 

Version-Release number of selected component (if applicable):
Scap-security-guide 1.6.3 and 1.6.6
RHEL 7 and 8

How reproducible:
To check the compliance reports in Red Hat Insights

Steps to Reproduce:
1.
2.
3.

Actual results:
We are not compliant in regards to AIDE according to the compliancy report. 

Expected results:
Compliancy in regards to AIDE installation and configuration.

Additional info:

Comment 1 sthirugn@redhat.com 2023-03-13 21:21:59 UTC
Hello Pierre Lemmers,
Can you provide the following info for us to help on this better?  

1. Insights Compliancy policy name
2. Rule identifier, Rule name for the rules that you think are failing incorrectly

If you are not comfortable providing info here, please open a support case with Red Hat (https://access.redhat.com/support)

Looking forward to hearing from you.

Comment 2 pierre.lemmers 2023-03-14 13:19:38 UTC
Hello,

1. The policy name: CIS Red Hat Enterprise Linux 8 Benchmark
2. A. Build and Test AIDE Database
   B. Configure Periodic Execution of AIDE

Kind Regards,

Pierre

Comment 3 Marek Haicman 2023-03-16 10:16:04 UTC
This seems to be an issue with the compliance content shipped via scap-security-guide package. Moving to the right product. (For now RHEL8, might clone to RHEL7 too if need arise)

Comment 5 Jan Černý 2023-03-16 15:54:43 UTC
Hello!

We think that this bug probably isn't a direct problem in console.redhat.com but instead it might be a bug in the scap-security-guide package. The scap-security-guide package provides the security compliance policies, including the CIS Red Hat Enterprise Linux 8 Benchmark and its rules. I'm a developer working on this package and I would like to help with your problem.

In order to investigate the problem, we will need some additional information from you. We would like you to connect to the machine to run the compliance scans manually and retrieve results and attach them to this BZ.

Run the following commands on the target machine:

sudo oscap xccdf eval --verbose INFO --verbose-log-file aide_build_database_verbose.txt --profile xccdf_org.ssgproject.content_profile_cis --rule xccdf_org.ssgproject.content_rule_aide_build_database --results-arf aide_build_database_arf.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

sudo oscap xccdf eval --verbose INFO --verbose-log-file aide_periodic_cron_checking_verbose.txt --profile xccdf_org.ssgproject.content_profile_cis --rule xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking --results-arf aide_periodic_cron_checking_arf.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

(If /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml isn't available, it can be added by installing the scap-security-guide package.)

Then, collect and attach the generated ARF result files and verbose outputs:
aide_build_database_arf.xml
aide_build_database_verbose.txt
aide_periodic_cron_checking_arf.xml
aide_periodic_cron_checking_verbose.txt

Since the 2 offending rules are touching the AIDE and cron configuration, we will also need the contents of these files:
/etc/crontab
/etc/aide.conf

Then, I will try to review your files and find the cause.

You said that the compliance report says that you do not have AIDE installed, configured and the database renewed. But you mentioned that you all have these things in place. On what basis do you think that you have all these things in place? And in what path is your cron job located?

In general, I think that there might be a discrepancy between the way the security policy expects AIDE to be configured and the way it's actually configured. Even if the configuration has the desired effect, this difference might be reported as a fail.

Thank you very much for your cooperation.

Comment 6 pierre.lemmers 2023-03-17 09:32:16 UTC
Created attachment 1951416 [details]
Requested files

Comment 7 pierre.lemmers 2023-03-17 09:32:44 UTC
Created attachment 1951417 [details]
Aide config file

Comment 8 pierre.lemmers 2023-03-17 09:36:57 UTC
Created attachment 1951418 [details]
Aide build database

Comment 9 pierre.lemmers 2023-03-17 09:46:53 UTC
Created attachment 1951431 [details]
Aide cron checking

Comment 10 pierre.lemmers 2023-03-17 09:52:33 UTC
Created attachment 1951432 [details]
aide periodic verbose

Comment 11 pierre.lemmers 2023-03-17 09:54:00 UTC
Created attachment 1951434 [details]
aide build database

Comment 12 pierre.lemmers 2023-03-17 09:54:28 UTC
I want to note that we use /etc/cron.daily for the cronjob execution.

Comment 13 Vojtech Polasek 2023-03-20 08:10:19 UTC
Hello,
thank you for all the attachments. Could you please also send contents of /etc/cron.daily?
Thank you,
Vojtech Polasek

Comment 14 pierre.lemmers 2023-03-28 08:16:59 UTC
Hello,

this is the content of the cron.daily

#!/bin/sh
# Compare the filesystem against the installed database (/var/lib/aide/aide.db.gz)
nice ionice /usr/sbin/aide --check
# Build a fresh database at /var/lib/aide/aide.db.new.gz
nice ionice /usr/sbin/aide --init
# Install the fresh database by moving (not copying) it into place
/bin/mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Kind regards,

Pierre Lemmers

Comment 15 Jan Černý 2023-03-28 15:59:03 UTC
Analysis:

The rule "aide_build_database" fails because it expects that both files /var/lib/aide/aide.db.new.gz and /var/lib/aide/aide.db.gz exist at the same time. The rule description says that /var/lib/aide/aide.db.gz should be created by copying /var/lib/aide/aide.db.new.gz. However, the customer creates the file by moving instead of copying. According to aide man page, moving the file is a valid approach. I was informed that the existence of /var/lib/aide/aide.db.new.gz isn't needed for AIDE to work. It would be useful only for AIDE database comparison, but the comparison feature isn't requested by the security compliance profile. Therefore, the rule needs to be adjusted to remove the check for existence of /var/lib/aide/aide.db.new.gz from the OVAL.

The rule "aide_periodic_cron_checking" fails because the regex "^\s*\/usr\/sbin\/aide[\s]*\-\-check.*$" used in this rule doesn't match the entries in the customer's /etc/cron.daily. I believe this regular expression isn't flexible enough; it can't match valid scenarios, for example when the customer runs aide with a niceness. Therefore, we should change the regular expression in our OVAL to match also these kinds of crontab entries.
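
The following Python script is an added example (not code from scap-security-guide or from anyone in this bug) that reproduces the two findings from the analysis above and the Doc Text: it runs the quoted strict regex over the customer's cron.daily script from comment 14 and shows why it never matches, and it simulates the aide.db.new.gz -> aide.db.gz move to show why a rule requiring both files fails while a rule requiring only the installed database passes. The relaxed regex RELAXED_AIDE_CHECK_RE and the helper names are assumptions for illustration; they are not the pattern merged upstream.

```python
import os
import re
import tempfile

# Regex quoted in comment 15 as the one the shipped OVAL used.
STRICT_AIDE_CHECK_RE = re.compile(r"^\s*\/usr\/sbin\/aide[\s]*\-\-check.*$")

# Assumed relaxed pattern (illustration only, not the upstream fix): tolerate
# wrapper words such as "nice ionice" before the aide path, but ignore
# commented-out lines so a disabled check is not reported as compliant.
RELAXED_AIDE_CHECK_RE = re.compile(
    r"^\s*(?!#)(?:\S+\s+)*\/usr\/sbin\/aide\s+--check\b.*$"
)

# Constructed copy of the customer's /etc/cron.daily script from comment 14.
CRON_DAILY_SCRIPT = """#!/bin/sh
nice ionice /usr/sbin/aide --check
nice ionice /usr/sbin/aide --init
/bin/mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
"""


def matching_lines(script_text, pattern):
    """Return the lines of a cron script that the given rule regex accepts."""
    return [line for line in script_text.splitlines() if pattern.match(line)]


def cron_script_schedules_aide_check(script_text, pattern):
    """Model of aide_periodic_cron_checking: pass if any line matches."""
    return bool(matching_lines(script_text, pattern))


def aide_database_rule_passes(aide_dir, require_new_db):
    """Model of aide_build_database.

    require_new_db=True is the old behaviour (both aide.db.gz and
    aide.db.new.gz must exist); False is the fixed behaviour described in
    the Doc Text (only the installed aide.db.gz is required).
    """
    installed = os.path.isfile(os.path.join(aide_dir, "aide.db.gz"))
    fresh = os.path.isfile(os.path.join(aide_dir, "aide.db.new.gz"))
    return installed and (fresh or not require_new_db)


def database_rule_after_move():
    """Simulate the customer's 'mv aide.db.new.gz aide.db.gz' step in a
    temporary directory and evaluate the rule under both semantics.
    Returns (old_rule_result, new_rule_result)."""
    with tempfile.TemporaryDirectory() as aide_dir:
        new_db = os.path.join(aide_dir, "aide.db.new.gz")
        with open(new_db, "wb") as fh:
            fh.write(b"constructed placeholder, not a real AIDE database")
        # Same effect as '/bin/mv -f': the new file disappears, the installed one appears.
        os.replace(new_db, os.path.join(aide_dir, "aide.db.gz"))
        return (
            aide_database_rule_passes(aide_dir, require_new_db=True),
            aide_database_rule_passes(aide_dir, require_new_db=False),
        )


if __name__ == "__main__":
    print("strict regex matches:", matching_lines(CRON_DAILY_SCRIPT, STRICT_AIDE_CHECK_RE))
    print("relaxed regex matches:", matching_lines(CRON_DAILY_SCRIPT, RELAXED_AIDE_CHECK_RE))
    old_ok, new_ok = database_rule_after_move()
    print("aide_build_database after mv: old rule", old_ok, "/ new rule", new_ok)
```

Running it shows the strict regex matching nothing in the customer's script (every aide line starts with `nice ionice`), the relaxed regex matching only the `--check` line, and the database rule flipping from fail to pass once the check for aide.db.new.gz is dropped.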

Comment 16 Marek Haicman 2023-03-31 11:03:43 UTC
Hello Pierre, to help us prioritize the fix, it would be great to also have a support request through the customer portal. It looks like we don't need more information; it's more for our internal tracking. Can you create one? Thanks!

Comment 17 Jan Černý 2023-04-17 06:13:20 UTC
A fix has been merged in upstream by https://github.com/ComplianceAsCode/content/pull/10403

