rpms/scap-security-guide
7
0
Fork 0
Code Issues Pull Requests Releases Activity
01490d5abd
scap-security-guide/SOURCES/scap-security-guide-0.1.58-RHEL_08_010360-PR_7209.patch
CentOS Sources 01490d5abd import scap-security-guide-0.1.57-3.el8
2021-09-10 04:19:00 +00:00

119 lines
5.4 KiB
Diff
Raw Blame History

From 386f9787ceac9b0fc732bcd5fd5f7174254922b3 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Thu, 15 Jul 2021 14:33:44 -0500
Subject: [PATCH] Update 'Configure Notification of Post-AIDE Scan Details'
Added
- Ansible fix for this rule
- Configurable email for sending notification email for AIDE alerts
---
.../aide_scan_notification/ansible/shared.yml | 28 +++++++++++++++++++
.../aide_scan_notification/bash/shared.sh | 18 ++++++++----
.../aide/aide_scan_notification/rule.yml | 2 ++
.../var_aide_scan_notification_email.var | 16 +++++++++++
4 files changed, 58 insertions(+), 6 deletions(-)
create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/integrity/software-integrity/var_aide_scan_notification_email.var
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml
new file mode 100644
index 00000000000..5c11fc1719e
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml
@@ -0,0 +1,28 @@
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_wrlinux,multi_platform_ol,multi_platform_sle
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{% if product in ["sle12", "sle15"] %}}
+ {{% set aide_path = "/usr/bin/aide" %}}
+{{% else %}}
+ {{% set aide_path = "/usr/sbin/aide" %}}
+{{% endif %}}
+
+- (xccdf-var var_aide_scan_notification_email)
+
+- name: "Ensure AIDE is installed"
+ package:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - aide
+
+- name: "{{{ rule_title }}}"
+ cron:
+ name: "run AIDE check"
+ minute: 05
+ hour: 04
+ weekday: 0
+ user: root
+ job: '{{{aide_path}}} --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" {{ var_aide_scan_notification_email }}'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh
index 2f129e568b2..3cb8b72a0bd 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh
@@ -1,6 +1,16 @@
# platform = multi_platform_all
+. /usr/share/scap-security-guide/remediation_functions
+
{{{ bash_package_install("aide") }}}
+{{{ bash_instantiate_variables("var_aide_scan_notification_email") }}}
+{{% if product in ["sle12", "sle15"] %}}
+ {{% set aide_path = "/usr/bin/aide" %}}
+{{% else %}}
+ {{% set aide_path = "/usr/sbin/aide" %}}
+{{% endif %}}
+
+
CRONTAB=/etc/crontab
CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
@@ -14,11 +24,7 @@ if [ -f /var/spool/cron/root ]; then
VARSPOOL=/var/spool/cron/root
fi
-if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
-{{% if product in ["sle12", "sle15"] %}}
- echo '0 5 * * * root /usr/bin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB
-{{% else %}}
- echo '0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB
-{{% endif %}}
+if ! grep -qR '^.*{{{aide_path}}}\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
+ echo "0 5 * * * root {{{ aide_path }}} --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB
fi
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
index 51dae72ee6d..cb35c5c642d 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
@@ -57,3 +57,5 @@ ocil: |-
<pre>$ grep aide /etc/crontab</pre>
The output should return something similar to the following:
<pre>05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost</pre>
+ The email address that the notifications are sent to can be changed by overriding
+ <pre><sub idref="var_aide_scan_notification_email" /></pre>.
diff --git a/linux_os/guide/system/software/integrity/software-integrity/var_aide_scan_notification_email.var b/linux_os/guide/system/software/integrity/software-integrity/var_aide_scan_notification_email.var
new file mode 100644
index 00000000000..75b9f5d2650
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/var_aide_scan_notification_email.var
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: Integrity Scan Notification Email Address
+
+description: |-
+ Specify the email address for designated personnel if baseline
+ configurations are changed in an unauthorized manner.
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+ default: root@localhost
Reference in New Issue View Git Blame Copy Permalink