SLE15 prefer systemd unit handling of AIDE checks and notifications#11178
This datastream diff is auto generated by the check.
OCIL for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification' differs.
--- ocil:ssg-aide_scan_notification_ocil:questionnaire:1
+++ ocil:ssg-aide_scan_notification_ocil:questionnaire:1
@@ -1,4 +1,5 @@
To determine that periodic AIDE execution has been scheduled, run the following command:
+
$ grep aide /etc/crontab
The output should return something similar to the following:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
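Review bot: the command in this questionnaire only inspects /etc/crontab, so an assessor following it will report AIDE as unscheduled on a host where the job lives in one of the CRONDIRS the bash remediation on this page enumerates (/etc/cron.d, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly) or, given this PR's preference for systemd units, in a systemd timer. Add those locations to the OCIL text, for example a second grep over the cron directories and a `systemctl list-timers` step, so the manual check agrees with what the OVAL and the remediation accept. The blank line added before `$ grep aide /etc/crontab` is purely cosmetic and fine.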
bash remediation for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification' differs.
--- xccdf_org.ssgproject.content_rule_aide_scan_notification
+++ xccdf_org.ssgproject.content_rule_aide_scan_notification
@@ -5,6 +5,7 @@
yum install -y "aide"
fi
var_aide_scan_notification_email=''
+
CRONTAB=/etc/crontab |
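Review bot: whitespace-only hunk; the blank line inserted after `var_aide_scan_notification_email=''` changes no behaviour. If the goal is readability at the point where the script moves from variable setup to `CRONTAB=/etc/crontab`, a one-line comment saying what an empty `var_aide_scan_notification_email` means for the notification would serve readers of the generated remediation better than blank space.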
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>

<ind:textfilecontent54_test check="all" check_existence="all_exist"

This new part isn't described in rule.yml at all. You should extend the rule description and other artifacts.
Got you, will do 🙇
test_ref="test_aide_var_cron_notification" />
<criterion comment="notify personnel when aide completes in cron.(d|daily|weekly|monthly)"
test_ref="test_aide_crontabs_notification" />
<criteria operator="AND">

Should this new criteria be guarded as SLE-only? The new code in Bash and Ansible remediations is marked as SLE-only.
Well, I prefer it to be SLE-only for now and other maintainers can adopt it if considered viable; therefore the bash and ansible remediations are platform dependent.
Thanks for the reply. But, if you think that this part should be SLE-only for now, would it be better to put it inside a Jinja if product in ... block?
…ions Drop some extra whitespaces. Thanks to @jan-cerny for the feedback on this 🙇
Force-pushed from 6229a3f to 8fd0786.
/packit build
CRONTAB=/etc/crontab
CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'

@teacup-on-rockingchair I think this shouldn't be removed; these variables are used below (lines 37-38). I think this might be the reason why this rule fails the CI.
Thanks to @jan-cerny for the note 🙇
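The thread above is about which locations the rule has to inspect: the CRONTAB and CRONDIRS paths from the bash remediation, plus the systemd units this PR prefers. The POSIX shell function below is an added example, not code from the ComplianceAsCode project or from this PR, that reports where an AIDE check is scheduled and whether its output is mailed, looking in exactly those places. The function name aide_schedule_status, the optional root-prefix argument, and the unit name aide-check.timer in the comments are assumptions made for the example.

```shell
# Added example (not the project's OVAL, OCIL or remediation code): report
# where an AIDE integrity check is scheduled and whether its result is mailed.
# It inspects the same locations the bash remediation on this page uses
# (CRONTAB=/etc/crontab and CRONDIRS=/etc/cron.d /etc/cron.daily
# /etc/cron.weekly /etc/cron.monthly) and, since this PR prefers systemd
# units, timer/service pairs in the systemd unit directories.
# Assumed interface: an optional first argument is a root prefix (a mounted
# image or a constructed test tree, no spaces in the path) prepended to every
# path, so the check also works offline.
#
# Usage: aide_schedule_status               # live host
#        aide_schedule_status /mnt/sysroot  # offline tree

# Matches a line that runs "aide" outside a comment (no '#' may precede it).
AIDE_RE='^[^#]*[[:space:]/]aide([[:space:]]|$)'

aide_schedule_status() {
    root="${1:-}"
    crontab="$root/etc/crontab"
    crondirs="$root/etc/cron.d $root/etc/cron.daily $root/etc/cron.weekly $root/etc/cron.monthly"
    unitdirs="$root/etc/systemd/system $root/usr/lib/systemd/system"
    where=""
    notify=no

    # /etc/crontab: the OCIL on this page expects the entry to pipe into mail.
    if [ -f "$crontab" ]; then
        lines=$(grep -E "$AIDE_RE" "$crontab" || true)
        if [ -n "$lines" ]; then
            where="$where crontab"
            printf '%s\n' "$lines" | grep -qi 'mail' && notify=yes
        fi
    fi

    # Cron drop-in directories: any regular file that runs aide outside a comment.
    # A MAILTO= line or a mail pipe in the file counts as a notification.
    for d in $crondirs; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            if grep -Eq "$AIDE_RE" "$f"; then
                where="$where ${d##*/}"
                grep -qi 'mail' "$f" && notify=yes
            fi
        done
    done

    # systemd: a .timer counts only if its companion .service runs aide.
    # Notification is taken from an OnFailure= handler or a mail step in the unit.
    for d in $unitdirs; do
        [ -d "$d" ] || continue
        for t in "$d"/*.timer; do
            [ -f "$t" ] || continue
            svc="${t%.timer}.service"
            [ -f "$svc" ] || continue
            if grep -Eq '^ExecStart=.*aide' "$svc"; then
                where="$where systemd:${t##*/}"
                grep -Eqi '^(OnFailure=|ExecStart(Post)?=.*mail)' "$svc" && notify=yes
            fi
        done
    done

    if [ -z "$where" ]; then
        echo "AIDE check is not scheduled in crontab, cron directories or systemd timers"
        return 1
    fi
    echo "AIDE check scheduled via:$where; notification: $notify"
    return 0
}
```

On a live host the presence of a timer unit file does not prove it is active; pair the systemd branch with `systemctl is-enabled aide-check.timer` (unit name assumed) or `systemctl list-timers`. The function deliberately does not call systemctl so that it can be run against an offline root, which is also what makes the constructed test trees possible.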
Code Climate has analyzed commit 10173f5 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.5%.
jan-cerny left a comment:
The CI failure of Automatus on SLE15 is fixed by #11212 and isn't related to this PR.
Notice the Automatus CS9 job passes because the rule is evaluated as notapplicable in a container environment. I have run the test scenarios locally with a RHEL 9 virtual machine as a backend. Both Ansible and Bash are passing:
jcerny@fedora ~/work/git/scap-security-guide (pr/11178) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 aide_periodic_cron_checking
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-11-02-1432/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
INFO - Script aide_not_installed.fail.sh using profile (all) OK
INFO - Script cron_daily.pass.sh using profile (all) OK
INFO - Script cron_daily_complex.pass.sh using profile (all) OK
INFO - Script crontab_daily.pass.sh using profile (all) OK
INFO - Script crontab_daily_shortcut.pass.sh using profile (all) OK
INFO - Script crontab_monthly.fail.sh using profile (all) OK
INFO - Script crontab_two_days_week.pass.sh using profile (all) OK
INFO - Script crontab_weekly_on_exact_day.pass.sh using profile (all) OK
INFO - Script crontab_weekly_shortcut.pass.sh using profile (all) OK
INFO - Script crontab_weekly_word.pass.sh using profile (all) OK
INFO - Script crontab_yearly.fail.sh using profile (all) OK
INFO - Script not_in_cron.fail.sh using profile (all) OK
jcerny@fedora ~/work/git/scap-security-guide (pr/11178) $ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible aide_periodic_cron_checking
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-11-02-1437/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
INFO - Script aide_not_installed.fail.sh using profile (all) OK
INFO - Script cron_daily.pass.sh using profile (all) OK
INFO - Script cron_daily_complex.pass.sh using profile (all) OK
INFO - Script crontab_daily.pass.sh using profile (all) OK
INFO - Script crontab_daily_shortcut.pass.sh using profile (all) OK
INFO - Script crontab_monthly.fail.sh using profile (all) OK
INFO - Script crontab_two_days_week.pass.sh using profile (all) OK
INFO - Script crontab_weekly_on_exact_day.pass.sh using profile (all) OK
INFO - Script crontab_weekly_shortcut.pass.sh using profile (all) OK
INFO - Script crontab_weekly_word.pass.sh using profile (all) OK
INFO - Script crontab_yearly.fail.sh using profile (all) OK
INFO - Script not_in_cron.fail.sh using profile (all) OK