ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

CIS 1.3.1 Ensure AIDE is installed #11929

Open marcofortina opened 4 months ago

marcofortina commented 4 months ago

Description of problem:

Check for rule xccdf_org.ssgproject.content_rule_aide_build_database fails on Ubuntu 22.04.

SCAP Security Guide Version:

master branch

Operating System Version:

Ubuntu 22.04 LTS

Steps to Reproduce:

  1. Install AIDE: apt install aide aide-common
  2. Initialize AIDE: aideinit && mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
  3. Run SCAP: oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server --rule xccdf_org.ssgproject.content_rule_aide_build_database ssg-ubuntu2204-ds.xml

Actual Results:

Title   Build and Test AIDE Database
Rule    xccdf_org.ssgproject.content_rule_aide_build_database
Result  fail

Expected Results:

Title   Build and Test AIDE Database
Rule    xccdf_org.ssgproject.content_rule_aide_build_database
Result  pass

Additional Information/Debugging Steps:

On Ubuntu 22.04 the database definition keyword in the /etc/aide/aide.conf file was changed from database=file:/var/lib/aide/aide.db to database_in=file:/var/lib/aide/aide.db.

Adding database=file:/var/lib/aide/aide.db in /etc/aide/aide.conf as a workaround gives this warning:

WARNING: /etc/aide/aide.conf:194: Using 'database' is DEPRECATED. Update your config and use 'database_in' instead (line: 'database=file:/var/lib/aide/aide.db')

dodys commented 4 months ago

The database message is just a warning, and we are not yet planning to move to database_in now, as this is not backwards compatible and the warning doesn't prevent AIDE from working.

Regarding the fail, have you tried to use the bash remediation?

marcofortina commented 4 months ago

The database message is just a warning, and we are not yet planning to move to database_in now, as this is not backwards compatible and the warning doesn't prevent AIDE from working.

Regarding the fail, have you tried to use the bash remediation?

Yes, of course I successfully used the bash remediation. My issue is only to track a wrong check for database= on Ubuntu 22.04 instead of the new database_in=, which shows a false error where the workaround was not applied.

Is it not possible to use <% if "ubuntu2204" in product %> for this rule as a fix?

dodys commented 4 months ago

Not really a priority for us now, since database is still supported on 22.04; adding the checks would be required in bash, ansible, oval and rule.yml.

And a reminder that you would still need to keep compatibility with database, as people might not have migrated to the new item.
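As an added example (not ComplianceAsCode's own check or remediation), a shell check that accepts either the legacy database= keyword or the newer database_in= keyword, which is the compatibility point raised above. The config file paths and contents are constructed for illustration, and literal file: paths are assumed (AIDE's @@{...} macros are not expanded).

```shell
#!/usr/bin/env bash
# Added example, not ComplianceAsCode content: locate the AIDE input database
# honouring both 'database=' (legacy) and 'database_in=' (Ubuntu 22.04/Debian).
# Assumes literal 'file:' paths; @@{DBDIR}-style macros are not expanded.

# Print the configured database input path. Returns 1 if neither keyword is set.
aide_db_path() {
  local conf="$1" line key val
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line#"${line%%[![:space:]]*}"}"          # strip leading whitespace
    case "$line" in ''|'#'*) continue ;; esac        # skip blanks and comments
    key="${line%%=*}"; val="${line#*=}"
    key="${key%"${key##*[![:space:]]}"}"            # trim spaces after the key
    val="${val#"${val%%[![:space:]]*}"}"            # trim spaces before the value
    case "$key" in
      database|database_in) printf '%s\n' "${val#file:}"; return 0 ;;
    esac
  done < "$conf"
  return 1
}

# Rule-style evaluation: pass only when a database is configured with either
# keyword and the file it points to exists on disk.
aide_db_check() {
  local conf="$1" db
  db="$(aide_db_path "$conf")" || { echo "fail: no database/database_in in $conf"; return 1; }
  [ -f "$db" ] || { echo "fail: $db does not exist"; return 1; }
  echo "pass: $db"
}
```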

dodys commented 1 month ago

Debian also suffers the same as expected.