
Rule "Configure AIDE to Verify the Audit Tools" fails on Ubuntu 22.04 #11895

Closed
marcofortina opened this issue Apr 26, 2024 · 6 comments · Fixed by #11897
Labels: Debian (Debian product related), Ubuntu (Ubuntu product related)

Comments

marcofortina (Contributor) commented Apr 26, 2024

Description of problem:

This rule is looking for /usr/sbin/audispd in the file /etc/aide/aide.conf on Ubuntu 22.04, but this program does not exist anymore.

SCAP Security Guide Version:

master branch

Operating System Version:

Ubuntu 22.04 LTS

Steps to Reproduce:

  1. On the target Ubuntu 22.04 LTS VM, configure /etc/aide/aide.conf to have:

     /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
     /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
     /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
     /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
     /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
     /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512

  2. ./build_product ubuntu2204
  3. Copy the datastream to the Ubuntu 22.04 LTS VM: scp build/ssg-ubuntu2204-ds.xml root@ubuntu2204:
  4. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server --rule xccdf_org.ssgproject.content_rule_aide_check_audit_tools ssg-ubuntu2204-ds.xml

Actual Results:

Title   Configure AIDE to Verify the Audit Tools
Rule    xccdf_org.ssgproject.content_rule_aide_check_audit_tools
Result  fail

Expected Results:

Result pass

Additional Information/Debugging Steps:

In the CIS guide CIS_Ubuntu_Linux_22.04_LTS_Benchmark_v1.0.0.pdf, the process audispd is never mentioned and this process was also removed from the auditd package.

File product_properties/10-aide-audit.yml contains:

default:
  aide_also_checks_rsyslog: "yes"
  aide_also_checks_audispd: "no"

overrides:
{{% if "rhel-like" not in families %}}
  aide_also_checks_rsyslog: "no"
  aide_also_checks_audispd: "yes"
{{% endif %}}

The aide_also_checks_audispd setting is wrong for Debian > 10 or Ubuntu > 20.04, where this executable does not exist anymore, so extra checks should be included in this file:

diff --git a/product_properties/10-aide-audit.yml b/product_properties/10-aide-audit.yml
index 6f2f601664..c185363c58 100644
--- a/product_properties/10-aide-audit.yml
+++ b/product_properties/10-aide-audit.yml
@@ -7,3 +7,19 @@ overrides:
   aide_also_checks_rsyslog: "no"
   aide_also_checks_audispd: "yes"
 {{% endif %}}
+
+{{% if "debian-like" in families %}}
+  {{% if "debian" in families %}}
+    {{% if major_version_ordinal <= 10 %}}
+  aide_also_checks_audispd: "yes"
+    {{% else %}}
+  aide_also_checks_audispd: "no"
+    {{% endif %}}
+  {{% elif "ubuntu" in families %}}
+    {{% if major_version_ordinal <= 2004 %}}
+  aide_also_checks_audispd: "yes"
+    {{% else %}}
+  aide_also_checks_audispd: "no"
+    {{% endif %}}
+  {{% endif %}}
+{{% endif %}}
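Review bot: the new block emits `aide_also_checks_audispd` under `overrides:` a second time for Debian and Ubuntu, because the unchanged `{{% if "rhel-like" not in families %}}` block at the top of the hunk has already set it to "yes" for every non-rhel-like family; the rendered YAML then carries the same key twice in one mapping, which lenient parsers resolve silently to the last value and strict parsers reject. The two "yes" branches in the new block are also redundant with that earlier line. Consider folding the `major_version_ordinal` test into the existing block so each family sets `aide_also_checks_audispd` exactly once, choosing between "yes" and "no" there.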

I will create a PR for this.
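As an added illustration (not code from ComplianceAsCode or from this issue), the following Python checker does what the rule is meant to do on a system like the one reported: it parses the plain `path attrs` rule lines of an aide.conf, verifies that each audit tool carries the CIS attribute set `p+i+n+u+g+s+b+acl+xattrs+sha512`, and demands a rule for /usr/sbin/audispd only when that binary actually exists on the host. The embedded `SAMPLE_CONF` is a constructed excerpt modelled on the Ubuntu 22.04 aide.conf posted in this thread, and `check_system` is a hypothetical entry point, not a scanner API.

```python
"""Verify aide.conf covers the audit tools with the attribute set the rule expects."""
import os
import re

AUDIT_TOOLS = [
    "/usr/sbin/auditctl", "/usr/sbin/aureport", "/usr/sbin/ausearch",
    "/usr/sbin/autrace", "/usr/sbin/auditd", "/usr/sbin/augenrules",
]
REQUIRED_ATTRS = {"p", "i", "n", "u", "g", "s", "b", "acl", "xattrs", "sha512"}

# A plain AIDE rule line: path regex, whitespace, '+'-joined attribute expression.
RULE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<attrs>\S+)$")

# Constructed excerpt modelled on the Ubuntu 22.04 aide.conf in this issue (no audispd).
SAMPLE_CONF = """\
database=file:/var/lib/aide/aide.db
Checksums = sha256+sha512
@@x_include /etc/aide/aide.conf.d ^[a-zA-Z0-9_-]+$
# Audit tools
/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
"""

def parse_rules(conf_text):
    """Return {path: set(attrs)}; comments, @@ macros and key=value settings are skipped."""
    rules = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@@")) or "=" in line:
            continue
        m = RULE_RE.match(line)
        if m:
            rules[m.group("path")] = set(m.group("attrs").split("+"))
    return rules

def audit_tool_findings(conf_text, audispd_present):
    """List every audit tool that lacks a rule or lacks one of REQUIRED_ATTRS."""
    tools = AUDIT_TOOLS + (["/usr/sbin/audispd"] if audispd_present else [])
    rules = parse_rules(conf_text)
    findings = []
    for tool in tools:
        attrs = rules.get(tool)
        if attrs is None:
            findings.append(f"{tool}: no AIDE rule")
        elif not REQUIRED_ATTRS <= attrs:
            findings.append(f"{tool}: missing {sorted(REQUIRED_ATTRS - attrs)}")
    return findings

def check_system(conf_path="/etc/aide/aide.conf"):
    """Hypothetical host check: audispd is only required if the binary is installed."""
    with open(conf_path, encoding="utf-8") as fh:
        return audit_tool_findings(fh.read(), os.path.exists("/usr/sbin/audispd"))
```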

marcofortina added a commit to marcofortina/scap-security-guide that referenced this issue Apr 26, 2024
dodys (Contributor) commented Apr 26, 2024

@marcofortina there are a lot of inconsistencies in your bug report:

  1. The steps you mentioned to reproduce mentioned aide_build_database while the rule that is failing is aide_check_audit_tools. Two different rules.
  2. You didn't mention any hardening of your system.

marcofortina (Contributor, Author) replied:

> @marcofortina there are a lot of inconsistencies in your bug report:
>
>   1. The steps you mentioned to reproduce mentioned aide_build_database while the rule that is failing is aide_check_audit_tools. Two different rules.
>   2. You didn't mention any hardening of your system.

Sorry... wrong cut & paste :( Reproduce steps updated with the correct rule.

@dodys dodys added Debian Debian product related. Ubuntu Ubuntu product related. labels Apr 26, 2024
@dodys dodys self-assigned this Apr 26, 2024
dodys (Contributor) commented Apr 26, 2024

> > @marcofortina there are a lot of inconsistencies in your bug report:
> >
> >   1. The steps you mentioned to reproduce mentioned aide_build_database while the rule that is failing is aide_check_audit_tools. Two different rules.
> >   2. You didn't mention any hardening of your system.
>
> Sorry... wrong cut & paste :( Reproduce steps updated with the correct rule.

Could you also post your aide.conf?

marcofortina (Contributor, Author) replied:

root@ubuntu:~# cat /etc/aide/aide.conf
# AIDE conf

# set environment for executable config files included by x_include
@@x_include_setenv UPAC_settingsd /etc/aide/aide.settings.d

# The daily cron job depends on these paths
database=file:/var/lib/aide/aide.db
database_in=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
database_new=file:/var/lib/aide/aide.db.new
gzip_dbout=yes

# Set to no to disable report_summarize_changes option.
report_summarize_changes=yes

# Set to no to disable grouping of files in report.
report_grouped=yes

# Set verbosity of aide run and reports
log_level=warning
report_level=changed_attributes

# Ignore e2fs attributes that cannot be set manually
report_ignore_e2fsattrs=EhI

# Set to yes to print the checksums in the report in hex format
report_base16 = no

# if you want to sacrifice security for speed, remove some of these
# checksums.
Checksums = sha256+sha512+rmd160+haval+gost+crc32+tiger+whirlpool

# The checksums of the databases to be printed in the report
# Set to 'E' to disable.
database_attrs = Checksums

# check permissions, owner, group and file type
OwnerMode = p+u+g+ftype

# Check size and block count
Size = s+b

# Files that stay static
InodeData = OwnerMode+n+i+Size+l+X
StaticFile = m+c+Checksums

# Files that stay static but are copied to a ram disk on startup
# (causing different inode)
RamdiskData = InodeData-i

# Check everything
Full = InodeData+StaticFile

# Files that change their mtimes or ctimes but not their contents
VarTime = InodeData+Checksums

# Files that are recreated regularly but do not change their contents
VarInode = VarTime-i

# Files that change their contents during system operation
VarFile = OwnerMode+n+l+X

# Directories that change their contents during system operation
VarDir = OwnerMode+n+i+X

# Directories that are recreated regularly and change their contents
VarDirInode = OwnerMode+n+X

# Directories that change their mtimes or ctimes but not their contents
VarDirTime = InodeData

# Logs are special: they are continously written to, may be compressed
# have their file name changed in different, mutually incompatibly ways
# and apprear and vanish at will. Handling this is a a complex and error-
# prone issue.
#
# This is best broken down in a number of small tasks:
#
#
# (A)
# While a live log is being written to, it doesn't change its mode and
# inode and its size only increases.
#
# (B)
# When a live log is rotated for the first time, it should not change
# its mode, may change its inode, and its size decreases. The size
# decrease may not be noticed by aide if the file had size x at the last
# aide run, was rotated in the mean time and was written to so that it
# had a size > x at the next aide run.
#
# (C)
# When a log is compressed, this looks to aide like the uncompressed
# file vanished (or was replaced by another file) and the compressed
# file appeared out of the blue. There is (currently) no way to
# associate the (gone) uncompressed file's contents with the (new)
# compressed file's contents
#
# (D)
# The actual log rotation may rename foo.{x}.bar to foo.{x+1}.bar without
# changing the other properties of the file
#
# (E)
# If only a given number of log generations is to be kept, foo.{y}.bar may
# vanish, but usually only when no foo.{z}.bar exists for z>y.
#
# (F)
# The set of files foo.{x}.bar to foo.{y}.bar is called a "log series"
# in aide terms, with the lowest x being called the "LoSerMember" element
# and the highest y being called the "HiSerMember" element, and the z
# with x<z<y simple called "SerMember". The Lo and Hi members need to
# be special cased in aide configuration.
#
#
# This is an example of the normal life of a log named foo in a logrotate
# configuration using a configuration at it is commonly used in Debian
# (from old to new):
#     1 logrotate deletes HiSerMember foo.{y}.gz
#     2 logrotate rotates SerMember foo.{z-1}.gz to foo.{z}.gz for all
#       z with 3<z<=y. This includes rotation of foo.{y-1}.gz to
#       foo.{y}.gz and foo.2.gz to foo.3.gz
#     3 logrotate compresses foo.1 to foo.2.gz, creating LoSerMember foo.2.gz
#     4 logrotate rotates foo to foo.1 (a simple rename)
#     5 logrotate creates new, empty foo
#     6 foo daemon logs to foo - foo grows in size
#
# we need the following rules:
# /var/log/foo$ f Log
# /var/log/foo$ f FreqRotLog
#    this takes care of the growing live log (step 7). The "Log" rule
#    is appropriate for logs that are not rotated daily as rotation
#    might be reported (if the file size has decreased since the last
#    aide run). For daily rotated logs, the "FreqRotLog" may be more
#    appropriate.
# /var/log/foo\.1$ f LowLog
#    this takes care of step 5.
# /var/log/foo\.2\.gz$ f LoSerMemberLog
#    this allows yet unknown new files to appear with a \.2\.gz extension,
#    covering step 3.
# /var/log/foo\.[3..y-1]\.gz$ f SerMemberLog
#    this watches the log files as they wander through the Series,
#    changing only their file name but not their contents or metadata,
#    covering step 2.
#    Please note that [3..y-1] needs to be a manually crafted regexp covering
#    all numbers between 3 and y-1.
# /var/log/foo\.y\.gz$ f HiSerMemberLog
#    finally, the last element of the Series is allowed to vanish without
#    being reported, covering step 1.
#
# Please note that these example rules need to be adapted to the logrotate
# configuration for the log. Compression may be disabled or lead to a different
# extension, the dateext option may be used, old logs might be held in a
# different place, a log series does not necessarily need to be compressed etc.
#
# Please note that savelog rotates the live log to .0 and not to .1 as it
# is logrotates (changeable) default.


# Logs grow in size. Log rotation of these logs will be reported, so
# this should only be used for logs that are not rotated daily.
Log = OwnerMode+n+S+X

# Logs that are frequently rotated
FreqRotLog = Log-S

# The first instance of a rotated log: After the log has stopped being
# written to, but before rotation
LowLog = Log-S

# Rotated logs change their file name but retain all their other properties
SerMemberLog  = Full+I

# The first instance of a compressed, rotated log: After a LowLog was
# compressed.
LoSerMemberLog = SerMemberLog+ANF

# The last instance of a compressed, rotated log: After this name, a log
# will be removed
HiSerMemberLog = SerMemberLog+ARF

# Not-yet-compressed log created by logrotate's dateext option:
# These files appear one rotation (renamed from the live log) and are gone
# the next rotation (being compressed)
LowDELog = SerMemberLog+ANF+ARF

# Compressed log created by logrotate's dateext option: These files appear
# once and are not touched any more.
SerMemberDELog = Full+ANF

# For daemons that log to a variable file name and have the live log
# hardlinked to a static file name
LinkedLog = Log-n

@@x_include_setenv PATH /bin:/usr/bin
@@x_include /etc/aide/aide.conf.d ^[a-zA-Z0-9_-]+$
# Audit tools
/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512

marcofortina (Contributor, Author) replied:

The root cause is the check of /usr/sbin/audispd in the aide.conf file, but this executable was removed in auditd package (merged with auditd):

linux-audit/audit-userspace@9c74da5
linux-audit/audit-userspace@ca7e553
linux-audit/audit-userspace@000a054
linux-audit/audit-userspace@1271b20
linux-audit/audit-userspace@a1192d0
linux-audit/audit-userspace@bf5f3cf

and may be much more commits on linux-audit package.

The CIS Ubuntu Linux 22.04 LTS Benchmark also does not mention the audispd package to be added in the /etc/aide/aide.conf file (please check 6.1.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools - Page 709).

dodys (Contributor) commented Apr 26, 2024

> The root cause is the check of /usr/sbin/audispd in the aide.conf file, but this executable was removed in auditd package (merged with auditd):
>
> linux-audit/audit-userspace@9c74da5 linux-audit/audit-userspace@ca7e553 linux-audit/audit-userspace@000a054 linux-audit/audit-userspace@1271b20 linux-audit/audit-userspace@a1192d0 linux-audit/audit-userspace@bf5f3cf
>
> and may be much more commits on linux-audit package.
>
> The CIS Ubuntu Linux 22.04 LTS Benchmark also does not mention the audispd package to be added in the /etc/aide/aide.conf file (please check 6.1.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools - Page 709).

It is understood, just trying to get your report done correctly.

marcofortina added a commit to marcofortina/scap-security-guide that referenced this issue Apr 26, 2024
dodys added a commit that referenced this issue Apr 26, 2024