From 0691afd8d1edaf0d8cbfe1f2d438e4188d401055 Mon Sep 17 00:00:00 2001 From: Dexter Le Date: Tue, 20 Jun 2023 18:42:41 +0000 Subject: [PATCH 1/5] add aide_disable_silentreports rule for UBTU-20-010437 This commit will add in rule for UBTU-20-010437 which ensures to update aide configurations along with tests to be utilized. Additionally, a rule is created utilizing the lineinfile template. --- components/aide.yml | 1 + .../aide/aide_disable_silentreports/rule.yml | 49 +++++++++++++++++++ .../tests/correct.pass.sh | 5 ++ .../tests/not_config.fail.sh | 5 ++ products/ubuntu2004/product.yml | 1 + products/ubuntu2004/profiles/stig.profile | 1 + tests/data/product_stability/ubuntu2004.yml | 1 + 7 files changed, 63 insertions(+) create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/rule.yml create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/correct.pass.sh create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/not_config.fail.sh diff --git a/components/aide.yml b/components/aide.yml index 6f08da4c468..fa6d5d0a432 100644 --- a/components/aide.yml +++ b/components/aide.yml @@ -6,6 +6,7 @@ packages: rules: - aide_build_database - aide_check_audit_tools +- aide_disable_silentreports - aide_periodic_cron_checking - aide_periodic_checking_systemd_timer - aide_scan_notification diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/rule.yml new file mode 100644 index 00000000000..5ed7831608b --- /dev/null +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/rule.yml 
@@ -0,0 +1,49 @@ +documentation_complete: true + +prodtype: ubuntu1804,ubuntu2004 + +title: 'Configure AIDE To Notify Personnel if Baseline Configurations Are Altered' + +description: |- + The operating system file integrity tool must be configured to notify designated personnel of any changes to configurations. + +rationale: |- + Detecting changes in the system can help avoid unintended, and negative consequences + that could affect the security state of the operating system + +severity: medium + +references: + disa: "CCI-001744,CCI-002702" + srg: "SRG-OS-000447-GPOS-00201,SRG-OS-000363-GPOS-00150" + stigid@ubuntu2004: UBTU-20-010437 + +ocil_clause: 'silentreports is enabled in aide default configuration, or is missing' + +ocil: |- + Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System Administrator + when anomalies in the operation of any security functions are discovered with the following command: +
# grep SILENTREPORTS {{{ aide_default_path }}} 
+ + SILENTREPORTS=no + + If SILENTREPORTS is commented out, this is a finding. + + If SILENTREPORTS is set to "yes", this is a finding. + + If SILENTREPORTS is not set to "no", this is a finding. + +fixtext: |- + Configure the {{{ full_name }}} operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. + + Modify the "SILENTREPORTS" parameter in the "{{{ aide_default_path }}}" file with a value of "no" if it does not already exist. + +srg_requirement: + {{{ full_name }}} must notify designated personnel if baseline configurations are changed in an unauthorized manner. + +template: + name: lineinfile + vars: + text: 'SILENTREPORTS=no' + path: '{{{ aide_default_path }}}' + diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/correct.pass.sh new file mode 100644 index 00000000000..82b05e8259c --- /dev/null +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/correct.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# platform = multi_platform_ubuntu +# packages = aide + +echo "SILENTREPORTS=no" >> /etc/default/aide diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/not_config.fail.sh new file mode 100644 index 00000000000..0c8eee86905 --- /dev/null +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/not_config.fail.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# platform = multi_platform_ubuntu +# packages = aide + +echo sed -i "^SILENTREPORTS\s*=\s*no$" /etc/default/aide diff --git a/products/ubuntu2004/product.yml b/products/ubuntu2004/product.yml index e0d2eefa1fa..ba0274ea5ed 100644 
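Review bot: The rule's `prodtype: ubuntu1804,ubuntu2004` is wider than the variable it depends on, because the only `aide_default_path` this series defines is in products/ubuntu2004/product.yml (plus the ubuntu2004 stability data), so on ubuntu1804 both `# grep SILENTREPORTS {{{ aide_default_path }}}` in the OCIL and the template `path:` will presumably render empty or break the build unless that product already defines it — either add the variable there or drop ubuntu1804 from `prodtype`. The `ocil_clause` ("silentreports is enabled ..., or is missing") is also narrower than the OCIL body, which treats a commented-out line and any value other than "no" as findings; I'd make it `ocil_clause: 'SILENTREPORTS is not set to "no" in {{{ aide_default_path }}}, or the setting is missing or commented out'`. Finally, a one-line caveat in the description would help assessors: as I read /etc/default/aide, SILENTREPORTS=no only stops the periodic check from withholding its report, and whether anyone actually receives it still depends on the configured mail destination (presumably the sibling aide_scan_notification rule listed in components/aide.yml), so passing this rule alone does not demonstrate that notification works.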
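Review bot: correct.pass.sh only appends `SILENTREPORTS=no` to /etc/default/aide and never removes a pre-existing `SILENTREPORTS=` line, so whether it passes depends on what the aide package ships in that file; the series' own wrong_multiple_values.fail.sh (patch 4) shows that a second, conflicting SILENTREPORTS line is expected to be a failure, so a stock value other than "no" would turn this pass scenario into a false failure. I'd make it self-contained with `sed -i '/^SILENTREPORTS=/d' /etc/default/aide` before the `echo "SILENTREPORTS=no" >> /etc/default/aide`. Using the same `FILE=/etc/default/aide` variable as the later tests would also keep the four scripts consistent.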
--- a/products/ubuntu2004/product.yml +++ b/products/ubuntu2004/product.yml @@ -22,6 +22,7 @@ oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.fo aide_bin_path: "/usr/bin/aide.wrapper" aide_conf_path: "/etc/aide/aide.conf" +aide_default_path: "/etc/default/aide" chrony_conf_path: "/etc/chrony/chrony.conf" cpes_root: "../../shared/applicability" diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile index d0f3921f346..ec9e1fd4458 100644 --- a/products/ubuntu2004/profiles/stig.profile +++ b/products/ubuntu2004/profiles/stig.profile @@ -525,6 +525,7 @@ selections: - chronyd_sync_clock # UBTU-20-010437 The Ubuntu operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the System Administrator when changes to the baseline configuration or anomalies in the oper + - aide_disable_silentreports # UBTU-20-010438 The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. - apt_conf_disallow_unauthenticated diff --git a/tests/data/product_stability/ubuntu2004.yml b/tests/data/product_stability/ubuntu2004.yml index a3cbe0bf55d..233d16d40b0 100644 --- a/tests/data/product_stability/ubuntu2004.yml +++ b/tests/data/product_stability/ubuntu2004.yml @@ -2,6 +2,7 @@ aide_also_checks_audispd: 'yes' aide_also_checks_rsyslog: 'no' aide_bin_path: /usr/bin/aide.wrapper aide_conf_path: /etc/aide/aide.conf +aide_default_path: /etc/default/aide audisp_conf_path: /etc/audit auid: 1000 basic_properties_derived: true From 0e7e281e0523ff526ce0c9e042a20100d584cb76 Mon Sep 17 00:00:00 2001 
From: Miha Purg Date: Tue, 28 Nov 2023 13:22:14 +0100 Subject: [PATCH 2/5] Remove trailing whitespaces --- .../aide/aide_disable_silentreports/rule.yml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/rule.yml index 5ed7831608b..3b83726e452 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/rule.yml @@ -8,7 +8,7 @@ description: |- The operating system file integrity tool must be configured to notify designated personnel of any changes to configurations. rationale: |- - Detecting changes in the system can help avoid unintended, and negative consequences + Detecting changes in the system can help avoid unintended, and negative consequences that could affect the security state of the operating system severity: medium @@ -20,28 +20,28 @@ references: ocil_clause: 'silentreports is enabled in aide default configuration, or is missing' -ocil: |- +ocil: |- Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System Administrator - when anomalies in the operation of any security functions are discovered with the following command: + when anomalies in the operation of any security functions are discovered with the following command:
# grep SILENTREPORTS {{{ aide_default_path }}} 
- SILENTREPORTS=no + SILENTREPORTS=no + + If SILENTREPORTS is commented out, this is a finding. + + If SILENTREPORTS is set to "yes", this is a finding. - If SILENTREPORTS is commented out, this is a finding. - - If SILENTREPORTS is set to "yes", this is a finding. - If SILENTREPORTS is not set to "no", this is a finding. fixtext: |- - Configure the {{{ full_name }}} operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. - + Configure the {{{ full_name }}} operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. + Modify the "SILENTREPORTS" parameter in the "{{{ aide_default_path }}}" file with a value of "no" if it does not already exist. srg_requirement: {{{ full_name }}} must notify designated personnel if baseline configurations are changed in an unauthorized manner. -template: +template: name: lineinfile vars: text: 'SILENTREPORTS=no' From fbbadbc62fca933fa9af0dfae24e60a29278eb9f Mon Sep 17 00:00:00 2001 From: Miha Purg Date: Tue, 28 Nov 2023 13:38:18 +0100 Subject: [PATCH 3/5] Added comment for UBTU-20-010451 Same rule as UBTU-20-010437. Notified DISA. --- products/ubuntu2004/profiles/stig.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/products/ubuntu2004/profiles/stig.profile b/products/ubuntu2004/profiles/stig.profile index ec9e1fd4458..16e99a53ca2 100644 --- a/products/ubuntu2004/profiles/stig.profile +++ b/products/ubuntu2004/profiles/stig.profile 
@@ -567,6 +567,7 @@ selections: - aide_build_database # UBTU-20-010451 The Ubuntu operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the System Administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered. + # Same as UBTU-20-010437 # UBTU-20-010453 The Ubuntu operating system must display the date and time of the last successful account logon upon logon. - display_login_attempts From d8ce311afc4797b06aa66e6b0bab73be7444f015 Mon Sep 17 00:00:00 2001 From: Miha Purg Date: Tue, 28 Nov 2023 14:52:40 +0100 Subject: [PATCH 4/5] Fixed tests for aide_disable_silentreports --- .../tests/not_config.fail.sh | 5 ----- .../tests/wrong_multiple_values.fail.sh | 9 +++++++++ .../tests/wrong_value.fail.sh | 12 ++++++++++++ 3 files changed, 21 insertions(+), 5 deletions(-) delete mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/not_config.fail.sh create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/wrong_multiple_values.fail.sh create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/wrong_value.fail.sh diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/not_config.fail.sh deleted file mode 100644 index 0c8eee86905..00000000000 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/not_config.fail.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash -# platform = multi_platform_ubuntu -# packages = aide - -echo sed -i "^SILENTREPORTS\s*=\s*no$" /etc/default/aide 
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/wrong_multiple_values.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/wrong_multiple_values.fail.sh new file mode 100644 index 00000000000..83e4373120e --- /dev/null +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/wrong_multiple_values.fail.sh @@ -0,0 +1,9 @@ +#!/bin/bash +# platform = multi_platform_ubuntu +# packages = aide + +FILE=/etc/default/aide + +echo "SILENTREPORTS=no" >> $FILE +echo "SILENTREPORTS=wrong" >> $FILE + diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/wrong_value.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/wrong_value.fail.sh new file mode 100644 index 00000000000..00e76f445d2 --- /dev/null +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/wrong_value.fail.sh @@ -0,0 +1,12 @@ +#!/bin/bash +# platform = multi_platform_ubuntu +# packages = aide + +FILE=/etc/default/aide + +if grep -Eq "SILENTREPORTS=" $FILE; then + sed -i "s/^.*SILENTREPORTS=.*$/SILENTREPORTS=wrong/g" $FILE +else + echo "SILENTREPORTS=wrong" >> $FILE +fi + From 20be8bcbdd250ff158ba7afbec3962bb235b179a Mon Sep 17 00:00:00 2001 From: Miha Purg Date: Fri, 1 Dec 2023 12:17:55 +0100 Subject: [PATCH 5/5] Change template for 'aide_disable_silentreports' Switch to template `key_value_pair_in_file` for rule `aide_disable_silentreports`. Previously used template `lineinfile` only checked for lines containing correct key value pairs (`key=value`). It did not check for or remediate existing wrong values. --- .../aide/aide_disable_silentreports/rule.yml | 8 +++++--- .../aide_disable_silentreports/tests/wrong_value.fail.sh | 4 ++-- 2 files changed, 7 insertions(+), 5 deletions(-) 
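Review bot: With not_config.fail.sh deleted in this patch, the test set no longer covers the two cases the rule's OCIL explicitly calls findings — the `SILENTREPORTS` line being absent, and it being commented out — only a wrong value and a duplicate wrong value (wrong_value.fail.sh, wrong_multiple_values.fail.sh). I'd add `missing.fail.sh` with `sed -i '/^SILENTREPORTS=/d' "$FILE"` and `commented.fail.sh` with `sed -i 's/^SILENTREPORTS=/#&/' "$FILE"` (each under the same `FILE=/etc/default/aide` header), so both the check and the remediation are exercised for a line that has to be added rather than rewritten; the commented case is the one most worth pinning, since a check that matched `#SILENTREPORTS=no` would pass a file that is effectively unconfigured. As a style point, `$FILE` is unquoted in every `>> $FILE`, `grep ... $FILE` and `sed -i ... $FILE`; the value has no whitespace so it is harmless here, but `"$FILE"` is what ShellCheck will ask for.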
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/rule.yml index 3b83726e452..9f2ad887604 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/rule.yml @@ -42,8 +42,10 @@ srg_requirement: {{{ full_name }}} must notify designated personnel if baseline configurations are changed in an unauthorized manner. template: - name: lineinfile + name: key_value_pair_in_file vars: - text: 'SILENTREPORTS=no' path: '{{{ aide_default_path }}}' - + key: 'SILENTREPORTS' + value: 'no' + sep: '=' + sep_regex: '=' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/wrong_value.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/wrong_value.fail.sh index 00e76f445d2..736891e5d11 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/wrong_value.fail.sh @@ -4,8 +4,8 @@ FILE=/etc/default/aide -if grep -Eq "SILENTREPORTS=" $FILE; then - sed -i "s/^.*SILENTREPORTS=.*$/SILENTREPORTS=wrong/g" $FILE +if grep -q "^SILENTREPORTS=" $FILE; then + sed -i "s/^SILENTREPORTS=.*$/SILENTREPORTS=wrong/g" $FILE else echo "SILENTREPORTS=wrong" >> $FILE fi
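Review bot: The new template block gives no hint why both `sep` and `sep_regex` are a bare `=`, which a later maintainer may be tempted to loosen to `\s*=\s*`; a short comment would prevent that, e.g. `# /etc/default/aide is consumed as shell, so whitespace around '=' is itself invalid; only KEY=value is accepted` (confirm how the file is read on Ubuntu before asserting it). The flip side is that a shell-valid quoted form such as `SILENTREPORTS="no"` would, depending on how key_value_pair_in_file builds its value match, be reported as a finding and then "remediated" even though the setting is already effective; the fixtext says to set the value to "no" but never says unquoted, so I'd either add a `quoted_value` test that pins whichever behavior the template actually has, or state in the fixtext that the line must be written unquoted as `SILENTREPORTS=no`.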