CIS 1.3.1 Ensure AIDE is installed

[marcofortina]

Description of problem:

Check for rule xccdf_org.ssgproject.content_rule_aide_build_database fails on Ubuntu 22.04.

SCAP Security Guide Version:

master branch

Operating System Version:

Ubuntu 22.04 LTS

Steps to Reproduce:

1. Install AIDE: apt install aide aide-common
2. Initialize AIDE: aideinit && mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
3. Run SCAP: oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server --rule xccdf_org.ssgproject.content_rule_aide_build_database ssg-ubuntu2204-ds.xml

Actual Results:

Title   Build and Test AIDE Database
Rule    xccdf_org.ssgproject.content_rule_aide_build_database
Result  fail

Expected Results:

Title   Build and Test AIDE Database
Rule    xccdf_org.ssgproject.content_rule_aide_build_database
Result  pass

Additional Information/Debugging Steps:

On Ubuntu 22.04 database definition keyword in the /etc/aide/aide.conf file was changed from database=file:/var/lib/aide/aide.db to database_in=file:/var/lib/aide/aide.db.

Adding database=file:/var/lib/aide/aide.db in the /etc/aide/aide.conf as workaround gives this warning:

WARNING: /etc/aide/aide.conf:194: Using 'database' is DEPRECATED. Update your config and use 'database_in' instead (line: 'database=file:/var/lib/aide/aide.db')

[dodys]

The database message is just a warning and we are not yet planning to move to database_in now as this is not backwards compatible and the warning doesn't prevent from aide to work.

Regarding the fail, have you tried to use the bash remediation?

[marcofortina]

The database message is just a warning and we are not yet planning to move to database_in now as this is not backwards compatible and the warning doesn't prevent from aide to work.

Regarding the fail, have you tried to use the bash remediation?

Yes of course I used successfully the bash remediation. My issue is only to truck a wrong check for database= on Ubuntu 22.04 instead of the new database_in= showing a false error where workaround was not applied.

Is not possible to use <% if "ubuntu2204" in product %> for this rule as fix?

[dodys]

not really a priority for us now, since database is still supported on 22.04
adding the checks would be required on bash, ansible, oval and rule.yml

[dodys]

not really a priority for us now, since database is still supported on 22.04 adding the checks would be required on bash, ansible, oval and rule.yml

and a reminder that you would still need to keep compatibility to database as people might not have migrated to the new item.

[dodys]

Debian also suffers the same as expected.