Add aide_disable_silentreports OVAL and remediations

This commit will add in OVAL definition and ansible/bash remediations for disabling silentreports from AIDE

linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/ansible/ubuntu.yml

@@ -0,0 +1,19 @@
+# platform = multi_platform_ubuntu
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+- name: Ensure aide is installed
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - aide
+
+
+- name: Ensure AIDE silentreports is disabled
+  lineinfile:
+    path: /etc/default/aide
+    regexp: "^((#+(.*)SILENTREPORTS)|(SILENTREPORTS(\\s*)=(\\s*)yes))"
+    line: "SILENTREPORTS=no"
+    create: true

linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/bash/ubuntu.sh

@@ -0,0 +1,12 @@
+# platform = multi_platform_ubuntu
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ bash_package_install("aide") }}}
+
+if ! grep -i "^SILENTREPORTS*=*no$" {{{ aide_default_path }}}
+then
+sed -i "^((#+(\s*)SILENTREPORTS)|(SILENTREPORTS(\s*)=(\s*)yes))" "SILENTREPORTS=no" {{{ aide_default_path }}}
+fi

linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/oval/ubuntu.xml

@@ -0,0 +1,25 @@
+<def-group>
+  <definition class="compliance"
+  id="aide_disable_silentreports" version="1">
+    {{{ oval_metadata("The " ~ full_name ~ " operating system file must notify designated personnel if baseline configurations are changed in an unauthorized manner.", title="" )}}}
+    <criteria operator="AND">
+      <extend_definition comment="Aide is installed"
+      definition_ref="package_aide_installed" />
+      <criterion comment="Aide is checked in {{ aide_default_path }}"
+      test_ref="test_aide_silentreports" />
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="SILENTREPORTS is set to no in {{ aide_default_path }}" id="test_aide_silentreports" version="1">
+    <ind:object object_ref="object_aide_verify_silentreports" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object
+  id="object_aide_verify_silentreports" version="1">
+    <ind:filepath>{{{ aide_default_path }}}</ind:filepath>
+    <ind:pattern operation="pattern match">^SILENTREPORTS\s*=\s*no$</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
+
+
+

linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/rule.yml

@@ -1,8 +1,8 @@
 documentation_complete: true
 
-prodtype: ubuntu2004
+prodtype: ubuntu1804,ubuntu2004
 
-title: 'AIDE must notify personnel if baseline configurations are altered'
+title: 'Configure AIDE To Notify Personnel if Baseline Configurations Are Altered'
 
 description: |-
     The operating system file integrity tool must be configured to notify designated personnel of any changes to configurations.
@@ -23,7 +23,7 @@ ocil_clause: 'silentreports is enabled in aide default configuration, or is miss
 ocil: |- 
     Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System Administrator
     when anomalies in the operation of any security functions are discovered with the following command: 
-    <pre># grep SILENTREPORTS /etc/default/aide </pre>
+    <pre># grep SILENTREPORTS {{{ aide_default_path }}} </pre>
 
     SILENTREPORTS=no 
 
@@ -36,7 +36,7 @@ ocil: |-
 fixtext: |-
     Configure the Ubuntu operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. 
  
-    Modify the "SILENTREPORTS" parameter in the "/etc/default/aide" file with a value of "no" if it does not already exist.
+    Modify the "SILENTREPORTS" parameter in the "{{{ aide_default_path }}}" file with a value of "no" if it does not already exist.
 
 srg_requirement:
     {{{ full_name }}} must notify designated personnel if baseline configurations are changed in an unauthorized manner.
@@ -45,5 +45,5 @@ template:
     name: lineinfile
     vars:
       text: 'SILENTREPORTS=no'
-      path: '/etc/default/aide'
+      path: '{{{ aide_default_path }}}'
 

linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/correct.pass.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = aide
+
+echo "SILENTREPORTS=no" >> /etc/default/aide

linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/tests/not_config.fail.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = aide
+
+echo sed -i "^SILENTREPORTS\s*=\s*no$" /etc/default/aide

products/ubuntu2004/product.yml

@@ -18,6 +18,7 @@ grub2_uefi_boot_path: "/boot/grub"
 
 aide_bin_path: "/usr/bin/aide.wrapper"
 aide_conf_path: "/etc/aide/aide.conf"
+aide_default_path: "/etc/default/aide"
 chrony_conf_path: "/etc/chrony/chrony.conf"
 
 cpes_root: "../../shared/applicability"