From a94db3f8add8c592407f4b4abfe81b478461682b Mon Sep 17 00:00:00 2001 From: svet-se Date: Wed, 4 Sep 2024 10:14:47 +0300 Subject: [PATCH] Add rule aide_scan_notification to sle micro 5 stig profile --- controls/stig_slmicro5.yml | 5 +++-- .../aide/aide_scan_notification/ansible/shared.yml | 2 +- .../aide/aide_scan_notification/bash/shared.sh | 2 +- .../aide/aide_scan_notification/oval/shared.xml | 10 +++++----- .../aide/aide_scan_notification/rule.yml | 5 +++-- shared/references/cce-slmicro5-avail.txt | 1 - 6 files changed, 13 insertions(+), 12 deletions(-) diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml index c3ef2253d91..90e2568bfd9 100644 --- a/controls/stig_slmicro5.yml +++ b/controls/stig_slmicro5.yml @@ -1349,8 +1349,9 @@ controls: SLEM 5 must notify the system administrator (SA) when Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation of any security functions. - rules: [] - status: pending + rules: + - aide_scan_notification + status: automated - id: SLEM-05-652010 levels: diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml index 6544d5d94ca..d486ed81786 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml @@ -12,7 +12,7 @@ with_items: - aide -{{% if product in ["sle15"] %}} +{{% if product in ["sle15", "slmicro5"] %}} - name: "{{{ rule_title }}} check service" ansible.builtin.blockinfile: create: yes 
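Review bot: The product gate `{{% if product in ["sle15", "slmicro5"] %}}` is now copied by hand into ansible/shared.yml, bash/shared.sh, oval/shared.xml (three times) and rule.yml (twice), so the next product added to this rule has to touch every copy, and a missed copy leaves the remediation and the OVAL check disagreeing on which products get the systemd-based notification. It would read better to decide this once per template, e.g. `{{% set systemd_notify = product in ["sle15", "slmicro5"] %}}` near the top and `{{% if systemd_notify %}}` at each branch, so the product list lives on one line per file. The ansible task that follows the gate runs past the end of the hunk (`create: yes` is its last visible line), so whether the sle15 branch's assumptions about the unit-file layout hold on slmicro5 cannot be confirmed from here.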
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh index c3a4301f91c..972a4813cfb 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh @@ -3,7 +3,7 @@ {{{ bash_package_install("aide") }}} {{{ bash_instantiate_variables("var_aide_scan_notification_email") }}} -{{% if product in ["sle15"] %}} +{{% if product in ["sle15", "slmicro5"] %}} # create unit file for periodic aide database check cat > /etc/systemd/system/aidecheck.service < -{{% if product in ["sle15"] %}} +{{% if product in ["sle15", "slmicro5"] %}} @@ -52,7 +52,7 @@ ^.*{{{ aide_bin_path }}}[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ 1 -{{% if product in ["sle15"] %}} +{{% if product in ["sle15", "slmicro5"] %}} @@ -61,7 +61,7 @@ /etc/systemd/system/aidecheck.service - ^ExecStart\=.*/usr/bin/aide[\s]*\-\-check.*\-r\s*file:\/w*.*$ + ^.*ExecStart\=.*/usr/bin/aide[\s]*\-\-check.*\-r\s*file:\/w*.*$ 1 /etc/systemd/system/aidecheck.service - ^Before\=.*aidecheck-notify.service$ + ^.*Before\=.*aidecheck-notify.service.*$ 1 /etc/systemd/system/aidecheck.service - ^Wants\=.*aidecheck-notify.service.*$ + ^.*Wants\=.*aidecheck-notify.service.*$ 1 {{% endif %}} diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml index d786e13096f..028e6dc2f8d 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml 
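Review bot: Replacing the `^` anchor with `^.*` in the three `<ind:pattern>` regexes of the `@@ -61,7 +61,7 @@` hunk makes the check accept a commented-out directive: a line such as `#ExecStart=/usr/bin/aide --check ...` in aidecheck.service now satisfies `^.*ExecStart\=...`, so a unit with the notification wiring disabled would still be reported compliant. If the intent is only to tolerate leading whitespace, `^\s*ExecStart\=`, `^\s*Before\=` and `^\s*Wants\=` do that without matching a comment prefix. The `\-r\s*file:\/w*.*` tail carried into the new ExecStart line looks as if `file:\/\w*` was meant; as written it matches `file:/` followed by anything, which is probably looser than intended.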
@@ -32,6 +32,7 @@ identifiers: cce@rhel10: CCE-90177-7 cce@sle12: CCE-83048-9 cce@sle15: CCE-91214-7 + cce@slmicro5: CCE-93722-7 references: cis-csc: 1,11,12,13,15,16,2,3,5,7,8,9 @@ -54,7 +55,7 @@ ocil_clause: 'AIDE has not been configured or has not been configured to notify ocil: |- To determine that periodic AIDE execution has been scheduled, run the following command: -{{% if product in ["sle15"] %}} +{{% if product in ["sle15", "slmicro5"] %}}
$ sudo systemctl status  aidecheck-notify|grep loaded
The output should return that the service is loaded. Also we should make sure that notification service is started by the check: @@ -73,7 +74,7 @@ fixtext: |- The AIDE tool can be configured to email designated personnel with the use of the cron system. The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. -{{% if product in ["sle15"] %}} +{{% if product in ["sle15", "slmicro5"] %}} $ cat > /etc/systemd/system/aidecheck-notify.service <