Check: RHEL-06-000305
Red Hat Enterprise Linux 6 STIG:
RHEL-06-000305
(in versions v2 r2 through v1 r14)
Title
The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs. (Cat II impact)
Discussion
By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.
Check Content
To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding.
Fix Text
AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: 05 4 * * * root /usr/sbin/aide --check AIDE can be executed periodically through other means; this is merely one example.
Additional Identifiers
Rule ID: SV-218051r603264_rule
Vulnerability ID: V-218051
Group Title: SRG-OS-000363
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001263 |
The information system provides near real-time alerts when any of the organization-defined list of compromise or potential compromise indicators occurs. |
| CCI-001774 |
The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system. |
| CCI-002664 |
The information system alerts organization-defined personnel or roles when organization-defined compromise indicators reflect the occurrence of a compromise or a potential compromise. |
| CCI-002687 |
The organization implements organization-defined host-based monitoring mechanisms at organization-defined information system components. |