Title

RHEL 9 must have the AIDE package installed. (Cat II impact)

Discussion

Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Selection lines in the aide.conf file determine which files and directories AIDE will monitor for changes. They follow this format: <path> <rules> The <path> specifies a file, directory or wildcard pattern to monitor. The <rules>define which attributes (hashes, permissions, timestamps, etc.) to check. Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199

Check Content

Verify the file integrity tool is configured to verify ACLs. Note: AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory. If AIDE is not installed, ask the system administrator (SA) how file integrity checks are performed on the system. Use the following command to determine if the file is in a location other than "/etc/aide/aide.conf": $ sudo find / -name aide.conf Use the following command to review the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists: $ sudo cat /etc/aide.conf | more If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, is commented out, or ACLs are not being checked by another file integrity tool, this is a finding.

Fix Text

Install AIDE, initialize it, and perform a manual check. Install AIDE: $ sudo dnf install aide Initialize AIDE: $ sudo /usr/sbin/aide --init Example output: Start timestamp: 2023-06-05 10:09:04 -0600 (AIDE 0.16) AIDE initialized database at /var/lib/aide/aide.db.new.gz Number of entries: 86833 --------------------------------------------------- The attributes of the (uncompressed) database(s): --------------------------------------------------- /var/lib/aide/aide.db.new.gz MD5 : coZUtPHhoFoeD7+k54fUvQ== SHA1 : DVpOEMWJwo0uPgrKZAygIUgSxeM= SHA256 : EQiZH0XNEk001tcDmJa+5STFEjDb4MPE TGdBJ/uvZKc= SHA512 : 86KUqw++PZhoPK0SZvT3zuFq9yu9nnPP toei0nENVELJ1LPurjoMlRig6q69VR8l +44EwO9eYyy9nnbzQsfG1g== End timestamp: 2023-06-05 10:09:57 -0600 (run time: 0m 53s) The new database will need to be renamed to be read by AIDE: $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz Perform a manual check: $ sudo /usr/sbin/aide --check Example output: 2023-06-05 10:16:08 -0600 (AIDE 0.16) AIDE found NO differences between database and filesystem. Looks okay!! ...

Additional Identifiers

Rule ID: SV-258134r1101983_rule

Vulnerability ID: V-258134

Group Title: SRG-OS-000363-GPOS-00150

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.