An error occurred:

Check: RHEL-09-651010

RHEL 9 STIG: RHEL-09-651010 (in versions v1 r3 through v1 r1)

Title

RHEL 9 must have the AIDE package installed. (Cat II impact)

Discussion

Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199

Check Content

Verify that RHEL 9 has the Advanced Intrusion Detection Environment (AIDE) package installed with the following command: $ sudo dnf list --installed aide Example output: aide.x86_64 0.16.100.el9 If AIDE is not installed, ask the system administrator (SA) how file integrity checks are performed on the system. If there is no application installed to perform integrity checks, this is a finding. If AIDE is installed, check if it has been initialized with the following command: $ sudo /usr/sbin/aide --check If the output is "Couldn't open file /var/lib/aide/aide.db.gz for reading", this is a finding.

Fix Text

Install AIDE, initialize it, and perform a manual check. Install AIDE: $ sudo dnf install aide Initialize AIDE: $ sudo /usr/sbin/aide --init Example output: Start timestamp: 2023-06-05 10:09:04 -0600 (AIDE 0.16) AIDE initialized database at /var/lib/aide/aide.db.new.gz Number of entries: 86833 --------------------------------------------------- The attributes of the (uncompressed) database(s): --------------------------------------------------- /var/lib/aide/aide.db.new.gz MD5 : coZUtPHhoFoeD7+k54fUvQ== SHA1 : DVpOEMWJwo0uPgrKZAygIUgSxeM= SHA256 : EQiZH0XNEk001tcDmJa+5STFEjDb4MPE TGdBJ/uvZKc= SHA512 : 86KUqw++PZhoPK0SZvT3zuFq9yu9nnPP toei0nENVELJ1LPurjoMlRig6q69VR8l +44EwO9eYyy9nnbzQsfG1g== End timestamp: 2023-06-05 10:09:57 -0600 (run time: 0m 53s) The new database will need to be renamed to be read by AIDE: $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz Perform a manual check: $ sudo /usr/sbin/aide --check Example output: 2023-06-05 10:16:08 -0600 (AIDE 0.16) AIDE found NO differences between database and filesystem. Looks okay!! ...

Additional Identifiers

Rule ID: SV-258134r926389_rule

Vulnerability ID: V-258134

Group Title: SRG-OS-000363-GPOS-00150

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001744

The information system implements organization-defined security responses automatically if baseline configurations are changed in an unauthorized manner.
CCI-002696

The information system verifies correct operation of organization-defined security functions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-3 (5)

Automated Security Response
SI-6

Security Function Verification