Check: SLEM-05-651030
SUSE Linux Enterprise Micro (SLEM) 5 STIG:
SLEM-05-651030
(in version v1 r1)
Title
Advanced Intrusion Detection Environment (AIDE) must verify the baseline SLEM 5 configuration at least weekly. (Cat II impact)
Discussion
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to SLEM 5. Changes to SLEM 5 configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of SLEM 5. SLEM 5's information system security manager (ISSM)/information system security officer (ISSO) and system administrator (SA) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Check Content
Verify SLEM 5 checks the baseline configuration using AIDE for unauthorized changes at least once weekly with the following command:

Note: A file integrity tool other than AIDE may be used, but the tool must be executed at least once per week.

> sudo grep -R aide /etc/crontab /etc/cron.*
/etc/crontab: 30 04 * * * root /usr/sbin/aide

If the file integrity application does not exist, or no entry that runs it is found in "/etc/crontab", the "/etc/cron.daily" subdirectory, or the "/etc/cron.weekly" subdirectory, this is a finding. (A daily entry such as the one above satisfies the "at least weekly" requirement.)
Fix Text
Configure SLEM 5 to check the baseline configuration for unauthorized changes at least once weekly. Add or modify the following line in the "/etc/cron.weekly/aide" file:

0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Weekly AIDE integrity check run" root@example_server_name.mil

Caveats: the line above is in crontab syntax. If it is placed in "/etc/crontab" it needs a user field (for example "root") between the schedule and the command, and "0 0 * * *" runs daily, which is acceptable since it is at least weekly. Files under "/etc/cron.weekly" are executed by run-parts as scripts, so a file there must be executable and contain only the command, with no schedule fields; "$HOSTNAME" is not guaranteed to be set in cron's non-interactive shell, so "$(hostname)" is more reliable there. Replace "root@example_server_name.mil" with the address of the ISSM/ISSO and SA who must be notified.
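The check and fix above can be exercised offline. The following is an added example, not part of the STIG text: it audits the check's three cron locations under an arbitrary root, installs the weekly job as a proper run-parts script (no crontab time fields), and builds constructed sample trees for the compliant and non-compliant outcomes. Function names and the sample data are assumptions for illustration; on a live host you would call aide_cron_configured with "/" as the root.

```shell
#!/bin/sh
# Added example for SLEM-05-651030; not DISA's or SUSE's code.
# Function names and the sample trees built by make_sample_root are
# assumptions/constructed data, not a real host.

# aide_cron_configured ROOT
# Returns 0 when the AIDE binary exists and at least one location named by the
# check (/etc/crontab, /etc/cron.daily, /etc/cron.weekly) references "aide";
# returns 1 otherwise, i.e. the condition the STIG calls a finding.
aide_cron_configured() {
    acc_root="$1"
    [ -x "$acc_root/usr/sbin/aide" ] || return 1
    # -R descends into the directories, -s hides missing-file errors,
    # -q makes the exit status the only output.
    grep -Rqs aide "$acc_root/etc/crontab" \
        "$acc_root/etc/cron.daily" "$acc_root/etc/cron.weekly"
}

# install_weekly_aide_job ROOT MAILTO
# Writes ROOT/etc/cron.weekly/aide. run-parts executes files in cron.weekly as
# scripts, so this is a script with no minute/hour/day fields. $(hostname) is
# used instead of $HOSTNAME because cron's shell may not export the latter.
install_weekly_aide_job() {
    iwj_root="$1"; iwj_mailto="$2"
    mkdir -p "$iwj_root/etc/cron.weekly"
    cat > "$iwj_root/etc/cron.weekly/aide" <<EOF
#!/bin/sh
# Weekly AIDE integrity check (SLEM-05-651030)
/usr/sbin/aide --check | /bin/mail -s "\$(hostname) - Weekly AIDE integrity check run" $iwj_mailto
EOF
    chmod 0755 "$iwj_root/etc/cron.weekly/aide"
}

# make_sample_root compliant|nojob|noaide
# Builds a constructed throwaway tree under mktemp for one of three outcomes
# and prints its path. "compliant" reproduces the check's own sample output.
make_sample_root() {
    msr_root=$(mktemp -d)
    mkdir -p "$msr_root/usr/sbin" "$msr_root/etc/cron.daily" "$msr_root/etc/cron.weekly"
    if [ "$1" != noaide ]; then
        : > "$msr_root/usr/sbin/aide"; chmod 0755 "$msr_root/usr/sbin/aide"
    fi
    if [ "$1" = compliant ]; then
        printf '30 04 * * * root /usr/sbin/aide\n' > "$msr_root/etc/crontab"
    else
        printf '# no file-integrity job scheduled here\n' > "$msr_root/etc/crontab"
    fi
    printf '%s\n' "$msr_root"
}

# Stand-alone run: report each constructed case, then apply the fix to the
# case that lacks a job and re-check it.
for kind in compliant nojob noaide; do
    r=$(make_sample_root "$kind")
    if aide_cron_configured "$r"; then echo "$kind: not a finding"; else echo "$kind: FINDING"; fi
    if [ "$kind" = nojob ]; then
        install_weekly_aide_job "$r" root@example_server_name.mil
        if aide_cron_configured "$r"; then echo "$kind after fix: not a finding"; fi
    fi
    rm -rf "$r"
done
```

The audit function looks only where the check text looks. A job in "/etc/cron.d" or "/etc/cron.hourly" would also run at least weekly, but the check as written does not list those directories, so place the job in one of the three locations it names to keep the assessment unambiguous.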
Additional Identifiers
Rule ID: SV-261407r996637_rule
Vulnerability ID: V-261407
Group Title: SRG-OS-000363-GPOS-00150
Expert Comments
CCIs
Number | Definition
---|---
CCI-001744 | Implement organization-defined security responses automatically if baseline configurations are changed in an unauthorized manner.
CCI-002696 | Verify correct operation of organization-defined security functions.
CCI-002699 | Perform verification of the correct operation of organization-defined security functions: when the system is in an organization-defined transitional state; upon command by a user with appropriate privileges; and/or on an organization-defined frequency.