aide - Advanced Intrusion Detection Environment

aide - Advanced Intrusion Detection Environment

AIDE provides integrity monitoring for files on a Linux system and can notify system administrators of changes to critical files and packages.

Overview

By default, AIDE will examine and monitor all of the files on a host unless directories are added to its exclusion list. The security role sets directories to exclude from AIDE monitoring via the aide_exclude_dirs variable. this list excludes the most common directories that change very often via automated methods.

The security role skips the AIDE initialization step by default to avoid system disruption or a reduction in performance. Deployers should determine the best time to initialize the database that does not interfere with the system’s operations.

To initialize the AIDE database, set the following Ansible variable and re-apply the role:

security_rhel7_initialize_aide: true

Warning

Even with the excluded directories, the first AIDE initialization can take a long time on some systems. During this time, the CPU and disks are very busy.

STIG requirements

All of the tasks for these STIG requirements are included in tasks/rhel7stig/aide.yml.

V-71973

  • Summary: A file integrity tool must verify the baseline operating system configuration at least weekly.

  • Severity: Medium

  • Implementation Status: Opt-In

Deployer/Auditor notes

Initializing the AIDE database and completing the first AIDE run causes increased disk I/O and CPU usage for extended periods. Therefore, the AIDE database is not automatically initialized by the tasks in the security role.

Deployers can enable the AIDE database initialization within the security role by setting the following Ansible variable:

security_rhel7_initialize_aide: yes

V-71975

  • Summary: Designated personnel must be notified if baseline configurations are changed in an unauthorized manner.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

The cron job for AIDE is configured to send emails to the root user after each AIDE run.


V-72069

  • Summary: The file integrity tool must be configured to verify Access Control Lists (ACLs).

  • Severity: Low

  • Implementation Status: Implemented

Deployer/Auditor notes

CentOS 7 and Red Hat Enterprise Linux 7 already deploy a very secure AIDE configuration that checks access control lists (ACLs) and extended attributes by default. No configuration changes are applied on these systems.

However, Ubuntu lacks the rules that include ACL and extended attribute checks. The tasks in the security role will add a small configuration block at the end of the AIDE configuration file to meet the requirements of this STIG, as well as V-72071.

openSUSE Leap and SUSE Linux Enterprise 12 also lack a rule to check ACLs and extended attributes. The default configuration file is adjusted to include those as well.


V-72071

  • Summary: The file integrity tool must be configured to verify extended attributes.

  • Severity: Low

  • Implementation Status: Implemented

Deployer/Auditor notes

CentOS 7 and Red Hat Enterprise Linux 7 already deploy a very secure AIDE configuration that checks access control lists (ACLs) and extended attributes by default. No configuration changes are applied on these systems.

However, Ubuntu lacks the rules that include ACL and extended attribute checks. The tasks in the security role will add a small configuration block at the end of the AIDE configuration file to meet the requirements of this STIG, as well as V-72069.

openSUSE Leap and SUSE Linux Enterprise 12 also lack a rule to check ACLs and extended attributes. The default configuration file is adjusted to include those as well.


V-72073

  • Summary: The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.

  • Severity: Medium

  • Implementation Status: Implemented

Deployer/Auditor notes

The default AIDE configuration in CentOS 7, Red Hat Enterprise Linux 7, openSUSE Leap and SUSE Linux Enterprise 12 already uses SHA512 to validate file contents and directories. No changes are required on these systems.

The tasks in the security role add a rule to end of the AIDE configuration on Ubuntu systems that uses SHA512 for validation.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.