{"description": "By default, the <tt>sha512</tt> option is added to the <tt>NORMAL</tt> ruleset in AIDE.\nIf using a custom ruleset or the <tt>sha512</tt> option is missing, add <tt>sha512</tt>\nto the appropriate ruleset.\nFor example, add <tt>sha512</tt> to the following line in <tt>/etc/aide.conf</tt>:\n<pre>NORMAL = FIPSR+sha512</pre>\nAIDE rules can be configured in multiple ways; this is merely one example that is already\nconfigured by default.", "rationale": "File integrity tools use cryptographic hashes for verifying file contents and directories\nhave not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.", "severity": "medium", "references": {"cis-csc": ["2", "3"], "cobit5": ["APO01.06", "BAI03.05", "BAI06.01", "DSS06.02"], "cui": ["3.13.11"], "isa-62443-2009": ["4.3.4.4.4"], "isa-62443-2013": ["SR 3.1", "SR 3.3", "SR 3.4", "SR 3.8"], "iso27001-2013": ["A.11.2.4", "A.12.2.1", "A.12.5.1", "A.14.1.2", "A.14.1.3", "A.14.2.4"], "nist": ["SI-7", "SI-7(1)", "CM-6(a)"], "nist-csf": ["PR.DS-6", "PR.DS-8"], "srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the sha512 option is missing or not added to the correct ruleset", "ocil": "To determine that AIDE is configured for FIPS 140-2 file hashing, run the following command:\n<pre>$ grep sha512 /etc/aide.conf</pre>\nVerify that the <tt>sha512</tt> option is added to the correct ruleset.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"regulatory": "System Crypto Modules must be provided by a vendor that undergoes\nFIPS-140 certifications.\nFIPS-140 is applicable to all Federal agencies that use\ncryptographic-based security systems to protect sensitive information\nin computer and telecommunication systems (including voice systems) as\ndefined in Section 5131 of the Information Technology Management Reform\nAct of 1996, Public Law 104-106. This standard shall be used in\ndesigning and implementing cryptographic modules that Federal\ndepartments and agencies operate or are operated for them under\ncontract. See <b>\n<a xmlns='http://www.w3.org/1999/xhtml' href='https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf'>https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</a></b>\nTo meet this, the system has to have cryptographic software provided by\na vendor that has undergone this certification. This means providing\ndocumentation, test results, design information, and independent third\nparty review by an accredited lab. While open source software is\ncapable of meeting this, it does not meet FIPS-140 unless the vendor\nsubmits to this process."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must use a file integrity tool that is configured to use FIPS 140-3-approved cryptographic hashes for validating file contents and directories.", "fixtext": "Configure the file integrity tool to use FIPS 140-3 cryptographic hashes for validating file and directory contents.\n\nIf AIDE is installed, ensure the \"sha512\" rule is present on all uncommented file and directory selection lists. Exclude any log files, or files expected to change frequently, to reduce unnecessary notifications.", "checktext": "Verify that AIDE is configured to use FIPS 140-3 file hashing with the following command:\n\n$ sudo grep sha512 /etc/aide.conf\n\nAll=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux\n\nIf the \"sha512\" rule is not being used on all uncommented selection lines in the \"/etc/aide.conf\" file, or another file integrity tool is not using FIPS 140-3-approved cryptographic hashes for validating file contents and directories, this is a finding.", "vuldiscussion": "Ubuntu 22.04 installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement assumes the \"aide.conf\" file is under the \"/etc\" directory.\n\nFile integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-3-approved cryptographic hashes."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure AIDE to Use FIPS 140-2 for Validating Hashes", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml", "template": null}