{"description": "AIDE should notify appropriate personnel of the details of a scan after the scan has been run.\nIf AIDE has already been configured for periodic execution in /etc/crontab, append the\nfollowing line to the existing AIDE line:\n | /bin/mail -s \"$(hostname) - AIDE Integrity Check\" root@localhost
\nOtherwise, add the following line to /etc/crontab:\n05 4 * * * root /usr/bin/aide --check | /bin/mail -s \"$(hostname) - AIDE Integrity Check\" root@localhost
\nAIDE can be executed periodically through other means; this is merely one example.", "rationale": "Unauthorized changes to the baseline configuration could make the system vulnerable\nto various attacks or allow unauthorized access to the operating system. Changes to\noperating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n
\nDetecting such changes and providing an automated response can help avoid unintended,\nnegative consequences that could ultimately affect the security state of the operating\nsystem. The operating system's Information Management Officer (IMO)/Information System\nSecurity Officer (ISSO) and System Administrators (SAs) must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "15", "16", "2", "3", "5", "7", "8", "9"], "cobit5": ["BAI01.06", "BAI06.01", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS01.03", "DSS03.05", "DSS05.02", "DSS05.05", "DSS05.07"], "isa-62443-2009": ["4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 6.2", "SR 7.6"], "iso27001-2013": ["A.12.1.2", "A.12.4.1", "A.12.5.1", "A.12.6.2", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.14.2.7", "A.15.2.1"], "nist": ["CM-6(a)", "CM-3(5)"], "nist-csf": ["DE.CM-1", "DE.CM-7", "PR.IP-1", "PR.IP-3"], "srg": ["SRG-OS-000363-GPOS-00150", "SRG-OS-000446-GPOS-00200", "SRG-OS-000447-GPOS-00201"], "anssi": ["R76"]}, "control_references": {"anssi": ["R76"]}, "components": [], "identifiers": {}, "ocil_clause": "AIDE has not been configured or has not been configured to notify personnel of scan details", "ocil": "To determine that periodic AIDE execution has been scheduled, run the following command:\n\n$ grep aide /etc/crontab
\nThe output should return something similar to the following:\n05 4 * * * root /usr/bin/aide --check | /bin/mail -s \"$(hostname) - AIDE Integrity Check\" root@localhost
\nThe email address that the notifications are sent to can be changed by overriding\n
.", "oval_external_content": null, "fixtext": "Configure the file integrity tool to run automatically on the system at least weekly and to notify designated personnel if baseline configurations are changed in an unauthorized manner.\nThe AIDE tool can be configured to email designated personnel with the use of the cron system.\n\nThe following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis.\n\n$ sudo more /etc/cron.daily/aide\n\n#!/bin/bash\n\n/usr/bin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil", "checktext": "", "vuldiscussion": "", "srg_requirement": "The Ubuntu 22.04 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure Notification of Post-AIDE Scan Details", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml", "template": null}