{"description": "At a minimum, AIDE should be configured to run a weekly scan.\nTo implement a daily execution of AIDE at 4:05am using cron, add the following line to <tt>/etc/crontab</tt>:\n<pre>05 4 * * * root /usr/bin/aide --config /etc/aide/aide.conf --check</pre>\nTo implement a weekly execution of AIDE at 4:05am using cron, add the following line to <tt>/etc/crontab</tt>:\n<pre>05 4 * * 0 root /usr/bin/aide --config /etc/aide/aide.conf --check</pre>\nAIDE can be executed periodically through other means; this is merely one example.\nThe usage of cron's special time codes, such as  <tt>@daily</tt> and\n<tt>@weekly</tt> is acceptable.", "rationale": "By default, AIDE does not install itself for periodic execution. Periodically\nrunning AIDE is necessary to reveal unexpected changes in installed files.\n<br /><br />\nUnauthorized changes to the baseline configuration could make the system vulnerable\nto various attacks or allow unauthorized access to the operating system. Changes to\noperating system configurations can have unintended side effects, some of which may\nbe relevant to security.\n<br /><br />\nDetecting such changes and providing an automated response can help avoid unintended,\nnegative consequences that could ultimately affect the security state of the operating\nsystem. The operating system's Information Management Officer (IMO)/Information System\nSecurity Officer (ISSO) and System Administrators (SAs) must be notified via email and/or\nmonitoring system trap when there is an unauthorized modification of a configuration item.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "2", "3", "5", "7", "8", "9"], "cjis": ["5.10.1.3"], "cobit5": ["APO01.06", "BAI01.06", "BAI02.01", "BAI03.05", "BAI06.01", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS01.03", "DSS03.05", "DSS04.07", "DSS05.02", "DSS05.03", "DSS05.05", "DSS05.07", "DSS06.02", "DSS06.06"], "isa-62443-2009": ["4.3.4.3.2", "4.3.4.3.3", "4.3.4.4.4"], "isa-62443-2013": ["SR 3.1", "SR 3.3", "SR 3.4", "SR 3.8", "SR 4.1", "SR 6.2", "SR 7.6"], "iso27001-2013": ["A.11.2.4", "A.12.1.2", "A.12.2.1", "A.12.4.1", "A.12.5.1", "A.12.6.2", "A.14.1.2", "A.14.1.3", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.14.2.7", "A.15.2.1", "A.8.2.3"], "nist": ["SI-7", "SI-7(1)", "CM-6(a)"], "nist-csf": ["DE.CM-1", "DE.CM-7", "PR.DS-1", "PR.DS-6", "PR.DS-8", "PR.IP-1", "PR.IP-3"], "pcidss": ["Req-11.5"], "srg": ["SRG-OS-000363-GPOS-00150", "SRG-OS-000446-GPOS-00200", "SRG-OS-000447-GPOS-00201"], "anssi": ["R76"], "cis": ["6.1.2"], "pcidss4": ["11.5.2"], "stigid": ["UBTU-22-651025"], "stigref": ["SV-260585r958946_rule"]}, "control_references": {"anssi": ["R76"], "cis": ["6.1.2"], "pcidss4": ["11.5.2"], "stigid": ["UBTU-22-651025"]}, "components": [], "identifiers": {}, "ocil_clause": "AIDE is not configured to scan periodically", "ocil": "Verify the operating system routinely checks the baseline configuration for unauthorized changes.\n\nTo determine that periodic AIDE execution has been scheduled, run the following command:\n<pre>$ grep aide /etc/crontab</pre>\nThe output should return something similar to the following:\n<pre>05 4 * * * root /usr/bin/aide --config /etc/aide/aide.conf --check</pre>\n\nNOTE: The usage of special cron times, such as @daily or @weekly, is acceptable.", "oval_external_content": null, "fixtext": "Configure the file integrity to run at least weekly.\nEdit \"/etc/crontab\" and add or edit the following line:\n\n<pre>05 4 * * * root /usr/bin/aide --config /etc/aide/aide.conf --check</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must notify the system administrator when Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation of any security functions.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must routinely check the baseline configuration for unauthorized changes and notify the system administrator when anomalies in the operation of any security functions are discovered.", "vuldiscussion": "Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.\n\nNotifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights.\n\nThis capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection.", "checktext": "Verify that Ubuntu 22.04 routinely executes a file integrity scan for changes to the system baseline. The command used in the example will use a daily occurrence.\n\nCheck the cron directories for scripts controlling the execution and notification of results of the file integrity application. For example, if AIDE is installed on the system, use the following commands:\n\n$ sudo ls -al /etc/cron.* | grep aide\n\n-rwxr-xr-x 1 root root 29 Nov 22 2015 aide\n\n$ sudo grep aide /etc/crontab /var/spool/cron/root\n\n/etc/crontab: 30 04 * * * root usr/sbin/aide\n/var/spool/cron/root: 30 04 * * * root usr/sbin/aide\n\n$ sudo more /etc/cron.daily/aide\n\n#!/bin/bash\n/usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil\n\nIf the file integrity application does not exist, a script file controlling the execution of the file integrity application does not exist, or the file integrity application does not notify designated personnel of changes, this is a finding.", "fixtext": "Configure the file integrity tool to run automatically on the system at least weekly and to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system.\n\nThe following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis\n\n$ sudo more /etc/cron.daily/aide\n\n#!/bin/bash\n/usr/sbin/aide --check | /bin/mail -s \"$HOSTNAME - Daily aide integrity check run\" root@sysname.mil"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure Periodic Execution of AIDE", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml", "template": null}