documentation_complete: true


title: 'Configure Notification of Post-AIDE Scan Details'

description: |-
    AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
    If AIDE has already been configured for periodic execution in <tt>/etc/crontab</tt>, append the
    following line to the existing AIDE line:
    <pre> | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost</pre>
    Otherwise, add the following line to <tt>/etc/crontab</tt>:
    <pre>05 4 * * * root {{{ aide_bin_path }}} --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost</pre>
    AIDE can be executed periodically through other means; this is merely one example.

rationale: |-
    Unauthorized changes to the baseline configuration could make the system vulnerable
    to various attacks or allow unauthorized access to the operating system. Changes to
    operating system configurations can have unintended side effects, some of which may
    be relevant to security.
    <br /><br />
    Detecting such changes and providing an automated response can help avoid unintended,
    negative consequences that could ultimately affect the security state of the operating
    system. The operating system's Information Management Officer (IMO)/Information System
    Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or
    monitoring system trap when there is an unauthorized modification of a configuration item.

severity: medium

identifiers:
    cce@rhel8: CCE-82891-3
    cce@rhel9: CCE-90844-2
    cce@rhel10: CCE-90177-7
    cce@sle12: CCE-83048-9
    cce@sle15: CCE-91214-7
    cce@slmicro5: CCE-93722-7
    cce@slmicro6: CCE-94730-9

references:
    cis-csc: 1,11,12,13,15,16,2,3,5,7,8,9
    cobit5: BAI01.06,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.05,DSS05.07
    isa-62443-2009: 4.3.4.3.2,4.3.4.3.3
    isa-62443-2013: 'SR 6.2,SR 7.6'
    iso27001-2013: A.12.1.2,A.12.4.1,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1
    nist: CM-6(a),CM-3(5)
    nist-csf: DE.CM-1,DE.CM-7,PR.IP-1,PR.IP-3
    nist@sle12: SI-6d
    srg: SRG-OS-000363-GPOS-00150,SRG-OS-000446-GPOS-00200,SRG-OS-000447-GPOS-00201
    stigid@ol7: OL07-00-020040
    stigid@ol8: OL08-00-010360
    stigid@sle12: SLES-12-010510
    stigid@sle15: SLES-15-010570

ocil_clause: 'AIDE has not been configured or has not been configured to notify personnel of scan details'

ocil: |-
    To determine that periodic AIDE execution has been scheduled, run the following command:
{{% if product in ["sle15", "slmicro5", "slmicro6"] %}}
    <pre>$ sudo systemctl status  aidecheck-notify|grep loaded</pre>
    The output should return that the service is loaded.
    Also we should make sure that notification service is started by the check:
    <pre>$ sudo systemctl list-dependencies --reverse aidecheck-notify</pre>,
    which should display the aidecheck.service in the dependency tree
{{% else %}}
    <pre>$ grep aide /etc/crontab</pre>
    The output should return something similar to the following:
    <pre>05 4 * * * root {{{ aide_bin_path }}} --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost</pre>
    The email address that the notifications are sent to can be changed by overriding
    <pre><sub idref="var_aide_scan_notification_email" /></pre>.
{{% endif %}}

fixtext: |-
    Configure the file integrity tool to run automatically on the system at least weekly and to notify designated personnel if baseline configurations are changed in an unauthorized manner.
    The AIDE tool can be configured to email designated personnel with the use of the cron system.

    The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis.
{{% if product in ["sle15", "slmicro5", "slmicro6"] %}}
    $ cat > /etc/systemd/system/aidecheck-notify.service <<NOTIFYEOF
    [Unit]
        Description=Status email for AIDE check result
        After=aidecheck.service
        [Service]
        Type=forking
        ExecStart=/bin/sh -c 'cat /tmp/aide-report.log | /bin/mail -s "$(hostname) - AIDE Integrity Check"  $var_aide_scan_notification_email'
    NOTIFYEOF
{{% else %}}
    $ sudo more /etc/cron.daily/aide

    #!/bin/bash

    {{{ aide_bin_path }}} --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil
{{% endif %}}

srg_requirement: |-
    The {{{ full_name }}} file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency.