LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-17-2021, 06:13 PM   #1
scottieH
Member
 
Registered: Mar 2021
Posts: 58

Do STIGs force implementation?


I'm running RHEL 7.9. Here's an example of what I'm asking:
RHEL-07-020040 V-71975
https://www.stigviewer.com/stig/red_...inding/V-71975

Designated personnel must be notified if baseline configurations are changed in an unauthorized manner.

Basically, this is saying that any aide findings need to be emailed to "designated personnel"
Code:
AIDE does not have a configuration that will send a notification, so the cron job uses the mail application on the system to email the results of the file integrity run as in the following example:

# more /etc/cron.daily/aide
0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil

If the file integrity application does not notify designated personnel of changes, this is a finding.
I am running aide. My cron job does not run /usr/sbin/aide. Instead, it runs a script (~root/cron/aide). If there are any findings, the script will e-mail the "authorized personnel".

I do not pipe the output of aide to the mail program.

My question:
Is this a legitimate finding (because I am not implementing aide as documented in the STIG), or is it a False Finding, because I am meeting the requirement?
 
Old 05-18-2021, 08:13 PM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,679
Blog Entries: 4

One very-simple thing that I do ... although I'm not looking for malicious acts, is to: "turn the directory into a git repository!"

This creates a hidden .git directory in the target location, and it immediately confers the full benefit of version control upon all of the files within the target directory and all subdirectories. Obviously, a determined intruder could guess that I had done this and could probably tamper with it, but "it sure has saved my bacon," a great many times, when it comes to ordinary system management tasks.
 
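The "turn the directory into a git repository" approach above can be made a little more tamper-resistant by keeping the repository outside the tracked tree instead of as a .git directory inside it. The following is an added example, not sundialsvcs' own script: the repository location, the tracked directory and the committer identity are assumptions. It records a baseline, lists every path whose content differs from that baseline using git's machine-readable porcelain status, and shows the content diff for tracked files.

```shell
#!/bin/sh
# Added example (not the poster's script): track a directory such as /etc with git
# for change detection, storing the repository OUTSIDE the tracked tree.  A ".git"
# directory inside the tree is the first thing a careful intruder would rewrite;
# a repository on a separate (ideally read-only or remote) filesystem is harder to
# tamper with silently.  All paths and the identity strings below are assumptions.

GIT_USER="${GIT_USER:-baseline-bot}"
GIT_MAIL="${GIT_MAIL:-baseline@localhost}"

# git wrapper: $1 = repository directory, $2 = tracked work tree, rest = git args.
# Runs from inside the tree so pathspecs and status output are tree-relative.
tracked_git() {
  repo=$1; tree=$2; shift 2
  case $repo in /*) ;; *) repo=$PWD/$repo ;; esac   # repo must survive the cd below
  ( cd "$tree" && git --git-dir="$repo" --work-tree="$tree" \
        -c user.name="$GIT_USER" -c user.email="$GIT_MAIL" \
        -c init.defaultBranch=main "$@" )
}

# Record the current content of directory $2 as the baseline in repository $1.
baseline_dir() {
  mkdir -p "$1"
  tracked_git "$1" "$2" init -q
  tracked_git "$1" "$2" add -A
  tracked_git "$1" "$2" commit -q --allow-empty -m "baseline $(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# Print every path that differs from the baseline, one per line, in git's
# porcelain format (" M" modified, " D" deleted, "??" new/untracked).
# Returns 0 when nothing changed, 1 when there is something to look at.
check_dir() {
  changes=$(tracked_git "$1" "$2" status --porcelain -uall)
  [ -z "$changes" ] && return 0
  printf '%s\n' "$changes"
  return 1
}

# Show the content differences for files that were in the baseline.  New files
# do not appear here; check_dir lists them as "??".
diff_dir() {
  tracked_git "$1" "$2" diff --no-color
}
```

A practitioner should keep two limits in mind: git records file content and the executable bit only, not ownership, mode or timestamps, so a chmod or chown on /etc/shadow is invisible to check_dir; and anyone with root on the host can commit over the baseline unless the repository lives where root on that host cannot write. For the ownership and permission side, AIDE remains the right tool.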
Old 05-18-2021, 08:42 PM   #3
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,347

Quote:
Originally Posted by scottieH View Post
Is this a legitimate finding (because I am not implementing aide as documented in the STIG), or is it a False Finding, because I am meeting the requirement?
The important sentence in STIG V-71975 is "If the file integrity application does not notify designated personnel of changes, this is a finding."

V-71975 suggests using AIDE, but this is not mandatory:
Quote:
Originally Posted by STIG V-71975
If AIDE is not installed, ask the SA how file integrity checks are performed on the system.
The cron job in the document is also just an example.

In other words, you are not bound to use AIDE or even cron, as long as some sort of file integrity check is done at regular intervals, and the results are mailed to "designated personnel."

Whether or not your solution meets the requirement depends on the contents of your script. You say you're not piping the output from AIDE to the mail program, but are you including it in the alert e-mail by some other means? If the answer is yes, then I'm pretty confident it's a false finding.

Last edited by Ser Olmy; 05-18-2021 at 08:47 PM.
 
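The script scottieH describes in post #1 and the condition Ser Olmy points to in post #3 ("does not notify designated personnel of changes") can be put together in one cron script. The following is an added example, not the poster's ~root/cron/aide script and not the STIG's own cron line; every path, the recipient address and the variable names are assumptions. One caveat the STIG's example glosses over: on RHEL 7, /etc/cron.daily holds scripts that run-parts executes, whereas the "0 0 * * *" prefix is crontab syntax, so a file combining the two as quoted above would fail when run-parts tried to execute it. The example is therefore written as a run-parts script. AIDE reports its result through the exit status (0 for no differences, 1 to 7 as a bitmask of added, removed and changed files, higher values for errors), so the script decides from the exit status rather than by grepping the report, keeps the complete report on disk, and mails it whenever something needs attention.

```shell
#!/bin/sh
# Added example: daily AIDE integrity check that notifies designated personnel.
# Install as /etc/cron.daily/aide-check (hypothetical name) so run-parts executes
# it once a day; it is an ordinary script, not a crontab line.
# Every path, address and variable name below is an assumption for illustration.

AIDE="${AIDE:-/usr/sbin/aide}"              # AIDE binary, RHEL 7 package location
MAIL="${MAIL:-/bin/mail}"                   # mailx-compatible mail client
RECIPIENT="${RECIPIENT:-root@sysname.mil}"  # designated personnel; address from the STIG text
REPORT="${REPORT:-/var/log/aide/aide-check-$(date +%Y%m%d).log}"
MAIL_ON_CLEAN="${MAIL_ON_CLEAN:-no}"        # "yes" = also mail clean reports (daily heartbeat)

# Map aide(1) exit status to a category.  AIDE returns 0 when nothing differs,
# a bitmask between 1 and 7 when files were added (1), removed (2) or changed (4),
# and a value above 7 for errors such as an unreadable database or a bad config.
aide_classify() {
  case "$1" in
    0)             echo clean ;;
    1|2|3|4|5|6|7) echo changed ;;
    *)             echo error ;;
  esac
}

# Subject line for the notification; $1 = category, $2 = raw exit status.
aide_subject() {
  host=$(uname -n)
  case "$1" in
    changed) echo "$host - AIDE integrity check: CHANGES DETECTED" ;;
    error)   echo "$host - AIDE integrity check FAILED (exit $2)" ;;
    *)       echo "$host - AIDE integrity check: no changes" ;;
  esac
}

# Run the check, keep the complete report on disk, and mail that report whenever
# there is something to act on.  Prints a one-line summary (which cron mails to
# MAILTO/root) and returns 0 = clean, 1 = changes reported, 2 = AIDE error.
run_aide_check() {
  mkdir -p "$(dirname "$REPORT")"
  status=0
  "$AIDE" --check >"$REPORT" 2>&1 || status=$?
  class=$(aide_classify "$status")

  if [ "$class" != clean ] || [ "$MAIL_ON_CLEAN" = yes ]; then
    "$MAIL" -s "$(aide_subject "$class" "$status")" "$RECIPIENT" <"$REPORT"
    echo "aide-check: $class (aide exit $status), report $REPORT mailed to $RECIPIENT"
  else
    echo "aide-check: clean (aide exit 0), report kept at $REPORT, no mail sent"
  fi

  case "$class" in
    clean)   return 0 ;;
    changed) return 1 ;;
    *)       return 2 ;;
  esac
}

# Run the check only when executed as the cron script named above; sourcing the
# file just defines the functions, so they can be exercised without AIDE installed.
if [ "${0##*/}" = aide-check ]; then
  run_aide_check
fi
```

Install the file as root with mode 0700. The exit status (1 for changes, 2 for an AIDE error) lets a wrapper or a monitoring agent pick the result up as well, and setting MAIL_ON_CLEAN=yes gives the designated personnel a daily heartbeat so that a check which silently stops running is noticed. The dated report on disk, together with the mail, is the evidence an assessor will ask for when deciding whether the notification requirement is met.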
Old 05-19-2021, 12:16 PM   #4
scottieH
Member
 
Registered: Mar 2021
Posts: 58

Original Poster
I agree, but ...

Quote:
Originally Posted by Ser Olmy View Post
In other words, you are not bound to use AIDE or even cron, as long as some sort of file integrity check is done at regular intervals, and the results are mailed to "designated personnel."

Whether or not your solution meets the requirement, depends on the contents of your script. You say you're not piping the output from AIDE to the mail program, but are you including it in the alert e-mail by some other means? If the answer is yes, then I'm pretty confident it's a false finding.
I'm inclined to agree with you. However, I need some kind of documentation that says what you say. Some of the "Muckity-Mucks" need actual proof.

Can you point me to an official document that says this?
TIA
 
Tags
aide, linux, stig