Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Designated personnel must be notified if baseline configurations are changed in an unauthorized manner.
Basically, this is saying that any aide findings need to be emailed to "designated personnel"
Code:
AIDE does not have a configuration that will send a notification, so the cron job uses the mail application on the system to email the results of the file integrity run as in the following example:
# more /etc/cron.daily/aide
0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil
If the file integrity application does not notify designated personnel of changes, this is a finding.
I am running aide. My cron job does not run /usr/sbin/aide. Instead, it runs a script (~root/cron/aide). If there are any findings, the script will e-mail the "authorized personnel".
I do not pipe the output of aide to the mail program.
My question:
Is this a legitimate finding (because I am not implementing aide as documented in the STIG), or is it a False Finding, because I am meeting the requirement?
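An added example of the kind of wrapper script the post describes (not the OP's ~root/cron/aide and not STIG text): it runs the AIDE check from cron, keeps the full report, and mails designated personnel only when the check reports changes or fails to run, so the notification requirement is met without piping AIDE straight into mail. The aide and mail paths, the log location and the recipient address are assumptions; the exit-code meanings are the ones documented in aide(1).

```shell
#!/bin/sh
# Added example, not the OP's script: a cron-driven wrapper around "aide --check"
# that mails designated personnel when the check reports changes or errors.
AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"                # assumed location
MAIL_BIN="${MAIL_BIN:-/bin/mail}"                     # assumed location
RECIPIENT="${RECIPIENT:-security@example.invalid}"    # placeholder address
REPORT="${REPORT:-/var/log/aide/check.$(date +%Y%m%d).log}"  # assumed path
HOST="${HOSTNAME:-$(uname -n)}"

# aide(1) documents the --check exit status as a bitmask:
# 1 = new files, 2 = removed files, 4 = changed files (summed when combined),
# so 0..7 are results; anything above 7 (14..19) is an error running the check.
classify_aide_status() {
    if [ "$1" -eq 0 ]; then echo clean
    elif [ "$1" -ge 8 ]; then echo error
    else echo findings
    fi
}

# Turn the bitmask into words for the mail subject, e.g. 5 -> "new changed".
describe_findings() {
    s="$1"; words=""
    [ $(( s & 1 )) -ne 0 ] && words="${words}new "
    [ $(( s & 2 )) -ne 0 ] && words="${words}removed "
    [ $(( s & 4 )) -ne 0 ] && words="${words}changed "
    echo "${words% }"
}

# Subject line for a given exit status; empty means nothing needs to be sent.
mail_subject_for() {
    case "$(classify_aide_status "$1")" in
        clean)    echo "" ;;
        error)    echo "$HOST - AIDE check FAILED (exit $1)" ;;
        findings) echo "$HOST - AIDE detected $(describe_findings "$1") files" ;;
    esac
}

# Run the check, keep the report on disk, and mail it only when warranted.
run_check_and_notify() {
    mkdir -p "$(dirname "$REPORT")"
    "$AIDE_BIN" --check >"$REPORT" 2>&1
    status=$?                                   # capture the bitmask before anything else
    subject="$(mail_subject_for "$status")"
    [ -n "$subject" ] && "$MAIL_BIN" -s "$subject" "$RECIPIENT" <"$REPORT"
    return "$status"
}

# Only perform the check when invoked with --run (e.g. from /etc/cron.daily).
if [ "${1:-}" = "--run" ]; then run_check_and_notify; fi
```

The report stays on disk even when nothing is mailed, which gives an assessor the evidence that the check actually ran on the days with no findings.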
One very simple thing that I do ... although I'm not looking for malicious acts, is to: "turn the directory into a git repository!"
This creates a hidden .git directory in the target location, and it immediately confers the full benefit of version control upon all of the files within the target directory and all subdirectories. Obviously, a determined intruder could guess that I had done this and could probably tamper with it, but "it sure has saved my bacon," a great many times, when it comes to ordinary system management tasks.
Quote:
Is this a legitimate finding (because I am not implementing aide as documented in the STIG), or is it a False Finding, because I am meeting the requirement?
The important sentence in STIG V-71975 is "If the file integrity application does not notify designated personnel of changes, this is a finding."
V-71975 suggests using AIDE, but this is not mandatory:
Quote:
Originally Posted by STIG V-71975
If AIDE is not installed, ask the SA how file integrity checks are performed on the system.
The cron job in the document is also just an example.
In other words, you are not bound to use AIDE or even cron, as long as some sort of file integrity check is done at regular intervals, and the results are mailed to "designated personnel."
Whether or not your solution meets the requirement, depends on the contents of your script. You say you're not piping the output from AIDE to the mail program, but are you including it in the alert e-mail by some other means? If the answer is yes, then I'm pretty confident it's a false finding.
Quote:
In other words, you are not bound to use AIDE or even cron, as long as some sort of file integrity check is done at regular intervals, and the results are mailed to "designated personnel."
Whether or not your solution meets the requirement, depends on the contents of your script. You say you're not piping the output from AIDE to the mail program, but are you including it in the alert e-mail by some other means? If the answer is yes, then I'm pretty confident it's a false finding.
I'm inclined to agree with you. However, I need some kind of documentation that says what you say. Some of the "Muckity-Mucks" need actual proof.
Can you point me to an official document that says this?
TIA