Configure AIDE To Notify Personnel if Baseline Configurations Are Altered

An XCCDF Rule

Description

The operating system file integrity tool must be configured to notify designated personnel of any changes to configurations.

Rationale

Detecting changes in the system can help avoid unintended, and negative consequences that could affect the security state of the operating system

ID: xccdf_org.ssgproject.content_rule_aide_disable_silentreports
Severity: Medium
References: CCI-001744 CCI-002702

SRG-OS-000363-GPOS-00150 SRG-OS-000447-GPOS-00201
Updated: 8 months ago

- name: Configure AIDE To Notify Personnel if Baseline Configurations Are Altered
  block:

  - name: Check for duplicate values
    lineinfile:
      path: ''      create: true
      regexp: ^\s*SILENTREPORTS=
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: 'Deduplicate values from '
    lineinfile:
      path: ''
      create: true
      regexp: ^\s*SILENTREPORTS=
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: 'Insert correct line to '
    lineinfile:
      path: ''
      create: true
      regexp: ^\s*SILENTREPORTS=
      line: SILENTREPORTS=no
      state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - aide_disable_silentreports
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "" ] ; then
    
    LC_ALL=C sed -i "/^\s*SILENTREPORTS=/Id" ""else
    touch ""
fi
# make sure file has newline at the end
sed -i -e '$a\' ""

cp "" ".bak"
# Insert at the end of the file
printf '%s\n' "SILENTREPORTS=no" >> ""
# Clean up after ourselves.
rm ".bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure AIDE To Notify Personnel if Baseline Configurations Are Altered

Description

Rationale

Remediation - Ansible

Remediation - Shell Script