Configure AIDE To Notify Personnel if Baseline Configurations Are Altered

An XCCDF Rule

Description

The operating system file integrity tool must be configured to notify designated personnel of any changes to configurations.

Rationale

Detecting changes in the system can help avoid unintended, and negative consequences that could affect the security state of the operating system

ID: xccdf_org.ssgproject.content_rule_aide_disable_silentreports
Severity: Medium
References: CCI-001744 CCI-002702

SRG-OS-000363-GPOS-00150 SRG-OS-000447-GPOS-00201
Updated: 11 months ago

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}
' 'kernel' 2>/dev/null | grep -q installed; then

if [ -e "" ] ; then
        LC_ALL=C sed -i "/^\s*SILENTREPORTS=/Id" ""
else
    touch ""
fi
# make sure file has newline at the end
sed -i -e '$a\' ""

cp "" ".bak"
# Insert at the end of the file
printf '%s\n' "SILENTREPORTS=no" >> ""
# Clean up after ourselves.
rm ".bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - aide_disable_silentreports
  - configure_strategy  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Configure AIDE To Notify Personnel if Baseline Configurations Are Altered
  block:

  - name: Check for duplicate values
    lineinfile:
      path: ''
      create: true
      regexp: (?i)^\s*SILENTREPORTS=
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: 'Deduplicate values from '
    lineinfile:
      path: ''
      create: true
      regexp: (?i)^\s*SILENTREPORTS=
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: 'Insert correct line to '
    lineinfile:
      path: ''
      create: true
      regexp: (?i)^\s*SILENTREPORTS=
      line: SILENTREPORTS=no
      state: present
  when: '"kernel" in ansible_facts.packages'
  tags:
  - aide_disable_silentreports
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

Configure AIDE To Notify Personnel if Baseline Configurations Are Altered

Description

Rationale

Remediation - Shell Script

Remediation - Ansible