Configure AIDE To Notify Personnel if Baseline Configurations Are Altered

An XCCDF Rule

Description

The operating system file integrity tool must be configured to notify designated personnel of any changes to configurations.

Rationale

Detecting changes in the system can help avoid unintended, and negative consequences that could affect the security state of the operating system

ID: xccdf_org.ssgproject.content_rule_aide_disable_silentreports
Severity: Medium
References: CCI-001744 CCI-002702

SRG-OS-000363-GPOS-00150 SRG-OS-000447-GPOS-00201

UBTU-20-010451

SV-238372r853449_rule
Updated: 10 months ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-UBTU-20-010451
  - aide_disable_silentreports  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Configure AIDE To Notify Personnel if Baseline Configurations Are Altered
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/default/aide
      create: true
      regexp: (?i)^\s*SILENTREPORTS=
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/default/aide
    lineinfile:
      path: /etc/default/aide
      create: true
      regexp: (?i)^\s*SILENTREPORTS=
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/default/aide
    lineinfile:
      path: /etc/default/aide
      create: true
      regexp: (?i)^\s*SILENTREPORTS=
      line: SILENTREPORTS=no
      state: present
  when: '"kernel" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-20-010451
  - aide_disable_silentreports
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}
' 'kernel' 2>/dev/null | grep -q installed; then

if [ -e "/etc/default/aide" ] ; then
        LC_ALL=C sed -i "/^\s*SILENTREPORTS=/Id" "/etc/default/aide"
else
    touch "/etc/default/aide"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/default/aide"

cp "/etc/default/aide" "/etc/default/aide.bak"
# Insert at the end of the file
printf '%s\n' "SILENTREPORTS=no" >> "/etc/default/aide"
# Clean up after ourselves.
rm "/etc/default/aide.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure AIDE To Notify Personnel if Baseline Configurations Are Altered

Description

Rationale

Remediation - Ansible

Remediation - Shell Script