Advanced Intrusion Detection Environment (AIDE) must verify the baseline SLEM 5 configuration at least weekly.
An XCCDF Rule
Description
<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to SLEM 5. Changes to SLEM 5 configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of SLEM 5. SLEM 5's information system security manager (ISSM)/information system security officer (ISSO) and system administrator (SA) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-261407r996637_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure SLEM 5 to check the baseline configuration for unauthorized changes at least once weekly.
Add or modify the following line in the "/etc/cron.weekly/aide" file:
0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Weekly AIDE integrity check run" root@example_server_name.mil