AlmaLinux OS 9 must have the Advanced Intrusion Detection Environment (AIDE) package installed.

An XCCDF Rule

Description

Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality. Satisfies: SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200, SRG-OS-000363-GPOS-00150

ID: SV-269456r1050339_rule
Version: ALMA-09-045340
Severity: Medium
References: CCI-001744 CCI-002696 CCI-002699
Updated: about 2 months ago

Remediation Templates

Install AIDE, initialize it, and perform a manual check.

Install AIDE:

$ dnf install aide
Initialize AIDE:

$ /usr/sbin/aide --init

Example output:

Start timestamp: 2024-01-26 09:59:41 +0000 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries: 27922

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : p2o2MgLyXqLfsHGmHWR9nQ==
  SHA1     : C5R2JcZCSv3KRz0dMrcQ0JZdZV4=
  SHA256   : tUAG19G4gskBEfN+Z9pyVJi13rHA9f7P
             d9R5OivGk40=
  SHA512   : u26Um0w9hzsMmwZHNssCsmuxVqr9kBx+
             Qx+9UBNQCBXlmWFCbq2Yx88BPCU5s/qy
             njPIODmPRg4I09jxs5KYjw==


End timestamp: 2024-01-26 09:59:49 +0000 (run time: 0m 8s)

The new database will need to be renamed to be read by AIDE:

$ mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Perform a manual check:

$ /usr/sbin/aide --check

Example output:

Start timestamp: 2024-01-26 10:00:50 +0000 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

AlmaLinux OS 9 must have the Advanced Intrusion Detection Environment (AIDE) package installed.

Description

Remediation Templates

A Manual Procedure