
Advanced Intrusion Detection Environment (AIDE) must verify the baseline SLEM 5 configuration at least weekly.


Overview

Finding ID: V-261407
Version: SLEM-05-651030
Rule ID: SV-261407r996637_rule
IA Controls:
Severity: Medium
Description
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to SLEM 5. Changes to SLEM 5 configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of SLEM 5. SLEM 5's information system security manager (ISSM)/information system security officer (ISSO) and system administrator (SA) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
STIG Date
SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide 2024-06-04

Details

Check Text (C-65136r996635_chk)
Verify SLEM 5 checks the baseline configuration using AIDE for unauthorized changes at least once weekly with the following command:

Note: A file integrity tool other than AIDE may be used, but the tool must be executed at least once per week.

> sudo grep -R aide /etc/crontab /etc/cron.*
/etc/crontab: 30 04 * * * root /usr/sbin/aide

If the file integrity application does not exist, or a "crontab" file does not exist in "/etc/crontab", the "/etc/cron.daily" subdirectory, or "/etc/cron.weekly" subdirectory, this is a finding.
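
The grep above also matches commented-out entries and jobs that run less often than weekly. The following shell function is an added example, not part of the STIG, that applies the same check while ignoring comment lines and inspecting the schedule fields. The function name aide_weekly_check and its optional alternate-root argument are assumptions, and the schedule test is deliberately conservative: it accepts a crontab entry only when day-of-month and month are both "*".

```shell
#!/bin/sh
# Added example (not from the STIG). Usage: aide_weekly_check [ALT_ROOT]
# ALT_ROOT is a hypothetical test hook; leave it empty to audit the live system.
aide_weekly_check() {
    root="${1:-}"

    # Finding if the file integrity application is not installed.
    [ -x "$root/usr/sbin/aide" ] || { echo "FINDING: aide not installed"; return 1; }

    # Scripts in cron.daily or cron.weekly run at least weekly by definition.
    for dir in cron.daily cron.weekly; do
        for f in "$root/etc/$dir"/*; do
            [ -f "$f" ] || continue
            # Drop comment lines so a disabled job does not count.
            if grep -v '^[[:space:]]*#' "$f" | grep -q 'aide'; then
                echo "OK: $f"; return 0
            fi
        done
    done

    # System crontab format: min hour day-of-month month day-of-week user command
    for f in "$root/etc/crontab" "$root/etc/cron.d"/*; do
        [ -f "$f" ] || continue
        if awk '
            /^[[:space:]]*#/ { next }            # skip comments
            !/aide/          { next }            # skip unrelated jobs
            $3 == "*" && $4 == "*" { ok = 1 }    # no day-of-month or month limit
            END { exit ok ? 0 : 1 }' "$f"; then
            echo "OK: $f"; return 0
        fi
    done

    echo "FINDING: no active aide job that runs at least weekly"
    return 1
}
```

An entry that restricts day-of-month or month is reported as a finding and should be reviewed by hand.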
Fix Text (F-65044r996636_fix)
Configure SLEM 5 to check the baseline configuration for unauthorized changes at least once weekly.

Add or modify the following line in the "/etc/cron.weekly/aide" file:

0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Weekly AIDE integrity check run" root@example_server_name.mil