AIDE provides integrity monitoring for files on a Linux system and can notify system administrators of changes to critical files and packages.
By default, AIDE will examine and monitor all of the files on a host unless
directories are added to its exclusion list. The security role sets directories
to exclude from AIDE monitoring via the aide_exclude_dirs
variable. this
list excludes the most common directories that change very often via automated
methods.
The security role skips the AIDE initialization step by default to avoid system disruption or a reduction in performance. Deployers should determine the best time to initialize the database that does not interfere with the system’s operations.
To initialize the AIDE database, set the following Ansible variable and re-apply the role:
security_rhel7_initialize_aide: true
Warning
Even with the excluded directories, the first AIDE initialization can take a long time on some systems. During this time, the CPU and disks are very busy.
All of the tasks for these STIG requirements are included in
tasks/rhel7stig/aide.yml
.
Initializing the AIDE database and completing the first AIDE run causes increased disk I/O and CPU usage for extended periods. Therefore, the AIDE database is not automatically initialized by the tasks in the security role.
Deployers can enable the AIDE database initialization within the security role by setting the following Ansible variable:
security_rhel7_initialize_aide: yes
The cron job for AIDE is configured to send emails to the root user after each AIDE run.
CentOS 7 and Red Hat Enterprise Linux 7 already deploy a very secure AIDE configuration that checks access control lists (ACLs) and extended attributes by default. No configuration changes are applied on these systems.
However, Ubuntu lacks the rules that include ACL and extended attribute checks. The tasks in the security role will add a small configuration block at the end of the AIDE configuration file to meet the requirements of this STIG, as well as V-72071.
openSUSE Leap and SUSE Linux Enterprise 12 also lack a rule to check ACLs and extended attributes. The default configuration file is adjusted to include those as well.
CentOS 7 and Red Hat Enterprise Linux 7 already deploy a very secure AIDE configuration that checks access control lists (ACLs) and extended attributes by default. No configuration changes are applied on these systems.
However, Ubuntu lacks the rules that include ACL and extended attribute checks. The tasks in the security role will add a small configuration block at the end of the AIDE configuration file to meet the requirements of this STIG, as well as V-72069.
openSUSE Leap and SUSE Linux Enterprise 12 also lack a rule to check ACLs and extended attributes. The default configuration file is adjusted to include those as well.
The default AIDE configuration in CentOS 7, Red Hat Enterprise Linux 7, openSUSE Leap and SUSE Linux Enterprise 12 already uses SHA512 to validate file contents and directories. No changes are required on these systems.
The tasks in the security role add a rule to end of the AIDE configuration on Ubuntu systems that uses SHA512 for validation.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.