1.3.1 Ensure AIDE is installed

Information

AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system.

Rationale:

By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries.

Solution

Install AIDE using the appropriate package manager or manual installation:

# yum install aide

Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options.
Initialize AIDE:
Run the following commands:

# aide --init

# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

References:

AIDE stable manual: http://aide.sourceforge.net/stable/manual.html




Notes:

The prelinking feature can interfere with AIDE because it alters binaries to speed up their start up times. Run prelink -ua to restore the binaries to their prelinked state, thus avoiding false positives from AIDE.

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019



Vul ID: V-71975

Rule ID: SV-86599r2_rule

STIG ID: RHEL-07-020040

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, CSCv7|14.9

Plugin: Unix

Control ID: a63478a14441e591c25395449825cd1cab03f9327ba740b1cd52eab926888508