STIGQter: STIG Summary: SUSE Linux Enterprise Server 15 Security Technical Implementation Guide, Version: 1, Release: 2, Benchmark Date: 23 Apr 2021

Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly.

DISA Rule

SV-234851r622137_rule

Vulnerability Number

V-234851

Group Title

SRG-OS-000363-GPOS-00150

Rule Version

SLES-15-010420

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the SUSE operating system to check the baseline configuration for unauthorized changes at least once weekly.

If the "aide" package is not installed, install it with the following command:

> sudo zypper in aide

Configure the file integrity tool to automatically run on the system at least weekly. The following example output is generic. It will set cron to run AIDE weekly, but other file integrity tools may be used:

> cat /etc/cron.weekly/aide
0 0 * * * /usr/sbin/aide --check | /bin/mail -s "aide integrity check run for <system name>" root@notareal.email

Check Contents

Verify the SUSE operating system checks the baseline configuration for unauthorized changes at least once weekly.

Note: A file integrity tool other than AIDE may be used, but the tool must be executed at least once per week.

Check to see if the "aide" package is installed on the system with the following command:

> zypper info aide | grep "Installed"

Installed: Yes

If the "aide" package is not installed, ask the SA how file integrity checks are performed on the system.

Check for the presence of a cron job running daily or weekly on the system that executes AIDE to scan for changes to the system baseline. The command used in the following example looks at the daily cron job:

Check the "/etc/cron" subdirectories for a "crontab" file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command:

> sudo grep -R aide /etc/crontab /etc/cron.*
/etc/crontab: 30 04 * * * /etc/aide

If the file integrity application does not exist, or a "crontab" file does not exist in "/etc/crontab", the "/etc/cron.daily" subdirectory, or "/etc/cron.weekly" subdirectory, this is a finding.
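
The cron check above, as an added example that is not part of the STIG text: it goes one step beyond grepping for "aide" by reading the schedule fields, so a monthly entry is not mistaken for a weekly one. The function names, the ROOT parameter and the sample tree are assumptions made for illustration; the sample crontab line is constructed.

```shell
# Added example, not part of the STIG. ROOT is a hypothetical parameter:
# "/" on a live host, a scratch tree when testing offline.
# Conservative test of one crontab schedule: passes only when day-of-month ($3)
# and month ($4) are both "*", or for a nickname that fires at least weekly.
schedule_is_weekly_or_better() {
    case "$1" in
        @hourly|@daily|@midnight|@weekly) return 0 ;;
        @*) return 1 ;;
    esac
    [ "$3" = "*" ] && [ "$4" = "*" ]
}

# Print one "OK"/"WEAK" evidence line per AIDE reference found under ROOT.
aide_schedule_evidence() {
    root="${1%/}"
    # Periodic directories: a script with the owner execute bit that mentions aide
    # (cron's directory runners skip files that are not executable).
    for f in "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* "$root"/etc/cron.weekly/*; do
        [ -f "$f" ] && [ -n "$(find "$f" -perm -100)" ] || continue
        grep -v '^[[:space:]]*#' "$f" | grep -q aide && echo "OK ${f#"$root"}"
    done
    # crontab-format files: the schedule fields decide.
    for f in "$root"/etc/crontab "$root"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        grep -v '^[[:space:]]*#' "$f" | grep aide |
        while read -r m h dom mon dow rest; do
            if schedule_is_weekly_or_better "$m" "$h" "$dom" "$mon" "$dow"; then
                echo "OK ${f#"$root"}: $m $h $dom $mon $dow"
            else
                echo "WEAK ${f#"$root"}: $m $h $dom $mon $dow"
            fi
        done
    done
    return 0
}

# Return 0 when some schedule is weekly or better, 1 when this is a finding.
aide_schedule_check() {
    evidence=$(aide_schedule_evidence "$1")
    [ -n "$evidence" ] && printf '%s\n' "$evidence"
    printf '%s\n' "$evidence" | grep -q '^OK '
}

# Constructed sample tree (not from a real host): a monthly entry in /etc/crontab.
make_sample_tree() {
    t=$(mktemp -d) && mkdir -p "$t/etc/cron.weekly"
    printf '15 3 1 * * root /usr/sbin/aide --check\n' > "$t/etc/crontab"
    echo "$t"
}
```

On a live host, call aide_schedule_check / as root. A WEAK line marks an entry that mentions AIDE but is not provably weekly and needs manual review.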

Documentable

False

Check Content Reference

M

Target Key

5274
