Skip to content

6.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tool

Audit#

Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured. Run the following script to verify: - AIDE is configured to use cryptographic mechanisms to protect the integrity of audit tools: - The following audit tool files include the options "p, i, n, u, g, s, b, acl, xattrs and sha512" - auditctl - auditd - ausearch - aureport - autrace - augenrules

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#!/usr/bin/env bash
{
a_output=() a_output2=() l_tool_dir="$(readlink -f /sbin)"
a_items=("p" "i" "n" "u" "g" "s" "b" "acl" "xattrs" "sha512")
l_aide_cmd="$(whereis aide | awk '{print $2}')"
a_audit_files=("auditctl" "auditd" "ausearch" "aureport" "autrace" "augenrules")
if [ -f "$l_aide_cmd" ] && command -v "$l_aide_cmd" &>/dev/null; then
a_aide_conf_files=("$(find -L /etc -type f -name 'aide.conf')")
f_file_par_chk()
{
a_out2=()
for l_item in "${a_items[@]}"; do
! grep -Psiq -- '(\h+|\+)'"$l_item"'(\h+|\+)' <<< "$l_out" && \a_out2+=(" - Missing the \"$l_item\" option")
done
if [ "${#a_out2[@]}" -gt "0" ]; then
a_output2+=(" - Audit tool file: \"$l_file\"" "${a_out2[@]}")
else
a_output+=(" - Audit tool file: \"$l_file\" includes:" " \"${a_items[*]}\"")
fi
}
for l_file in "${a_audit_files[@]}"; do
if [ -f "$l_tool_dir/$l_file" ]; then
l_out="$("$l_aide_cmd" --config "${a_aide_conf_files[@]}" -p f:"$l_tool_dir/$l_file")"
f_file_par_chk
else
a_output+=(" - Audit tool file \"$l_file\" doesn't exist")
fi
done
else
a_output2+=(" - The command \"aide\" was not found" "Please install AIDE")
fi
if [ "${#a_output2[@]}" -le 0 ]; then
printf '%s\n' "" "- Audit Result:" " ** PASS **" "${a_output[@]}" ""
else
printf '%s\n' "" "- Audit Result:" " ** FAIL **" " - Reason(s) for audit failure:" "${a_output2[@]}"
[ "${#a_output[@]}" -gt 0 ] && printf '%s\n' "" "- Correctly set:" "${a_output[@]}" ""
fi
}

Note: The script is written to read the "winning" configuration setting, to include any configuration settings in files included as part of the @@x_include setting.

Remediation#

Run the following command to determine the absolute path to the non-symlinked version on the audit tools: 

# readlink -f /sbin

The output will be either /usr/sbin - OR - /sbin. Ensure the correct path is used. Edit /etc/aide/aide.conf and add or update the following selection lines replacing with the correct path returned in the command above: 

# Audit Tools
<PATH>/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
<PATH>/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
<PATH>/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
<PATH>/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
<PATH>/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
<PATH>/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512

Example: 

# printf '%s\n' "" "# Audit Tools" "$(readlink -f /sbin/auditctl)
p+i+n+u+g+s+b+acl+xattrs+sha512" "$(readlink -f /sbin/auditd)
p+i+n+u+g+s+b+acl+xattrs+sha512" "$(readlink -f /sbin/ausearch)
p+i+n+u+g+s+b+acl+xattrs+sha512" "$(readlink -f /sbin/aureport)
p+i+n+u+g+s+b+acl+xattrs+sha512" "$(readlink -f /sbin/autrace)
p+i+n+u+g+s+b+acl+xattrs+sha512" "$(readlink -f /sbin/augenrules)
p+i+n+u+g+s+b+acl+xattrs+sha512" >> /etc/aide/aide.conf

Note: - IF - /etc/aide/aide.conf includes a @@x_include statement: - and each executable config file must be owned by the current user or root - They must not be group or world-writable

Example: 

@@x_include /etc/aide.conf.d ^[a-zA-Z0-9_-]+$