Configure Periodic Execution of AIDE

Classification:

compliance

Framework:

Control:

Description

At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:

05 4 * * * root /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check

To implement a weekly execution of AIDE at 4:05am every Sunday (0 in cron's day-of-week field) using cron, add the following line to /etc/crontab:

05 4 * * 0 root /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check

AIDE can be executed periodically through other means; this is merely one example. The usage of cron’s special time codes, such as @daily and @weekly is acceptable.

Rationale

By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system’s Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

    DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"
    # This script targets Debian/Ubuntu (apt-get), where the cron daemon
    # package is "cron"; "crontabs" is the RHEL package name and does not exist here.
    DEBIAN_FRONTEND=noninteractive apt-get install -y "cron"

    # AIDE usually adds its own cron job to /etc/cron.daily. If a script invoking
    # aide is already present in any /etc/cron.* directory, this rule is compliant.
    # Otherwise, copy the packaged script to /etc/cron.weekly.
    if ! grep -Eq '^(/usr/bin/)?aide(\.wrapper)?\s+' /etc/cron.*/* 2>/dev/null; then
        cp -f /usr/share/aide/config/cron.daily/aide /etc/cron.weekly/
    fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Ensure AIDE is installed
  package:
    name:
      # The cron daemon is installed below under its distribution-specific name;
      # "crontabs" is a RHEL package and would fail the play on Debian/Ubuntu.
      - aide
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.10.1.3
    - DISA-STIG-UBTU-20-010074
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-7
    - NIST-800-53-SI-7(1)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - aide_periodic_cron_checking
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Set cron package name - RedHat
  set_fact:
    cron_pkg_name: cronie
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - ansible_os_family == "RedHat" or ansible_os_family == "Suse"
  tags:
    - CJIS-5.10.1.3
    - DISA-STIG-UBTU-20-010074
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-7
    - NIST-800-53-SI-7(1)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - aide_periodic_cron_checking
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Set cron package name - Debian
  set_fact:
    cron_pkg_name: cron
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - ansible_os_family == "Debian"
  tags:
    - CJIS-5.10.1.3
    - DISA-STIG-UBTU-20-010074
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-7
    - NIST-800-53-SI-7(1)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - aide_periodic_cron_checking
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Install cron
  package:
    name: '{{ cron_pkg_name }}'
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.10.1.3
    - DISA-STIG-UBTU-20-010074
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-7
    - NIST-800-53-SI-7(1)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - aide_periodic_cron_checking
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Configure Periodic Execution of AIDE
  cron:
    name: run AIDE check
    minute: 5
    hour: 4
    weekday: 0
    user: root
    # aide.wrapper reads /etc/aide/aide.conf by default, so --config is not needed here
    job: /usr/bin/aide.wrapper --check
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.10.1.3
    - DISA-STIG-UBTU-20-010074
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-7
    - NIST-800-53-SI-7(1)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - aide_periodic_cron_checking
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy