I'm looking at the man pages for AIDE.
Code:
# Here are all the things we can check - these are the default rules
#
#p: permissions
#ftype: file type
#i: inode
#n: number of links
#l: link name
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#I: ignore changed filename
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#crc32: crc32 checksum
#R: p+ftype+i+l+n+u+g+s+m+c+md5
#L: p+ftype+i+l+n+u+g
#E: Empty group
#>: Growing file p+ftype+l+u+g+i+n+S
#The following are available if you have mhash support enabled:
#gost: gost checksum
#whirlpool: whirlpool checksum
#The following are available and added to the default groups R, L and >
#only when explicitly enabled using configure:
#acl: access control list
#selinux: SELinux security context
#xattrs: extended file attributes
#e2fsattrs: file attributes on a second extended file system
# You can also create custom rules - my home made rule definition goes like this
#
MyRule = p+i+n+u+g+s+b+m+c+md5+sha1
https://aide.github.io/doc/#config
I don't see OwnerMode anywhere. So, unless you define it as a custom rule, it won't work.
UPDATE
The STIG says to run this command:
Code:
$ sudo egrep "[+]?acl" /etc/aide.conf
I ran it on my machine and I do not have the line 'VarFile = OwnerMode+n+l+X+acl'
Here is the rest of the text:
Code:
If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, is commented out, or ACLs are not being checked by another file integrity tool, this is a finding.
It is NOT saying you need to have the specific line 'VarFile = OwnerMode+n+l+X+acl' in your config file.
My grep shows something like this:
Code:
FIPSR=p+i+...+acl+...+sha256
ALL=FIPSR+acl+...
NORMAL=FIPSR+sha512
DIR=p+i+...+acl+...
and so on
Farther down in the config file, you'll see lines something like this:
Code:
/bin NORMAL
...
/etc/fstab NORMAL
Since the NORMAL rule contains the FIPSR rule, which contains the acl rule, anything with NORMAL is using the acl rule, which meets the requirement.
My scanner isn't smart enough to know this, so I always get a finding. I write it up as a false finding and show that the config file is correct.
Alternative
Add '+acl' to all of the lines that are supposed to have it. (Note, not all are. Ex. log files).
To do this, your config file would then look something like this:
Code:
/bin NORMAL+acl
...
/etc/fstab NORMAL+acl
Although, it's a bit of a PITA. If you do this, it is possible you'll get another finding that the aide.conf file was modified after install.
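An added example (my own code, not from the thread or from the AIDE project) that does what the post says the scanner doesn't: it expands AIDE group definitions transitively and reports the selection lines whose resolved rule does not include acl. The aide.conf fragment is constructed for the demo; handling of `-` for attribute removal follows my reading of aide.conf(5) and is an assumption.

```python
import re

# Constructed aide.conf fragment for the demo (not copied from any real system).
SAMPLE_CONF = """\
database_in=file:/var/lib/aide/aide.db.gz
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
ALL = FIPSR+sha512
NORMAL = FIPSR+sha512
DIR = p+i+n+u+g+acl+selinux+xattrs
LOG = p+u+g+n+S
/bin NORMAL
/etc/fstab NORMAL
/var/log LOG
!/var/log/lastlog
"""

# Built-in compound groups, taken from the AIDE default config quoted above.
BUILTIN = {"R": "p+ftype+i+l+n+u+g+s+m+c+md5",
           "L": "p+ftype+i+l+n+u+g", "E": "", ">": "p+ftype+l+u+g+i+n+S"}

def parse_conf(text):
    """Return (groups, selections): group name -> rule expression, and (path, rule) pairs."""
    groups, selections = dict(BUILTIN), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):           # blank, comment, or exclusion (carries no rule)
            continue
        m = re.match(r"^(\w+)\s*=\s*([^:/]+)$", line)  # group definition, not a database=file:... option
        if m:
            groups[m.group(1)] = m.group(2).strip()
            continue
        parts = line.lstrip("=").split()                # '=/path RULE' equals-lines carry a rule too
        if parts[0].startswith("/") and len(parts) == 2:
            selections.append((parts[0], parts[1]))
    return groups, selections

def expand(expr, groups, _stack=()):
    """Resolve a rule expression (e.g. 'NORMAL+acl' or 'R-md5') to its primitive attributes."""
    attrs = set()
    for sign, tok in re.findall(r"([+-]?)([^+-]+)", expr):
        if tok in _stack:
            raise ValueError(f"cyclic group definition: {tok}")
        members = expand(groups[tok], groups, _stack + (tok,)) if tok in groups else {tok}
        attrs = attrs - members if sign == "-" else attrs | members   # '-' removal: assumption, see lead-in
    return attrs

def selections_missing(text, attr="acl"):
    """List the (path, rule) selection lines whose fully expanded rule lacks `attr`."""
    groups, selections = parse_conf(text)
    return [(p, r) for p, r in selections if attr not in expand(r, groups)]

if __name__ == "__main__":
    for path, rule in selections_missing(SAMPLE_CONF):
        print(f"{path:<20} {rule:<12} (no acl after expansion)")
```

Run against the real /etc/aide.conf, only lines that truly lack acl after expansion are listed, so a NORMAL line is not flagged while a LOG line is.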