ComplianceAsCode · dodys · Dec 5, 2023 · Jun 20, 2023 · Nov 28, 2023 · Nov 28, 2023
diff --git a/components/aide.yml b/components/aide.yml
@@ -6,6 +6,7 @@ packages:
 rules:
 - aide_build_database
 - aide_check_audit_tools
+- aide_disable_silentreports
 - aide_periodic_cron_checking
 - aide_periodic_checking_systemd_timer
 - aide_scan_notification

diff --git a/...ide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/rule.yml b/...ide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/rule.yml
@@ -0,0 +1,51 @@
+documentation_complete: true
+
+prodtype: ubuntu1804,ubuntu2004
+
+title: 'Configure AIDE To Notify Personnel if Baseline Configurations Are Altered'
+
+description: |-
+    The operating system file integrity tool must be configured to notify designated personnel of any changes to configurations.
+
+rationale: |-
+    Detecting changes in the system can help avoid unintended, and negative consequences
+    that could affect the security state of the operating system
+
+severity: medium
+
+references:
+    disa: "CCI-001744,CCI-002702"
+    srg: "SRG-OS-000447-GPOS-00201,SRG-OS-000363-GPOS-00150"
+    stigid@ubuntu2004: UBTU-20-010437
+
+ocil_clause: 'silentreports is enabled in aide default configuration, or is missing'
+
+ocil: |-
+    Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System Administrator
+    when anomalies in the operation of any security functions are discovered with the following command:
+    <pre># grep SILENTREPORTS {{{ aide_default_path }}} </pre>
+
+    SILENTREPORTS=no
+
+    If SILENTREPORTS is commented out, this is a finding.
+
+    If SILENTREPORTS is set to "yes", this is a finding.
+
+    If SILENTREPORTS is not set to "no", this is a finding.
+
+fixtext: |-
+    Configure the {{{ full_name }}} operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner.
+
+    Modify the "SILENTREPORTS" parameter in the "{{{ aide_default_path }}}" file with a value of "no" if it does not already exist.
+
+srg_requirement:
+    {{{ full_name }}} must notify designated personnel if baseline configurations are changed in an unauthorized manner.
+
+template:
+    name: key_value_pair_in_file
+    vars:
+      path: '{{{ aide_default_path }}}'
+      key: 'SILENTREPORTS'
+      value: 'no'
+      sep: '='
+      sep_regex: '='
diff --git a/...ftware/integrity/software-integrity/aide/aide_disable_silentreports/tests/correct.pass.sh b/...ftware/integrity/software-integrity/aide/aide_disable_silentreports/tests/correct.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = aide
+
+echo "SILENTREPORTS=no" >> /etc/default/aide
diff --git a/...ty/software-integrity/aide/aide_disable_silentreports/tests/wrong_multiple_values.fail.sh b/...ty/software-integrity/aide/aide_disable_silentreports/tests/wrong_multiple_values.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = aide
+
+FILE=/etc/default/aide
+
+echo "SILENTREPORTS=no" >> $FILE
+echo "SILENTREPORTS=wrong" >> $FILE
+
diff --git a/...re/integrity/software-integrity/aide/aide_disable_silentreports/tests/wrong_value.fail.sh b/...re/integrity/software-integrity/aide/aide_disable_silentreports/tests/wrong_value.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = aide
+
+FILE=/etc/default/aide
+
+if grep -q "^SILENTREPORTS=" $FILE; then
+    sed -i "s/^SILENTREPORTS=.*$/SILENTREPORTS=wrong/g" $FILE
+else
+    echo "SILENTREPORTS=wrong" >> $FILE
+fi
+
diff --git a/products/ubuntu2004/product.yml b/products/ubuntu2004/product.yml
@@ -22,6 +22,7 @@ oval_feed_url: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.fo
 
 aide_bin_path: "/usr/bin/aide.wrapper"
 aide_conf_path: "/etc/aide/aide.conf"
+aide_default_path: "/etc/default/aide"
 chrony_conf_path: "/etc/chrony/chrony.conf"
 
 cpes_root: "../../shared/applicability"

@@ -525,6 +525,7 @@ selections:
     - chronyd_sync_clock
 
     # UBTU-20-010437 The Ubuntu operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the System Administrator when changes to the baseline configuration or anomalies in the oper
+    - aide_disable_silentreports
 
     # UBTU-20-010438 The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
     - apt_conf_disallow_unauthenticated
@@ -566,6 +567,7 @@ selections:
     - aide_build_database
 
     # UBTU-20-010451 The Ubuntu operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the System Administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered.
+    # Same as UBTU-20-010437
 
     # UBTU-20-010453 The Ubuntu operating system must display the date and time of the last successful account logon upon logon.
     - display_login_attempts

@@ -2,6 +2,7 @@ aide_also_checks_audispd: 'yes'
 aide_also_checks_rsyslog: 'no'
 aide_bin_path: /usr/bin/aide.wrapper
 aide_conf_path: /etc/aide/aide.conf
+aide_default_path: /etc/default/aide
 audisp_conf_path: /etc/audit
 auid: 1000
 basic_properties_derived: true