RHEL-83776

Default aide.conf file is not aligned with RHEL standards


    • aide-0.19.2-4.el9
    • Low
    • rhel-security-special-projects
    • ssg_security
    • Rebase
      Version: 0.19.2
      List of highlights:
      1. Security Updates: Fixed two security bugs (CVE-2025-54389 and CVE-2025-54409)
      2. Major Library Change: Switched the underlying cryptographic library from libmhash to libnettle
      3. Backwards incompatible changes: the configuration options database, summarize_changes, and grouped have been removed and replaced with new names (database_in, report_summarize_changes, and report_grouped).
      4. Default Configuration Update: The outdated default aide.conf file was completely refreshed with new attributes and rules, requiring users to review and integrate these changes.
      5. New Logging and Reporting System: The old --verbose and verbose options were removed. New, more flexible log_level and report_level options were introduced, along with named log levels for better debugging.
      6. New File Attributes and Hashsums: Added support for Linux capabilities and restricted rules based on file system type (fstype attribute).
      7. Improved Command-line Tools: Added the --dry-init command to test initial database creation without writing the file, and the --path-check command to test rule matching.

      All detailed changes, including numerous smaller bug fixes and improvements, can be found in the documentation file at /usr/share/doc/aide/NEWS.

      What were you trying to do that didn't work?

      Our customers expect that the default /etc/aide.conf will handle standard RHEL installations, but in fact it does not; there are multiple issues, such as the ones below:

      1. Log files are expected to grow
        Logs in /var/log have the following rule:
        LOG = p+u+g+n+S+acl+selinux+xattrs
        /var/log LOG+ANF+ARF

        The rule above allows creation and deletion of new files, but LOG enforces files to be *growing* (S), which is not true when logrotate is installed on the system.

      2. Persistent journal files are not handled correctly
        The persistent journal is stored in /var/log/journal, hence falls under the LOG rule.
        Unfortunately, since some minor release of RHEL9, the journal files get an extended attribute user.crtime_usec which updates when the file rotates.
        I think that a new rule has to be crafted for the journal, e.g.
        /var/log/journal LOG+ANF+ARF-S-xattrs
        

      What is the impact of this issue to you?

      Compliance issues.

      Please provide the package NVR for which the bug is seen:

      aide-0.16-102.el9

      How reproducible is this bug?:

      Always

      Steps to reproduce (for the journal)

      1. Create /var/log/journal directory and reboot for changes to take effect
      2. Execute aide --init and save the new database as the reference
      3. Rotate the journal
        # journalctl --rotate
      4. Execute aide --check

      Expected results

      No diff found

      Actual results

      File: /var/log/journal/b5af1fc93c0a4c7eae36e167138931d5/system.journal
        XAttrs   : num=1                            | num=1
                   [1] user.crtime_usec <=> pE2614g | [1] user.crtime_usec <=> UBje9Ig
                   wBgA=                            | wBgA=
      

      Steps to reproduce (for standard logs)

      1. Execute aide --init and save the new database as the reference
      2. Rotate the logs
        # logrotate -f /etc/logrotate.conf
      3. Execute aide --check

      Expected results

      No diff found

      Actual results

      File: /var/log/firewalld
        Size     : 759                              | 0
      
      File: /var/log/wtmp
        Size     : 100224                           | 0
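As an added illustration (not part of the report and not AIDE's own code), a small Python lint that resolves AIDE group definitions and flags the two mismatches described above: a /var/log rule that still demands a growing size (S) and a journal rule that still tracks xattrs. The AFTER rules, including the assumed LOG+ANF+ARF-S line for /var/log, are a constructed fix, and the OPTIONS key list is a partial, hand-picked set.

```python
import re
# Constructed samples: the report's rules (BEFORE) and an assumed fix (AFTER).
BEFORE = """
LOG = p+u+g+n+S+acl+selinux+xattrs
/var/log LOG+ANF+ARF
"""
AFTER = """
LOG = p+u+g+n+S+acl+selinux+xattrs
/var/log/journal LOG+ANF+ARF-S-xattrs
/var/log LOG+ANF+ARF-S
"""
# Partial list of aide.conf option keys so that "key=value" lines are not
# mistaken for group definitions (names from the report plus a few well-known ones).
OPTIONS = {"database", "database_in", "database_out", "database_new", "report_url",
           "log_level", "report_level", "verbose", "summarize_changes", "grouped",
           "report_summarize_changes", "report_grouped", "gzip_dbout"}

def resolve(expr, groups):
    """Expand 'A+b-c' into atomic attributes, substituting known group names."""
    attrs = set()
    for sign, token in re.findall(r"([+-]?)([A-Za-z0-9_]+)", expr):
        members = groups.get(token, {token})
        attrs = attrs - members if sign == "-" else attrs | members
    return attrs

def parse_aide_conf(text):
    """Return (groups, selections): group name -> attribute set, and a list of
    (path, attribute set) for selection lines, with any !/= prefix stripped."""
    groups, selections = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=\s*([\w+-]+)$", line)
        if m and m.group(1) not in OPTIONS:
            groups[m.group(1)] = resolve(m.group(2), groups)
        elif line and line[0] in "/!=" and len(line.split()) == 2:
            path, expr = line.split()
            selections.append((path.lstrip("!="), resolve(expr, groups)))
    return groups, selections

def lint_log_rules(text):
    """Flag /var/log rules that still demand a growing size (S) and journal rules
    that still track xattrs (user.crtime_usec changes on every rotation)."""
    findings = []
    for path, attrs in parse_aide_conf(text)[1]:
        if path.startswith("/var/log") and "S" in attrs:
            findings.append((path, "S conflicts with logrotate truncation"))
        if path.startswith("/var/log/journal") and "xattrs" in attrs:
            findings.append((path, "xattrs change when the journal rotates"))
    return findings
```

Running lint_log_rules on a real /etc/aide.conf before `aide --init` shows which selection lines will produce the spurious Size and XAttrs diffs from the reproduction steps.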
      

              rh-ee-alakatos Attila Lakatos
              rhn-support-rmetrich Renaud Métrich
              SSG Security QE