mediumsystemunverified
Ensure AIDE uses only SHA-512 hashing
aide-sha512-hashing · RHEL ≥ 10 · 1 impl
Description
The AIDE file integrity tool must use SHA-512 (and no weaker algorithm such as md5/sha1/tiger/whirlpool) for its checksums.
Rationale
Weak hash algorithms in the integrity baseline allow undetected tampering via hash collisions.
Check → Remediate
Checkcommand
conf=/etc/aide.conf
[ -f "$conf" ] || { echo "FAIL: no /etc/aide.conf"; exit 1; }
if grep -iE '^[^#]*\b(md5|sha1|sha224|sha256|sha384|rmd160|tiger|whirlpool|haval|crc32|gost)\b' "$conf" >/dev/null 2>&1; then
echo "FAIL: AIDE config references a non-SHA-512 hash"; exit 1
fi
if ! grep -iE '^[^#]*\bsha512\b' "$conf" >/dev/null 2>&1; then echo "FAIL: AIDE does not use sha512"; exit 1; fi
echo "OK: AIDE uses sha512 only"; exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Configure AIDE rules in /etc/aide.conf to use sha512 and remove md5/sha1/other weak hashes.
Framework references
STIG
V-280979 / RHEL-10-200632
NIST 800-53
CM-6SI-7
#aide#integrity#crypto#stig