diff --git a/doc/metadata/rhel7/RHEL-07-021600.rst b/doc/metadata/rhel7/RHEL-07-021600.rst
index e3c695b7..8bcdaf10 100644
--- a/doc/metadata/rhel7/RHEL-07-021600.rst
+++ b/doc/metadata/rhel7/RHEL-07-021600.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-021600
-status: not implemented
-tag: misc
+status: implemented
+tag: aide
 ---
-This STIG requirement is not yet implemented.
+CentOS 7 and Red Hat Enterprise Linux 7 already deploy a very secure AIDE
+configuration that checks access control lists (ACLs) and extended attributes
+by default. No configuration changes are applied on these systems.
+
+However, Ubuntu lacks the rules that include ACL and extended attribute checks.
+The tasks in the security role will add a small configuration block at the end
+of the AIDE configuration file to meet the requirements of this STIG, as well
+as RHEL-07-021610.
diff --git a/doc/metadata/rhel7/RHEL-07-021610.rst b/doc/metadata/rhel7/RHEL-07-021610.rst
index f4769a83..42951d52 100644
--- a/doc/metadata/rhel7/RHEL-07-021610.rst
+++ b/doc/metadata/rhel7/RHEL-07-021610.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-021610
-status: not implemented
-tag: misc
+status: implemented
+tag: aide
 ---
-This STIG requirement is not yet implemented.
+CentOS 7 and Red Hat Enterprise Linux 7 already deploy a very secure AIDE
+configuration that checks access control lists (ACLs) and extended attributes
+by default. No configuration changes are applied on these systems.
+
+However, Ubuntu lacks the rules that include ACL and extended attribute checks.
+The tasks in the security role will add a small configuration block at the end
+of the AIDE configuration file to meet the requirements of this STIG, as well
+as RHEL-07-021600.
diff --git a/doc/metadata/rhel7/RHEL-07-021620.rst b/doc/metadata/rhel7/RHEL-07-021620.rst
index 1de539c5..f1eed1b8 100644
--- a/doc/metadata/rhel7/RHEL-07-021620.rst
+++ b/doc/metadata/rhel7/RHEL-07-021620.rst
@@ -1,7 +1,12 @@
 ---
 id: RHEL-07-021620
-status: not implemented
-tag: misc
+status: implemented
+tag: aide
 ---
-This STIG requirement is not yet implemented.
+The default AIDE configuration in CentOS 7 and Red Hat Enterprise Linux 7
+already uses SHA512 to validate file contents and directories. No changes are
+required on these systems.
+
+The tasks in the security role add a rule to end of the AIDE configuration on
+Ubuntu systems that uses SHA512 for validation.
diff --git a/files/aide_extra.conf b/files/aide_extra.conf
new file mode 100644
index 00000000..5c8586f9
--- /dev/null
+++ b/files/aide_extra.conf
@@ -0,0 +1,14 @@
+# Rules borrowed from CentOS/RHEL AIDE configuration
+# (SELinux was removed for Ubuntu compatibility.)
+FIPSR = p+i+n+u+g+s+m+c+acl+xattrs+sha256
+NORMAL = FIPSR+sha512
+
+# The following two lines apply the NORMAL rule (above this line) to the
+# /bin and /sbin directories to meet the requirements of two STIG controls:
+#
+# RHEL-07-021600 - Verify ACLs
+# RHEL-07-021610 - Verify extended attributes
+#
+/bin NORMAL
+/sbin NORMAL
+
diff --git a/tasks/rhel7stig/aide.yml b/tasks/rhel7stig/aide.yml
index bf1840a2..6afceca7 100644
--- a/tasks/rhel7stig/aide.yml
+++ b/tasks/rhel7stig/aide.yml
@@ -82,3 +82,21 @@
 - medium
 - aide
 - RHEL-07-020140
+
+# NOTE(mhayden): CentOS/RHEL already provide a very strict AIDE configuration
+# that meets the requirements of RHEL-07-021600 and RHEL-07-021610. That config
+# is borrowed for Ubuntu 16.04 here.
+- name: Configure AIDE to verify additional properties
+blockinfile:
+dest: "{{ aide_conf }}"
+insertbefore: EOF
+marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
+block: "{{ lookup('file', 'aide_extra.conf') }}"
+when:
+- ansible_os_family | lower == 'ubuntu'
+tags:
+- low
+- aide
+- RHEL-07-021600
+- RHEL-07-021610
+- RHEL-07-021620
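Review bot: The comment block above `/bin NORMAL` lists only two STIG controls, but the task that installs this file in tasks/rhel7stig/aide.yml also tags RHEL-07-021620, and it is the `sha512` in `NORMAL = FIPSR+sha512` that satisfies that control; add a third entry to the list, `# RHEL-07-021620 - Verify file contents with SHA512`, so the file documents everything it is relied on for. The two selection lines are regular expressions matched from the start of the path, so `/bin` also covers any other path that begins with that string, which is probably acceptable but worth a one-line comment. Whether the Ubuntu AIDE build honours the `acl` and `xattrs` attributes, and how these lines interact with any rules Ubuntu already ships for the same directories, is not visible in this patch and should be confirmed on a 16.04 host before the controls are reported as implemented.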
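Review bot: The `when` condition `ansible_os_family | lower == 'ubuntu'` will not be true on Ubuntu hosts unless the role overrides that fact, because Ansible reports Ubuntu's `ansible_os_family` as `Debian` (`ansible_distribution` is the fact that holds `Ubuntu`); as written the block is never added, so the three STIG controls this task tags stay silently unimplemented on the platform the NOTE says it targets. Use `- ansible_distribution | lower == 'ubuntu'` (or `ansible_os_family | lower == 'debian'` if Debian derivatives should be covered too). Separately, `insertbefore: EOF` is not blockinfile's end-of-file sentinel — `EOF` is only special for `insertafter`, so here it is compiled as a regular expression and the block lands before the first line that happens to contain `EOF`, falling back to the end of the file only when nothing matches; dropping the key, or writing `insertafter: EOF`, gives the intended placement deterministically. A short comment on the condition would help the next reader, e.g. `# Ubuntu reports ansible_os_family == 'Debian'; match on the distribution fact instead`.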