sandevistan-server-hardening / CIS_Ubuntu_22.04_LTS_Benchmark_v1.0.0

Audit script based on CIS Ubuntu 22.04 LTS Benchmark v1.0.0
MIT License

1.3.2 Ensure filesystem integrity is regularly checked #58

Open scfast opened 1 year ago

scfast commented 1 year ago

Profile Applicability: Level 1 - Server, Level 1 - Workstation

Description: Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.

Rationale: Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion.

Audit: Run the following commands to verify a cron job scheduled to run the aide check.

# grep -Prs '^([^#\n\r]+\h+)?(\/usr\/s?bin\/|^\h*)aide(\.wrapper)?\h+(--check|([^#\n\r]+\h+)?\$AIDEARGS)\b' /etc/cron.* /etc/crontab /var/spool/cron/

Ensure a cron job in compliance with site policy is returned.

OR

Run the following commands to verify that aidecheck.service and aidecheck.timer are enabled and aidecheck.timer is running:

# systemctl is-enabled aidecheck.service
# systemctl is-enabled aidecheck.timer
# systemctl status aidecheck.timer

References:

  1. https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.service
  2. https://github.com/konstruktoid/hardening/blob/master/config/aidecheck.timer

Additional Information:

The checking in this recommendation occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy.

systemd timers, timer file aidecheck.timer and service file aidecheck.service, have been included as an optional alternative to using cron.

Ubuntu advises using /usr/bin/aide.wrapper rather than calling /usr/bin/aide directly in order to protect the database and prevent conflicts.
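The audit steps in the comment above, combined into one scripted check. This is an added example, not code from this repository or from the CIS benchmark; the function names and the optional ROOT prefix are assumptions, and `systemctl is-active` is used here as a scriptable stand-in for reading `systemctl status` output.

```shell
#!/bin/sh
# Added example (not the repository's code): scripted audit for CIS 1.3.2.

# PCRE copied unchanged from the audit step above; needs GNU grep with -P.
AIDE_CRON_RE='^([^#\n\r]+\h+)?(\/usr\/s?bin\/|^\h*)aide(\.wrapper)?\h+(--check|([^#\n\r]+\h+)?\$AIDEARGS)\b'

# aide_cron_scheduled PATH...
# Succeeds when an uncommented cron entry under PATH... runs an aide check.
# -r recurses, -s hides missing-path errors, -q stops at the first hit.
# Entries that put other options before --check do not match this pattern.
aide_cron_scheduled() {
    grep -Prsq -- "$AIDE_CRON_RE" "$@"
}

# Succeeds when both units are enabled and the timer is active.
aide_timer_scheduled() {
    command -v systemctl >/dev/null 2>&1 || return 1
    systemctl is-enabled --quiet aidecheck.service 2>/dev/null &&
        systemctl is-enabled --quiet aidecheck.timer 2>/dev/null &&
        systemctl is-active --quiet aidecheck.timer 2>/dev/null
}

# audit_1_3_2 [ROOT]
# ROOT is an assumed optional prefix for auditing a mounted image or a test
# tree; systemd is only queried for the live system (no ROOT given).
audit_1_3_2() {
    root="${1:-}"
    if aide_cron_scheduled "$root"/etc/cron.* "$root/etc/crontab" "$root/var/spool/cron/"; then
        echo "PASS 1.3.2: cron job runs aide check"
        return 0
    fi
    if [ -z "$root" ] && aide_timer_scheduled; then
        echo "PASS 1.3.2: aidecheck.service and aidecheck.timer enabled, timer active"
        return 0
    fi
    echo "FAIL 1.3.2: no scheduled aide check found"
    return 1
}
```

Call `audit_1_3_2` with no argument, as root, to audit the running system; the exit status is 0 on pass and 1 on fail.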