1.3.2 Ensure filesystem integrity is regularly checked

Audit

Run the following commands to verify a cron job scheduled to run the aide check.

# grep -Prs '^([^#\n\r]+\h+)?(\/usr\/s?bin\/|^\h*)aide(\.wrapper)?\h+(--check|([^#\n\r]+\h+)?\$AIDEARGS)\b' /etc/cron.* /etc/crontab /var/spool/cron/

Ensure a cron job in compliance with site policy is returned.

OR

Run the following commands to verify that aidcheck.service and aidcheck.timer are enabled and aidcheck.timer is running

# systemctl is-enabled aidecheck.service
# systemctl is-enabled aidecheck.timer
# systemctl status aidecheck.timer

Remediation

If cron will be used to schedule and run aide check:

Run the following command:

# crontab -u root -e

Add the following line to the crontab:

0 5 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check

OR If aidecheck.service and aidecheck.timer will be used to schedule and run aide check:

Create or edit the file /etc/systemd/system/aidecheck.service and add the following lines:

[Unit]
Description=Aide Check
[Service]
Type=simple
ExecStart=/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check
[Install]
WantedBy=multi-user.target

Create or edit the file /etc/systemd/system/aidecheck.timer and add the following lines:

[Unit]
Description=Aide check every day at 5AM
[Timer]
OnCalendar=*-*-* 05:00:00
Unit=aidecheck.service
[Install]
WantedBy=multi-user.target

Run the following commands:

# chown root:root /etc/systemd/system/aidecheck.*
# chmod 0644 /etc/systemd/system/aidecheck.*
# systemctl daemon-reload
# systemctl enable aidecheck.service
# systemctl --now enable aidecheck.timer