Profile Applicability:
Level 1
Description:
Regularly verifying filesystem integrity helps detect unauthorized changes to system files, potential malware infections, or accidental corruption. Tools like AIDE or Tripwire compare current filesystem states against known baselines to alert administrators of discrepancies.
Rationale:
Automated integrity checks provide early detection of tampering or errors, enabling timely response and maintaining system trustworthiness.
Impact:
Pros:
Detects unauthorized modifications and potential security breaches.
Supports compliance with security policies and standards.
Cons:
Requires system resources for scanning and maintenance.
False positives may require investigation.
Default Value:
Filesystem integrity checking may not be configured or scheduled by default on many systems
Pre-requisites:
Root or sudo privileges to install, configure, and run integrity checking tools.
Initial baseline of filesystem state must be established.
Remediation:
Test Plan:
Using Linux command line:
Verify integrity checking tool is installed, e.g., AIDE:
rpm -q aide # RPM-based dpkg -l aide # Debian-based
Check that integrity checks are scheduled via cron or systemd timers.
Review recent integrity check reports/logs for alerts.
Implementation Plan:
Using Linux command line:
Install integrity checking tool if missing:
RPM-based:yum install aide -y
Debian-based:
apt install aide -y
Initialize the baseline database:
aide --init mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Schedule regular integrity checks using cron or systemd timers.
Configure alerting for integrity violations.
Backout Plan:
Using Linux command line:
Disable or remove integrity checking if it causes issues.
Revert to previous system state if false positives disrupt operations.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
AIDE Official Documentation