#!/bin/bash
#
# kate: tab-indents off; tab-width 4; indent-width 4;
#
# This file implements the following CIS controls
# --------------------------------------------------------------------
#  1.3.2 Ensure filesystem integrity is regularly checked
#----------------------------------------------------------------------


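set -euo pipefail

# Files this script modifies. Both are root-owned, hence the EUID check in
# main. NOTE: the crontab path is also spelled out literally inside the
# single-quoted augtool here-document below; keep the two in sync.
readonly AIDE_CONF=/etc/aide.conf
readonly ROOT_CRONTAB=/var/spool/cron/root

#######################################
# Print a message to stderr and abort the script.
# Arguments: the message words
#######################################
die() {
    printf '%s\n' "$*" >&2
    exit 1
}

#######################################
# Keep the volatile systemd journal out of the AIDE database (1.3.2).
# Globals:   AIDE_CONF (read; appended to when the rule is missing)
# Returns:   0 when the exclusion is present or was added. Exits via die
#            when AIDE_CONF does not exist: appending to a missing file
#            would create a "configuration" consisting of nothing but this
#            one exclusion rule, which is worse than failing loudly.
#######################################
exclude_journal_from_aide() {
    [[ -f "$AIDE_CONF" ]] || die "$AIDE_CONF not found; is AIDE installed?"
    # '!' and '/' are literal in an ERE. The anchored prefix match treats a
    # line such as '!/var/log/journal/' as already present, so an operator's
    # hand-edited variant is not duplicated.
    if ! grep -qE -- '^!/var/log/journal' "$AIDE_CONF"; then
        printf '%s\n' '!/var/log/journal' >>"$AIDE_CONF"
    fi
}

#######################################
# Install the root crontab entries for the periodic AIDE check (1.3.2)
# through Augeas, so that re-running the script is idempotent.
# Globals:   ROOT_CRONTAB (written by augtool via the Cron_user lens)
# Outputs:   augtool's stdout is discarded; its stderr stays visible
# Returns:   0 on success; exits via die when augtool is missing or
#            reports a failure (augtool is expected to signal failed
#            commands through a non-zero exit status — verify against the
#            installed augeas version if this never fires).
#######################################
install_aide_cron_entries() {
    command -v augtool >/dev/null || die 'augtool not found; is augeas installed?'

    # TODO:
    #   Need to launch a (background) script to populate the aide database

    # --backup keeps a copy of the previous crontab; --noautoload limits
    # augtool to the single lens/file declared by the 'transform' line.
    augtool --autosave --backup --noautoload >/dev/null <<'EOD' || die "augtool reported an error while updating $ROOT_CRONTAB"
    transform Cron_user.lns incl /var/spool/cron/root
    load

    ########################################################################
    # Ensure filesystem integrity is regularly checked (1.3.2)
    ########################################################################

    # Ensure the root crontab file exists
    set /files/var/spool/cron/root

    # Shh, we'll report directly to central monitoring, not via email
    set /files/var/spool/cron/root/MAILTO '""'


    # Ensure the aide --check entry exists and is set to the CIS mandated time
    defnode entry /files/var/spool/cron/root/entry[.="/usr/sbin/aide --check"] "/usr/sbin/aide --check"
    set $entry/time/minute     0
    set $entry/time/hour       5
    set $entry/time/dayofmonth *
    set $entry/time/month      *
    set $entry/time/dayofweek  *

    # The above entry is just for show (to AWS Inspector), we actually do the real work and monitoring here
    defnode entry /files/var/spool/cron/root/entry[.="/usr/libexec/ng-encis/update-aide-db"] "/usr/libexec/ng-encis/update-aide-db"
    set $entry/time/minute     45
    set $entry/time/hour       4
    set $entry/time/dayofmonth *
    set $entry/time/month      *
    set $entry/time/dayofweek  *


EOD
}

#######################################
# Entry point: apply CIS 1.3.2 (AIDE exclusion + root crontab entries).
# Both targets are root-owned, so refuse to run otherwise instead of
# failing halfway through with a partially applied configuration.
#######################################
main() {
    (( EUID == 0 )) || die 'this script must be run as root'
    exclude_journal_from_aide
    install_aide_cron_entries
}

main "$@"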

