Installing Advanced Intrusion Detection Environment (AIDE)

Benchmark 1.3.1 concerns the installation of Advanced Intrusion Detection Environment (AIDE)—a modern replacement for the venerable Tripwire utility that can scan the filesystem and checksum all the files, thus providing a reliable way of detecting modifications to the filesystem.

On the face of it, installing and using AIDE is a very good idea—however, if you have an environment with 100 machines in it and you update all of them, you will get 100 reports, each containing details of a large number of file changes. There are other solutions to this problem, including the open source OSSEC project (https://www.ossec.net/), but this is not checked for as part of the CIS Benchmark and so it is left for you to decide what the right solution is for your enterprise.

This, of course, is not to say that AIDE should not be used—far from it. Rather, it is to say that, if you choose to use AIDE, make sure you have processes in place to process and understand the reports, and to ensure that you can distinguish false positives (for example, a change in the checksum of a binary due to a package update) from genuinely malicious and unexpected modifications (for example, /bin/ls changes even though no package update has been performed).
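To make the triage process concrete, here is an added example (not code from the book or from the AIDE project) that does what the paragraph above asks for: it takes one AIDE summary per host, subtracts the paths that a package update in the same maintenance window is known to have written, and leaves a short list of unexplained changes per host so that a fleet of reports collapses into something a person can act on. Both the report text and the package-update file lists are constructed samples; the `changed: /path` lines are modelled on the older AIDE summary format, and in a real deployment the inputs would come from `aide --check` output and the package manager's transaction history.

```python
"""Triage AIDE change reports against recent package updates.

Added example, not from the book or the AIDE project. The report text and the
package-update file sets below are constructed samples; real inputs would be
the output of `aide --check` and the package manager's transaction log.
"""
import re
from collections import defaultdict

# Constructed sample: the summary sections printed by an AIDE check, one per host.
REPORTS = {
    "web01": """\
Summary:
  Total number of files:  10492
  Added files:            1
  Removed files:          0
  Changed files:          3

---------------------------------------------------
Added files:
---------------------------------------------------
added: /usr/local/bin/unexpected
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /usr/bin/curl
changed: /usr/lib64/libcurl.so.4.8.0
changed: /bin/ls
""",
    "web02": """\
Summary:
  Total number of files:  10490
  Added files:            0
  Removed files:          0
  Changed files:          2

---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /usr/bin/curl
changed: /usr/lib64/libcurl.so.4.8.0
""",
}

# Constructed sample: files written by package updates applied in the same
# window (in practice derived from e.g. `dnf history info` or /var/log/dpkg.log
# plus `rpm -ql` / `dpkg -L` on the updated packages).
PACKAGE_UPDATED_FILES = {
    "web01": {"/usr/bin/curl", "/usr/lib64/libcurl.so.4.8.0"},
    "web02": {"/usr/bin/curl", "/usr/lib64/libcurl.so.4.8.0"},
}

# One entry per line: "added: /path", "removed: /path" or "changed: /path".
ENTRY_RE = re.compile(r"^(added|removed|changed):\s+(\S+)$", re.M)


def parse_report(text):
    """Return {kind: set(paths)} for the added/removed/changed entries in a report."""
    entries = defaultdict(set)
    for kind, path in ENTRY_RE.findall(text):
        entries[kind].add(path)
    return entries


def triage(report_text, pkg_files):
    """Split one host's changes into those explained by a package update and the rest.

    Any path the package transaction touched is treated as explained, whatever
    AIDE classified it as; everything else needs a human to look at it.
    """
    entries = parse_report(report_text)
    all_paths = entries["added"] | entries["removed"] | entries["changed"]
    explained = all_paths & pkg_files
    return {"explained": explained, "unexplained": all_paths - explained}


def triage_fleet(reports, pkg_files_by_host):
    """Collapse many per-host reports into one {host: triage result} mapping."""
    return {
        host: triage(text, pkg_files_by_host.get(host, set()))
        for host, text in reports.items()
    }


def hosts_needing_review(fleet_result):
    """Return the sorted list of hosts that still have unexplained changes."""
    return sorted(h for h, r in fleet_result.items() if r["unexplained"])


if __name__ == "__main__":
    result = triage_fleet(REPORTS, PACKAGE_UPDATED_FILES)
    for host in hosts_needing_review(result):
        print(f"{host}: review {sorted(result[host]['unexplained'])}")
```

Run against the constructed data, `web02` drops out entirely because both of its changes are accounted for by the curl update, while `web01` is reduced to the two paths that matter: `/bin/ls`, which changed without any package touching it, and an added file under `/usr/local/bin`. The package-file set is the important input here; if it is not kept accurate (for example by recording it from the same automation that applies updates), every update will show up as unexplained and the reports become noise again.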

Having looked at whether AIDE is a viable tool to install on your Linux infrastructure, we will proceed to look at how the CIS Benchmarks impact the default configuration of services at boot time.
