File Integrity Monitoring

Monitor file changes with AIDE, Tripwire, and other FIM tools.

Last updated: 2025-01-15

Detect unauthorized changes to critical system files.

AIDE (Advanced Intrusion Detection Environment)

Installation

# Install AIDE
sudo apt install aide

# Initialize database
sudo aideinit

# Move database into place
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Configuration

# /etc/aide/aide.conf

# Define what to check
NORMAL = p+i+n+u+g+s+b+m+c+md5+sha256

# Directories to monitor
/boot   NORMAL
/bin    NORMAL
/sbin   NORMAL
/lib    NORMAL
/lib64  NORMAL
/usr    NORMAL
/etc    NORMAL

# Exclude volatile files
!/var/log
!/var/run
!/var/cache
!/tmp

Running Checks

# Run manual check
sudo aide --check

# Update database after legitimate changes
sudo aide --update
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Automated Checks

#!/bin/bash
# /etc/cron.daily/aide-check (make it executable with chmod +x)
# The shebang must be the first line of the script.
# admin@example.com is a placeholder: replace it with your alert mailbox.
/usr/bin/aide --check | mail -s "AIDE Report" admin@example.com
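The one-liner above mails a report every day whether or not anything changed, and it discards AIDE's exit status, which is the quickest way to tell what kind of finding a run produced. The following cron wrapper is an added example, not code from the original page or from the AIDE project: it decodes AIDE's documented exit status (a bitmask of findings, 1 for new files, 2 for removed files, 4 for changed files, with 14 and above reserved for AIDE's own errors), keeps the full report on disk and only sends mail when there is something to look at. AIDE_CMD, ALERT_TO and REPORT_DIR are names assumed for this example and can be overridden from the environment.

```shell
#!/bin/sh
# Added example: cron wrapper around `aide --check` that decodes the exit
# status and mails only on findings or errors. AIDE_CMD, ALERT_TO and
# REPORT_DIR are assumed names for this example, not AIDE settings.

AIDE_CMD="${AIDE_CMD:-/usr/bin/aide --check}"
ALERT_TO="${ALERT_TO:-root}"
REPORT_DIR="${REPORT_DIR:-/var/log/aide}"

# aide_status_text CODE: print a one-line summary of an AIDE exit status.
# Findings are a bitmask (1 = new, 2 = removed, 4 = changed, summed for
# combinations); 14 and above are AIDE's own error codes (bad config,
# I/O error, database version mismatch, ...).
aide_status_text() {
    code=$1
    if [ "$code" -eq 0 ]; then
        echo "no changes"
        return 0
    fi
    if [ "$code" -ge 14 ]; then
        echo "aide error (exit $code)"
        return 0
    fi
    out=""
    [ $((code & 1)) -ne 0 ] && out="${out}new files, "
    [ $((code & 2)) -ne 0 ] && out="${out}removed files, "
    [ $((code & 4)) -ne 0 ] && out="${out}changed files, "
    echo "${out%, }"
}

# run_check: run AIDE, keep the full report, log the outcome to syslog and
# mail the report only when the exit status is non-zero.
run_check() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/aide-$(date +%F).log"
    rc=0
    # $AIDE_CMD is deliberately unquoted so its arguments are word-split
    $AIDE_CMD > "$report" 2>&1 || rc=$?
    summary=$(aide_status_text "$rc")
    logger -t aide-check "exit=$rc summary=\"$summary\" report=$report"
    if [ "$rc" -ne 0 ]; then
        mail -s "AIDE on $(hostname): $summary" "$ALERT_TO" < "$report"
    fi
    return "$rc"
}

# Run the check only when invoked as the cron script itself, so the
# functions above can also be sourced and tested without AIDE installed.
case "${0##*/}" in
    aide-check*) run_check ;;
esac
```

Install it as /etc/cron.daily/aide-check; the exit status is passed through, so a non-zero cron result also means "findings or error". Because findings and errors are both non-zero, an unreadable database (version mismatch, exit 19) produces an alert rather than a silent run with no report, which is the behaviour a FIM deployment wants.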

Tripwire

Installation

# Install Tripwire
sudo apt install tripwire

# Initialize database
sudo tripwire --init

Configuration

# Edit policy file
sudo twadmin --create-polfile /etc/tripwire/twpol.txt

# Run check
sudo tripwire --check

# Update database
sudo tripwire --update --twrfile /var/lib/tripwire/report/<latest>.twr

OSSEC Syscheck

<!-- /var/ossec/etc/ossec.conf -->
<syscheck>
  <frequency>7200</frequency>
  <scan_on_start>yes</scan_on_start>

  <!-- Directories to monitor -->
  <directories check_all="yes">/etc,/bin,/sbin</directories>
  <directories check_all="yes">/usr/bin,/usr/sbin</directories>

  <!-- Files to ignore -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/resolv.conf</ignore>
  <ignore type="sregex">.log$</ignore>
</syscheck>

Quick Comparison

Tool      Complexity  Integration  Best For
AIDE      Low         Standalone   Simple FIM
Tripwire  Medium      Standalone   Enterprise
OSSEC     Medium      Full HIDS    Comprehensive
auditd    Low         Built-in     Real-time

Interpreting Results

# AIDE output example
File: /etc/passwd
 SHA256 : old_hash != new_hash
 Mtime  : old_time != new_time

# Actions:
# 1. Investigate change
# 2. If legitimate, update database
# 3. If unauthorized, incident response

Best Practices

Practice           Implementation
Baseline           Create after fresh install
Regular checks     Daily or more frequent
Secure database    Store offline or encrypted
Alert integration  Forward to SIEM/email
Change management  Update DB after patches
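The "secure database" practice deserves a concrete mechanism: an attacker who can rewrite aide.db can make their own changes part of the expected baseline, so the database needs the same protection as the files it describes. The script below is an added example, not code from the original page or from AIDE: it seals the baseline with a SHA-256 digest that you copy off the host (or to write-once storage), and it refuses to run a check against a baseline that no longer matches the seal. AIDE_DB and SEAL_FILE are defaults assumed for this example; sha256sum/shasum and cut are standard tools.

```shell
#!/bin/sh
# Added example: protect the AIDE baseline with an off-host digest.
# AIDE_DB and SEAL_FILE are assumed defaults for this example.

AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db}"
SEAL_FILE="${SEAL_FILE:-/var/lib/aide/aide.db.sha256}"

# digest FILE: print the SHA-256 hex digest (coreutils or BSD/macOS tooling)
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# seal_baseline DB SEAL: record DB's digest in SEAL (read-only).
# Copy SEAL to offline storage or another host afterwards; re-run after
# every legitimate `aide --update` so the seal follows the new baseline.
seal_baseline() {
    db=$1; seal=$2
    [ -r "$db" ] || { echo "seal_baseline: cannot read $db" >&2; return 2; }
    rm -f "$seal"
    digest "$db" > "$seal"
    chmod 0400 "$seal"
    echo "sealed $db -> $seal ($(cat "$seal"))"
}

# verify_baseline DB SEAL: 0 if DB matches SEAL, 1 on mismatch,
# 2 if either file is unreadable.
verify_baseline() {
    db=$1; seal=$2
    [ -r "$db" ] && [ -r "$seal" ] || {
        echo "verify_baseline: cannot read $db or $seal" >&2; return 2; }
    expected=$(cat "$seal")
    actual=$(digest "$db")
    if [ "$expected" = "$actual" ]; then
        return 0
    fi
    echo "verify_baseline: $db digest $actual does not match seal $expected" >&2
    return 1
}

# checked_aide_check: run AIDE only after the baseline passes verification,
# so a tampered database fails loudly instead of producing a clean report.
checked_aide_check() {
    verify_baseline "$AIDE_DB" "$SEAL_FILE" || return $?
    /usr/bin/aide --check
}

case "$1" in
    seal)   seal_baseline "$AIDE_DB" "$SEAL_FILE" ;;
    verify) verify_baseline "$AIDE_DB" "$SEAL_FILE" ;;
    check)  checked_aide_check ;;
esac
```

Usage is `aide-seal.sh seal` right after aideinit or after copying aide.db.new into place, then `aide-seal.sh check` from cron instead of a bare aide --check. The seal only helps if a copy lives somewhere the monitored host cannot write to; a local copy alone still catches accidental overwrites and database-version surprises, but not a root-level intruder.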