File Integrity Monitoring
Detect unauthorized changes to critical system files.
AIDE (Advanced Intrusion Detection Environment)
Installation
```bash
# Install AIDE
sudo apt install aide
# Initialize database
sudo aideinit
# Move database into place
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
```
Configuration
```conf
# /etc/aide/aide.conf
# Define what to check
NORMAL = p+i+n+u+g+s+b+m+c+md5+sha256
# Directories to monitor
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
/usr NORMAL
/etc NORMAL
# Exclude volatile files
!/var/log
!/var/run
!/var/cache
!/tmp
```
Running Checks
```bash
# Run manual check
sudo aide --check
# Update database after legitimate changes
sudo aide --update
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
```
Automated Checks
```bash
#!/bin/bash
# /etc/cron.daily/aide-check
# admin@example.com is a placeholder recipient
/usr/bin/aide --check | mail -s "AIDE Report" admin@example.com
```
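The one-liner above mails a report on every run and ignores AIDE's exit status, so a quiet day and a failed scan look the same in the inbox. The script below is an added example (not the page's cron job, and not the one the Debian package installs) that uses the exit status to decide whether to alert. It assumes AIDE at /usr/bin/aide with /etc/aide/aide.conf, and the recipient `root` is a placeholder; the exit-status values are those documented in the aide man page.

```bash
#!/bin/bash
# /etc/cron.daily/aide-check (added example): run AIDE, summarise its exit
# status, mail only when there is something to read, and log the outcome.
#
# AIDE's exit status for 0..7 is a bit mask: 1 = new files, 2 = removed files,
# 4 = changed files. Values of 14 and above are errors (config, I/O, version
# mismatch), not findings, and must be alerted on as failures.

AIDE_BIN=${AIDE_BIN:-/usr/bin/aide}
AIDE_CONF=${AIDE_CONF:-/etc/aide/aide.conf}
MAIL_TO=${MAIL_TO:-root}            # placeholder recipient; point at your SOC mailbox

# Map an AIDE exit status to a one-line summary for the mail subject.
aide_exit_summary() {
  local rc=$1 parts=""
  if [ "$rc" -eq 0 ]; then
    echo "no changes"; return 0
  fi
  if [ "$rc" -ge 14 ]; then
    echo "aide error (exit $rc)"; return 0
  fi
  if [ $((rc & 1)) -ne 0 ]; then parts="${parts}new files; "; fi
  if [ $((rc & 2)) -ne 0 ]; then parts="${parts}removed files; "; fi
  if [ $((rc & 4)) -ne 0 ]; then parts="${parts}changed files; "; fi
  echo "${parts%; }"
}

# Anything other than "no changes" (findings or an AIDE failure) deserves mail.
aide_should_alert() {
  [ "$1" -ne 0 ]
}

main() {
  local report rc summary
  report=$(mktemp) || exit 1
  "$AIDE_BIN" --config="$AIDE_CONF" --check >"$report" 2>&1
  rc=$?
  summary=$(aide_exit_summary "$rc")
  if aide_should_alert "$rc"; then
    mail -s "AIDE on $(hostname): $summary" "$MAIL_TO" <"$report"
  fi
  # A syslog line on every run gives the SIEM a heartbeat even when no mail is sent.
  logger -t aide-check "exit=$rc ($summary)"
  rm -f "$report"
  exit "$rc"
}

# Run the scan only when executed as the cron script, so the functions can be
# sourced elsewhere without triggering one.
case "${0##*/}" in
  aide-check) main "$@" ;;
esac
```

Because the exit status propagates, a missing or mismatched database (exit 19) reaches the mailbox as an error rather than silently producing an empty "no changes" report.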
Tripwire
Installation
```bash
# Install Tripwire
sudo apt install tripwire
# Initialize database
sudo tripwire --init
```
Configuration
```bash
# After editing the text policy, compile it into the signed policy file
sudo twadmin --create-polfile /etc/tripwire/twpol.txt
# Run check
sudo tripwire --check
# Update database from the report of the latest check
sudo tripwire --update --twrfile /var/lib/tripwire/report/<latest>.twr
```
OSSEC Syscheck
```xml
<!-- /var/ossec/etc/ossec.conf -->
<syscheck>
  <frequency>7200</frequency>
  <scan_on_start>yes</scan_on_start>
  <!-- Directories to monitor -->
  <directories check_all="yes">/etc,/bin,/sbin</directories>
  <directories check_all="yes">/usr/bin,/usr/sbin</directories>
  <!-- Files to ignore -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/resolv.conf</ignore>
  <ignore type="sregex">.log$</ignore>
</syscheck>
```
Quick Comparison
| Tool | Complexity | Integration | Best For |
|---|---|---|---|
| AIDE | Low | Standalone | Simple FIM |
| Tripwire | Medium | Standalone | Enterprise |
| OSSEC | Medium | Full HIDS | Comprehensive |
| auditd | Low | Built-in | Real-time |
Interpreting Results
```text
# AIDE output example
File: /etc/passwd
SHA256 : old_hash != new_hash
Mtime : old_time != new_time
# Actions:
# 1. Investigate change
# 2. If legitimate, update database
# 3. If unauthorized, incident response
```
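To make the report above concrete, here is an added example (not AIDE's code) of the baseline-and-compare loop every FIM tool performs: a snapshot records, per file, the attributes named by the page's NORMAL rule letters p, u, g, s, m plus a sha256 digest, and a compare step prints added, removed and changed paths with the attribute that differs, in the same "Attribute : old != new" form as the AIDE output. It assumes GNU or busybox coreutils (`stat -c`, `sha256sum`), uses path-prefix exclusion where AIDE uses regexes, does not record inode, link count, block count, ctime or md5, and does not handle filenames containing newlines. The demo tree is constructed in a temporary directory, not real system files.

```bash
#!/bin/bash
# mini-fim.sh (added example): snapshot a tree, compare two snapshots,
# report the differences the way an AIDE report presents them.

# Print one line per regular file under $1:
#   path<TAB>perms uid gid size mtime sha256
# Remaining arguments are path prefixes to exclude (cf. "!/var/log" in aide.conf).
fim_snapshot() {
  local root=$1 f ex skip
  shift
  find "$root" -type f | LC_ALL=C sort | while IFS= read -r f; do
    skip=0
    for ex in "$@"; do
      case "$f" in "$ex"*) skip=1 ;; esac
    done
    if [ "$skip" -eq 1 ]; then continue; fi
    printf '%s\t%s %s\n' "$f" "$(stat -c '%a %u %g %s %Y' "$f")" \
      "$(sha256sum "$f" | cut -d' ' -f1)"
  done
}

# Compare baseline snapshot $1 with current snapshot $2. Prints removed, added
# and changed paths; for changed paths, each attribute that differs.
# Returns 0 when identical, 1 when there is anything to investigate.
fim_compare() {
  awk -F'\t' '
    BEGIN { split("Perms Uid Gid Size Mtime SHA256", name, " ") }
    FILENAME == ARGV[1] { old[$1] = $2; next }
    { cur[$1] = $2 }
    END {
      for (f in old) if (!(f in cur)) { print "removed: " f; diffs++ }
      for (f in cur) if (!(f in old)) { print "added: " f; diffs++ }
      for (f in cur) if ((f in old) && old[f] != cur[f]) {
        print "changed: " f; diffs++
        split(old[f], o, " "); split(cur[f], c, " ")
        for (i = 1; i <= 6; i++) if (o[i] != c[i])
          printf "  %-6s : %s != %s\n", name[i], o[i], c[i]
      }
      exit (diffs > 0 ? 1 : 0)
    }' "$1" "$2"
}

# Demo on a constructed tree: baseline, then one content change, one
# permission-only change, one new file, and a write inside an excluded
# directory that must not be reported. Prints the report and the compare
# status; always returns 0 so it can be called under "set -e".
fim_demo() {
  local root base cur rc
  root=$(mktemp -d) || return 1
  mkdir -p "$root/etc/cron.d" "$root/var/log"
  printf 'root:x:0:0:root:/root:/bin/bash\n' >"$root/etc/passwd"
  printf 'PermitRootLogin no\n' >"$root/etc/sshd_config"
  printf 'boot messages\n' >"$root/var/log/syslog"
  chmod 644 "$root/etc/passwd" "$root/etc/sshd_config"
  base=$(mktemp); cur=$(mktemp)
  fim_snapshot "$root" "$root/var/log" >"$base"

  printf 'guest:x:1001:1001::/home/guest:/bin/sh\n' >>"$root/etc/passwd"  # content
  chmod 600 "$root/etc/sshd_config"                                      # mode only
  printf '@reboot root /usr/local/bin/sync-clock\n' >"$root/etc/cron.d/job" # new file
  printf 'more log lines\n' >>"$root/var/log/syslog"                     # excluded

  fim_snapshot "$root" "$root/var/log" >"$cur"
  if fim_compare "$base" "$cur"; then rc=0; else rc=$?; fi
  echo "compare status: $rc"
  rm -rf "$root" "$base" "$cur"
  return 0
}
```

Reading the demo output follows the page's three actions: the new cron.d entry and the appended passwd line are content changes to investigate, while sshd_config shows only "Perms : 644 != 600", a metadata-only change that a hash-only check would miss. The baseline file plays the role of aide.db; like it, it is only trustworthy if an attacker who modifies the monitored files cannot also rewrite it, hence the practice of keeping the database offline or on read-only media.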
Best Practices
| Practice | Implementation |
|---|---|
| Baseline | Create after fresh install |
| Regular checks | Daily or more frequent |
| Secure database | Store offline or encrypted |
| Alert integration | Forward to SIEM/email |
| Change management | Update DB after patches |
intermediate | Auditing | Updated 2025-01-15
- file integrity
- aide
- tripwire
- fim
- change detection
- security