File integrity monitoring
AIDE: know when the system changes.
Hardening and auditing tell you about access; file integrity monitoring tells you when the system itself changes. The idea is simple and powerful: take a cryptographic baseline of the important files (their hashes, permissions, ownership, sizes) while the system is known-good, then periodically re-check against that baseline. Anything that changed unexpectedly — a modified system binary, a new file in a sensitive directory, an altered config — surfaces immediately. AIDE is the common tool on Linux.
$ sudo apt install aide$ sudo aideinit # build the baseline database (do this on a clean system)$ sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db# later — scheduled daily — compare current state to the baseline:$ sudo aide --check... changed: /usr/bin/curl (this had better be an update you made!)
What to watch, and the update problem
You baseline the things that should not change on their own: system binaries in /usr/bin and /bin, kernel and boot files, and sensitive configs in /etc. You exclude the things that constantly change — logs, caches, spools — or every scan is pure noise. The operational subtlety is legitimate change: a package update alters real system binaries, so your process must be "update the baseline deliberately after an approved change," which turns the tool into a check that every change was intentional. An unexplained change to a system binary is a strong compromise signal.
Protect the baseline
The integrity database is the reference an attacker would love to quietly update to hide their changes, so it must be protected: store a copy off the host (or on read-only media), so even if the local database is tampered with, you have a trustworthy reference to compare against. Like the audit trail, integrity monitoring is only as good as your confidence that the evidence itself has not been altered — which is a recurring theme, and exactly why the detection course pushes everything off-box.