CoursesLinux hardeningAudit & compliance

File integrity monitoring

AIDE: know when the system changes.

Advanced10 min · lesson 15 of 16

Hardening and auditing tell you about access; file integrity monitoring tells you when the system itself changes. The idea is simple and powerful: take a cryptographic baseline of the important files (their hashes, permissions, ownership, sizes) while the system is known-good, then periodically re-check against that baseline. Anything that changed unexpectedly — a modified system binary, a new file in a sensitive directory, an altered config — surfaces immediately. AIDE is the common tool on Linux.

terminal
$ sudo apt install aide
$ sudo aideinit # build the baseline database (do this on a clean system)
$ sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# later — scheduled daily — compare current state to the baseline:
$ sudo aide --check
... changed: /usr/bin/curl (this had better be an update you made!)

What to watch, and the update problem

You baseline the things that should not change on their own: system binaries in /usr/bin and /bin, kernel and boot files, and sensitive configs in /etc. You exclude the things that constantly change — logs, caches, spools — or every scan is pure noise. The operational subtlety is legitimate change: a package update alters real system binaries, so your process must be "update the baseline deliberately after an approved change," which turns the tool into a check that every change was intentional. An unexplained change to a system binary is a strong compromise signal.

Protect the baseline

The integrity database is the reference an attacker would love to quietly update to hide their changes, so it must be protected: store a copy off the host (or on read-only media), so even if the local database is tampered with, you have a trustworthy reference to compare against. Like the audit trail, integrity monitoring is only as good as your confidence that the evidence itself has not been altered — which is a recurring theme, and exactly why the detection course pushes everything off-box.

Baseline on a clean system, or you baseline the compromise
File integrity monitoring only works if the initial baseline was taken from a genuinely clean system — if you baseline a host that is already compromised, you have just recorded the attacker’s implants as "normal," and every future check will call them fine. Build the baseline immediately after a fresh, trusted install and before the host is exposed, keep a copy off-box, and update it only through your deliberate change process. A baseline of unknown provenance is worse than none, because it looks authoritative.