Software: aide
Advanced Intrusion Detection Environment scans all your files and stores their attributes and checksums in a database.
You can rescan at any time to see which files have changed. By default it runs once a day and sends you a mail. Of course you should also copy the database away from your server, in case you suspect your server has been compromised.
Install
Requirements: a configured MTA (postfix, sendmail, …); mail for root@localhost must be forwarded to your email address.
The installation is quite easy on Ubuntu:
sudo apt-get install aide
Config
This really depends on your system. If no users log into your system, it might be a good idea to include /home. Otherwise you will have to exclude /home from the checks.
So I’ve removed the file /etc/aide/aide.conf.d/99_aide_root and created another one for my customizations.
/etc/aide/aide.conf.d/99_aide_custom
/var/log/aide* FreqRotLog
/var/log/syslog* FreqRotLog
!/opt/example/cache/*
!/opt/example/log/*
Don’t worry if you forget something. The first mail will inform you about changes in those files, and you can exclude them later.
Execute
To create the database you need to type:
sudo aideinit
Overwrite existing /var/lib/aide/aide.db.new [Yn]? y
Running aide --init...
AIDE, version 0.15.1
### AIDE database at /var/lib/aide/aide.db.new initialized.
Overwrite /var/lib/aide/aide.db [yN]? y
You will get a mail every day telling you whether something has changed.
But what if someone breaks into your system and creates a new database file?
The answer depends on how important this is for you.
Easy way: Compare the hash value of your database file.
sudo /etc/cron.daily/aide
You will get your first mail afterwards. The hash values of the database are in that mail and should be the same in the next mail you receive.
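The comparison described above, as an added example that is not part of the original page or of AIDE itself: a small POSIX shell script that pulls the SHA256 reported for /var/lib/aide/aide.db out of a saved AIDE mail and compares it with the value kept from the first mail. The report layout is assumed to follow AIDE 0.15's "attributes of the (uncompressed) database(s)" section, and all hash values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the page or from the AIDE project: compare the SHA256
# that a later AIDE mail reports for /var/lib/aide/aide.db with the value you
# recorded from the first mail. The report layout is an assumption (AIDE 0.15's
# "attributes of the (uncompressed) database(s)" section); all hash values below
# are constructed placeholders, not real digests.

# Print the SHA256 value the report lists for the given database path.
# $1 = saved mail body, $2 = database path as it appears in the report
report_db_sha256() {
    awk -v db="$2" '
        $0 == db               { in_db = 1; next }   # block starts with the bare path
        in_db && /^ *SHA256 /  { print $3; exit }    # " SHA256   : <value>"
        in_db && /^\//         { in_db = 0 }         # another database block begins
    ' "$1"
}

# Exit status: 0 = matches trusted value, 1 = differs, 2 = database not in report
check_db_hash() {
    reported=$(report_db_sha256 "$1" "$2")
    [ -n "$reported" ] || return 2
    [ "$reported" = "$3" ] && return 0
    return 1
}

# Trusted value you copied from the first mail after aideinit (constructed here).
TRUSTED_SHA256="CONSTRUCTEDtrustedSHA256valueAAAAAAAAAAAAAAAAAAAAAA="

# Constructed fragment of a later AIDE mail, in the layout the report uses.
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db
 MD5      : CONSTRUCTEDmd5placeholder==
 SHA256   : CONSTRUCTEDtrustedSHA256valueAAAAAAAAAAAAAAAAAAAAAA=
EOF

if check_db_hash "$SAMPLE_REPORT" /var/lib/aide/aide.db "$TRUSTED_SHA256"; then
    echo "aide.db hash in the report matches the trusted copy"
else
    echo "WARNING: aide.db hash differs or is missing; the database may have been replaced"
fi
```

Keep the trusted value (and, better, the database copy) off the server, since a trusted value stored next to aide.db can be rewritten together with it.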
If you want it more secure, you should also copy the database file to your own computer.
If you want to check your system later, you can use that copy to verify the integrity of your system.
Remember: do this every time you change something.
For more information, check the manual.