It would be better to integrate tools like AIDE to detect and log installed third-party software or packages. I use AIDE here as an example, but other software could be integrated or developed for this purpose.
AIDE (Advanced Intrusion Detection Environment) is a Host-Based Intrusion Detection System (HIDS) for checking the integrity of files. AIDE creates a baseline database of files on an initial run and then checks this database against the system on subsequent runs.
The file properties that can be checked include:
- inode
- Permissions
- Modification time
- File contents, etc.
After installation, the initial run creates the baseline database.
For a manual check, run the aide --check command.
If nothing has been installed since the baseline was created:
[root@localhost ~]# aide --check
Start timestamp: 2024-09-18 09:19:11 +0400 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

Number of entries:      49615

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.gz
  MD5      : NQASl4IMhZVUdmiJUvTpfA==
  SHA1     : QoudgUJr7hQPCqUXoQNwO/uyxUg=
  RMD160   : WZzDWOQayHnQOlIfYwBXHvsQ7gA=
  TIGER    : yIrRUdlr5gXsISZADKhfWJLExLwkFK9g
  SHA256   : Br6W26nNwJXFQ7bzl2X/r8MlQ0I+bKfC
             4l13olpGA0I=
  SHA512   : En8oQUSUKPjtyT/dj6gZ8gn7v4vL20j9
             Ht7ydSPJ63kbTEzokrKvojmwneWBLiq/
             AS5kA0bBu1iQUz0cSiVEdA==

End timestamp: 2024-09-18 09:19:25 +0400 (run time: 0m 14s)
AIDE's configuration file is located at /etc/aide.conf. We can customize which directories and files to monitor by editing this file.
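To turn the aide --check report into something an integration can actually log, the text output has to be parsed. The following is an added example written for this post; it is not code from AIDE or from this project. It assumes the AIDE 0.16 report layout (the "Summary:" block and the "Added/Removed/Changed entries:" sections) and the two sample reports embedded in it are constructed, not captured from a real host.

```python
"""Parse the text report printed by `aide --check` (AIDE 0.16) into a
structured result that an inventory or logging integration can forward.

Added example: not AIDE's own code and not part of the original post.
Assumes the AIDE 0.16 report layout; both sample reports are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the "nothing changed" case, same layout as a clean check.
CLEAN_REPORT = """\
Start timestamp: 2024-09-18 09:19:11 +0400 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

Number of entries:\t49615
"""

# Constructed sample: a check after a package install added a binary and a
# config file, and the package manager's own database changed.
CHANGED_REPORT = """\
Start timestamp: 2024-09-18 10:02:41 +0400 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:\t49617
  Added entries:\t\t2
  Removed entries:\t\t0
  Changed entries:\t\t1

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /usr/share/example-agent/bin/example-agent
f++++++++++++++++: /etc/example-agent/example-agent.yml

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   ...    .C...  : /var/lib/rpm/Packages

End timestamp: 2024-09-18 10:02:55 +0400 (run time: 0m 14s)
"""


@dataclass
class AideReport:
    version: str
    differences: bool
    total_entries: int
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    changed: list = field(default_factory=list)


# Unindented section headers; the indented Summary lines carry a count and
# therefore never compare equal to these keys after strip().
_SECTION = {"Added entries:": "added",
            "Removed entries:": "removed",
            "Changed entries:": "changed"}
# Entry lines: an attribute column (e.g. "f+++...", "f   ...  .C...  ") then
# a colon and the absolute path.
_ENTRY = re.compile(r"^[a-zA-Z][^:]*:\s+(/.*)$")


def parse_aide_report(text: str) -> AideReport:
    """Extract version, overall verdict, entry count and changed paths."""
    ver = re.search(r"\(AIDE ([\d.]+)\)", text)
    total = re.search(r"(?:Total number of entries|Number of entries):\s*(\d+)", text)
    report = AideReport(
        version=ver.group(1) if ver else "unknown",
        differences="AIDE found differences" in text,
        total_entries=int(total.group(1)) if total else 0,
    )
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("---"):
            continue  # blank lines and rule lines separate sections
        if stripped in _SECTION:
            section = _SECTION[stripped]
            continue
        if stripped.endswith(":"):
            section = None  # any other header (Summary:, database attributes) ends a section
            continue
        if section is None:
            continue
        m = _ENTRY.match(stripped)
        if m:
            getattr(report, section).append(m.group(1))
    return report


def inventory_events(report: AideReport) -> list:
    """One log line per change, in a shape a log shipper can forward."""
    return [f"aide {kind} {path}"
            for kind in ("added", "removed", "changed")
            for path in getattr(report, kind)]


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_REPORT), ("changed", CHANGED_REPORT)):
        r = parse_aide_report(sample)
        print(name, r.version, r.differences, r.total_entries)
        for event in inventory_events(r):
            print("  ", event)
```

In a real integration the report text would come from running aide --check (or from reading aide.log) rather than from the embedded samples, and the events would be written to the host's log or shipped to the central collector; paths under the package manager's database (as in the constructed sample) are a useful signal that the change came from a package install rather than a manual file edit.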
Now for checking purposes I will install Metricbeat and Filebeat and check.
Attaching aide --check command output and aide.log file.