
Integrate directory integrity checker to detect and find installed 3rd party packets
Open, Normal | Public | FEATURE REQUEST

Description

It would be better to integrate tools like AIDE to detect and log installed 3rd party software or packages. I put AIDE here as an example, but other software could be integrated or developed for this purpose.
AIDE (Advanced Intrusion Detection Environment) is a Host-Based Intrusion Detection System (HIDS) for checking the integrity of files. AIDE creates a baseline database of files on an initial run and then checks this database against the system on subsequent runs.
The file properties that can be checked include:

  • inode
  • Permissions
  • Modification time
  • File contents, etc.

After installation and initial database initiation, AIDE creates a baseline database.
For manual checking we use the aide --check command.
If nothing is installed:

[root@localhost ~]# aide --check
Start timestamp: 2024-09-18 09:19:11 +0400 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

Number of entries:      49615

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.gz
  MD5      : NQASl4IMhZVUdmiJUvTpfA==
  SHA1     : QoudgUJr7hQPCqUXoQNwO/uyxUg=
  RMD160   : WZzDWOQayHnQOlIfYwBXHvsQ7gA=
  TIGER    : yIrRUdlr5gXsISZADKhfWJLExLwkFK9g
  SHA256   : Br6W26nNwJXFQ7bzl2X/r8MlQ0I+bKfC
             4l13olpGA0I=
  SHA512   : En8oQUSUKPjtyT/dj6gZ8gn7v4vL20j9
             Ht7ydSPJ63kbTEzokrKvojmwneWBLiq/
             AS5kA0bBu1iQUz0cSiVEdA==


End timestamp: 2024-09-18 09:19:25 +0400 (run time: 0m 14s)

AIDE's configuration file is located at /etc/aide.conf. We can customize which directories and files to monitor by editing this file.
Now for checking purposes I will install Metricbeat and Filebeat and check.
Attaching aide --check command output and aide.log file.
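
The baseline-then-check model described in this task, as an added example that is not part of the original request and is not AIDE's or VyOS's own code: a Python sketch that records the listed properties (inode, permissions, modification time, content hash) and reports added, removed and changed files. The function names and the sample tree are assumptions made for the illustration.

```python
import hashlib
import os
import stat
import tempfile

ATTRS = ("inode", "perms", "mtime", "sha256")  # the properties listed above


def snapshot(root):
    """Walk root and record the checked attributes of every regular file."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and devices in this sketch
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root)
            db[rel] = {"inode": st.st_ino, "perms": stat.S_IMODE(st.st_mode),
                       "mtime": st.st_mtime_ns, "sha256": digest}
    return db


def check(baseline, current):
    """Compare two snapshots; return added, removed and changed entries."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        diff = [a for a in ATTRS if baseline[path][a] != current[path][a]]
        if diff:
            changed[path] = diff
    return added, removed, changed


if __name__ == "__main__":
    # Constructed sample tree: baseline first, then a simulated package install.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin no\n")
        baseline = snapshot(root)
        with open(os.path.join(root, "metricbeat"), "w") as fh:
            fh.write("constructed stand-in for a new binary\n")
        os.chmod(os.path.join(root, "sshd_config"), 0o666)
        print(check(baseline, snapshot(root)))
```

A check like this is only as trustworthy as the stored baseline, so the baseline should be kept where software installed on the monitored system cannot rewrite it.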

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Event Timeline

Viacheslav triaged this task as Normal priority. Wed, Sep 18, 7:20 AM
Viacheslav subscribed.

Do you want some CLI for it? Or just user util?

I think a new command is required for this: show integrity or similar. Also a brief status in MOTD and show version.