It would be better to integrate tools like **AIDE** to detect and log installed third-party software or packages. I put AIDE here as an example, but other software could be integrated or developed for this purpose.
**AIDE** (Advanced Intrusion Detection Environment) is a Host-Based Intrusion Detection System (HIDS) for checking the integrity of files. AIDE creates a baseline database of files on an initial run and then checks this database against the system on subsequent runs.
The file properties that can be checked include:
- inode
- Permissions
- Modification time
- File contents, etc.
After installation and initial database initialization, AIDE creates a baseline database.
For manual checking, we use the **aide --check** command.
If nothing is installed:
```
[root@localhost ~]# aide --check
Start timestamp: 2024-09-18 09:19:11 +0400 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
Number of entries: 49615
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.gz
MD5 : NQASl4IMhZVUdmiJUvTpfA==
SHA1 : QoudgUJr7hQPCqUXoQNwO/uyxUg=
RMD160 : WZzDWOQayHnQOlIfYwBXHvsQ7gA=
TIGER : yIrRUdlr5gXsISZADKhfWJLExLwkFK9g
SHA256 : Br6W26nNwJXFQ7bzl2X/r8MlQ0I+bKfC
4l13olpGA0I=
SHA512 : En8oQUSUKPjtyT/dj6gZ8gn7v4vL20j9
Ht7ydSPJ63kbTEzokrKvojmwneWBLiq/
AS5kA0bBu1iQUz0cSiVEdA==
End timestamp: 2024-09-18 09:19:25 +0400 (run time: 0m 14s)
```
AIDE's configuration file is located at **/etc/aide.conf**. We can customize which directories and files to monitor by editing this file.
Now, for checking purposes, I will install **Metricbeat** and **Filebeat** and check.
Attaching the **aide --check** command output and the **aide.log** file.
{F4830637}
{F4830636}
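As an added example (not part of the original report and not AIDE's own code), the Python below turns an `aide --check` report into structured events that can be written to a log when new software appears. The sample report is constructed in the AIDE 0.16 layout, and the names `parse_report`, `SECTION` and `ENTRY` are hypothetical.

```python
import re

RULE = "-" * 51
# Constructed, abridged sample in the AIDE 0.16 report layout (not the attached output).
SAMPLE = f"""Start timestamp: 2024-09-18 09:40:02 +0400 (AIDE 0.16)
AIDE found differences between database and filesystem!!

{RULE}
Added entries:
{RULE}

d++++++++++++++++: /etc/filebeat
f++++++++++++++++: /usr/bin/filebeat
f++++++++++++++++: /usr/bin/metricbeat

{RULE}
Changed entries:
{RULE}

d =.... mc.. .. .: /usr/bin

{RULE}
Detailed information about changes:
{RULE}

Directory: /usr/bin
"""

SECTION = re.compile(r"^(Added|Removed|Changed) entries:$")
# One type character, an attribute string of build-dependent width, then ": /path".
ENTRY = re.compile(r"^(\w)([^:/]+): (/.*)$")

def parse_report(text):
    """Return one event dict per added/removed/changed path in an AIDE report."""
    events, section = [], None
    for line in text.splitlines():
        header = SECTION.match(line)
        if header:
            section = header.group(1).lower()
        elif section and (m := ENTRY.match(line)):
            events.append({"action": section, "type": m.group(1),
                           "flags": m.group(2), "path": m.group(3)})
        elif line.endswith(":") and not line.startswith(" "):
            section = None  # another heading (e.g. the detailed dump) ends the list
    return events

if __name__ == "__main__":
    for event in parse_report(SAMPLE):
        print(event)
```

Tracking the current section matters because lines in the detailed dump, such as `Directory: /usr/bin`, would otherwise match the entry pattern and be logged as changes.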