File integrity monitoring (FIM) is like having a security guard for your files! 👮 It watches your important system files and alerts you when something changes unexpectedly. This helps detect intrusions, malware, or unauthorized modifications. Let’s set up a robust FIM system on Alpine Linux! 🚀
## What is File Integrity Monitoring? 🤔

FIM works by:

- Creating checksums - mathematical fingerprints of files
- Regular scanning - checking whether files have changed
- Alerting - notifying you of unauthorized changes
- Logging - keeping records of all modifications

Think of it as a tamper-evident seal for your digital files! 🔐
## Installing AIDE (Advanced Intrusion Detection Environment) 📦

AIDE is a popular open-source FIM tool:

```sh
# Update package list
sudo apk update

# Install AIDE
sudo apk add aide

# Install additional tools
sudo apk add findutils coreutils

# Check installation
aide --version
```
## Initial AIDE Configuration 🔧

Let's configure AIDE for your system:

```sh
# Create AIDE configuration directory
sudo mkdir -p /etc/aide

# Basic AIDE configuration
# (sudo must wrap tee, not the shell redirection, or the write runs unprivileged)
sudo tee /etc/aide/aide.conf > /dev/null << 'EOF'
# AIDE Configuration File

# Database locations
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

# Report settings (several report_url lines are allowed; each gets a copy)
report_url=file:/var/log/aide/aide.log
report_url=stdout

# Rule definitions
# p=permissions u=owner g=group s=size m=mtime c=ctime n=link count
# S=size may only grow (for logs)
NORMAL = p+u+g+s+m+c+md5+sha256
DIR = p+u+g
LOG = p+u+g+n+S

# Directories to monitor
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/usr/bin NORMAL
/usr/sbin NORMAL
/etc NORMAL

# Exclude volatile files
!/etc/mtab
!/etc/resolv.conf
!/var/log
!/var/cache
!/tmp
!/proc
!/sys
EOF
```
## Initializing the AIDE Database 📊

Create the initial baseline:

```sh
# Create necessary directories
sudo mkdir -p /var/lib/aide /var/log/aide

# Initialize AIDE database
# If your AIDE build looks for its config elsewhere, add -c /etc/aide/aide.conf
# to this and every later aide command.
sudo aide --init

# Move the new database to production
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
echo "✅ AIDE database initialized!"
```
## Running File Integrity Checks 🔍

Check for file changes:

```sh
# Run a check
sudo aide --check

# Check with verbose output
sudo aide --check --verbose

# Update database after legitimate changes
sudo aide --update
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
```
## Creating Custom FIM Scripts 📝

Build your own monitoring tools:

```sh
# Simple file integrity checker
cat > ~/fim_check.sh << 'EOF'
#!/bin/sh
# Custom File Integrity Monitor
WATCH_DIR="/etc"
HASH_FILE="/var/lib/fim/hashes.db"
ALERT_LOG="/var/log/fim_alerts.log"

# Create directories
mkdir -p /var/lib/fim /var/log

# Hash every file under WATCH_DIR, sorted by path so that two runs
# can be compared line by line regardless of the order find returns
hash_tree() {
    find "$WATCH_DIR" -type f -exec sha256sum {} + | sort -k2
}

# Function to generate hashes
generate_hashes() {
    echo "Generating file hashes for $WATCH_DIR..."
    hash_tree > "$HASH_FILE.new"
    mv "$HASH_FILE.new" "$HASH_FILE"
    echo "✅ Hash database created"
}

# Function to check integrity
check_integrity() {
    echo "Checking file integrity..."
    if [ ! -f "$HASH_FILE" ]; then
        echo "❌ No baseline found. Run with --init first"
        return 1
    fi
    # Generate current hashes
    hash_tree > "$HASH_FILE.current"
    # Compare with baseline (mktemp instead of a predictable /tmp name)
    diff_file=$(mktemp)
    diff "$HASH_FILE" "$HASH_FILE.current" > "$diff_file"
    if [ -s "$diff_file" ]; then
        echo "⚠️ Changes detected!"
        echo "$(date): File changes detected" >> "$ALERT_LOG"
        cat "$diff_file" >> "$ALERT_LOG"
        cat "$diff_file"
    else
        echo "✅ No changes detected"
    fi
    rm -f "$HASH_FILE.current" "$diff_file"
}

# Main logic
case "$1" in
    --init)
        generate_hashes
        ;;
    --check)
        check_integrity
        ;;
    *)
        echo "Usage: $0 {--init|--check}"
        exit 1
        ;;
esac
EOF
chmod +x ~/fim_check.sh
```
## Monitoring Specific Files 🎯

Watch critical system files:

```sh
# Create targeted monitoring script
cat > ~/monitor_critical.sh << 'EOF'
#!/bin/sh
# Monitor Critical System Files
CRITICAL_FILES="
/etc/passwd
/etc/shadow
/etc/group
/etc/sudoers
/etc/ssh/sshd_config
/boot/config.txt
"
HASH_DIR="/var/lib/fim/critical"
mkdir -p "$HASH_DIR"

# $CRITICAL_FILES is deliberately unquoted so the list splits into one path per iteration
for file in $CRITICAL_FILES; do
    if [ -f "$file" ]; then
        # Generate hash
        current_hash=$(sha256sum "$file" | cut -d' ' -f1)
        hash_file="$HASH_DIR/$(printf '%s' "$file" | tr '/' '_').hash"
        if [ -f "$hash_file" ]; then
            stored_hash=$(cat "$hash_file")
            if [ "$current_hash" != "$stored_hash" ]; then
                # The stored hash is left untouched, so the alert repeats every run
                # until you delete the .hash file to accept the change
                echo "⚠️ ALERT: $file has been modified!"
                echo "Old hash: $stored_hash"
                echo "New hash: $current_hash"
            fi
        else
            # Store initial hash
            echo "$current_hash" > "$hash_file"
            echo "📝 Stored hash for $file"
        fi
    fi
done
EOF
chmod +x ~/monitor_critical.sh
```
## Automated Monitoring with Cron 🕐

Set up automatic checks:

```sh
# Edit the root crontab (AIDE and the hash databases are only readable by root)
sudo crontab -e

# Add these lines:
# Check every hour
0 * * * * /usr/bin/aide --check > /var/log/aide/aide-check.log 2>&1

# Check critical files every 30 minutes
*/30 * * * * /home/user/monitor_critical.sh >> /var/log/fim.log 2>&1

# Daily report (the report is what --check writes to report_url and stdout)
0 2 * * * /usr/bin/aide --check > /var/log/aide/daily-report.log 2>&1
```
## Real-time File Monitoring 👁️

Use inotify for instant alerts:

```sh
# Install inotify-tools
sudo apk add inotify-tools

# Real-time monitoring script
cat > ~/realtime_monitor.sh << 'EOF'
#!/bin/sh
# Real-time File Monitor
WATCH_PATHS="/etc /bin /sbin"
LOG_FILE="/var/log/realtime_fim.log"

echo "Starting real-time file monitoring..."
echo "Watching: $WATCH_PATHS"

# -m: keep running, -r: recurse into subdirectories
# $WATCH_PATHS is deliberately unquoted so it splits into separate paths
inotifywait -mr \
    --timefmt '%Y-%m-%d %H:%M:%S' \
    --format '%T %w%f %e' \
    -e modify,attrib,move,create,delete \
    $WATCH_PATHS |
while read -r date time file event; do
    echo "$date $time: $event - $file" | tee -a "$LOG_FILE"
    # Alert on critical changes
    case "$file" in
        */passwd|*/shadow|*/sudoers)
            echo "🚨 CRITICAL: Change detected in $file!" | tee -a "$LOG_FILE"
            # Send alert (email, notification, etc.)
            ;;
    esac
done
EOF
chmod +x ~/realtime_monitor.sh
```
## Creating FIM Reports 📊

Generate detailed reports:

```sh
# Report generation script
cat > ~/fim_report.sh << 'EOF'
#!/bin/sh
# FIM Report Generator
REPORT_DIR="/var/log/fim/reports"
REPORT_FILE="$REPORT_DIR/fim_report_$(date +%Y%m%d).html"
mkdir -p "$REPORT_DIR"

# The HTML delimiter is unquoted on purpose so that $(date) below is expanded
cat > "$REPORT_FILE" << HTML
<!DOCTYPE html>
<html>
<head>
<title>FIM Report</title>
<style>
body { font-family: Arial, sans-serif; margin: 20px; }
.alert { color: red; font-weight: bold; }
.safe { color: green; }
table { border-collapse: collapse; width: 100%; }
th, td { border: 1px solid #ddd; padding: 8px; text-align: left; }
th { background-color: #f2f2f2; }
</style>
</head>
<body>
<h1>File Integrity Monitoring Report</h1>
<p>Generated: $(date)</p>
<h2>Summary</h2>
<table>
<tr><th>Check Type</th><th>Status</th><th>Details</th></tr>
HTML

# Add AIDE results
if [ -f /var/log/aide/aide.log ]; then
    if grep -q "changed" /var/log/aide/aide.log; then
        echo '<tr><td>AIDE Check</td><td class="alert">Changes Detected</td><td>See detailed log</td></tr>' >> "$REPORT_FILE"
    else
        echo '<tr><td>AIDE Check</td><td class="safe">No Changes</td><td>System intact</td></tr>' >> "$REPORT_FILE"
    fi
fi

echo '</table></body></html>' >> "$REPORT_FILE"
echo "Report generated: $REPORT_FILE"
EOF
chmod +x ~/fim_report.sh
```
## Integrating with System Logging 📝

Send FIM alerts to syslog:

```sh
# Configure rsyslog for FIM (assumes rsyslog is installed: sudo apk add rsyslog)
# sudo must wrap tee, not the shell redirection
sudo tee -a /etc/rsyslog.conf > /dev/null << 'EOF'
# FIM logging
# AIDE only reaches syslog if aide.conf also contains a syslog report target,
# e.g. report_url=syslog:LOG_AUTH; your own scripts must tag their messages
# with `logger -t fim` for the second rule to match.
:programname, isequal, "aide" /var/log/aide.log
& stop
:programname, isequal, "fim" /var/log/fim.log
& stop
EOF

# Restart rsyslog
sudo rc-service rsyslog restart
```
## Advanced AIDE Rules 🔧

Create custom monitoring rules:

```sh
# Extended AIDE configuration (sudo must wrap tee, not the shell redirection)
sudo tee -a /etc/aide/aide.conf > /dev/null << 'EOF'
# Custom rules
# i=inode, plus several hash algorithms for the most sensitive data
SENSITIVE = p+i+n+u+g+s+m+c+md5+sha512+rmd160+tiger
LOGS = p+n+u+g+S
CONFIGS = p+u+g+m+c+md5+sha256

# Web server files
# Selection lines are regular expressions, so ".*" (not a shell "*") matches a path component
/var/www NORMAL
!/var/www/.*/cache
!/var/www/.*/tmp

# Database files
/var/lib/mysql SENSITIVE
/var/lib/postgresql SENSITIVE

# Configuration files
/etc/nginx CONFIGS
/etc/apache2 CONFIGS
EOF
```
## Troubleshooting FIM Issues 🔧

### Database Corruption

```sh
# Rebuild AIDE database
sudo rm -f /var/lib/aide/aide.db
sudo aide --init
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
```

### Performance Issues

```sh
# Optimize AIDE checks
# Use less intensive hash algorithms for non-critical files
# Exclude frequently changing directories
```
## FIM Best Practices 📌

- Regular baseline updates - update after legitimate changes
- Protect FIM databases - store securely, possibly offline
- Monitor FIM tools - ensure the monitoring tools themselves aren't compromised
- Test alerts - verify that notification systems work
- Document changes - keep records of authorized modifications
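The second and third points above (protect the database, monitor the tool) can be enforced rather than just remembered. The wrapper below is an added example, not part of the original post: it pins the AIDE config, database and binary to a manifest kept outside AIDE's own paths and refuses to run `aide --check` if any of them no longer match. The manifest location, the pinned paths and the `FIM_*`/`AIDE_BIN` environment overrides are assumptions for this example.

```sh
#!/bin/sh
# Added example (not from the original post): guarded wrapper around `aide --check`.
# Pins AIDE's config, database and binary to a manifest stored outside AIDE's own
# paths and refuses to run the check if any of them changed.
# All paths below are assumptions; override them via the environment.
MANIFEST="${FIM_MANIFEST:-/var/lib/fim/aide.manifest}"
PINNED="${FIM_PINNED:-/etc/aide/aide.conf /var/lib/aide/aide.db /usr/bin/aide}"
AIDE_BIN="${AIDE_BIN:-aide}"

# Record the current SHA-256 of every pinned file. Run once, right after a
# trusted `aide --init`, and again only after an authorised database update.
fim_pin() {
    mkdir -p "$(dirname "$MANIFEST")" || return 1
    # $PINNED is deliberately unquoted so it splits into separate paths
    sha256sum $PINNED > "$MANIFEST.tmp" || { rm -f "$MANIFEST.tmp"; return 1; }
    mv "$MANIFEST.tmp" "$MANIFEST" && chmod 0400 "$MANIFEST"
}

# Return 0 when every pinned file still matches the manifest, non-zero otherwise.
# On mismatch, print only the lines that are not "OK" so the culprit is obvious.
fim_verify() {
    [ -f "$MANIFEST" ] || { echo "no manifest at $MANIFEST; run 'pin' first" >&2; return 1; }
    out=$(sha256sum -c "$MANIFEST" 2>&1)
    rc=$?
    [ "$rc" -eq 0 ] || printf '%s\n' "$out" | grep -v ': OK$' >&2
    return "$rc"
}

# Only run the integrity check when the checker itself is intact.
# Returns 2 (distinct from AIDE's own exit codes) when the tooling was tampered with.
guarded_check() {
    if fim_verify; then
        "$AIDE_BIN" --check
    else
        echo "$(date): refusing to run AIDE: its config, database or binary changed" >&2
        return 2
    fi
}

# Usage: sh aide_guarded.sh pin    (after a trusted init/update)
#        sh aide_guarded.sh check  (from cron, instead of a bare aide --check)
case "${1:-}" in
    pin)   fim_pin ;;
    check) guarded_check ;;
esac
```

Store a copy of the manifest off-host as well; an attacker with root can rewrite the manifest just as easily as the database, and the off-host copy is what lets you notice that.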
## Quick Reference 📝

```sh
# Initialize AIDE
sudo aide --init

# Run check
sudo aide --check

# Update database
sudo aide --update

# Check specific directory
sudo aide --check --limit /etc

# Verbose output
sudo aide --check -V 255
```
## Conclusion 🎯

You've successfully set up file integrity monitoring on Alpine Linux! With AIDE configured, custom scripts ready, and automated monitoring in place, you'll know immediately when critical files change. This adds a powerful layer of security to your system. Stay vigilant and keep your files protected! 🛡️✨