Many file integrity checkers are available, and each has its pros and cons. Here is a useful review of the most popular. Compare the bulleted lists and experiment with those that meet your demands. Included are Samhain and Tripwire, which are the two checkers we focus upon in Prepping the Environment for Samhain and Tripwire through Recognizing Malicious Activity with Samhain and Tripwire.
Afick stands for Another File Integrity Checker, is written in Perl, is licensed under the GPL, and runs on AIX, Linux, and Windows. However, Afick does not protect its database. I strongly recommend you move the hash database to read-only media and/or sign it with GPG (although checking will not verify the GPG signature). Some of Afick's key characteristics are listed as follows:
Hash functions supported: MD5.
Database: sdbm, scrambled, but not protected otherwise.
Documentation: man 1 afick, man 1 afickonfig, README, index.html.
User Interface: command line, tk and webmin module.
Security: none.
Project's last update: 2.8.3 released on July 10, 2006. Considered active at time of this writing.
Management tools: Request for Comment document (RFC).
An acronym for Advanced Intrusion Detection Environment, Aide is written in the C language and licensed under the GPL. It is the default file integrity checker shipped with Fedora Core 3, 4, and 5 in the Fedora Extras package repository. Aide is replacing the older open source Tripwire, now retired from Red Hat distributions due to licensing issues. Characteristics are:
Hash functions supported: MD5, SHA1, RIPEMD 160, Tiger, Haval, gost (multiple functions can be used simultaneously).
Database: postgresql.
User interface: command line.
Security: user-contributed files include scripts to GPG sign configuration and database files. Configuration files and databases can embed an HMAC for data integrity checking. The shared key used for this HMAC computation is configured at the time of build. Therefore, I strongly recommend you build the tool from scratch so you have an opportunity to provide your own shared key.
Project's last update: 0.12-rc1 released on July 15, 2006. At time of this writing, it's considered active.
Management tools: RFC.
In order to provide adequate protection, aide must not be easily substituted. I recommend storing the aide binary on read-only media.
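To make the database-protection point concrete, here is an added Python sketch (not code from Aide, Afick or any tool above) of the scheme Aide describes: a baseline of file hashes sealed with an HMAC under a shared key, so that a baseline edited to hide a change fails verification instead of being trusted the way Afick's unprotected database would be. The key value and the sample file names are assumptions for the demo.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Hypothetical key: Aide fixes its key at build time; inlined only for the demo.
SHARED_KEY = b"example-build-time-key"
def hash_file(path):
    """SHA-256 of the file's contents (read whole; fine for config-sized files)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_database(paths):
    """Baseline {path: hash} as JSON, followed by an HMAC over that JSON."""
    body = json.dumps({p: hash_file(p) for p in sorted(paths)}, sort_keys=True)
    tag = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body.encode() + b"\n" + tag.encode()

def load_database(blob):
    """Refuse to trust a baseline whose HMAC does not verify."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag.decode()):
        raise ValueError("baseline HMAC mismatch: database altered or wrong key")
    return json.loads(body)

def check(blob):
    """Paths whose current hash differs from the baseline (or that vanished)."""
    return [p for p, h in load_database(blob).items()
            if not os.path.exists(p) or hash_file(p) != h]

def demo():
    """Constructed run: two files, one edited later, then a forged baseline."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("passwd", "sshd_config")]
    for p in paths:
        with open(p, "w") as f:
            f.write("original contents of %s\n" % os.path.basename(p))
    blob, old = build_database(paths), hash_file(paths[1])
    with open(paths[1], "a") as f:
        f.write("PermitRootLogin yes\n")  # change made after baselining
    changed = check(blob)                 # honest check reports the file
    # Patching the stored hash to hide the edit breaks the HMAC instead.
    forged = blob.replace(old.encode(), hash_file(paths[1]).encode())
    try:
        check(forged)
        return changed == [paths[1]], False
    except ValueError:
        return changed == [paths[1]], True
```

Running demo() returns (True, True): the edited file is reported, and the forged baseline is rejected before any comparison is made.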
A simple file integrity checker written in C and licensed under the GPL, integrit uses the gnupg algorithms for its hash implementation. Key characteristics are:
Hash functions supported: RipeMD160.
Database: cdb or hashtbl.
User interface: command line.
Security: Reports include a hash of the database file itself, which can be used to verify tampering attempts.
Project's last update: 4.0 released on April 19, 2006. At time of writing, considered active.
Management tools: RFC.
Make sure the integrit binary is stored on read-only media so that it cannot be replaced with a tampered copy.
Remote Filesystem Checker (RFC) is a set of bash scripts aimed at reducing the administration burden for operators managing multiple hosts running filesystem integrity checkers. Acting as an interface to afick, aide, and integrit, this collection of scripts is released under the GPL. The following features are available:
Centralized database creation and updates.
Centralized log reporting.
Secured communication with remote clients using SSH.
The project's last update was version 3.3.0, released November 17, 2005. Project is active at time of this writing.
Complete, well-secured, and supported by a commercial organization, Samhain is a file integrity checker written in C and released under the GPL license. Beltane, a sister project, provides a web-based centralized console to Samhain and allows for monitoring file integrity across several hosts. Beltane 1 is released under the GPL while Beltane 2 is a commercial product equipped with a faster and more efficient engine that supports a higher number of clients.
Hash functions supported: Tiger by default. Optional: MD5 and SHA-1.
Database: proprietary, fixed size record format.
User interface: command line and Web UI through Beltane.
Security: Configuration and database files can be PGP-signed. Embedding the PGP signing key fingerprint in the samhain binary is another possibility that increases security. In stealth mode, samhain runs without revealing its presence. This mode includes the use of steganography for hiding configuration data inside image files.
Project's last update: version 2.2.2, released July 17, 2006. Project is active at time of this writing.
Management tools: Beltane, Prelude-IDS.
Because of its open license and security features, Samhain is my personal all-time favorite tool for file integrity checking.
Released under the GPL, Open Source Tripwire is based on code contributed by Tripwire Inc. back in 2000. It has not seen many releases since, but the latest update is fairly recent.
Hash functions supported: MD5 or SHA-1.
Database: custom file format.
User interface: command line.
Security: uses a public/private key scheme to sign configuration and database files.
Project's last update: version 2.4.0.1, released December 1, 2005. Project is deemed active at time of this writing.
Management tools: Tripwire Enterprise, Demarc (a web-based multipurpose security monitoring console), FICC (a command-line interface-oriented solution to manage multiple tripwire monitored hosts), and Prelude-IDS (through its log-monitoring daemon).