In this section, we’ll look at a few integrity-checking tools that are currently available. This list is not comprehensive, but it is meant to be illustrative. Before you investigate using a third-party tool, however, you should check your documentation to see which tools are bundled in with your operating system.
BSD-derived operating systems come preconfigured with a set of security-checking scripts that are run automatically every night. Located in the directory /etc/periodic/security, these scripts perform a variety of functions, including the reporting of:
SUID files that have been newly created or removed, or that had their permissions changed
Changes in system mount points
New users created with a UID of 0
Users without a password
Many Linux distributions provide similar security-checking scripts to be run daily, weekly, and monthly.
In addition to the nightly security script, BSD systems contain a program called mtree that can create a database of file sizes, permissions, attributes, and cryptographic checksums. Once this database is built, the program can report any differences between the database and the files that are actually in the directory. Most BSD systems use the mtree program to create this database when the operating system is first installed, then periodically run the mtree program to report any files that have changed.
An example security output is shown ...