File Integrity Verification

File integrity verification answers the question: "Have these files been modified?" This matters for two scenarios: verifying that downloaded files were not corrupted or tampered with during transfer, and detecting unauthorized modifications to system files after a potential compromise. Ubuntu provides built-in checksum tools for the first case and the AIDE host-based intrusion detection system for the second.

Checksums with sha256sum and md5sum

# Generate a SHA-256 checksum
sha256sum ubuntu-24.04-server-amd64.iso

sha256sum output

8762f7e74e4d64d72fceb5f70682e6b069932deedb4949c6975d0f0fe0a91be3  ubuntu-24.04-server-amd64.iso

# Verify against a known good hash
echo "8762f7e74e4d64d72fceb5f70682e6b069932deedb4949c6975d0f0fe0a91be3  ubuntu-24.04-server-amd64.iso" | sha256sum --check

Expected output when file is intact

ubuntu-24.04-server-amd64.iso: OK

# If the hash doesn't match:
# ubuntu-24.04-server-amd64.iso: FAILED
# sha256sum: WARNING: 1 computed checksum did NOT match

# SHA-256 checksum of multiple files
sha256sum /etc/passwd /etc/shadow /etc/sudoers

# Save checksums to a file for later verification
sha256sum /etc/passwd /etc/shadow /etc/sudoers > /root/system-checksums.txt

# Verify later
sha256sum --check /root/system-checksums.txt

# MD5 (deprecated for security: collisions are practical, so it only catches accidental corruption, not deliberate tampering)
md5sum filename.tar.gz

# SHA-512 (strongest, slowest)
sha512sum important-file.tar.gz
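
sha256sum --check only re-hashes the files named in the saved list, so it reports modified and missing files but says nothing about files added since the baseline. The script below is an added example (not from the original article) that extends the save-and-verify steps above to a whole directory and also flags new files; the function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original article; function names are hypothetical.
# Keep the baseline outside the tree it describes, ideally off the host.

# make_baseline DIR OUT: hash every regular file under DIR into OUT,
# in the "<hash>  <path>" format that sha256sum --check reads.
make_baseline() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$2"
}

# compare_baseline DIR BASELINE: print "STATUS path" for every difference.
# Returns 0 if the tree matches the baseline, 1 if anything differs.
compare_baseline() {
    cb_now=$(mktemp) || return 2
    make_baseline "$1" "$cb_now"
    # Columns 1-64 hold the hash; the path starts at column 67.
    cb_report=$(awk '
        FILENAME == ARGV[1] { old[substr($0, 67)] = substr($0, 1, 64); next }
        {
            path = substr($0, 67); hash = substr($0, 1, 64)
            if (!(path in old))         print "ADDED " path
            else if (old[path] != hash) print "CHANGED " path
            delete old[path]
        }
        END { for (p in old) print "MISSING " p }
    ' "$2" "$cb_now" | LC_ALL=C sort)
    rm -f "$cb_now"
    [ -z "$cb_report" ] && return 0
    printf '%s\n' "$cb_report"
    return 1
}

# demo_tamper: constructed sample tree; change, delete and add one file each.
demo_tamper() {
    dt_dir=$(mktemp -d) && dt_base=$(mktemp) || return 2
    printf 'root:x:0:0\n' > "$dt_dir/passwd"
    printf 'ALL=(ALL) ALL\n' > "$dt_dir/sudoers"
    make_baseline "$dt_dir" "$dt_base"
    printf 'added:x:0:0\n' >> "$dt_dir/passwd"  # shows up as CHANGED
    rm "$dt_dir/sudoers"                        # shows up as MISSING
    printf '#!/bin/sh\n' > "$dt_dir/rc.local"   # ADDED: sha256sum --check misses this
    dt_rc=0; compare_baseline "$dt_dir" "$dt_base" || dt_rc=$?
    rm -rf "$dt_dir" "$dt_base"
    return "$dt_rc"
}
```

File names containing newlines or backslashes are not handled, because sha256sum escapes those lines differently.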

Verifying downloaded files

# Ubuntu ISOs always come with a SHA256SUMS file — verify BEFORE installing
# Step 1: Download the ISO and its checksum file
curl -LO https://releases.ubuntu.com/24.04/ubuntu-24.04-server-amd64.iso
curl -LO https://releases.ubuntu.com/24.04/SHA256SUMS
curl -LO https://releases.ubuntu.com/24.04/SHA256SUMS.gpg

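# Step 2: Verify the GPG signature on the checksum file
# (the Ubuntu CD image signing key must already be in your keyring; compare the
#  fingerprint gpg prints with the one Ubuntu publishes before trusting "Good signature")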
gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS

# Step 3: Verify the ISO against the signed checksum file
sha256sum --check SHA256SUMS --ignore-missing

Expected output from gpg verification

gpg: Signature made Fri Apr 26 14:00:00 2024 UTC
gpg:                using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>"

Host-based intrusion detection with AIDE

AIDE (Advanced Intrusion Detection Environment) creates a database of file hashes, permissions, and other attributes. You can run it periodically to detect any unauthorized file changes.

# Install AIDE
sudo apt install -y aide aide-common

# Configure what to monitor (edit before first run)
sudo nano /etc/aide/aide.conf
# Default config monitors: /bin, /sbin, /usr/bin, /usr/sbin, /etc, /boot

# Initialize the AIDE database (first run — may take 5-10 minutes)
sudo aideinit

After aideinit completes

Running aide --init...
Start timestamp: 2024-06-01 14:00:00 +0000 (AIDE 0.17.3)
AIDE initialized database at /var/lib/aide/aide.db.new
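Saved AIDE database at /var/lib/aide/aide.db

# Check for changes against the database
# (pass the config file explicitly; the Debian/Ubuntu aide binary has no usable default path)
sudo aide --config /etc/aide/aide.conf --check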

aide --check output showing a changed file

Start timestamp: 2024-06-01 15:00:00 +0000
AIDE found differences between database and filesystem!!

Changed files:
---------------------------------------------------
f ...    Mtime    : 2024-06-01 14:30:00 → 2024-06-01 14:55:00
         SHA256   : abcdef12... → 99887766...
File: /etc/passwd

# After authorized changes (system updates), update the database
sudo aide --config /etc/aide/aide.conf --update
# New database is at /var/lib/aide/aide.db.new
# Move it to replace the current database:
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# Automate daily checks (add to cron)
echo "0 4 * * * root /usr/bin/aide --config /etc/aide/aide.conf --check 2>&1 | mail -s 'AIDE Check: $(hostname)' admin@company.com" | sudo tee /etc/cron.d/aide-check

debsums for package file verification

# Install debsums
sudo apt install -y debsums

# Check all installed package files against expected checksums
sudo debsums --all

# Check only changed files
sudo debsums --changed

# Check a specific package
sudo debsums nginx

debsums output showing a modified file

/etc/nginx/nginx.conf FAILED (configuration)
# "configuration" means the change is expected (user-modified config)

/usr/sbin/nginx OK
/usr/bin/nginx-debug FAILED
# FAILED on a binary = potential tampering, investigate immediately

Conclusion

Use sha256sum to verify checksums of downloaded files — always verify Ubuntu ISOs before installation. For system integrity monitoring, install AIDE, run aideinit after a known-clean installation, and schedule daily aide --check runs to detect unauthorized modifications. Use debsums --changed to quickly check if any installed package files have been modified. A binary that debsums reports as FAILED warrants immediate investigation.

FAQ

Is File Integrity Verification important for Ubuntu administrators?

Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.

Should I practice this on a live server?

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.
