Cheat sheet — Host & Boot Integrity¶
Companion to Module 11 — Host & Boot Integrity · CC BY 4.0 — print it, pin it, share it.
Last reviewed: 2026-07
AIDE — file-integrity baseline¶
aide --init # build the baseline db from aide.conf
aide --init --config=/lab/data/aide.conf # explicit config (Debian default is /etc/aide/aide.conf)
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db # promote new db → the trusted baseline
aide --check # re-fingerprint live host, diff vs baseline
aide --update # check AND write a fresh db.new in one pass
aide --version # confirm build + compiled-in defaults
aide --checkexit code is a bitfield, not 0/1 — non-zero means "differences found," which is the expected state after a real tamper. Key alarms on the report text, not the raw code.
aide.conf — rule groups and selection¶
# attribute groups: what to compare per file
p+i+n+u+g+s+b+m+c+sha256 # perms, inode, links, owner, group, size, blocks, mtime, ctime, hash
NORMAL = p+i+n+u+g+s+b+m+c+sha256 # name a reusable group
# selection lines: path <group> (leading '=' = this dir only, not recursive)
/srv/app NORMAL # watch the app tree strictly
/etc/cron.d NORMAL # watch the DIRECTORY → an ADDED cron job is caught
!/var/log # '!' = exclude (churns; would drown you in false positives)
!/proc
!/tmp
LOGONLY = p+u+g # relax: metadata only, ignore content churn
/var/log LOGONLY # watch permission/owner, not the ever-changing bytes
cryptsetup / LUKS — encryption at rest¶
cryptsetup luksFormat /dev/sdX # initialise a LUKS volume (DESTROYS existing data)
cryptsetup luksDump /dev/sdX # header + keyslot layout (no secrets shown)
cryptsetup luksOpen /dev/sdX secret # unlock → /dev/mapper/secret
cryptsetup luksClose secret # lock and remove the mapping
cryptsetup luksAddKey /dev/sdX # add another passphrase to a free keyslot
cryptsetup luksRemoveKey /dev/sdX # revoke a passphrase
cryptsetup status secret # is it open? cipher, keysize, device
cryptsetup luksHeaderBackup /dev/sdX --header-backup-file luks-hdr.img # SAVE THIS OFF-BOX
TPM 2.0 — measured boot & sealing (tpm2-tools)¶
tpm2_pcrread # dump all PCR banks (sha1/sha256) — what booted
tpm2_pcrread sha256:0,7 # just firmware (0) + Secure Boot state (7)
tpm2_getcap properties-fixed # TPM manufacturer / spec version
# seal a secret to the current PCR state (measured boot = detection, not prevention):
tpm2_createprimary -c primary.ctx
tpm2_create -C primary.ctx -u seal.pub -r seal.priv -i secret.bin
tpm2_load -C primary.ctx -u seal.pub -r seal.priv -c seal.ctx
tpm2_unseal -c seal.ctx # only releases if PCRs match the sealed state
# LUKS key sealed to a TPM PCR state → volume auto-unlocks only if the boot chain is unchanged:
systemd-cryptenroll /dev/sdX --tpm2-device=auto --tpm2-pcrs=7
Secure Boot — is the chain signature-verified?¶
mokutil --sb-state # "SecureBoot enabled" / "disabled"
mokutil --list-enrolled # keys the firmware trusts (incl. self-signed MOK)
bootctl status # systemd-boot: Secure Boot, TPM2, firmware info
# raw read of the firmware variable if mokutil is absent:
od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-* # last byte 1 = enabled
Gotchas worth remembering¶
- The AIDE database is the real target, not the files. An attacker who roots the box can tamper a
binary, re-run
aide --init, and the next check reports clean. The db (ideally the binary and config too) must live where a compromised host can't write it — read-only media, or a separate host that pulls and verifies. Keep an off-box hash of the db and check it before trusting a "clean" result. - Re-baseline after every approved change. A package update legitimately rewrites watched files;
if you don't
--initover it, the next check drowns in noise. The discipline is knowing which changes are approved before you re-baseline — never re-init blindly to "make the alarm stop." luksHeaderBackupor the data is gone. LUKS keys live in the header keyslots; a corrupted or overwritten header means every passphrase is useless and the volume is unrecoverable. Back the header up off-disk the day you format.- TPM PCR-sealed keys break on legitimate updates. A firmware or kernel update changes the PCR values the key was sealed against, so the TPM refuses to release it. Always enrol a recovery passphrase alongside the TPM binding, or a routine patch locks you out of your own disk.
- Measured boot detects; it does not prevent. TPM PCRs record what booted into a tamper-evident log you attest later — nothing is blocked inline. Secure Boot is the prevention layer (refuses unsigned/tampered components); to boot a self-built kernel you enrol a self-signed MOK rather than disabling Secure Boot outright.
- File integrity is blind before the OS mounts. AIDE can't see firmware, bootloader, kernel, or initramfs — that window belongs to Secure Boot (prevent), measured boot/TPM (detect), and FDE (protect at rest). Every one of them has the same weak point: the reference it compares against.
Comments
Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).