Create a user/group used to downgrade tcpdump privileges : doorway

adduser --system --group --home /nonexistent --shell /usr/sbin/nologin --no-create-home tcpdump


Install the file integrity checker AIDE :

apt-get install aide

If you are paranoid, skip this part. I personally think that using that many checksum/hash algorithms is overkill; I prefer to save some watts and use only 2 hashes from different families :

sed -i 's/^Checksums = \(.\+\)/#Checksums = \1\nChecksums = sha256+rmd160/' /etc/aide/aide.conf

Optionally ignore the noise associated with package updates :

sed -i 's/\(^FILTERUPDATES=no$\)/#\1\nFILTERUPDATES=yes/' /etc/default/aide

Optionally copy the new DB after each AIDE run (makes ANR/ARF work reliably) and increase the number of lines included in the reports. The latter is really important because you'll be warned only once for each change, and because FILTERUPDATES=yes implies TRUNCATEDETAILS=yes :

sed -i 's/\(^COPYNEWDB=no$\)/#\1\nCOPYNEWDB=yes/' /etc/default/aide
sed -i 's/\(^LINES=[0-9]\+$\)/#\1\nLINES=10000/' /etc/default/aide
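The four sed edits above (the Checksums line in aide.conf and the three keys in /etc/default/aide) all follow the same pattern: comment out the current line and add the new assignment under it. The script below is an added example, not part of the original guide; it applies the same edits through two hypothetical helpers, aide_get and aide_set, against constructed copies of both files, and reads the effective value of each key back so the result can be checked before the database is initialized. Like the guide it assumes GNU sed (the \n in the replacement and -i without a suffix are GNU extensions); the sample file contents, including the checksum list, are made up for the example and are not Debian's defaults.

```sh
#!/bin/sh
# Added example, not part of the original guide: apply the guide's config
# edits to constructed copies of /etc/aide/aide.conf and /etc/default/aide,
# then read back the effective value of each key. Assumes GNU sed.
set -eu

# Effective value of KEY in FILE. SEP is the assignment separator: "=" for
# /etc/default/aide (shell syntax), " = " for aide.conf. Commented lines are
# ignored and the last assignment wins.
aide_get() {
    key=$1; file=$2; sep=${3:-=}
    sed -n "s/^${key}${sep}\(.*\)$/\1/p" "$file" | tail -n 1
}

# Set KEY to VALUE in FILE the way the guide does: comment out the current
# line and add the new assignment under it. Unlike a bare sed, the edit is
# skipped when the key already holds VALUE, so a second run does not stack
# another commented copy on top of the first.
aide_set() {
    key=$1; value=$2; file=$3; sep=${4:-=}
    if [ "$(aide_get "$key" "$file" "$sep")" = "$value" ]; then
        return 0
    fi
    sed -i "s/^\(${key}${sep}.*\)$/#\1\n${key}${sep}${value}/" "$file"
}

# Constructed stand-ins for the two config files, with the values the guide's
# patterns expect (the checksum list is made up, not Debian's default).
make_sample_aide_conf() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/aide/aide.conf
Checksums = sha256+sha512+rmd160+haval+gost+crc32+tiger+whirlpool
EOF
}

make_sample_defaults() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/default/aide
FILTERUPDATES=no
COPYNEWDB=no
LINES=1000
TRUNCATEDETAILS=yes
EOF
}

# The guide's four edits, expressed through aide_set.
apply_guide_settings() {
    conf=$1; defaults=$2
    aide_set Checksums sha256+rmd160 "$conf" " = "
    aide_set FILTERUPDATES yes "$defaults"
    aide_set COPYNEWDB yes "$defaults"
    aide_set LINES 10000 "$defaults"
}

# Stand-alone run on temporary copies: prints the effective settings.
if [ "${1:-}" = "--demo" ]; then
    conf=$(mktemp); defaults=$(mktemp)
    make_sample_aide_conf "$conf"; make_sample_defaults "$defaults"
    apply_guide_settings "$conf" "$defaults"
    printf 'Checksums=%s\n' "$(aide_get Checksums "$conf" " = ")"
    for k in FILTERUPDATES COPYNEWDB LINES; do
        printf '%s=%s\n' "$k" "$(aide_get "$k" "$defaults")"
    done
    rm -f "$conf" "$defaults"
fi
```

Run it with `sh script.sh --demo` to see the values on throwaway copies. The value check in aide_set matters for the Checksums edit in particular: the guide's pattern `^Checksums = \(.\+\)` also matches the replacement line it produced, so running that sed a second time comments out the new line and appends another copy, whereas the /etc/default/aide patterns anchor on the old value (`=no$`, `=[0-9]\+$`) and are naturally one-shot.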

Initialize the database :