Create a user/group used to downgrade tcpdump privileges: doorway
adduser --system --group --home /nonexistent --shell /usr/sbin/nologin --no-create-home tcpdump
Install the file integrity checker AIDE:
apt-get install aide
If you are paranoid, skip this step. I personally think that computing that many checksum/hash algorithms per file is overkill, and I prefer to save some CPU time and use only two hashes from different families:
sed -i 's/^Checksums = \(.\+\)/#Checksums = \1\nChecksums = sha256+rmd160/' /etc/aide/aide.conf
Optionally ignore the noise associated with package updates:
sed -i 's/\(^FILTERUPDATES=no$\)/#\1\nFILTERUPDATES=yes/' /etc/default/aide
Optionally copy the new DB after each AIDE run (this makes ANR/ARF work reliably) and increase the number of lines included in the reports. The second setting is really important, because you will be warned only once about each change, and because FILTERUPDATES=yes implies TRUNCATEDETAILS=yes:
sed -i 's/\(^COPYNEWDB=no$\)/#\1\nCOPYNEWDB=yes/' /etc/default/aide
sed -i 's/\(^LINES=[0-9]\+$\)/#\1\nLINES=10000/' /etc/default/aide
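Before running those sed one-liners against the live files, it is worth checking what they actually do to a config and that each setting ends up active exactly once (a stray duplicate `Checksums` or `LINES` line would silently win or lose depending on how AIDE parses the file). The script below is an added example, not part of the original tutorial: it applies the same four edits to constructed copies of /etc/aide/aide.conf and /etc/default/aide in a scratch directory and then verifies the result. It assumes GNU sed, because the `\+` and the `\n` in the replacement are GNU extensions (the original commands rely on them too); the file names `aide.conf` and `default-aide` and the sample contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: dry-run the tutorial's AIDE config edits on copies and verify them.
# Assumes GNU sed. Sample file contents below are constructed, not real system files.

# Write constructed excerpts of the two config files into directory "$1".
make_sample_configs() {
    dir=$1
    cat > "$dir/aide.conf" <<'EOF'
# constructed excerpt of /etc/aide/aide.conf
database_in=file:/var/lib/aide/aide.db
Checksums = sha256+sha512+rmd160+haval+gost+crc32+tiger+whirlpool
EOF
    cat > "$dir/default-aide" <<'EOF'
# constructed excerpt of /etc/default/aide
FILTERUPDATES=no
COPYNEWDB=no
LINES=1000
TRUNCATEDETAILS=no
EOF
}

# Apply the four sed edits from the tutorial to the copies in "$1".
# Each edit comments out the old line and appends the new setting after it.
apply_aide_edits() {
    dir=$1
    sed -i 's/^Checksums = \(.\+\)/#Checksums = \1\nChecksums = sha256+rmd160/' "$dir/aide.conf"
    sed -i 's/\(^FILTERUPDATES=no$\)/#\1\nFILTERUPDATES=yes/' "$dir/default-aide"
    sed -i 's/\(^COPYNEWDB=no$\)/#\1\nCOPYNEWDB=yes/' "$dir/default-aide"
    sed -i 's/\(^LINES=[0-9]\+$\)/#\1\nLINES=10000/' "$dir/default-aide"
}

# Print how many lines of file "$2" start with "$1" and are not commented out.
active_count() {
    grep -c "^$1" "$2" || true
}

# Check that every setting is active exactly once with the expected value.
# Returns 0 when all checks pass, 1 otherwise (details go to stderr).
verify_aide_edits() {
    dir=$1
    status=0
    for spec in \
        "aide.conf|Checksums = |Checksums = sha256+rmd160" \
        "default-aide|FILTERUPDATES=|FILTERUPDATES=yes" \
        "default-aide|COPYNEWDB=|COPYNEWDB=yes" \
        "default-aide|LINES=|LINES=10000"; do
        file=${spec%%|*}; rest=${spec#*|}
        key=${rest%%|*}; want=${rest#*|}
        n=$(active_count "$key" "$dir/$file")
        if [ "$n" -ne 1 ] || ! grep -qxF "$want" "$dir/$file"; then
            echo "FAIL: $file: want exactly one active '$want', found $n active '$key' line(s)" >&2
            status=1
        fi
    done
    return $status
}

# Run the edits on fresh copies in a temporary directory and report the outcome.
demo() {
    tmp=$(mktemp -d)
    make_sample_configs "$tmp"
    apply_aide_edits "$tmp"
    if verify_aide_edits "$tmp"; then
        echo "OK: all four AIDE settings are active exactly once"
        echo "--- resulting default-aide ---"
        cat "$tmp/default-aide"
    fi
    rm -rf "$tmp"
}

demo
```

Running the edits a second time is harmless for the `=no` patterns (they no longer match), but the `Checksums` and `LINES` patterns do match their own replacements, so a re-run comments out the new line and appends another copy; the verifier still sees exactly one active line, which is why it counts active lines rather than total occurrences.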
Initialize the database:
aideinit