A systems administrator is investigating a Linux web server that is exhibiting erratic behavior after a recent, unannounced application update. The administrator suspects that the update may have been tampered with, potentially modifying critical system binaries. To detect if any unauthorized changes have occurred to the filesystem, which of the following security tools should be used?
The correct answer is AIDE (Advanced Intrusion Detection Environment). AIDE is a host-based intrusion detection system (HIDS) and file integrity checker. It creates a baseline database of file attributes, such as permissions, hashes, and timestamps, and then compares this baseline to the current state of the system to detect any modifications. This is the most direct way to address the administrator's suspicion that system binaries have been altered.
nmap is a network scanner used to discover hosts and open ports on a network; it does not check local file integrity.
netstat is a command-line tool that displays network connections, routing tables, and interface statistics. It is used for network troubleshooting, not for verifying file integrity.
SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) security module. Its primary function is to enforce security policies to prevent unauthorized actions, not to detect changes that have already occurred.
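The baseline-and-compare approach described for AIDE above, as an added sketch that is not part of the original question and is not AIDE's own code or database format. The function names `snapshot`, `compare`, `write` and `demo`, and the temporary directory tree, are constructed for illustration.

```python
import hashlib, os, stat, tempfile

def snapshot(root):
    """Baseline: map each regular file under root to its hash and attributes."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            db[os.path.relpath(path, root)] = {
                "sha256": digest, "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size, "mtime_ns": st.st_mtime_ns}
    return db

def compare(baseline, current):
    """Return (added, removed, changed); changed maps path -> differing attributes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        diff = [k for k, v in baseline[path].items() if current[path][k] != v]
        if diff:
            changed[path] = diff
    return added, removed, changed

def write(path, data, mode):
    """Helper for the constructed scenario: write bytes and set permissions."""
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)

def demo():
    """Constructed scenario on a temporary tree (not real system paths)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        ls, conf = os.path.join(root, "bin", "ls"), os.path.join(root, "app.conf")
        write(ls, b"original binary", 0o755)
        write(conf, b"port=8080\n", 0o644)
        baseline = snapshot(root)
        st = os.stat(ls)
        write(ls, b"modified binary", 0o755)   # same length, different content
        os.utime(ls, ns=(st.st_atime_ns, st.st_mtime_ns))  # mtime left as it was
        os.chmod(conf, 0o666)                  # permission change only
        write(os.path.join(root, "bin", "helper"), b"new file", 0o755)
        return compare(baseline, snapshot(root))
```

In the constructed scenario the altered `bin/ls` keeps its size and timestamp, so only the hash comparison reports it, which is why a file integrity checker records hashes alongside the other attributes.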