System-Integrity-Analyzer.sh

#!/bin/bash
# System Integrity Analyzer
#
# This script performs comprehensive system integrity checks to detect unauthorized
# file modifications, rootkits, and other system compromises.
#
# Options:
# 1. Initialize AIDE database
# 2. Update AIDE database
# 3. Check system integrity with AIDE
# 4. Scan for rootkits with chkrootkit
# 5. Scan for rootkits with rkhunter
# 6. Check for hidden processes
# 7. Check for unauthorized SUID/SGID binaries
# 8. Verify installed package integrity
# 9. Check for suspicious cron jobs
# 10. Check for suspicious kernel modules
# 11. Monitor file changes in real-time
# 12. Check for unauthorized network listeners
# 13. Generate system integrity report
# 14. Schedule automated integrity checks
# 15. Compare current state with baseline
# 16. Exit

# Check for required tools
check_required_tools() {
    missing_tools=()

    command -v aide >/dev/null 2>&1 || missing_tools+=("aide")
    command -v chkrootkit >/dev/null 2>&1 || missing_tools+=("chkrootkit")
    command -v rkhunter >/dev/null 2>&1 || missing_tools+=("rkhunter")
    command -v inotifywait >/dev/null 2>&1 || missing_tools+=("inotify-tools")

    if [ ${#missing_tools[@]} -gt 0 ]; then
        echo "The following required tools are missing:"
        for tool in "${missing_tools[@]}"; do
            echo "- $tool"
        done
        echo "Install them with: apt-get install ${missing_tools[*]}"
        return 1
    fi
    return 0
}

# Function to display menu
show_menu() {
    clear
    echo "===== System Integrity Analyzer ====="
    echo "1. Initialize AIDE database"
    echo "2. Update AIDE database"
    echo "3. Check system integrity with AIDE"
    echo "4. Scan for rootkits with chkrootkit"
    echo "5. Scan for rootkits with rkhunter"
    echo "6. Check for hidden processes"
    echo "7. Check for unauthorized SUID/SGID binaries"
    echo "8. Verify installed package integrity"
    echo "9. Check for suspicious cron jobs"
    echo "10. Check for suspicious kernel modules"
    echo "11. Monitor file changes in real-time"
    echo "12. Check for unauthorized network listeners"
    echo "13. Generate system integrity report"
    echo "14. Schedule automated integrity checks"
    echo "15. Compare current state with baseline"
    echo "16. Exit"
    echo "====================================="
    echo "Enter your choice [1-16]: "
}

# Function to initialize AIDE database
initialize_aide_database() {
    echo "Initializing AIDE database. This may take some time..."
    sudo aide --init
    if [ $? -eq 0 ]; then
        sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
        echo "AIDE database initialized successfully."
    else
        echo "Failed to initialize AIDE database."
    fi
}

# Function to update AIDE database
update_aide_database() {
    echo "Updating AIDE database. This may take some time..."
    sudo aide --update
    if [ $? -eq 0 ]; then
        sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
        echo "AIDE database updated successfully."
    else
        echo "Failed to update AIDE database."
    fi
}

# Function to check system integrity with AIDE
check_system_integrity() {
    echo "Checking system integrity with AIDE. This may take some time..."
    report_file="aide_report_$(date +%Y%m%d_%H%M%S).txt"
    sudo aide --check > "$report_file" 2>&1
    echo "Integrity check completed. Report saved to $report_file"

    # Display summary
    added=$(grep -c "added" "$report_file")
    removed=$(grep -c "removed" "$report_file")
    changed=$(grep -c "changed" "$report_file")

    echo "Summary:"
    echo "- Added files: $added"
    echo "- Removed files: $removed"
    echo "- Changed files: $changed"

    if [ $added -gt 0 ] || [ $removed -gt 0 ] || [ $changed -gt 0 ]; then
        echo "WARNING: System integrity compromised! Review the report for details."
    else
        echo "System integrity verified. No changes detected."
    fi
}

    # Display summary of chkrootkit results
    infected=$(grep -c "INFECTED" "$report_file")
    suspicious=$(grep -c -E "suspicious|WARNING" "$report_file")

    echo "Summary:"
    echo "- Infected items: $infected"
    echo "- Suspicious items: $suspicious"

    if [ $infected -gt 0 ] || [ $suspicious -gt 0 ]; then
        echo "WARNING: Possible rootkit detected! Review the report for details."
        grep -E "INFECTED|suspicious|WARNING" "$report_file"
    else
        echo "No rootkits detected."
    fi
}

# Function to scan for rootkits with rkhunter
scan_with_rkhunter() {
    echo "Scanning for rootkits with rkhunter. This may take some time..."
    report_file="rkhunter_report_$(date +%Y%m%d_%H%M%S).txt"
    sudo rkhunter --checkall --skip-keypress --report-warnings-only > "$report_file" 2>&1
    echo "Rootkit scan completed. Report saved to $report_file"

    # Display summary of rkhunter results
    warnings=$(grep -c "Warning" "$report_file")

    echo "Summary:"
    echo "- Warnings: $warnings"

    if [ $warnings -gt 0 ]; then
        echo "WARNING: Possible security issues detected! Review the report for details."
        grep "Warning" "$report_file"
    else
        echo "No security issues detected."
    fi
}

# Function to check for hidden processes
check_hidden_processes() {
    echo "Checking for hidden processes..."
    report_file="hidden_processes_report_$(date +%Y%m%d_%H%M%S).txt"

    echo "Hidden Processes Report - $(date)" > "$report_file"
    echo "=================================" >> "$report_file"

    # Get list of processes from ps
    ps_pids=$(ps -ef | awk '{print $2}' | sort -n | uniq)

    # Get list of processes from /proc
    proc_pids=$(find /proc -maxdepth 1 -regex '/proc/[0-9]+' | awk -F/ '{print $3}' | sort -n | uniq)

    # Find processes in /proc but not in ps
    hidden_pids=$(comm -13 <(echo "$ps_pids") <(echo "$proc_pids"))

    if [ -n "$hidden_pids" ]; then
        echo "WARNING: Hidden processes detected!" | tee -a "$report_file"
        echo "Hidden PIDs:" | tee -a "$report_file"
        for pid in $hidden_pids; do
            echo "PID: $pid" | tee -a "$report_file"
            if [ -d "/proc/$pid" ]; then
                echo "  Command: $(cat /proc/$pid/cmdline 2>/dev/null | tr '\0' ' ')" | tee -a "$report_file"
                echo "  Owner: $(stat -c %U /proc/$pid 2>/dev/null)" | tee -a "$report_file"
                echo "  Created: $(stat -c %w /proc/$pid 2>/dev/null)" | tee -a "$report_file"
            fi
            echo | tee -a "$report_file"
        done
    else
        echo "No hidden processes detected." | tee -a "$report_file"
    fi

    echo "Check completed. Report saved to $report_file"
}

# Function to check for unauthorized SUID/SGID binaries
check_suid_sgid() {
    echo "Checking for unauthorized SUID/SGID binaries..."
    report_file="suid_sgid_report_$(date +%Y%m%d_%H%M%S).txt"

    echo "SUID/SGID Binary Report - $(date)" > "$report_file"
    echo "=================================" >> "$report_file"

    # Create baseline if it doesn't exist
    baseline_file="/var/lib/integrity_checker/suid_sgid_baseline.txt"
    if [ ! -f "$baseline_file" ]; then
        echo "Baseline not found. Creating baseline of SUID/SGID binaries..."
        sudo mkdir -p /var/lib/integrity_checker
        sudo find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -la {} \; 2>/dev/null | sort > "$baseline_file"
        echo "Baseline created. Run this check again to detect changes."
        return
    fi

    # Find current SUID/SGID binaries
    current_file=$(mktemp)
    sudo find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -la {} \; 2>/dev/null | sort > "$current_file"

    # Compare with baseline
    echo "New SUID/SGID binaries (not in baseline):" >> "$report_file"
    diff_output=$(comm -13 "$baseline_file" "$current_file")
    if [ -n "$diff_output" ]; then
        echo "$diff_output" >> "$report_file"
        echo "WARNING: New SUID/SGID binaries detected!" | tee -a "$report_file"
        echo "$diff_output" | head -10 | tee -a "$report_file"
        if [ $(echo "$diff_output" | wc -l) -gt 10 ]; then
            echo "...and $(( $(echo "$diff_output" | wc -l) - 10 )) more. See report for details." | tee -a "$report_file"
        fi
    else
        echo "None found." >> "$report_file"
        echo "No new SUID/SGID binaries detected."
    fi

    echo "Missing SUID/SGID binaries (in baseline but not found now):" >> "$report_file"
    missing_output=$(comm -23 "$baseline_file" "$current_file")
    if [ -n "$missing_output" ]; then
        echo "$missing_output" >> "$report_file"
        echo "WARNING: Some SUID/SGID binaries from baseline are missing!" | tee -a "$report_file"
    else
        echo "None missing." >> "$report_file"
    fi

    # Clean up
    rm "$current_file"
    echo "Check completed. Report saved to $report_file"
}

# Function to verify installed package integrity
verify_package_integrity() {
    echo "Verifying integrity of installed packages. This may take some time..."
    report_file="package_integrity_report_$(date +%Y%m%d_%H%M%S).txt"

    echo "Package Integrity Report - $(date)" > "$report_file"
    echo "=================================" >> "$report_file"

    # Determine package manager
    if command -v dpkg >/dev/null 2>&1; then
        echo "Using dpkg for package verification..." | tee -a "$report_file"
        echo "Verifying all installed packages..." | tee -a "$report_file"

        # Get list of installed packages
        packages=$(dpkg --get-selections | grep -v deinstall | awk '{print $1}')

        # Check each package
        failed_packages=0
        for package in $packages; do
            echo -n "Checking $package... "
            output=$(sudo dpkg --verify "$package" 2>&1)
            if [ -n "$output" ]; then
                echo "FAILED" | tee -a "$report_file"
                echo "Package: $package" >> "$report_file"
                echo "$output" >> "$report_file"
                echo >> "$report_file"
                failed_packages=$((failed_packages + 1))
            else
                echo "OK"
            fi
        done

        echo "Verification complete. $failed_packages packages failed integrity check." | tee -a "$report_file"

    elif command -v rpm >/dev/null 2>&1; then
        echo "Using rpm for package verification..." | tee -a "$report_file"
        echo "Verifying all installed packages..." | tee -a "$report_file"

        # Verify all packages and save failures
        output=$(sudo rpm -Va --nomtime --nomode --nomd5 --nolinkto 2>&1)

        if [ -n "$output" ]; then
            echo "Failed integrity checks:" >> "$report_file"
            echo "$output" >> "$report_file"
            failed_count=$(echo "$output" | wc -l)
            echo "Verification complete. $failed_count files failed integrity check." | tee -a "$report_file"
            echo "WARNING: Some files failed integrity check! See report for details." | tee -a "$report_file"
        else
            echo "Verification complete. All packages passed integrity check." | tee -a "$report_file"
            echo "All packages passed integrity check."
        fi
    else
        echo "No supported package manager found (dpkg or rpm)." | tee -a "$report_file"
    fi

    echo "Package verification completed. Report saved to $report_file"
}

# Function to check for suspicious cron jobs
check_suspicious_cron() {
    echo "Checking for suspicious cron jobs..."
    report_file="suspicious_cron_report_$(date +%Y%m%d_%H%M%S).txt"

    echo "Suspicious Cron Jobs Report - $(date)" > "$report_file"
    echo "=================================" >> "$report_file"

    # Check system crontabs
    echo "System Crontabs:" >> "$report_file"
    for crontab in /etc/crontab /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/* /etc/cron.weekly/* /etc/cron.monthly/*; do
        if [ -f "$crontab" ]; then
            echo "Checking $crontab..." | tee -a "$report_file"
            suspicious_entries=$(grep -E '(wget|curl|nc|netcat|bash -i|sh -i|python -c|perl -e|base64|eval|gzip -d|\
b(\/tmp|\/var\/tmp|\/dev\/shm)\/|reverse shell|connect-back|backdoor)' "$crontab" 2>/dev/null)
            if [ -n "$suspicious_entries" ]; then
                echo "WARNING: Suspicious entries found in $crontab:" | tee -a "$report_file"
                echo "$suspicious_entries" | tee -a "$report_file"
            fi
        fi
    done

    # Check user crontabs
    echo -e "\nUser Crontabs:" >> "$report_file"
    for user in $(cut -f1 -d: /etc/passwd); do
        crontab_file=$(sudo -u "$user" crontab -l 2>/dev/null)
        if [ $? -eq 0 ]; then
            suspicious_entries=$(echo "$crontab_file" | grep -E '(wget|curl|nc|netcat|bash -i|sh -i|python -c|perl -e|base64|eval|gzip -d|\
b(\/tmp|\/var\/tmp|\/dev\/shm)\/|reverse shell|connect-back|backdoor)' 2>/dev/null)
            if [ -n "$suspicious_entries" ]; then
                echo "WARNING: Suspicious entries found in $user's crontab:" | tee -a "$report_file"
                echo "$suspicious_entries" | tee -a "$report_file"
            fi
        fi
    done

    echo "Cron job check completed. Report saved to $report_file"
}

# Function to check for suspicious kernel modules
check_suspicious_modules() {
    echo "Checking for suspicious kernel modules..."
    report_file="suspicious_modules_report_$(date +%Y%m%d_%H%M%S).txt"

    echo "Suspicious Kernel Modules Report - $(date)" > "$report_file"
    echo "=================================" >> "$report_file"

    # List loaded modules
    echo "Loaded Kernel Modules:" >> "$report_file"
    lsmod | sort >> "$report_file"

    # Check for hidden modules (modules not in lsmod but present in /proc/modules)
    echo -e "\nChecking for hidden modules..." | tee -a "$report_file"
    lsmod_modules=$(lsmod | awk '{print $1}' | grep -v "Module" | sort)
    proc_modules=$(cat /proc/modules | awk '{print $1}' | sort)

    hidden_modules=$(comm -13 <(echo "$lsmod_modules") <(echo "$proc_modules"))
    if [ -n "$hidden_modules" ]; then
        echo "WARNING: Hidden kernel modules detected!" | tee -a "$report_file"
        echo "$hidden_modules" | tee -a "$report_file"
    else
        echo "No hidden modules detected." | tee -a "$report_file"
    fi

    # Check for suspicious module names
    echo -e "\nChecking for suspicious module names..." | tee -a "$report_file"
    suspicious_modules=$(lsmod | grep -E '(hide|backdoor|rootkit|intercept|hook|stealth)' | awk '{print $1}')
    if [ -n "$suspicious_modules" ]; then
        echo "WARNING: Suspicious module names detected!" | tee -a "$report_file"
        echo "$suspicious_modules" | tee -a "$report_file"
    else
        echo "No suspicious module names detected." | tee -a "$report_file"
    fi

    # Check module info
    echo -e "\nDetailed information for all modules:" >> "$report_file"
    for module in $(lsmod | awk '{print $1}' | grep -v "Module"); do
        echo -e "\nModule: $module" >> "$report_file"
        modinfo "$module" 2>/dev/null >> "$report_file"

        # Check if module is unsigned
        signature=$(modinfo "$module" 2>/dev/null | grep -i "signature")
        if [ -z "$signature" ]; then
            echo "WARNING: Unsigned module $module detected!" | tee -a "$report_file"
        fi
    done

    echo "Kernel module check completed. Report saved to $report_file"
}

# Function to monitor file changes in real-time
monitor_file_changes() {
    echo "Monitoring file changes in real-time. Press Ctrl+C to stop."

    # Check if inotifywait is available
    if ! command -v inotifywait >/dev/null 2>&1; then
        echo "Error: inotifywait not found. Install inotify-tools package."
        return 1
    fi

    # Ask for directories to monitor
    read -p "Enter critical directories to monitor (space-separated, e.g., /etc /bin): " directories

    # Use default directories if none specified
    if [ -z "$directories" ]; then
        directories="/etc /bin /sbin /usr/bin /usr/sbin /boot"
        echo "Using default directories: $directories"
    fi

    echo "Starting real-time file monitoring on: $directories"
    echo "Recording events: create, modify, delete, move, attrib"
    echo "Log file: file_changes_$(date +%Y%m%d_%H%M%S).log"
    echo "Press Ctrl+C to stop monitoring."

    # Start monitoring
    inotifywait -m -r -e create,modify,delete,move,attrib $directories | while read path action file; do
        timestamp=$(date +"%Y-%m-%d %H:%M:%S")
        echo "$timestamp | $path | $action | $file" | tee -a "file_changes_$(date +%Y%m%d).log"
    done
}

# Function to check for unauthorized network listeners
check_network_listeners() {
    echo "Checking for unauthorized network listeners..."
    report_file="network_listeners_report_$(date +%Y%m%d_%H%M%S).txt"

    echo "Network Listeners Report - $(date)" > "$report_file"
    echo "=================================" >> "$report_file"

    # Get all listening ports and processes
    echo "Active Network Listeners:" >> "$report_file"
    sudo netstat -tulpn | grep LISTEN >> "$report_file"

    # Create baseline if it doesn't exist
    baseline_file="/var/lib/integrity_checker/network_listeners_baseline.txt"
    if [ ! -f "$baseline_file" ]; then
        echo "Baseline not found. Creating baseline of network listeners..."
        sudo mkdir -p /var/lib/integrity_checker
        sudo netstat -tulpn | grep LISTEN | sort > "$baseline_file"
        echo "Baseline created. Run this check again to detect changes."
        return
    fi

    # Find current listeners
    current_file=$(mktemp)
    sudo netstat -tulpn | grep LISTEN | sort > "$current_file"

    # Compare with baseline
    echo -e "\nNew network listeners (not in baseline):" >> "$report_file"
    diff_output=$(comm -13 "$baseline_file" "$current_file")
    if [ -n "$diff_output" ]; then
        echo "$diff_output" >> "$report_file"
        echo "WARNING: New network listeners detected!" | tee -a "$report_file"
        echo "$diff_output" | tee -a "$report_file"
    else
        echo "None found." >> "$report_file"
        echo "No new network listeners detected."
    fi

    # Check for suspicious ports
    echo -e "\nChecking for suspicious ports..." | tee -a "$report_file"
    suspicious_ports=$(grep -E ':(4444|1337|31337|6666|6667|6668|6669|31415|47012)' "$current_file")
    if [ -n "$suspicious_ports" ]; then
        echo "WARNING: Suspicious network ports detected!" | tee -a "$report_file"
        echo "$suspicious_ports" | tee -a "$report_file"
    else
        echo "No suspicious ports detected." | tee -a "$report_file"
    fi

    # Clean up
    rm "$current_file"
    echo "Network listener check completed. Report saved to $report_file"
}

# Function to generate system integrity report
generate_integrity_report() {
    echo "Generating comprehensive system integrity report..."
    report_dir="system_integrity_report_$(date +%Y%m%d_%H%M%S)"
    mkdir -p "$report_dir"

    echo "System Integrity Report - $(date)" > "$report_dir/summary.txt"
    echo "=================================" >> "$report_dir/summary.txt"

    # System information
    echo "Collecting system information..."
    echo -e "\n== System Information ==" >> "$report_dir/summary.txt"
    echo "Hostname: $(hostname)" >> "$report_dir/summary.txt"
    echo "Kernel: $(uname -r)" >> "$report_dir/summary.txt"
    echo "Distribution: $(lsb_release -d 2>/dev/null | cut -f2- || cat /etc/*release | head -n1)" >> "$report_dir/summary.txt"

    # User accounts
    echo "Analyzing user accounts..."
    echo -e "\n== User Accounts ==" >> "$report_dir/summary.txt"
    echo "Users with UID 0:" >> "$report_dir/summary.txt"
    grep ":0:" /etc/passwd >> "$report_dir/summary.txt"

    echo "Recently added users:" >> "$report_dir/summary.txt"
    last_week=$(date -d "7 days ago" +%s)
    for user in $(cut -d: -f1,3 /etc/passwd); do
        username=$(echo "$user" | cut -d: -f1)
        uid=$(echo "$user" | cut -d: -f2)
        if [ -d "/home/$username" ]; then
            create_time=$(stat -c %W "/home/$username")
            if [ "$create_time" -gt "$last_week" ]; then
                echo "$username (UID: $uid) - created on $(date -d @"$create_time" +"%Y-%m-%d")" >> "$report_dir/summary.txt"
            fi
        fi
    done

    # SUID/SGID binaries
    echo "Checking SUID/SGID binaries..."
    echo -e "\n== SUID/SGID Binaries ==" >> "$report_dir/summary.txt"
    echo "Unusual SUID/SGID binaries:" >> "$report_dir/summary.txt"
    find / -type f \( -perm -4000 -o -perm -2000 \) -not -path "/usr/bin/*" -not -path "/usr/sbin/*" -not -path "/bin/*" -not -path "/sbin/*" 2>/dev/null | sort >> "$report_dir/suid_sgid.txt"
    count=$(wc -l < "$report_dir/suid_sgid.txt")
    echo "Found $count unusual SUID/SGID binaries. See suid_sgid.txt for details." >> "$report_dir/summary.txt"

    # Network connections
    echo "Analyzing network connections..."
    echo -e "\n== Network Connections ==" >> "$report_dir/summary.txt"
    sudo netstat -tualnp > "$report_dir/network_connections.txt"
    listening=$(grep LISTEN "$report_dir/network_connections.txt" | wc -l)
    established=$(grep ESTABLISHED "$report_dir/network_connections.txt" | wc -l)
    echo "Listening connections: $listening" >> "$report_dir/summary.txt"
    echo "Established connections: $established" >> "$report_dir/summary.txt"
    echo "See network_connections.txt for details." >> "$report_dir/summary.txt"

    # Running processes
    echo "Analyzing running processes..."
    echo -e "\n== Running Processes ==" >> "$report_dir/summary.txt"
    ps -eo pid,ppid,user,cmd --sort=pid > "$report_dir/processes.txt"
    process_count=$(wc -l < "$report_dir/processes.txt")
    echo "Total processes: $process_count" >> "$report_dir/summary.txt"
    echo "See processes.txt for details." >> "$report_dir/summary.txt"

    # Loaded kernel modules
    echo "Analyzing kernel modules..."
    echo -e "\n== Kernel Modules ==" >> "$report_dir/summary.txt"
    lsmod > "$report_dir/kernel_modules.txt"
    module_count=$(wc -l < "$report_dir/kernel_modules.txt")
    echo "Loaded modules: $module_count" >> "$report_dir/summary.txt"
    echo "See kernel_modules.txt for details." >> "$report_dir/summary.txt"

    # Scheduled tasks
    echo "Checking scheduled tasks..."
    echo -e "\n== Scheduled Tasks ==" >> "$report_dir/summary.txt"
    find /etc/cron* -type f | xargs cat 2>/dev/null > "$report_dir/cron_system.txt"
    for user in $(cut -f1 -d: /etc/passwd); do
        sudo -u "$user" crontab -l 2>/dev/null >> "$report_dir/cron_users.txt" || true
    done

    # Run quick AIDE check if available
    if command -v aide >/dev/null 2>&1; then
        echo "Running quick AIDE check..."
        echo -e "\n== AIDE Integrity Check ==" >> "$report_dir/summary.txt"
        sudo aide --check 2>&1 | head -20 > "$report_dir/aide_check.txt"
        changes=$(grep -c "changed" "$report_dir/aide_check.txt")
        echo "Files changed: $changes (truncated output, see aide_check.txt)" >> "$report_dir/summary.txt"
    fi

    echo "Comprehensive system integrity report generated in directory: $report_dir"
}

# Function to schedule automated integrity checks
schedule_automated_checks() {
    echo "Scheduling automated integrity checks..."

    # Create the script to be executed by cron
    script_path="/usr/local/bin/integrity_check.sh"
    sudo tee "$script_path" > /dev/null <<'EOF'
#!/bin/bash
# Automated integrity check script

REPORT_DIR="/var/log/integrity_reports"
mkdir -p "$REPORT_DIR"

# Generate report filename with date
REPORT_FILE="$REPORT_DIR/integrity_report_$(date +%Y%m%d_%H%M%S).txt"
echo "System Integrity Check - $(date)" > "$REPORT_FILE"
echo "=================================" >> "$REPORT_FILE"

# Run AIDE check
if command -v aide >/dev/null 2>&1; then
    echo -e "\n== AIDE Integrity Check ==" >> "$REPORT_FILE"
    aide --check 2>&1 >> "$REPORT_FILE"
fi

# Check for new SUID/SGID binaries
echo -e "\n== SUID/SGID Binary Check ==" >> "$REPORT_FILE"
find / -type f \( -perm -4000 -o -perm -2000 \) -not -path "/proc/*" 2>/dev/null | sort > /tmp/suid_sgid_current.txt
if [ -f /var/lib/integrity_checker/suid_sgid_baseline.txt ]; then
    echo "New SUID/SGID binaries:" >> "$REPORT_FILE"
    comm -13 /var/lib/integrity_checker/suid_sgid_baseline.txt /tmp/suid_sgid_current.txt >> "$REPORT_FILE"
else
    echo "No baseline found for comparison." >> "$REPORT_FILE"
fi

# Check for suspicious network listeners
echo -e "\n== Network Listeners Check ==" >> "$REPORT_FILE"
netstat -tulpn | grep LISTEN >> "$REPORT_FILE"

# Check for suspicious kernel modules
echo -e "\n== Kernel Module Check ==" >> "$REPORT_FILE"
lsmod | grep -E '(hide|backdoor|rootkit|intercept|hook|stealth)' >> "$REPORT_FILE" || echo "No suspicious modules found." >> "$REPORT_FILE"

# Email the report if mail is available
if command -v mail >/dev/null 2>&1; then
    mail -s "System Integrity Report - $(date +%Y-%m-%d)" root < "$REPORT_FILE"
fi

# Rotate reports (keep last 30)
find "$REPORT_DIR" -name "integrity_report_*" -type f | sort | head -n -30 | xargs rm -f
EOF

    # Make the script executable
    sudo chmod +x "$script_path"

    # Ask for schedule
    echo "How often would you like to run the integrity checks?"
    echo "1. Hourly"
    echo "2. Daily"
    echo "3. Weekly"
    read -p "Select schedule [1-3]: " schedule_choice

    # Create cron entry
    case $schedule_choice in
        1) cron_schedule="0 * * * *" ;;  # Hourly
        2) cron_schedule="0 0 * * *" ;;  # Daily at midnight
        3) cron_schedule="0 0 * * 0" ;;  # Weekly on Sunday at midnight
        *) cron_schedule="0 0 * * *" ;;  # Default to daily
    esac

    # Add to crontab
    cronfile=$(mktemp)
    sudo crontab -l 2>/dev/null > "$cronfile" || true
    echo "$cron_schedule $script_path" >> "$cronfile"
    sudo crontab "$cronfile"
    rm "$cronfile"

    echo "Automated integrity checks scheduled with cron."
    echo "Schedule: $cron_schedule"
    echo "Script installed at: $script_path"
    echo "Reports will be saved to: /var/log/integrity_reports/"
}

# Function to compare current state with baseline
compare_with_baseline() {
    echo "Comparing current system state with baseline..."

    # Check if baseline exists
    if [ ! -d "/var/lib/integrity_checker" ]; then
        echo "No baseline found. Would you like to create one? (y/n)"
        read create_baseline
        if [[ "$create_baseline" == "y" || "$create_baseline" == "Y" ]]; then
            create_full_baseline
        fi
        return
    fi

    report_file="baseline_comparison_$(date +%Y%m%d_%H%M%S).txt"
    echo "System Baseline Comparison - $(date)" > "$report_file"
    echo "=================================" >> "$report_file"

    # Compare SUID/SGID binaries
    if [ -f "/var/lib/integrity_checker/suid_sgid_baseline.txt" ]; then
        echo -e "\n== SUID/SGID Binary Comparison ==" >> "$report_file"
        echo "Finding current SUID/SGID binaries..."
        current_suid=$(mktemp)
        sudo find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -la {} \; 2>/dev/null | sort > "$current_suid"

        echo "New SUID/SGID binaries:" >> "$report_file"
        new_suid=$(comm -13 "/var/lib/integrity_checker/suid_sgid_baseline.txt" "$current_suid")
        if [ -n "$new_suid" ]; then
            echo "$new_suid" >> "$report_file"
            echo "WARNING: New SUID/SGID binaries detected!" | tee -a "$report_file"
        else
            echo "None found." >> "$report_file"
        fi

        echo "Missing SUID/SGID binaries:" >> "$report_file"
        missing_suid=$(comm -23 "/var/lib/integrity_checker/suid_sgid_baseline.txt" "$current_suid")
        if [ -n "$missing_suid" ]; then
            echo "$missing_suid" >> "$report_file"
            echo "WARNING: Some SUID/SGID binaries from baseline are missing!" | tee -a "$report_file"
        else
            echo "None missing." >> "$report_file"
        fi

        rm "$current_suid"
    else
        echo "No SUID/SGID baseline found." >> "$report_file"
    fi

    # Compare network listeners
    if [ -f "/var/lib/integrity_checker/network_listeners_baseline.txt" ]; then
        echo -e "\n== Network Listeners Comparison ==" >> "$report_file"
        echo "Finding current network listeners..."
        current_listeners=$(mktemp)
        sudo netstat -tulpn | grep LISTEN | sort > "$current_listeners"

        echo "New network listeners:" >> "$report_file"
        new_listeners=$(comm -13 "/var/lib/integrity_checker/network_listeners_baseline.txt" "$current_listeners")
        if [ -n "$new_listeners" ]; then
            echo "$new_listeners" >> "$report_file"
            echo "WARNING: New network listeners detected!" | tee -a "$report_file"
        else
            echo "None found." >> "$report_file"
        fi

        echo "Missing network listeners:" >> "$report_file"
        missing_listeners=$(comm -23 "/var/lib/integrity_checker/network_listeners_baseline.txt" "$current_listeners")
        if [ -n "$missing_listeners" ]; then
            echo "$missing_listeners" >> "$report_file"
            echo "WARNING: Some network listeners from baseline are missing!" | tee -a "$report_file"
        else
            echo "None missing." >> "$report_file"
        fi

        rm "$current_listeners"
    else
        echo "No network listeners baseline found." >> "$report_file"
    fi

    # Compare kernel modules
    if [ -f "/var/lib/integrity_checker/kernel_modules_baseline.txt" ]; then
        echo -e "\n== Kernel Modules Comparison ==" >> "$report_file"
        echo "Finding current kernel modules..."
        current_modules=$(mktemp)
        lsmod | sort > "$current_modules"

        echo "New kernel modules:" >> "$report_file"
        new_modules=$(comm -13 "/var/lib/integrity_checker/kernel_modules_baseline.txt" "$current_modules")
        if [ -n "$new_modules" ]; then
            echo "$new_modules" >> "$report_file"
            echo "WARNING: New kernel modules detected!" | tee -a "$report_file"
        else
            echo "None found." >> "$report_file"
        fi

        echo "Missing kernel modules:" >> "$report_file"
        missing_modules=$(comm -23 "/var/lib/integrity_checker/kernel_modules_baseline.txt" "$current_modules")
        if [ -n "$missing_modules" ]; then
            echo "$missing_modules" >> "$report_file"
            echo "WARNING: Some kernel modules from baseline are missing!" | tee -a "$report_file"
        else
            echo "None missing." >> "$report_file"
        fi

        rm "$current_modules"
    else
        echo "No kernel modules baseline found." >> "$report_file"
    fi

    echo "Baseline comparison completed. Report saved to $report_file"
}

# Function to create a full system baseline
create_full_baseline() {
    echo "Creating full system baseline..."

    # Create baseline directory
    sudo mkdir -p /var/lib/integrity_checker

    # SUID/SGID binaries baseline
    echo "Creating SUID/SGID binaries baseline..."
    sudo find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -la {} \; 2>/dev/null | sort > "/var/lib/integrity_checker/suid_sgid_baseline.txt"

    # Network listeners baseline
    echo "Creating network listeners baseline..."
    sudo netstat -tulpn | grep LISTEN | sort > "/var/lib/integrity_checker/network_listeners_baseline.txt"

    # Kernel modules baseline
    echo "Creating kernel modules baseline..."
    lsmod | sort > "/var/lib/integrity_checker/kernel_modules_baseline.txt"

    # Initialize AIDE database if available
    if command -v aide >/dev/null 2>&1; then
        echo "Initializing AIDE database..."
        sudo aide --init
        sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
    fi

    echo "Full system baseline created successfully."
}

# Main function
main() {
    # Check for root privileges
    if [ "$(id -u)" != "0" ]; then
        echo "This script must be run as root or with sudo."
        exit 1
    fi

    # Check for required tools
    check_required_tools

    while true; do
        show_menu
        read choice

        case $choice in
            1) initialize_aide_database ;;
            2) update_aide_database ;;
            3) check_system_integrity ;;
            4) scan_with_chkrootkit ;;
            5) scan_with_rkhunter ;;
            6) check_hidden_processes ;;
            7) check_suid_sgid ;;
            8) verify_package_integrity ;;
            9) check_suspicious_cron ;;
            10) check_suspicious_modules ;;
            11) monitor_file_changes ;;
            12) check_network_listeners ;;
            13) generate_integrity_report ;;
            14) schedule_automated_checks ;;
            15) compare_with_baseline ;;
            16) echo "Exiting..."; exit 0 ;;
            *) echo "Invalid option. Press Enter to continue..."; read ;;
        esac

        echo
        echo "Operation completed. Press Enter to continue..."
        read
    done
}

# Start the script
main