Blame SOURCES/README.quickstart

1e4393
1) Customize /etc/aide.conf to your liking. In particular, add
1e4393
   important directories and files which you would like to be
1e4393
   covered by integrity checks. Avoid files which are expected
1e4393
   to change frequently or which don't affect the safety of your
1e4393
   system.
1e4393
1e4393
2) Run "/usr/sbin/aide --init" to build the initial database.
1e4393
   With the default setup, that creates /var/lib/aide/aide.db.new.gz
1e4393
1e4393
3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz
1e4393
   in a secure location, e.g. on separate read-only media (such as
1e4393
   CD-ROM). Alternatively, keep MD5 fingerprints or GPG signatures
1e4393
   of those files in a secure location, so you have means to verify
1e4393
   that nobody modified those files.
1e4393
1e4393
4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz
1e4393
   which is the location of the input database.
1e4393
1e4393
5) Run "/usr/sbin/aide --check" to check your system for inconsistencies
1e4393
   compared with the AIDE database. Prior to running a check manually,
1e4393
   ensure that the AIDE binary and database have not been modified
1e4393
   without your knowledge.
1e4393
   
1e4393
   Caution! 
1e4393
   
1e4393
   With the default setup, an AIDE check is not run periodically as a
1e4393
   cron job. It cannot be guaranteed that the AIDE binaries, config
1e4393
   file and database are intact. It is not recommended that you run
1e4393
   automated AIDE checks without verifying AIDE yourself frequently.
1e4393
   In addition to that, AIDE does not implement any password or
1e4393
   encryption protection for its own files.
1e4393
   
1e4393
   It is up to you how to put a file integrity checker to good effect
1e4393
   and how to set up automated checks if you think it adds a level of
1e4393
   safety (e.g. detecting failed/incomplete compromises or unauthorized
1e4393
   modification of special files). On a compromised system, the
1e4393
   intruder could disable the automated check. Or he could replace the
1e4393
   AIDE binary, config file and database easily when they are not
1e4393
   located on read-only media. 
1e4393