1) Customize /etc/aide.conf to your liking. In particular, add
important directories and files which you would like to be
covered by integrity checks. Avoid files which are expected
to change frequently or which don't affect the safety of your
system.

2) Run "/usr/sbin/aide --init" to build the initial database.
With the default setup, that creates /var/lib/aide/aide.db.new.gz.

3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz
in a secure location, e.g. on separate read-only media (such as
CD-ROM). Alternatively, keep MD5 fingerprints or GPG signatures
of those files in a secure location, so you have a means to verify
that nobody modified those files.

4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz,
which is the location of the input database.

5) Run "/usr/sbin/aide --check" to check your system for inconsistencies
compared with the AIDE database. Prior to running a check manually,
ensure that the AIDE binary and database have not been modified
without your knowledge.
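One way to carry out steps 3 and 5 together, as an added example that is not part of the AIDE package or this README: record fingerprints of the binary, config file and database into a file kept on read-only media, and refuse to run a check unless all of them still match. The paths are the defaults named above; using sha256sum (instead of the MD5 fingerprints mentioned in step 3), the fingerprint-file argument and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example, not part of AIDE or its README. Paths are the README's
# defaults; sha256sum, the fingerprint-file argument and the function
# names are choices made for this example.

AIDE_BIN=/usr/sbin/aide
AIDE_CONF=/etc/aide.conf
AIDE_DB=/var/lib/aide/aide.db.gz

# record_fingerprints FP_FILE FILE...
# Writes one "hash  path" line per FILE into FP_FILE. Do this right
# after step 4, then move FP_FILE to read-only media.
record_fingerprints() {
    fp="$1"; shift
    sha256sum "$@" > "$fp"
}

# verify_fingerprints FP_FILE
# Returns 0 only if every file listed in FP_FILE is present and still
# has the recorded hash; a missing, unreadable or changed file fails.
verify_fingerprints() {
    sha256sum --quiet -c "$1" >/dev/null 2>&1
}

# checked_aide_run FP_FILE
# Step 5 with its precondition enforced: do not run the check when the
# binary, config or database no longer matches the fingerprints, since
# a replaced aide or database could report a clean system.
checked_aide_run() {
    if ! verify_fingerprints "$1"; then
        echo "AIDE binary, config or database changed; not running check" >&2
        return 2
    fi
    "$AIDE_BIN" --check
}

# Typical use on a host (as root), fingerprint file kept on a CD-ROM:
#   record_fingerprints /media/cdrom/aide.sha256 "$AIDE_BIN" "$AIDE_CONF" "$AIDE_DB"
#   checked_aide_run /media/cdrom/aide.sha256
```

The script itself belongs with the other protected files: anyone who can edit it can make it skip the verification step.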

Caution!

With the default setup, an AIDE check is not run periodically as a
cron job. It cannot be guaranteed that the AIDE binaries, config
file and database are intact. It is not recommended that you run
automated AIDE checks without verifying AIDE yourself frequently.
In addition to that, AIDE does not implement any password or
encryption protection for its own files.

It is up to you how to put a file integrity checker to good effect
and how to set up automated checks if you think it adds a level of
safety (e.g. detecting failed/incomplete compromises or unauthorized
modification of special files). On a compromised system, the
intruder could disable the automated check, or could easily replace
the AIDE binary, config file and database when they are not
located on read-only media.