Blame SOURCES/README.quickstart

1) Customize /etc/aide.conf to your liking. In particular, add
   important directories and files which you would like to be
   covered by integrity checks. Avoid files which are expected
   to change frequently or which don't affect the safety of your
   system.

2) Run "/usr/sbin/aide --init" to build the initial database.
   With the default setup, that creates /var/lib/aide/aide.db.new.gz

3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz
   in a secure location, e.g. on separate read-only media (such as
   CD-ROM). Alternatively, keep MD5 fingerprints or GPG signatures
   of those files in a secure location, so you have means to verify
   that nobody modified those files.

4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz
   which is the location of the input database.

5) Run "/usr/sbin/aide --check" to check your system for inconsistencies
   compared with the AIDE database. Prior to running a check manually,
   ensure that the AIDE binary and database have not been modified
   without your knowledge.

   Caution!

   With the default setup, an AIDE check is not run periodically as a
   cron job. It cannot be guaranteed that the AIDE binaries, config
   file and database are intact. It is not recommended that you run
   automated AIDE checks without verifying AIDE yourself frequently.
   In addition to that, AIDE does not implement any password or
   encryption protection for its own files.

   It is up to you how to put a file integrity checker to good effect
   and how to set up automated checks if you think it adds a level of
   safety (e.g. detecting failed/incomplete compromises or unauthorized
   modification of special files). On a compromised system, the
   intruder could disable the automated check. Or he could replace the
   AIDE binary, config file and database easily when they are not
   located on read-only media.
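
Added example (not part of the original README or of AIDE itself): one way to keep fingerprints as described in step 3 and to enforce the verification that step 5 asks for before a check. It uses SHA-256 via sha256sum in place of the MD5 fingerprints the README mentions; the function names and the manifest location are assumptions, and the manifest is meant to be written once and then kept on read-only media.

```sh
#!/bin/sh
# Added example, not shipped with AIDE. Paths are the README's defaults.
AIDE_FILES="/etc/aide.conf /usr/sbin/aide /var/lib/aide/aide.db.gz"

# record_fingerprints MANIFEST FILE...
# Write SHA-256 fingerprints of every FILE to MANIFEST (run right after step 4).
record_fingerprints() {
    manifest=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    done
    sha256sum "$@" > "$manifest"
}

# verify_fingerprints MANIFEST FILE...
# Succeed only if every FILE has an entry in MANIFEST and all entries match.
verify_fingerprints() {
    manifest=$1; shift
    [ -r "$manifest" ] || { echo "cannot read manifest: $manifest" >&2; return 2; }
    for f in "$@"; do
        # A sha256sum line is 64 hex digits + 2 separator characters, so the
        # file name starts at column 67. Require an exact match: a file that
        # was dropped from the manifest must not pass silently.
        cut -c67- "$manifest" | grep -qxF -- "$f" ||
            { echo "not in manifest: $f" >&2; return 1; }
    done
    # Recompute and compare; a changed or unreadable file gives a non-zero exit.
    sha256sum -c "$manifest" >&2
}

# checked_aide_run MANIFEST
# Step 5 with its precondition enforced: refuse to run if verification fails.
checked_aide_run() {
    # $AIDE_FILES is intentionally unquoted: it is a space-separated list.
    verify_fingerprints "$1" $AIDE_FILES ||
        { echo "AIDE files failed verification, check not run" >&2; return 1; }
    /usr/sbin/aide --check
}

# Usage (as root; /mnt/ro/aide.sha256 is a hypothetical manifest location):
#   record_fingerprints /mnt/ro/aide.sha256 $AIDE_FILES
#   checked_aide_run    /mnt/ro/aide.sha256
```

On a compromised host the sha256sum binary and this script are as replaceable as AIDE itself, so run them from the same read-only media as the manifest.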