Blame SOURCES/README.quickstart

21eb16
1) Customize /etc/aide.conf to your liking. In particular, add
21eb16
   important directories and files which you would like to be
21eb16
   covered by integrity checks. Avoid files which are expected
21eb16
   to change frequently or which don't affect the safety of your
21eb16
   system.
21eb16
21eb16
2) Run "/usr/sbin/aide --init" to build the initial database.
21eb16
   With the default setup, that creates /var/lib/aide/aide.db.new.gz
21eb16
21eb16
3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz
21eb16
   in a secure location, e.g. on separate read-only media (such as
21eb16
   CD-ROM). Alternatively, keep MD5 fingerprints or GPG signatures
21eb16
   of those files in a secure location, so you have means to verify
21eb16
   that nobody modified those files.
21eb16
21eb16
4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz
21eb16
   which is the location of the input database.
21eb16
21eb16
5) Run "/usr/sbin/aide --check" to check your system for inconsistencies
21eb16
   compared with the AIDE database. Prior to running a check manually,
21eb16
   ensure that the AIDE binary and database have not been modified
21eb16
   without your knowledge.
21eb16
   
21eb16
   Caution! 
21eb16
   
21eb16
   With the default setup, an AIDE check is not run periodically as a
21eb16
   cron job. It cannot be guaranteed that the AIDE binaries, config
21eb16
   file and database are intact. It is not recommended that you run
21eb16
   automated AIDE checks without verifying AIDE yourself frequently.
21eb16
   In addition to that, AIDE does not implement any password or
21eb16
   encryption protection for its own files.
21eb16
   
21eb16
   It is up to you how to put a file integrity checker to good effect
21eb16
   and how to set up automated checks if you think it adds a level of
21eb16
   safety (e.g. detecting failed/incomplete compromises or unauthorized
21eb16
   modification of special files). On a compromised system, the
21eb16
   intruder could disable the automated check. Or he could replace the
21eb16
   AIDE binary, config file and database easily when they are not
21eb16
   located on read-only media. 
21eb16