Blame SOURCES/README.quickstart

1) Customize /etc/aide.conf to your liking. In particular, add
   important directories and files which you would like to be
   covered by integrity checks. Avoid files which are expected
   to change frequently or which don't affect the safety of your
   system.

2) Run "/usr/sbin/aide --init" to build the initial database.
   With the default setup, that creates /var/lib/aide/aide.db.new.gz

3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz
   in a secure location, e.g. on separate read-only media (such as
   CD-ROM). Alternatively, keep MD5 fingerprints or GPG signatures
   of those files in a secure location, so you have means to verify
   that nobody modified those files.

4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz
   which is the location of the input database.

5) Run "/usr/sbin/aide --check" to check your system for inconsistencies
   compared with the AIDE database. Prior to running a check manually,
   ensure that the AIDE binary and database have not been modified
   without your knowledge.

   Caution!

   With the default setup, an AIDE check is not run periodically as a
   cron job. It cannot be guaranteed that the AIDE binaries, config
   file and database are intact. It is not recommended that you run
   automated AIDE checks without verifying AIDE yourself frequently.
   In addition to that, AIDE does not implement any password or
   encryption protection for its own files.

   It is up to you how to put a file integrity checker to good effect
   and how to set up automated checks if you think it adds a level of
   safety (e.g. detecting failed/incomplete compromises or unauthorized
   modification of special files). On a compromised system, the
   intruder could disable the automated check. Or he could replace the
   AIDE binary, config file and database easily when they are not
   located on read-only media.
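
The fingerprint verification that steps 3 and 5 call for, as an added
example that is not part of the AIDE package or this README. It uses
SHA-256 via sha256sum (GNU coreutils, an assumption) instead of the MD5
fingerprints mentioned above; the manifest path is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the AIDE package.
# Assumptions: sha256sum (GNU coreutils) is installed; SHA-256 replaces the
# MD5 fingerprints mentioned in step 3; /mnt/ro/aide.sha256 below is a
# hypothetical manifest path on read-only media.
#
# Usage after step 4 (source this file first):
#   record_fingerprints /mnt/ro/aide.sha256 $AIDE_FILES
# Usage before every check (step 5):
#   checked_aide_run /mnt/ro/aide.sha256

# Default-setup paths from the README, space separated.
AIDE_FILES="/etc/aide.conf /usr/sbin/aide /var/lib/aide/aide.db.gz"

# record_fingerprints MANIFEST FILE...
# Writes one "<sha256>  <path>" line per file into MANIFEST.
record_fingerprints() {
    manifest=$1; shift
    sha256sum -- "$@" > "$manifest"
}

# verify_fingerprints MANIFEST FILE...
# Returns 0 only if every FILE hashes to a line already in MANIFEST.
# A missing manifest, an unlisted file, or a changed file all fail.
verify_fingerprints() {
    manifest=$1; shift
    [ -r "$manifest" ] || { echo "manifest not readable: $manifest" >&2; return 2; }
    for f in "$@"; do
        current=$(sha256sum -- "$f") || { echo "cannot hash: $f" >&2; return 1; }
        # Exact whole-line match, so neither a different hash nor a
        # different path can satisfy the check.
        grep -qxF -- "$current" "$manifest" || { echo "MISMATCH: $f" >&2; return 1; }
    done
}

# checked_aide_run MANIFEST
# Runs "aide --check" only when config, binary and database match MANIFEST.
checked_aide_run() {
    # $AIDE_FILES is left unquoted on purpose so it splits into three paths.
    if verify_fingerprints "$1" $AIDE_FILES; then
        /usr/sbin/aide --check
    else
        echo "AIDE files do not match recorded fingerprints; check not run" >&2
        return 1
    fi
}
```

The manifest is only useful if it, and the sha256sum used to check it,
come from a location that cannot be modified on the monitored system.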