Blame SOURCES/README.quickstart

1) Customize /etc/aide.conf to your liking. In particular, add
   important directories and files which you would like to be
   covered by integrity checks. Avoid files which are expected
   to change frequently or which don't affect the safety of your
   system.

2) Run "/usr/sbin/aide --init" to build the initial database.
   With the default setup, that creates /var/lib/aide/aide.db.new.gz

3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz
   in a secure location, e.g. on separate read-only media (such as
   CD-ROM). Alternatively, keep MD5 fingerprints or GPG signatures
   of those files in a secure location, so you have means to verify
   that nobody modified those files.

4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz
   which is the location of the input database.

5) Run "/usr/sbin/aide --check" to check your system for inconsistencies
   compared with the AIDE database. Prior to running a check manually,
   ensure that the AIDE binary and database have not been modified
   without your knowledge.

   Caution!

   With the default setup, an AIDE check is not run periodically as a
   cron job. It cannot be guaranteed that the AIDE binaries, config
   file and database are intact. It is not recommended that you run
   automated AIDE checks without verifying AIDE yourself frequently.
   In addition to that, AIDE does not implement any password or
   encryption protection for its own files.

   It is up to you how to put a file integrity checker to good effect
   and how to set up automated checks if you think it adds a level of
   safety (e.g. detecting failed/incomplete compromises or unauthorized
   modification of special files). On a compromised system, the
   intruder could disable the automated check. Or he could replace the
   AIDE binary, config file and database easily when they are not
   located on read-only media.
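
One way to script the fingerprint check from steps 3 and 5, as an added
example that is not part of the AIDE package. It uses SHA-256 rather than
the MD5 fingerprints mentioned above and assumes GNU coreutils sha256sum;
the function names and the manifest path are hypothetical.

```shell
#!/bin/sh
# Added example, not shipped with AIDE. Assumes GNU coreutils sha256sum.

# write_manifest MANIFEST FILE...
# Record fingerprints of AIDE's own files (step 3). Run it after step 4 so
# the manifest names /var/lib/aide/aide.db.gz, then move it to read-only media.
write_manifest() {
    manifest=$1; shift
    sha256sum -- "$@" > "$manifest"
}

# verify_manifest MANIFEST FILE...
# Returns 0 only if every FILE is listed in MANIFEST and every listed
# fingerprint still matches. 2 = manifest unreadable, 3 = file not listed,
# 1 = mismatch or missing file.
verify_manifest() {
    manifest=$1; shift
    [ -r "$manifest" ] || { echo "cannot read $manifest" >&2; return 2; }
    for f in "$@"; do
        # Column 67 onward is the path (64 hex digits plus two separators).
        # An exact-line match stops a truncated manifest from passing.
        cut -c67- "$manifest" | grep -qxF -- "$f" \
            || { echo "not in manifest: $f" >&2; return 3; }
    done
    sha256sum --check --strict --quiet -- "$manifest" >&2 || return 1
}

# run_checked_aide MANIFEST
# Verify the config, binary and input database, then run step 5.
run_checked_aide() {
    verify_manifest "$1" /etc/aide.conf /usr/sbin/aide /var/lib/aide/aide.db.gz \
        || { echo "AIDE files failed verification, check not run" >&2; return 1; }
    /usr/sbin/aide --check
}

# Hypothetical usage: sh aide-verified.sh /mnt/readonly/aide.sha256
[ $# -eq 0 ] || run_checked_aide "$1"
```

The manifest is only as trustworthy as where it is kept, so it belongs on
the same read-only media as the files from step 3.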