Blame SOURCES/README.quickstart

1) Customize /etc/aide.conf to your liking. In particular, add
   important directories and files which you would like to be
   covered by integrity checks. Avoid files which are expected
   to change frequently or which don't affect the safety of your
   system.

2) Run "/usr/sbin/aide --init" to build the initial database.
   With the default setup, that creates /var/lib/aide/aide.db.new.gz

3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz
   in a secure location, e.g. on separate read-only media (such as
   CD-ROM). Alternatively, keep MD5 fingerprints or GPG signatures
   of those files in a secure location, so you have means to verify
   that nobody modified those files.

4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz
   which is the location of the input database.

5) Run "/usr/sbin/aide --check" to check your system for inconsistencies
   compared with the AIDE database. Prior to running a check manually,
   ensure that the AIDE binary and database have not been modified
   without your knowledge.

   Caution!

   With the default setup, an AIDE check is not run periodically as a
   cron job. It cannot be guaranteed that the AIDE binaries, config
   file and database are intact. It is not recommended that you run
   automated AIDE checks without verifying AIDE yourself frequently.
   In addition to that, AIDE does not implement any password or
   encryption protection for its own files.

   It is up to you how to put a file integrity checker to good effect
   and how to set up automated checks if you think it adds a level of
   safety (e.g. detecting failed/incomplete compromises or unauthorized
   modification of special files). On a compromised system, the
   intruder could disable the automated check. Or he could replace the
   AIDE binary, config file and database easily when they are not
   located on read-only media.
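
Steps 3 and 5 combined into a guard script, as an added example that is not part of the original README: it records fingerprints of the AIDE config, binary and input database, then refuses to run the check if any of them has changed. It assumes GNU sha256sum (used here in place of the MD5 fingerprints the text mentions) and a hypothetical manifest path that you keep on read-only or offline media.

```shell
#!/bin/sh
# Added example, not part of the AIDE package.
# Assumptions: GNU coreutils sha256sum; the manifest path passed on the
# command line is hypothetical and should live on read-only media.

# Files the README tells you to protect. aide.db.gz is the input database
# that "aide --check" reads (the copy made in step 4).
AIDE_FILES="/etc/aide.conf /usr/sbin/aide /var/lib/aide/aide.db.gz"

# record_fingerprints MANIFEST FILE...
# Writes one "hash  path" line per file. Fails before writing anything
# if a listed file is missing, so a partial manifest is never produced.
record_fingerprints() {
    manifest=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    sha256sum -- "$@" > "$manifest"
}

# verify_fingerprints MANIFEST
# Returns 0 only if every listed file exists and matches its recorded hash.
# An absent or empty manifest counts as a failure, not as "nothing to check".
verify_fingerprints() {
    [ -s "$1" ] || { echo "manifest missing or empty: $1" >&2; return 1; }
    sha256sum --check --strict --quiet -- "$1" >&2
}

# guarded_check MANIFEST
# Runs "aide --check" only after the fingerprints verify; returns 2 otherwise.
guarded_check() {
    verify_fingerprints "$1" || {
        echo "AIDE files differ from recorded fingerprints; check not run" >&2
        return 2
    }
    /usr/sbin/aide --check
}

# Usage: script record MANIFEST   (after step 4)
#        script check  MANIFEST   (in place of a bare "aide --check")
case "${1:-}" in
    record) record_fingerprints "$2" $AIDE_FILES ;;
    check)  guarded_check "$2" ;;
esac
```

The manifest gives no protection if it sits on the same writable disk as the files it covers; as the caution above says, an intruder could replace it along with the binary and database.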