|
|
8b87dc |
1) Customize /etc/aide.conf to your liking. In particular, add
|
|
|
8b87dc |
important directories and files which you would like to be
|
|
|
8b87dc |
covered by integrity checks. Avoid files which are expected
|
|
|
8b87dc |
to change frequently or which don't affect the safety of your
|
|
|
8b87dc |
system.
|
|
|
8b87dc |
|
|
|
8b87dc |
2) Run "/usr/sbin/aide --init" to build the initial database.
|
|
|
8b87dc |
With the default setup, that creates /var/lib/aide/aide.db.new.gz
|
|
|
8b87dc |
|
|
|
8b87dc |
3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz
|
|
|
8b87dc |
in a secure location, e.g. on separate read-only media (such as
|
|
|
8b87dc |
CD-ROM). Alternatively, keep MD5 fingerprints or GPG signatures
|
|
|
8b87dc |
of those files in a secure location, so you have means to verify
|
|
|
8b87dc |
that nobody modified those files.
|
|
|
8b87dc |
|
|
|
8b87dc |
4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz
|
|
|
8b87dc |
which is the location of the input database.
|
|
|
8b87dc |
|
|
|
8b87dc |
5) Run "/usr/sbin/aide --check" to check your system for inconsistencies
|
|
|
8b87dc |
compared with the AIDE database. Prior to running a check manually,
|
|
|
8b87dc |
ensure that the AIDE binary and database have not been modified
|
|
|
8b87dc |
without your knowledge.
|
|
|
8b87dc |
|
|
|
8b87dc |
Caution!
|
|
|
8b87dc |
|
|
|
8b87dc |
With the default setup, an AIDE check is not run periodically as a
|
|
|
8b87dc |
cron job. It cannot be guaranteed that the AIDE binaries, config
|
|
|
8b87dc |
file and database are intact. It is not recommended that you run
|
|
|
8b87dc |
automated AIDE checks without verifying AIDE yourself frequently.
|
|
|
8b87dc |
In addition to that, AIDE does not implement any password or
|
|
|
8b87dc |
encryption protection for its own files.
|
|
|
8b87dc |
|
|
|
8b87dc |
It is up to you how to put a file integrity checker to good effect
|
|
|
8b87dc |
and how to set up automated checks if you think it adds a level of
|
|
|
8b87dc |
safety (e.g. detecting failed/incomplete compromises or unauthorized
|
|
|
8b87dc |
modification of special files). On a compromised system, the
|
|
|
8b87dc |
intruder could disable the automated check. Or he could replace the
|
|
|
8b87dc |
AIDE binary, config file and database easily when they are not
|
|
|
8b87dc |
located on read-only media.
|
|
|
8b87dc |
|