| 1) Customize /etc/aide.conf to your liking. In particular, add |
| important directories and files which you would like to be |
| covered by integrity checks. Avoid files which are expected |
| to change frequently or which don't affect the safety of your |
| system. |
| |
| 2) Run "/usr/sbin/aide --init" to build the initial database. |
| With the default setup, that creates /var/lib/aide/aide.db.new.gz |
| |
| 3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz |
| in a secure location, e.g. on separate read-only media (such as |
| CD-ROM). Alternatively, keep MD5 fingerprints or GPG signatures |
| of those files in a secure location, so you have means to verify |
| that nobody modified those files. |
| |
| 4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz |
| which is the location of the input database. |
| |
| 5) Run "/usr/sbin/aide --check" to check your system for inconsistencies |
| compared with the AIDE database. Prior to running a check manually, |
| ensure that the AIDE binary and database have not been modified |
| without your knowledge. |
| |
| Caution! |
| |
| With the default setup, an AIDE check is not run periodically as a |
| cron job. It cannot be guaranteed that the AIDE binaries, config |
| file and database are intact. It is not recommended that you run |
| automated AIDE checks without verifying AIDE yourself frequently. |
| In addition to that, AIDE does not implement any password or |
| encryption protection for its own files. |
| |
| It is up to you how to put a file integrity checker to good effect |
| and how to set up automated checks if you think it adds a level of |
| safety (e.g. detecting failed/incomplete compromises or unauthorized |
| modification of special files). On a compromised system, the |
| intruder could disable the automated check. Or he could replace the |
| AIDE binary, config file and database easily when they are not |
| located on read-only media. |
| |