41 lines
1.9 KiB
Plaintext
41 lines
1.9 KiB
Plaintext
1) Customize /etc/aide.conf to your liking. In particular, add
|
|
important directories and files which you would like to be
|
|
covered by integrity checks. Avoid files which are expected
|
|
to change frequently or which don't affect the safety of your
|
|
system.
|
|
|
|
2) Run "/usr/sbin/aide --init" to build the initial database.
|
|
With the default setup, that creates /var/lib/aide/aide.db.new.gz
|
|
|
|
3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz
|
|
in a secure location, e.g. on separate read-only media (such as
|
|
CD-ROM). Alternatively, keep MD5 fingerprints or GPG signatures
|
|
of those files in a secure location, so you have means to verify
|
|
that nobody modified those files.
|
|
|
|
4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz
|
|
which is the location of the input database.
|
|
|
|
5) Run "/usr/sbin/aide --check" to check your system for inconsistencies
|
|
compared with the AIDE database. Prior to running a check manually,
|
|
ensure that the AIDE binary and database have not been modified
|
|
without your knowledge.
|
|
|
|
Caution!
|
|
|
|
With the default setup, an AIDE check is not run periodically as a
|
|
cron job. It cannot be guaranteed that the AIDE binaries, config
|
|
file and database are intact. It is not recommended that you run
|
|
automated AIDE checks without verifying AIDE yourself frequently.
|
|
In addition to that, AIDE does not implement any password or
|
|
encryption protection for its own files.
|
|
|
|
It is up to you how to put a file integrity checker to good effect
|
|
and how to set up automated checks if you think it adds a level of
|
|
safety (e.g. detecting failed/incomplete compromises or unauthorized
|
|
modification of special files). On a compromised system, the
|
|
intruder could disable the automated check. Or he could replace the
|
|
AIDE binary, config file and database easily when they are not
|
|
located on read-only media.
|
|
|