12.1 Setting Up an AIDE Database

The AIDE database should be initialized directly after installing the system. To be really sure that nothing bad happened during or after the installation, do the installation directly at the console, without any network attached to the computer. Do not leave the computer unattended or connected to any network before AIDE has created its database.

To tell AIDE which attributes of which files should be checked, a configuration file must be created. An example configuration can be found at /etc/aide.conf. This file also serves as a template and may be modified to create the configuration actually used. The first section of the configuration handles general parameters like the location of the AIDE database file. More interesting for your local configuration are the Custom Rules and the Directories and Files sections. A typical rule looks like the following:

Binlib          = p+i+n+u+g+s+b+m+c+md5+sha1

After the variable Binlib has been defined, the checking options it contains can be applied to files in the files section. Important options include the following:

Table 12-1 Important AIDE Checking Options

Option  Description
p       Check the file permissions of the selected files or directories.
i       Check the inode number. Every filename has a unique inode number that should not change.
n       Check the number of links pointing to the respective file.
u       Check if the owner of the file changed.
g       Check if the group of the file changed.
s       Check if the file size changed.
b       Check if the block count used by the file changed.
m       Check if the modification time of the file changed.
c       Check if the file's access time changed.
md5     Check if the md5 checksum of the file changed.
sha1    Check if the sha1 (160 bit) checksum of the file changed.

For a complete list of the available checking options, see /usr/share/doc/packages/aide/manual.html.

Before you can start using AIDE, you have to define which files should be checked with which checking options. Defining the file selection requires some knowledge of regular expressions. There are three major ways to define the files to be checked, distinguished by the first character of each line that defines a file selection:

/   Check if a file matches the following regular expression.
=   Select only the files that directly match the file specified after the =. Note that for directories you should not use a trailing /.
!   This is similar to the selection with / but defines which files not to check.

A configuration that checks all files in /sbin with the options defined in Binlib but omits the directory /sbin/conf.d looks like the following:

/sbin   Binlib
!/sbin/conf.d

After creating the configuration file /etc/aide.conf, first check if the configuration is sane with the command:

aide --config-check

Any output from this command indicates that the configuration is not correct. For example, if you get the following output:

aide --config-check
35:syntax error:!
35:Error while reading configuration:!
Configuration error

the error is to be expected in line 36 of /etc/aide.conf. Note that the error message contains the number of the last successfully read line of the configuration file.
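As an added illustration (not part of the original document or of AIDE itself), the following Python code models the rule-group syntax and the three selection prefixes described above, and reports undefined rule groups and unparsable lines with their line numbers in the spirit of aide --config-check. The matching order it applies is a simplified assumption, not AIDE's exact algorithm, and the sample configuration is constructed for the example.

```python
import re

# Constructed sample configuration, modelled on the /etc/aide.conf excerpt
# discussed in the text: one rule definition plus the three selection prefixes.
SAMPLE_CONF = """\
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
/sbin   Binlib
!/sbin/conf.d
=/etc/aide.conf Binlib
"""

def parse_conf(text):
    """Return (groups, selections, errors): groups maps a rule name to its
    attribute set, selections is an ordered list of (prefix, regex, group),
    errors lists (line, message) pairs in the style of aide --config-check."""
    groups, selections, errors = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] in "/=!":                      # a file selection line
            prefix = line[0]
            parts = (line if prefix == "/" else line[1:]).split()
            regex = parts[0]
            group = parts[1] if len(parts) > 1 else None
            if prefix != "!" and group not in groups:
                errors.append((lineno, "unknown rule group: %s" % group))
            selections.append((prefix, regex, group))
        elif "=" in line:                         # a rule definition line
            name, _, value = line.partition("=")
            groups[name.strip()] = set(value.strip().split("+"))
        else:
            errors.append((lineno, "syntax error"))
    return groups, selections, errors

def attributes_for(path, groups, selections):
    """Attributes checked for path, or None when it is not selected.
    Simplified model (an assumption, not AIDE's exact algorithm): a '!' regex
    matching at the start of the path excludes it; otherwise the first '/'
    regex matching at the start, or '=' regex matching the whole path, wins."""
    for prefix, regex, _ in selections:
        if prefix == "!" and re.match(regex, path):
            return None
    for prefix, regex, group in selections:
        if prefix == "/" and re.match(regex, path):
            return groups[group]
        if prefix == "=" and re.fullmatch(regex, path):
            return groups[group]
    return None
```

Running parse_conf over a configuration with a misspelled rule name or a stray line returns the offending line numbers, which is the same kind of hint aide --config-check gives before you initialize the database.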

To actually initialize the AIDE database, run the command:

aide -i

This creates a new database at the location specified as database_out in the configuration file. By default, this is /var/lib/aide/aide.db.new. To check whether your configuration worked as expected, you can open this database file in a text viewer. Each of the checked files should appear at the beginning of a line in this file.

Finally, copy the generated database to a safe location like a CD-R, a remote server or a USB disk for later use.