AIDE Install on CentOS 5.2

Installation:

yum install aide

Configuration and Setup:

Edit the config file (/etc/aide.conf) if necessary. One important addition is the DocumentRoot of any webserver. On CentOS with Apache 2.2 this defaults to /var/www/html, which the default config leaves out of the AIDE database because it is a child of /var, a tree that is considered too volatile to monitor.

Run the prelink program before creating the initial database to prevent a flood of false positives (prelink rewrites ELF binaries and libraries in place, so a prelink run after the database is built would change their checksums):

prelink -a

Create the initial database:

aide --init

AIDE, version 0.13.1
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

Rename and move the ‘new’ database to the database name aide is configured to read (default: aide.db.gz):

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run a test scan:

aide --check

AIDE, version 0.13.1
### All files match AIDE database. Looks okay!

Create a script in /etc/cron.daily/ to run an AIDE check and email the results:

#!/bin/bash
# Run the integrity check and mail the whole report; the subject carries the hostname.
/usr/sbin/aide --check | /bin/mail -s "`hostname` AIDE Report" your@email.com

Don’t forget to make it executable (chmod +x).

The AIDE database, binaries, and configs should be moved to read-only media (e.g. a CD-ROM). The config and cron job will need to be modified to point at the new locations.
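As an added example (not from the original page), these are the aide.conf lines that add the webserver DocumentRoot mentioned under Configuration and Setup and that point AIDE at a database kept on read-only media. The mount point /mnt/cdrom and the cache subdirectory are assumptions; adjust them to the real layout.

```conf
# Added example lines for /etc/aide.conf (not from the original page).
# Where the database is read from, and where --init/--update write the new one.
# With the database on read-only media only the input path changes; the new
# database is still written to a writable location and copied to the media by hand.
database=file:/mnt/cdrom/aide.db.gz
database_out=file:/var/lib/aide/aide.db.new.gz

# Selection lines go after the rule-group definitions. "/path GROUP" adds a tree,
# "!/path" excludes one. R is a built-in group covering permissions, inode, number
# of links, owner, group, size, mtime, ctime and an md5 checksum.
/var/www/html R
# Assumed example of a directory the web application rewrites at runtime; excluding
# it keeps the daily report from filling up with expected changes.
!/var/www/html/cache
```

After changing the selection lines, rebuild the database (aide --init or aide --update) so the new tree is recorded; until then every file under /var/www/html shows up as added.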

Once a new package is installed or files are changed, the AIDE database will need to be updated, or else the new files will keep showing up in the report. Even if the changed/added files are known, it’s a bad idea to keep using an outdated database: it could be exactly those files that become compromised — and the compromise would be overlooked in the report. This is especially true of webservers, where updates to code could introduce unknown vulnerabilities.

Before updating the database, remember to run prelink -a if any packages have been installed.

To update the db:

aide --update

This will create a new aide.db.new.gz, which will need to be renamed/moved to match the database location in the config, exactly as after aide --init.
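The cron job above and the update steps just described can be kept in one maintenance script. The following is an added example, not the page's own cron job or any AIDE-supplied script: it saves a dated copy of each report before mailing it, decides whether the run was clean from the "Looks okay!" line the page shows (so it works with 0.13.1, which the page uses), and when updating keeps the previous database as aide.db.gz.prev. All paths and the mail recipient are assumptions, overridable through the environment so the same script works once the database lives on read-only media.

```shell
#!/bin/sh
# aide-maint.sh: run the daily AIDE check, or rebuild the database after updates.
# Added example (not from the original page). Every path below is an assumption
# and can be overridden through the environment, e.g. AIDE_DB_DIR=/mnt/cdrom.
set -eu

AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"
PRELINK_BIN="${PRELINK_BIN:-/usr/sbin/prelink}"
MAIL_BIN="${MAIL_BIN:-/bin/mail}"
AIDE_DB_DIR="${AIDE_DB_DIR:-/var/lib/aide}"
AIDE_REPORT_DIR="${AIDE_REPORT_DIR:-/var/log/aide}"
AIDE_MAIL_TO="${AIDE_MAIL_TO:-root}"
OK_LINE="All files match AIDE database. Looks okay!"

# report_is_clean FILE: true when the saved report contains AIDE's "okay" line.
# Output is matched rather than the exit code because that is what 0.13.1 gives us.
report_is_clean() {
    grep -q -F "$OK_LINE" "$1"
}

# run_check: run aide --check, keep a dated copy of the report, mail it, and
# return non-zero when anything differs from the database so cron logs a failure.
run_check() {
    report="$AIDE_REPORT_DIR/aide-$(date +%Y%m%d-%H%M%S).txt"
    mkdir -p "$AIDE_REPORT_DIR"
    # Newer AIDE versions exit non-zero when differences are found; do not let
    # set -e abort before the report has been saved and mailed.
    "$AIDE_BIN" --check > "$report" 2>&1 || true
    # uname -n is the POSIX spelling of `hostname` used in the page's cron job.
    "$MAIL_BIN" -s "$(uname -n) AIDE Report" "$AIDE_MAIL_TO" < "$report"
    report_is_clean "$report"
}

# update_db: re-run prelink (as the page advises), build a fresh database, and
# swap it in while keeping the previous one as aide.db.gz.prev for comparison.
update_db() {
    [ -x "$PRELINK_BIN" ] && "$PRELINK_BIN" -a
    "$AIDE_BIN" --update || true   # newer versions exit non-zero when changes were found
    if [ ! -s "$AIDE_DB_DIR/aide.db.new.gz" ]; then
        echo "aide --update wrote no new database" >&2
        return 1
    fi
    [ -f "$AIDE_DB_DIR/aide.db.gz" ] && mv "$AIDE_DB_DIR/aide.db.gz" "$AIDE_DB_DIR/aide.db.gz.prev"
    mv "$AIDE_DB_DIR/aide.db.new.gz" "$AIDE_DB_DIR/aide.db.gz"
}

case "${1:-}" in
    check)  run_check ;;
    update) update_db ;;
    *)      echo "usage: $0 check|update" >&2 ;;
esac
```

Install it as /etc/cron.daily/aide (executable) and it runs the check each night; run it by hand with the update argument after package installs. Because the old database is kept, a report that shows unexpected changes can still be reproduced against the pre-update database.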

More info: http://www.cs.tut.fi/~rammer/aide/manual.html
