AIDE (Advanced Intrusion Detection Environment) is a free file integrity
checker, therefor it creates a database from the regular expression rules
that it finds from the config file.
Once this database is initialized it can be
used to verify the integrity of the files. It has several message
digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) that are used to
check the integrity of the file.
All of the usual file attributes can also be checked
for inconsistencies. This allows one to check if files have been
manipulated for example by a worm, virus or intruder (e. g. a root-kit has been installed).
After installation finished you have to configure AIDE and create a
database, containing the data for each file chosen to be checked.
The default path to the configuration file is /usr/pkg/etc/aide.conf, but
this can be altered using the option --config=configfile.
The configurationfile is easy to edit, it contains the directories to check and the options
which should be used to check them.
database = file:///etc/aide.db
# path to AIDE database in URl format
database_new = file:///root/aide.db.new
# path to new AIDE database which shall be created
report_url = file:///root/aide.report
# path to generated report
#p : permissions
#n : number of links
#u : user
#g : group
#s : size
#b : block count
#m : mtime
#c : ctime
#a : atime
#i : inode
#S : check for growing size
#E : empty group
#md5 : MD5 checksum
#sha1 : SHA1 checksum
#rmd160 : RMD160 checksum
#tiger : TIGER checksum
#R : p+i+n+u+g+s+m+c+md5
#L : p+i+n+u+g
#> : growing logfile and p+g+u+n+i+S
These options are almost self-explanatory, each submitted option will check in and compare
the regarding fileattribute. "R", "L" and ">" are just macros for the mentioned options, so
you can also build your own macro in the same way, e.g.:
daemon : md5+sha1+rmd160+tiger
heavy : sha1+p+u+g+m+c+a+i+n
"daemon" will create and check MD5, SHA1, RMD160 and TIGER checksums.
Now it's time to configure the files to be checked:
# check with heavy-settings
#check with specified options
# do not check
This also done very easily, just list each directory and the options which should apply to it.
Directories that should not be checked e. g. because they change very often, like /var/spool, or privacy of users
might be violated, can be excluded with a single !.
After AIDEs configuration is ready, you can start to build an initial database with:
The created database is usually stored in /usr/pkg/etc/, except you specified another path in aide.conf.
Since this database is the fingerprint each other AIDE comparison run uses to compare with, you should ensure its
integrity by protecting it. This can be done by cryptography (e.g. encrypt or sign the database with PGP/GnuPG) or
simply moving it to a protected media like CDROM or write protected floppy /
ZIP disk. If you are paranoid (Who isn't?), you can also move AIDEs binary
onto that media and deinstall the package to deceipt an intruder.
Now you can run AIDE to check the status of your filesystem, this is simply
AIDE now builds a new database with the current status of all files and
compares it against he initial database.
Excerpt from an databasy build with "heavy" macro: