Setting Up an AIDE Database

[Important]Initialize AIDE Database After Installation

Before you install your system, verify the checksum of your medium (see Abschnitt „Überprüfen von Medien“ (Kapitel 9, Häufige Probleme und deren Lösung, ↑Start).) to make sure you do not use a compromised source. After you have installed the system, initialize the AIDE database. To be really sure that all went well during and after the installation, do an installation directly on the console, without any network attached to the computer. Do not leave the computer unattended or connected to any network before AIDE creates its database.

To tell AIDE which attributes of which files should be checked, use the configuration file /etc/aide.conf. This file is also a template and has to be modified to create the actual configuration. The first section of the configuration handles general configuration parameters like the location of the AIDE database file. More relevant for your local configurations are the Custom Rules and the Directories and Files sections. A typical rule looks like the following:

Binlib     = p+i+n+u+g+s+b+m+c+md5+sha1

After defining the variable Binlib, the respective checking options are used in the files section. Important options include the following:

Table 12.1. Important AIDE Checking Options

Option

Description

p

Check for the file permissions of the selected files or directories.

i

Check for the inode number. Every filename has a unique inode number that should not change.

n

Check for the number of links pointing to the relevant file.

u

Check if the owner of the file has changed.

g

Check if the group of the file has changed.

s

Check if the file size has changed.

b

Check if the block count used by the file has changed.

m

Check if the modification time of the file has changed.

c

Check if the files access time has changed.

md5

Check if the md5 checksum of the file has changed.

sha1

Check if the sha1 (160 Bit) checksum of the file has changed.


A configuration that checks for all files in /sbin with the options defined in Binlib but omits the directory /sbin/conf.d/ would look like the following:

/sbin  Binlib
!/sbin/conf.d

To create the AIDE database, proceed as follows:

  1. Open the file /etc/aide.conf.

  2. Define which files should be checked with which checking options. For a complete list of available checking options, see /usr/share/doc/packages/aide/manual.html. The definition of the file selection needs some knowledge about regular expressions. Save your modifications.

  3. Check if the configuration file is valid. Run the command:

    aide --config-check

    Any output of this command is a hint that the configuration is not valid. For example, if you get the following output:

    aide --config-check
    35:syntax error:!
    35:Error while reading configuration:!
    Configuration error

    The error is to be expected in line 36 of /etc/aide.conf. Note that the error message contains the last successfully read line of the configuration file.

  4. Initialize the AIDE database. Run the command:

    aide -i
  5. Copy the generated database to a save location like a CD-R or DVD-R, a remote server or a USB disk for later use.

    [Important]

    This step is essential as it avoids compromising your database. It is recommended to use a medium which can be written only once to prevent the database being modified. Never leave the database on the computer which you want to monitor.