For the risk-averse administrator (and of course this is all about risk aversion) it is advisable to also run the AIDE binary itself from a trusted source. This excludes the risk that an attacker who has tampered with the system has also modified the aide binary on it to hide their traces: a checker that runs on the compromised system is only as trustworthy as that system.
To accomplish this, AIDE must be run from a rescue system that is independent of the installed system. With SUSE Linux it is relatively easy to extend the rescue system with arbitrary programs, and thus to add the needed functionality.
Before you can start using the rescue system, you need to provide two packages to it. These are loaded with the same mechanism and boot-parameter syntax you would use to add a driver update disk to the system. For a detailed description of the linuxrc options used for this purpose, see http://en.opensuse.org/Linuxrc. In the following, one possible way to accomplish this task is discussed.
Procedure 12.1. Starting a Rescue System with AIDE
1. Provide an FTP server as a second machine.

2. Copy the packages aide and mhash to the FTP server directory, in our case /srv/ftp/. Replace the placeholders ARCH and VERSION with the corresponding values:

   cp DVD1/suse/ARCH/aideVERSION.ARCH.rpm /srv/ftp
   cp DVD1/suse/ARCH/mhashVERSION.ARCH.rpm /srv/ftp

3. Create an info file /srv/ftp/info.txt that provides the needed boot parameters for the rescue system:

   dud:ftp://ftp.example.com/aideVERSION.ARCH.rpm
   dud:ftp://ftp.example.com/mhashVERSION.ARCH.rpm

   Replace the FTP host name, VERSION and ARCH with the values used on your system.

4. Reboot the server that needs to go through an AIDE check from the rescue system on your DVD. Add the following string to the boot parameters:

   info=ftp://ftp.example.com/info.txt

   This parameter tells linuxrc to also read all information from the info.txt file, so the two dud: entries are applied as if they had been typed at the boot prompt.
After the rescue system has booted, the AIDE program is ready for use.
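The following script is an added example and not part of the SUSE guide or of AIDE: it performs steps 2 and 3 above on the FTP server in one go, copying the aide and mhash packages for a given architecture from the mounted DVD into the FTP root and generating info.txt from the file names it actually copied, so the dud: lines can never point at a package that is not there. The DVD mount point, FTP root, architecture and FTP host name are parameters; the package file-name pattern (aide*.ARCH.rpm, mhash*.ARCH.rpm) is an assumption about the DVD layout and should be adjusted if your media names them differently.

```shell
#!/bin/sh
# Added example (not from the SUSE guide): stage the aide and mhash RPMs on
# the FTP server and generate the info.txt that linuxrc reads at boot.
# Assumed layout: packages live under $DVD/suse/$ARCH/, the FTP document root
# is $FTP_ROOT, and rescue systems reach this server as $FTP_HOST.

set -eu

# stage_rpms DVD ARCH FTP_ROOT
# Copies every aide*/mhash* package for ARCH from the DVD into FTP_ROOT and
# prints the base names it copied, one per line. Fails if a package is
# missing, rather than producing an info.txt the rescue system cannot use.
stage_rpms() {
    dvd=$1; arch=$2; ftp_root=$3
    mkdir -p "$ftp_root"
    for pkg in aide mhash; do
        found=0
        for rpm in "$dvd"/suse/"$arch"/"$pkg"*."$arch".rpm; do
            [ -e "$rpm" ] || continue      # unmatched glob stays literal
            cp "$rpm" "$ftp_root"/
            basename "$rpm"
            found=1
        done
        [ "$found" -eq 1 ] || {
            echo "no $pkg package for $arch under $dvd/suse/$arch" >&2
            return 1
        }
    done
}

# write_info_file FTP_HOST FTP_ROOT RPM...
# Writes FTP_ROOT/info.txt with one dud: line per RPM and prints its path.
write_info_file() {
    host=$1; ftp_root=$2; shift 2
    info="$ftp_root/info.txt"
    : > "$info"
    for rpm in "$@"; do
        echo "dud:ftp://$host/$rpm" >> "$info"
    done
    echo "$info"
}

# stage_and_write DVD ARCH FTP_ROOT FTP_HOST
# Runs both steps; returns non-zero (and writes no info.txt) if staging failed.
stage_and_write() {
    rpms=$(stage_rpms "$1" "$2" "$3") || return 1
    # $rpms is intentionally unquoted: one RPM base name per word
    # shellcheck disable=SC2086
    write_info_file "$4" "$3" $rpms
}

# Example invocation (paths are placeholders for your own setup):
#   stage_and_write /media/dvd x86_64 /srv/ftp ftp.example.com
```

After running it, boot the target with info=ftp://ftp.example.com/info.txt as in step 4. Note that linuxrc fetches info.txt and the packages over plain FTP, which provides no authentication or integrity protection, so keep the FTP server on a network segment you control for the duration of the check.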