Initialize AIDE Database After Installation

Before you install your system, verify the checksum of your medium (see Section "Checking Media" (Chapter 9, Common Problems and Their Solutions, ↑Start-Up)) to make sure you do not use a compromised source. After you have installed the system, initialize the AIDE database. To be really sure that all went well during and after the installation, do an installation directly on the console, without any network attached to the computer. Do not leave the computer unattended or connected to any network before AIDE creates its database.
To tell AIDE which attributes of which files should be checked, use the configuration file /etc/aide.conf. This file is also a template and has to be modified to create the actual configuration. The first section of the configuration handles general configuration parameters like the location of the AIDE database file. More relevant for your local configuration are the Custom Rules and the Directories and Files sections. A typical rule looks like the following:

Binlib = p+i+n+u+g+s+b+m+c+md5+sha1

After defining the variable Binlib, the respective checking options are used in the files section. Important options include the following:
Table 12.1. Important AIDE Checking Options

Option | Description
---|---
p | Check for the file permissions of the selected files or directories.
i | Check for the inode number. Every filename has a unique inode number that should not change.
n | Check for the number of links pointing to the relevant file.
u | Check if the owner of the file has changed.
g | Check if the group of the file has changed.
s | Check if the file size has changed.
b | Check if the block count used by the file has changed.
m | Check if the modification time of the file has changed.
c | Check if the file's access time has changed.
md5 | Check if the md5 checksum of the file has changed.
sha1 | Check if the sha1 (160-bit) checksum of the file has changed.
A configuration that checks all files in /sbin with the options defined in Binlib but omits the directory /sbin/conf.d/ would look like the following:

/sbin Binlib !/sbin/conf.d
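To make the rule syntax above concrete, here is an added toy model (not AIDE's own code) that expands a group definition like Binlib, applies selection and "!" exclusion lines to paths, records the selected attributes into a baseline, and reports which option letters differ on a later run. It assumes a simplified matching order (any matching negative line excludes a path, otherwise the first matching positive line applies) and constructs its own /sbin tree in a temporary directory.

```python
# Added toy model of AIDE's rule language and database check, not AIDE's own code. Simplified
# matching: regexes anchor at the path start; a matching "!" line excludes; else first match wins.
import hashlib, os, re, tempfile
from pathlib import Path

AIDE_CONF = "Binlib = p+i+n+u+g+s+b+m+c+md5+sha1\n/sbin Binlib\n!/sbin/conf.d\n"  # constructed
STAT = {"p": "st_mode", "i": "st_ino", "n": "st_nlink", "u": "st_uid", "g": "st_gid",
        "s": "st_size", "b": "st_blocks", "m": "st_mtime_ns", "c": "st_ctime_ns"}
HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1}

def parse_config(text):
    groups, selections = {}, []        # group name -> options; [(negate, regex, options)]
    for line in filter(lambda l: l and l[0] != "#", map(str.strip, text.splitlines())):
        if line[0] not in "/!":                          # Binlib = p+i+...: define a group
            name, _, opts = line.partition("=")
            groups[name.strip()] = set(opts.strip().split("+"))
        elif line[0] == "!":                             # !regex: exclude matching paths
            selections.append((True, re.compile(line[1:]), set()))
        else:                                            # regex Group: select with options
            regex, _, group = line.partition(" ")
            selections.append((False, re.compile(regex), groups[group.strip()]))
    return selections

def selected_options(path, selections):               # None when no rule selects the path
    if any(neg and rx.match(path) for neg, rx, _ in selections):
        return None
    return next((o for neg, rx, o in selections if not neg and rx.match(path)), None)

def record(path, opts):
    """One database entry: the requested stat fields plus checksums of the content."""
    st, data = os.stat(path), Path(path).read_bytes()
    entry = {o: getattr(st, STAT[o]) for o in opts if o in STAT}
    entry.update({h: HASHES[h](data).hexdigest() for h in opts.intersection(HASHES)})
    return entry

def snapshot(root, rels, selections):                 # paths named as in aide.conf, root is "/"
    return {r: record(root + r, o) for r in rels if (o := selected_options(r, selections))}

def compare(old, new):                                # per path, option letters whose value differs
    return {p: d for p in old.keys() & new.keys()
            if (d := {o for o in old[p] if old[p][o] != new[p][o]})}

def demo():
    """Baseline a constructed /sbin tree, alter one binary, return (baseline, report)."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "sbin/conf.d").mkdir(parents=True)
        Path(root, "sbin/init").write_bytes(b"binary")
        Path(root, "sbin/conf.d/x").write_bytes(b"cfg")            # excluded by the "!" line
        sel, files = parse_config(AIDE_CONF), ["/sbin/init", "/sbin/conf.d/x"]
        baseline = snapshot(root, files, sel)
        Path(root, "sbin/init").write_bytes(b"binary+patched")     # size, md5 and sha1 differ
        return baseline, compare(baseline, snapshot(root, files, sel))
```

Running demo() shows that /sbin/conf.d/x never enters the database, while the rewritten /sbin/init is reported with at least the s, md5 and sha1 options changed and its inode, owner, group and permissions unchanged.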
To create the AIDE database, proceed as follows:

1. Open the file /etc/aide.conf.

2. Define which files should be checked with which checking options. For a complete list of available checking options, see /usr/share/doc/packages/aide/manual.html. The definition of the file selection needs some knowledge about regular expressions. Save your modifications.

3. Check if the configuration file is valid. Run the command:

   aide --config-check

   Any output of this command is a hint that the configuration is not valid. For example, if you get the following output:

   aide --config-check
   35:syntax error:!
   35:Error while reading configuration:!
   Configuration error

   the error is to be expected in line 36 of /etc/aide.conf. Note that the error message contains the last successfully read line of the configuration file.

4. Initialize the AIDE database. Run the command:

   aide -i

5. Copy the generated database to a safe location like a CD-R or DVD-R, a remote server or a USB disk for later use.
This step is essential as it avoids compromising your database. It is recommended to use a medium which can be written only once to prevent the database being modified. Never leave the database on the computer which you want to monitor.