2. About
● AIDE (Advanced Intrusion Detection Environment) is a file integrity checker and host-based intrusion detection program
● Open-source alternative to the old Tripwire (which stopped being given away for free)
● Scans all configured files when you ask it to check; it does not run continuously
● Included in Red Hat (and most other Linux distros)
● Doesn't use inotify but actually walks and rescans the file system :( so a change that is made and undone between two checks is never seen
4. Configuration
● Config file /etc/aide.conf
● A rule names the attributes to record for a file; a selection line pairs a path (a regular expression matched from the start of the path) with a rule, and a leading ! excludes the path
Examples:
#p: permissions
#i: inode
#n: number of links
#u: user
#g: group
#s: size
#m: mtime
#c: ctime
R = p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
NORMAL = R+rmd160+sha256
LSPP = R+sha256
/boot NORMAL
!/usr/src
/etc/exports NORMAL
5. Initialization
● /usr/sbin/aide --init
  (writes the new database to /var/lib/aide/aide.db.new.gz)
● Copy /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz to somewhere an attacker can't reach (read-only or offline media): a check is only as trustworthy as the config, binary and database it runs from
● cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  (aide.db.gz is the database a later check is compared against)
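As an added example (not AIDE's own code and not from the original slides), the following Python models both the Configuration and the Initialization slides: it records the attributes behind AIDE's rule letters that Python can read portably (p, i, n, u, g, s, m, c plus sha256 from the NORMAL rule; acl, selinux, xattrs, md5 and rmd160 are left out), honours a !-style exclusion, writes a gzip-compressed database the way aide.db.new.gz is written, renames it into place like the cp step, and then runs a check that reports added, removed and changed files together with which rule letters differ. The directory tree, file contents and tamper steps in demo() are constructed for the example; the JSON database format is an assumption and is not AIDE's format.

```python
"""Toy model of AIDE's init/check cycle (added example, not AIDE code)."""
import gzip
import hashlib
import json
import os
import stat
import tempfile

# AIDE rule letters this model understands; the real R/NORMAL rules add more.
ATTRS = ("p", "i", "n", "u", "g", "s", "m", "c", "sha256")


def file_record(path):
    """Attributes of one path, keyed by AIDE's rule letters."""
    st = os.lstat(path)
    rec = {"p": stat.S_IMODE(st.st_mode), "i": st.st_ino, "n": st.st_nlink,
           "u": st.st_uid, "g": st.st_gid, "s": st.st_size,
           "m": st.st_mtime_ns, "c": st.st_ctime_ns}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_db(root, excludes=()):
    """Like 'aide --init': snapshot every regular file under root,
    pruning paths (relative to root) that a '!' line would exclude."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(rel_dir, d)) not in excludes]
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if rel not in excludes:
                db[rel] = file_record(os.path.join(dirpath, name))
    return db


def save_db(db, path):
    """Write the database gzip-compressed (JSON here; an assumed format)."""
    with gzip.open(path, "wt") as f:
        json.dump(db, f)


def load_db(path):
    with gzip.open(path, "rt") as f:
        return json.load(f)


def check(root, db, excludes=()):
    """Like 'aide --check': compare the live tree against the stored db and
    name the rule letters that differ for each changed file."""
    now = build_db(root, excludes)
    changed = {}
    for rel in sorted(now.keys() & db.keys()):
        diff = [a for a in ATTRS if db[rel].get(a) != now[rel].get(a)]
        if diff:
            changed[rel] = diff
    return {"added": sorted(now.keys() - db.keys()),
            "removed": sorted(db.keys() - now.keys()),
            "changed": changed}


def demo():
    """Constructed scenario: init, install the db, tamper, then check."""
    root = tempfile.mkdtemp()          # stands in for /
    db_dir = tempfile.mkdtemp()        # stands in for /var/lib/aide, kept outside the scan

    def put(rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(text)

    put("etc/exports", "/srv/nfs 10.0.0.0/24(ro)\n")
    put("boot/vmlinuz", "kernel image\n")
    put("etc/motd", "welcome\n")
    put("usr/src/foo.c", "int main(void) { return 0; }\n")
    excludes = {"usr/src"}             # mirrors the '!/usr/src' line

    # aide --init, then the cp that makes the new database the active one
    new_db = os.path.join(db_dir, "aide.db.new.gz")
    active_db = os.path.join(db_dir, "aide.db.gz")
    save_db(build_db(root, excludes), new_db)
    os.replace(new_db, active_db)

    # Tampering between init and check
    with open(os.path.join(root, "etc/exports"), "a") as f:
        f.write("/srv/nfs *(rw,no_root_squash)\n")      # content + size change
    os.utime(os.path.join(root, "boot/vmlinuz"), (0, 0))  # mtime reset, content intact
    put("etc/cron.d/newjob", "* * * * * root /tmp/x\n")   # new file
    os.remove(os.path.join(root, "etc/motd"))             # deleted file
    put("usr/src/foo.c", "// edited, but excluded from the scan\n")

    return check(root, load_db(active_db), excludes)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The mtime reset on boot/vmlinuz is the reason rules carry both m and a hash: the hash alone would report that file as untouched, while m alone would miss an edit made with the timestamp restored afterwards. Note that mtime and ctime are compared at nanosecond precision here; on a filesystem with one-second timestamps a change made within the same second as the init would not show in m or c, but would still show in s or sha256.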