Fedora Linux

/etc/gshadow NORMAL
/etc/shadow NORMAL
/var/log p+n+u+g
# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future versions.
#
#=/lost+found DIR
#=/home DIR

Most of this file consists of selection lines , which contain two fields. The first field is used to specify files to process or, if prepended with ! , files to exclude from processing. This field is evaluated as a regular expression, so the pattern /lib will match any filename starting with /lib , including files such as /lib/lsb/init-functions .  

These regular expressions are treated as if they have ^ prepended (they match only at the start of filenames). To exactly match one filename, append $:

/var/log/messages$ >

The $ prevents this selection line from matching the logrotate history files (such as /var/log/messages.1).

The second field is a list of fingerprint qualities, drawn from the list included in the file as comments, separated with + characters. The values NORMAL and DIR are configured as group definitions, permitting easy reference to commonly used combinations of fingerprint qualities. In this case, NORMAL is defined as R+b+sha1 , meaning the predefined fingerprint-qualities group R , block count, and SHA1 checksums. R in turn means permissions, inode number, number of links, user, group, size, modification time, creation/inode change time, and MD5 checksum.

To add additional files to be fingerprinted, append entries to this file. For example, to verify that your web pages have not changed, append:

/var/www/html NORMAL

8.8.2. How Does It Work?

AIDE works by recording the fingerprint qualities in its database file as plain text (though the file is normally compressed using gzip ). Here is a sample of a fingerprint database:

@@begin_db
# This file was generated by Aide, version 0.11
# Time of generation was 2006-06-01 10:57:23
@@db_spec name lname attr perm bcount uid gid size mtime ctime inode lcount md5 sha1
/etc 0 541 40755 0 0 0 0 0 0 713153 0 0 0
/sbin 0 4029 40755 32 0 0 12288 MTE0MjkxODMyMg== MTE0MjkxODMyMg== 1880129 2 0 0
/root 0 4029 40750 16 0 0 4096 MTE0OTE2OTg2NQ== MTE0OTE2OTg2NQ== 1296641 8 0 0
/usr 0 4029 40755 16 0 0 4096 MTE0Mjg5MjIzOA== MTE0Mjg5MjIzOA== 1782881 14 0 0
...(Lines snipped)...
/boot/grub/grub.conf 0 16317 100600 4 0 0 599 MTE0Mjg5NTcwNw== MTE0Mjg5NTcwNw== 2011 1 zvjoV7HEEv/lHBdWPRNK9g== xJ2OrD9u9dqn9n3M2y/iKgxzoHk=
/boot/grub/reiserfs_stage1_5 0 16317 100644 20 0 0 9056 MTE0Mjg5NTcwOA== MTE0Mjg5NTcwOA== 2022 1 3QMuqfoxpKu/nMsBGE554Q== 6fWY3Yrk7M4+aW0voaqzOIxyQY8=
/boot/grub/jfs_stage1_5 0 16317 100644 18 0 0 8032 MTE0Mjg5NTcwOA== MTE0Mjg5NTcwOA== 2020 1 6favoJt1WCIN/dnckuHbfQ== aIlm2nFM9bVJSaE/rwLYehLgpRQ=
@@end_db

When run with the -C option, aide simply calculates a new fingerprint and compares the value with the old fingerprint, reporting any discrepancies.

8.8.3. What About...

8.8.3.1. ...an intruder altering the fingerprint database?

This is a very real possibility. To guard against this, the fingerprint database should be recorded on read- only media (such as a CD-R), stored on a different system, or stored on removable media that the system administrator can secure against alteration.

8.8.3.2. ...automating AIDE scans?

To automate daily AIDE scans, create the file /etc/cron.daily/50aide with these contents:

#!/bin/bash
/usr/sbin/aide --check 2>&1|mail -s 'AIDE scan results' root

Make the file executable by root :

# chown root /etc/cron.daily/50aide
# chmod u+rx /etc/cron.daily/50aide

An AIDE scan will then be performed daily, and the results will be mailed to root on the local system (or the user who receives root mail, as defined in /etc/aliases ).

8.8.4. Where Can I Learn More?

? The manpages for aide and aide.conf

? The AIDE online manual: http://www.cs.tut.fi/~rammer/aide/manual.html