Linux - Security (LinuxQuestions.org). This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
You're close, but not quite there yet. You really have to do three things:
1) Set up an aide.conf file that tells Aide what directories to scan, and what to avoid. There should be an example file in the source code.
2) Run aide --update --config=/path/to/aide.conf. This will establish a database of file signatures for use in future scans.
3) Set up an Aide cron job to have it run on a regular basis. Mine runs once a day.
4) (OK, I lied about three things to do) Make an off-computer backup of your aide database.
If you want to be really paranoid, you could store the working copy of the aide database on a non-writable disk like a CD, but I've found it to be an acceptable risk to leave the aide database accessible on the hard drive and, if I have suspicions, copy the backup and re-run aide. In my opinion, having an off-computer backup is NOT optional.
Great! Thanks, but how do I know what files to scan??
That really depends upon your level of paranoia and the amount of log reading you want to do. I've got mine set up to scan the entire system except for a few directories that change constantly. I've excluded /sys, /dev, /proc and /tmp for pretty much that reason. Now be aware that many crackers will work in /tmp precisely for the same reason: it changes so much that people rarely really monitor it. I'm going on the assumption that if I do get cracked, the bad guys will have to first modify files in directories that I do monitor before they can really set up shop in /tmp. I also exclude several directories in /var like /var/logs and /var/lib/mysql, where I've got my databases stored, and I also exclude my /home directory. They just created too much noise in the reports.
It ends up being a little bit of give and take to find the number of directories to monitor versus the size of the report Aide will generate. I would start by monitoring a bit much and then pare back as you learn what directories just generate noise. But like I said, where that line is drawn is pretty much dependent on your own level of paranoia.
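The four steps from the first answer and the exclusion list from the second, put together as an added example (this script is not from the thread or from the AIDE project): it writes an aide.conf that watches the whole system minus the directories named above, builds the first database, installs a daily cron check, and copies the database plus a checksum manifest to a backup location. DEMO_ROOT, BACKUP_DIR and the file layout are assumptions so it can run in a scratch directory; BACKUP_DIR stands in for the off-computer copy. It uses aide --init for the first database, which is the documented way to create one when none exists yet; --update compares against an existing database while writing a new one.

```shell
#!/bin/sh
# Added example (not from the thread): set up AIDE the way the posts describe.
# DEMO_ROOT, BACKUP_DIR and the layout below are assumptions so the script can
# run in a scratch directory; on a real host run it as root with DEMO_ROOT=""
# so the files land in /etc and /var/lib/aide.
set -eu

DEMO_ROOT="${DEMO_ROOT:-$(mktemp -d)}"
AIDE_CONF="$DEMO_ROOT/etc/aide.conf"
AIDE_DB_DIR="$DEMO_ROOT/var/lib/aide"
AIDE_LOG_DIR="$DEMO_ROOT/var/log/aide"
# stands in for the off-computer copy (USB disk, another host via scp, ...)
BACKUP_DIR="${BACKUP_DIR:-$DEMO_ROOT/offsite-backup}"

# Step 1: what to scan and what to skip. The ! lines exclude a path and
# everything below it; the exclusions are the ones the second answer names.
write_aide_conf() {
    mkdir -p "$(dirname "$AIDE_CONF")" "$AIDE_DB_DIR" "$AIDE_LOG_DIR"
    cat > "$AIDE_CONF" <<EOF
# database_in is what --check compares against; --init/--update write database_out
# (AIDE 0.17+ syntax; older releases spell the first option "database=")
database_in=file:$AIDE_DB_DIR/aide.db
database_out=file:$AIDE_DB_DIR/aide.db.new

# attribute group: perms, inode, link count, uid, gid, size, mtime, ctime, sha256
NORMAL = p+i+n+u+g+s+m+c+sha256

# scan the entire system ...
/ NORMAL

# ... except pseudo-filesystems and scratch space that change constantly
!/proc
!/sys
!/dev
!/tmp

# ... and the data directories that only generate noise in the reports
!/var/log
!/var/lib/mysql
!/home
EOF
}

# Step 2: build the first database, then promote it to the name --check reads
init_db() {
    aide --init --config="$AIDE_CONF"
    mv "$AIDE_DB_DIR/aide.db.new" "$AIDE_DB_DIR/aide.db"
}

# Step 3: a daily check. AIDE exits non-zero when it finds differences, so the
# report is kept per day and the exit status is appended for the next log read.
write_cron_job() {
    mkdir -p "$DEMO_ROOT/etc/cron.daily"
    cat > "$DEMO_ROOT/etc/cron.daily/aide" <<EOF
#!/bin/sh
REPORT="$AIDE_LOG_DIR/check-\$(date +%Y%m%d).log"
aide --check --config="$AIDE_CONF" > "\$REPORT" 2>&1 || echo "aide exit status \$?" >> "\$REPORT"
EOF
    chmod 0755 "$DEMO_ROOT/etc/cron.daily/aide"
}

# Step 4: copy the database (and the config it belongs to) to the backup
# location and record checksums so a restored copy can be verified before use
backup_db() {
    mkdir -p "$BACKUP_DIR"
    : > "$BACKUP_DIR/SHA256SUMS"
    for f in "$AIDE_CONF" "$AIDE_DB_DIR/aide.db"; do
        if [ -f "$f" ]; then
            cp -p "$f" "$BACKUP_DIR/"
            (cd "$BACKUP_DIR" && sha256sum "$(basename "$f")" >> SHA256SUMS)
        fi
    done
}

# Before re-running aide from the backup, confirm the copy is the one you made
verify_backup() {
    (cd "$BACKUP_DIR" && sha256sum -c SHA256SUMS > /dev/null)
}

write_aide_conf
write_cron_job
# the database can only be built where aide is installed
if command -v aide > /dev/null 2>&1; then
    init_db
fi
backup_db
verify_backup
```

Start by watching more than you think you need, then move directories from the monitored set into the exclusion list as the daily reports show which ones only produce noise.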