LinuxQuestions.org

Linux - Security: Minimizing Aide's presence? (https://www.linuxquestions.org/questions/linux-security-4/minimizing-aides-presence-885353/)

Tekth 06-09-2011 02:52 AM

Minimizing Aide's presence?
 
I have just started playing around with Aide as I am new to this form of security monitoring. I have Aide installed and configured somewhat; however, I read pretty much everywhere that I need to have the binaries on a removable read-only medium so that I can run Aide from there but not have anyone really know that it exists.

I'll be honest, I'm not really sure how to implement this now that I have Aide installed already. I know where the configuration file and database files are, but that's pretty much it. I have done some considerable searching in my file system and still haven't been able to find any other files associated with Aide's operation.

1) Is it possible to maintain the current installation of Aide while performing this mobilization of Aide's associated files to separate media?
2) What files are necessary to copy over to this separate media in order to make Aide fully functional?
3) Once I have the files copied over onto a CD or something, can I just remove them from my computer's file system? Do I need to tell the file system their location has changed?

I will keep reading up on this, but any help is greatly appreciated!

Tekth 06-10-2011 04:02 PM

1) Located the binary using: which aide
2) Copied the binary to the desired location
3) Added the location to $PATH

Now which shows the location of aide as my new custom location.

unSpawn 06-11-2011 06:42 AM

Quote:

Originally Posted by Tekth (Post 4380676)
I read, everywhere pretty much, that I need to have the binaries on a removable read only medium so that I can run Aide from there but not have anyone really know that it exists.

The idea behind it is that an intruder should have no clues as to what detection you run and that you will always have independent and known good means of verification.


Quote:

Originally Posted by Tekth (Post 4380676)
Is it possible to maintain the current installation of Aide while performing this mobilization of Aide's associated files to separate media?

If you're using a floppy or USB stick, then the only things you need to do are to copy your aide binary, aide.conf and aide.db(.gz) to your preferred medium and edit aide.conf to point it to the database there, but note that aide, if it was not compiled as a static binary, depends on system libraries which may be or become subject to unexpected alteration. If you OTOH use some bootable medium, then copying over those dependencies (and busybox!) will safeguard them against alteration, but you should also adjust the mount points to check in your aide.conf, as "/" will be the root of the Live file system.


Quote:

Originally Posted by Tekth (Post 4380676)
Once I have the files copied over onto a cd or something, can I just remove them from my computers file system? Do I need to tell the file system their location has changed?

(Looking at CD-ROM deterioration, why not extract a Live CD-ROM image, adjust its contents and make your USB stick boot it using GRUB?) Yes, you can remove the files from your computer, but I'd keep the removable medium as a backup; I wouldn't alter any system paths for it and would only use it in case you have suspicions. Also note that if you have more than one computer, Samhain provides a client-server setup where you can store hash databases on the server (provided it's properly secured and audited regularly) and request the client's database from there if you need to run checks. Another way could be to use webjob, which can download (even over SSL) a binary, database and control file to run on a not or no longer trusted client (though note that unexpected system alteration may then still thwart operations).
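The staging that unSpawn describes above, as an added shell example that is not part of the thread and not code from the AIDE project: it copies the binary, config and database to a mounted medium, rewrites the database paths in the config, pulls in shared libraries for a non-static binary, and records checksums so the medium's own contents can be verified before use. It also shows the bootable-medium case, where every selection line in aide.conf has to be prefixed with the mount point of the host filesystem because "/" is the live system's root. The paths /usr/bin/aide, /etc/aide/aide.conf and /var/lib/aide/aide.db are assumed Debian-style defaults, and /mnt/aide and /mnt/host are assumed mount points.

```shell
# Added example (not from the thread or from the AIDE project). Assumptions:
# MEDIUM is where the removable medium is mounted; HOSTROOT is where the host
# filesystem is mounted when booted from a live medium; the source paths in the
# usage comment at the bottom are Debian-style defaults and may differ.

# Rewrite the database=/database_in= and database_out= lines of an aide.conf so
# they point at the copies on the medium. Prints the rewritten config to stdout.
relocate_aide_conf() {
    conf="$1"; medium="${2%/}"
    sed -e "s|^database\(_in\)\{0,1\}=file:.*|database\1=file:${medium}/aide.db|" \
        -e "s|^database_out=file:.*|database_out=file:${medium}/aide.db.new|" \
        "$conf"
}

# Bootable-medium case: "/" is the live system's root, so the host filesystem
# (mounted at HOSTROOT) must be prefixed into every selection line, i.e. lines
# starting with "/", "=/" or "!/". Directives such as database= are untouched.
prefix_aide_rules() {
    conf="$1"; hostroot="${2%/}"
    sed -e "s|^\([=!]\{0,1\}\)/|\1${hostroot}/|" "$conf"
}

# List the shared objects a dynamically linked binary needs, one path per line
# (both "lib => /path" entries and the bare loader path). A static binary, or
# a non-ELF file, yields no output.
shared_libs_of() {
    ldd "$1" 2>/dev/null | awk '/=> \// {print $3} $1 ~ /^\// {print $1}'
}

# Copy binary, config and database, plus the shared libraries of a non-static
# binary, and record checksums so the medium itself can be verified later.
stage_aide() {
    bin="$1"; conf="$2"; db="$3"; medium="${4%/}"
    mkdir -p "$medium/lib"
    cp "$bin" "$medium/aide"
    cp "$db" "$medium/aide.db"
    relocate_aide_conf "$conf" "$medium" > "$medium/aide.conf"
    shared_libs_of "$bin" | while read -r lib; do cp "$lib" "$medium/lib/"; done
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$medium" && sha256sum aide aide.conf aide.db > SHA256SUMS)
    fi
}

# Check the staged files against the recorded checksums; non-zero on any
# mismatch. Run this before trusting the medium's copy of aide.
verify_medium() {
    (cd "${1%/}" && sha256sum -c SHA256SUMS >/dev/null)
}

# Typical use (not run here): stage once, then mount the medium read-only when
# you want to check the host and run the copy with its own config:
#   stage_aide /usr/bin/aide /etc/aide/aide.conf /var/lib/aide/aide.db /mnt/aide
#   verify_medium /mnt/aide && /mnt/aide/aide --config=/mnt/aide/aide.conf --check
```

Two caveats follow from unSpawn's post. Copying the libraries preserves known-good copies, but a binary run on a possibly compromised host still goes through that host's kernel and dynamic loader, so only booting from an independent medium gives full separation. And once the selection lines are prefixed for the live case, a database that was built on the host with unprefixed names will not line up with them; the thread predates it, but AIDE 0.16 and later offer a root_prefix option for exactly that situation.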

