AIDE (Advanced Intrusion Detection Environment) is a free
replacement for Tripwire. It does the same things as the
semi-free Tripwire and more. It creates a database from the
regular expression rules that it finds in the config file.
Once this database is initialized it can be used to verify the
integrity of the files. It has several message digest algorithms
(md5, sha1, rmd160, tiger, haval, etc.) that are used to check
the integrity of each file. More algorithms can be added with
relative ease. All of the usual file attributes can also be
checked for inconsistencies. It can read databases from older or

Install AIDE in Debian
# apt-get install aide
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 444kB of archives.
After unpacking 1151kB of additional disk space will be used.
http://mirror.ox.ac.uk stable/main aide 0.10-6.1sarge2
Fetched 444kB in 1s (414kB/s)
Preconfiguring packages ...
Selecting previously deselected package aide.
(Reading database ... 12784 files and directories currently
Unpacking aide (from .../aide_0.10-6.1sarge2_i386.deb) ...
Setting up aide (0.10-6.1sarge2) ...

At the time of installation it will ask the following questions,
and you need to answer as follows:

Where should daily reports be mailed?
Daily reports are mailed to root by default. You may change that
here or in /etc/default/aide. Answer: ok

Initialize AIDE database? Answer: yes

It is advisable for you to first look over the /var/lib/aide/aide.db.new
file before replacing the existing db. Would you like to replace
it anyway? Copy aide.db.new to aide.db? Answer: yes

Note that the database initialized here is the baseline that every
later check is compared against, so it is only worth as much as the
state of the system at the moment it is built: initialize it on a
freshly installed, known-clean system, and keep aide.db and aide.conf
where an attacker who gains root cannot rewrite them (for example on
read-only media), since anyone who can replace the baseline can hide
their changes from the next check.
This completes the installation. The configuration file is
located at /etc/aide/aide.conf; check it for the default rules.

The configuration file defines a list of checks (rules), such as:

Binlib = p+i+n+u+g+s+b+m+c+md5+sha1

Here we see the check called Binlib is defined as a combination
of different tests from the following table (the letters used by
Binlib that the excerpt left out are listed with the meanings
given in the default aide.conf comments):
# Here are all the things we can check - these are the default
#p: permissions
#i: inode
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#c: ctime
#S: check for growing size
#md5: md5 checksum
#sha1: sha1 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#E: Empty group
#>: Growing logfile p+u+g+i+n+S

A number of such rules are defined for different purposes, such as
ConfFiles, designed to cover things in /etc, Logs for logfiles, and
so on. These rules are then applied to groups of directories by
selection lines: a regular expression that the start of a path must
match, followed by the rule to apply to everything it matches.
So my previous example, covering most of the important
directories, looks like this for AIDE:
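The following is an added example, not code from the original page or from the AIDE project. It is a small Python model of the rule semantics described above: a rule is a combination of the attribute letters from the table, a selection line applies a rule to every path whose beginning matches a regular expression, and a leading ! excludes matching paths. The configuration fragment (SAMPLE_CONF) and the directory tree it runs over are constructed for the example. The precedence used when several selection lines match (an exclusion always wins, otherwise the longest matching pattern) is an assumption of this model, not a statement about AIDE's own matching order. It shows why the Logs rule uses S rather than s: a log that grows between runs is not reported, a log that shrinks is, and a binary whose content changes without a change in size is caught only by the checksum attributes.

```python
import hashlib, os, re, stat, tempfile  # added example modelling AIDE's rules; not AIDE's code

# Constructed aide.conf-style fragment: "Name = a+b" defines a rule, "/regex Rule"
# applies it to paths whose start matches the regex, "!/regex" excludes paths.
SAMPLE_CONF = """
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+u+g+i+n+S
/bin Binlib
/var/log Logs
!/var/log/scratch
"""

def _digest(algo):
    return lambda path, st: hashlib.new(algo, open(path, "rb").read()).hexdigest()

ATTRS = {  # attribute letters, with the meanings given in the default aide.conf comments
    "p": lambda path, st: stat.S_IMODE(st.st_mode),  # permissions
    "i": lambda path, st: st.st_ino,                  # inode
    "n": lambda path, st: st.st_nlink,                # number of links
    "u": lambda path, st: st.st_uid,                  # user
    "g": lambda path, st: st.st_gid,                  # group
    "s": lambda path, st: st.st_size,                 # size
    "b": lambda path, st: st.st_blocks,               # block count
    "m": lambda path, st: int(st.st_mtime),           # mtime
    "c": lambda path, st: int(st.st_ctime),           # ctime
    "S": lambda path, st: st.st_size,                 # growing size: only shrinking is flagged
    "md5": _digest("md5"), "sha1": _digest("sha1"),   # checksums
}

def parse_conf(text):
    """Return (rules, selections): name -> attribute list, and (negate, regex, attrs) per line."""
    rules, selections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line and not line.startswith(("/", "!")):
            name, expr = (x.strip() for x in line.split("=", 1))
            # a rule is built from attribute letters and/or previously defined rules
            attrs = [a for tok in expr.split("+") for a in rules.get(tok, [tok])]
            if not all(a in ATTRS for a in attrs):
                raise ValueError("unknown attribute in rule %s" % name)
            rules[name] = attrs
        else:
            negate = line.startswith("!")
            pattern, _, rule = line.lstrip("!").partition(" ")
            selections.append((negate, re.compile(pattern), None if negate else rules[rule.strip()]))
    return rules, selections

def rule_for(path, selections):
    """Precedence assumed by this model: an exclusion always wins, else the longest match."""
    chosen = None
    for negate, pat, attrs in selections:
        if pat.match(path):
            if negate:
                return None
            if chosen is None or len(pat.pattern) > len(chosen[0].pattern):
                chosen = (pat, attrs)
    return chosen[1] if chosen else None

def build_db(root, selections):
    """Walk root (standing in for /) and record the selected attributes of each file."""
    db = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            virt = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            attrs = rule_for(virt, selections)
            if attrs is not None:
                st = os.lstat(full)
                db[virt] = {a: ATTRS[a](full, st) for a in attrs}
    return db

def check(old, new):
    """Compare a baseline with a fresh database; return {path: [changed attributes]}."""
    report = {}
    for path in sorted(set(old) | set(new)):
        if path not in old or path not in new:
            report[path] = ["added" if path in new else "removed"]
            continue
        changed = [a for a, v in old[path].items()
                   if new[path][a] != v and not (a == "S" and new[path][a] > v)]
        if changed:
            report[path] = changed
    return report

def _write(root, rel, data, mode="wb"):
    open(os.path.join(root, rel), mode).write(data)

def demo():
    """Build a baseline over a constructed tree, tamper with it, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin")); os.makedirs(os.path.join(root, "var/log/scratch"))
        _write(root, "bin/ls", b"ELF-ish bytes")
        _write(root, "var/log/syslog", b"line1\n")
        _write(root, "var/log/auth.log", b"a\nb\nc\n")
        _write(root, "var/log/scratch/tmp", b"x")
        selections = parse_conf(SAMPLE_CONF)[1]
        baseline = build_db(root, selections)
        _write(root, "bin/ls", b"ELF-ish bytez")          # same size, changed content
        _write(root, "var/log/syslog", b"line2\n", "ab")   # legitimate growth
        _write(root, "var/log/auth.log", b"")              # truncated log
        _write(root, "var/log/scratch/tmp", b"yy")         # excluded path
        return check(baseline, build_db(root, selections))
```

Calling demo() returns the report: /bin/ls is listed with md5 and sha1 (and whichever timestamps crossed a second boundary) while its size and inode are unchanged, /var/log/auth.log is listed with S because it shrank, and neither the grown syslog nor anything under the excluded scratch directory appears. Real AIDE adds what this model leaves out, notably the database file format and the extra prefix forms of selection lines, but the attribute letters and the meaning of a rule line are the ones from aide.conf above.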