AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more.It creates a database from the regular expression rules that it finds from the config file. Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (md5,sha1,rmd160,tiger,haval,etc.) that are used to check the integrity of the file. More algorithms can be added with relative ease. All of the usual file attributes can also be checked for inconsistencies. It can read databases from older or newer versions.
Install AIDE in Debian
#apt-get install aide
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 444kB of archives.
After unpacking 1151kB of additional disk space will be used.
Get:1 http://mirror.ox.ac.uk stable/main aide 0.10-6.1sarge2 [444kB]
Fetched 444kB in 1s (414kB/s)
Preconfiguring packages ...
Selecting previously deselected package aide.
(Reading database ... 12784 files and directories currently installed.)
Unpacking aide (from .../aide_0.10-6.1sarge2_i386.deb) ...
Setting up aide (0.10-6.1sarge2) ...
At the time of installation it will ask the following questions and you need to answer as follows
Where should daily reports be mailed?
Daily reports are mailed to root by default. You may change that here or in /etc/default/aide. ok
Initialize aide database? yes
It is advisable for you to first look over /var/lib/aide/aide.db.new file before replacing the existing db. Would you like to replace it anyway?Copy aide.db.new to aide.db? yes
This will complete the installation and the configuration file located at /etc/aide/aide.conf.Check here for default aide.conf file.
The configuration file defines a list of checks, such as the following:
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
Here we see the check called Binlib is defined as a combination of different tests from the following table:
# Here are all the things we can check - these are the default rules
#n: number of links
#b: block count
#S: check for growing size
#md5: md5 checksum
#sha1: sha1 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#E: Empty group
#>: Growing logfile p+u+g+i+n+S
There are a number of tests defined for different purposes, such as ConfFiles designed to cover things in /etc, Logs for logfiles, etc.
Then these tests are applied to a group of directories.
So my previous example covering most of the important directories looks like this for aide: