Installing AIDE

AIDE stands for Advanced Intrusion Detection Environment (not System!). It collates information about the files you specify, such as checksums and permissions, into a database that is stored on external media. This is especially useful for detecting files that a cracker has covertly edited or placed on your system. For instance, if your system is compromised, "ls" could be replaced with a bash script that deletes every file in the root tree.

Ideally you should run AIDE on a fresh system that has never been connected to a network: if a malicious file is already on your system, AIDE will simply record it as any other file. You should also install AIDE on non-rewritable media or storage. It depends how paranoid you are; personally I'm using it on a USB key. If you are really security conscious you might consider a multi-session CD-R to hold the AIDE binary and database. Either way, the instructions are basically the same.

First download AIDE from the AIDE Sourceforge page, move it into a directory and unpack it with:

tar xzf aide*

Go into the directory, making sure you have mounted whatever you are using (preferably a USB key), and configure it so that the binary is installed on the removable storage and looks under the storage directories instead of the default root tree:

./configure --prefix=/mnt/usbkey/aide --exec-prefix=/mnt/usbkey/aide

Next go into the directory you installed it to (/mnt/usbkey/aide in my case) and make an etc directory to hold the database and configuration files:

mkdir etc

cd etc

touch aide.conf

Next fill in the configuration you require in the .conf file. The manual is handy for finding out which options you need. Caveat: apparently the configuration options like to be lined up, so make sure you have two distinguishable columns: the directories on the left and the rules on the right.
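As an added illustration of that two-column layout (this is my own example, not the configuration from the original post), here is a minimal aide.conf for the USB-key install. The paths under /mnt/usbkey/aide are the ones used in this post; the rule names Binlib, ConfFiles and Logs and the choice of directories are assumptions you should adapt to your own system.

```conf
# Example aide.conf (added illustration, not the post's own file).
# Keep the database on the removable key so a compromised host
# cannot quietly rewrite the baseline it is checked against.
database=file:/mnt/usbkey/aide/etc/aide.db
database_out=file:/mnt/usbkey/aide/etc/aide.new.db
report_url=stdout

# Rule definitions: which attributes to record per file.
# p = permissions, i = inode, n = link count, u = uid, g = gid,
# s = size, m = mtime, c = ctime, S = size may only grow (log files).
# Hypothetical rule names; any identifier will do.
Binlib    = p+i+n+u+g+s+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+m+c+md5+sha1
Logs      = p+n+u+g+S

# Selection lines: directory on the left, rule on the right.
# A line starting with ! excludes everything matching that path.
/bin        Binlib
/sbin       Binlib
/usr/bin    Binlib
/usr/sbin   Binlib
/lib        Binlib
/etc        ConfFiles
/var/log    Logs
!/var/log/lastlog
!/proc
!/tmp
```

Binaries and configuration get full checksums because any change there is suspicious, while log directories only get the growing-size rule so routine appends do not flood the report.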

Now that you have the configuration file sorted out, move into the bin directory and initialise the database:

./aide --init

This should create an aide.new.db file or similar under the /mnt/usbkey/aide/etc folder. Rename it to aide.db:

mv aide.new.db aide.db

Now sit back and relax, and check that all your files are in order every so often. How often? That depends on how paranoid you are. To check, just plug in your USB key and execute:

./aide --check