AIDE to the Rescue -- An Open Source Security Tool
By Arthur Messenger, February 06, 2003
The Advanced Intrusion Detection Environment (AIDE) is a multi-platform, open-source (GPL) replacement for Tripwire. Both tools detect intrusions the same way: they build a baseline database of file attributes and later check the file system against it, reporting anything that has changed. AIDE came about because its original author, Rami Lehti, wanted to get past some of Tripwire's limitations; he did not have the source for Tripwire, so he wrote a replacement from scratch. Lehti runs a CVS server over the Internet to take full advantage of the worldwide pool of programmers available to develop the application. In this article, we look at AIDE installation and configuration, comparing it to Tripwire where that helps. If you decide to use AIDE, you must read the man pages (man aide and man aide.conf); this article complements, rather than replaces, that documentation.
Listing 4 Updated aide.conf
database=file:///mnt/cdrom/aide.db
database_out=file:///AIDE/Work/aide.db.new
verbose=20
report_url=stdout
report_url=file:///AIDE/Work/check.txt
warn_dead_symlinks=yes
config_version=v2
ReadOnly=p+i+n+u+g+s+m+md5 # read only files
Growing=>
Device=p+u+g+s
/bin ReadOnly
/boot ReadOnly
/dev Device
/etc ReadOnly
=/etc/mrtg$ ReadOnly
=/home$ ReadOnly
/initrd ReadOnly
/lib ReadOnly
/lost+found ReadOnly
/misc ReadOnly
/mnt ReadOnly
/sbin ReadOnly
/usr ReadOnly
/var/log Growing
!/var/log/[^/]*[0-9]$
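To make the attribute groups in Listing 4 concrete, the following Python script is an added example (not AIDE's own code, which is written in C) that models what AIDE does with ReadOnly (p+i+n+u+g+s+m+md5) and Growing (the predefined > group, p+u+g+i+n+S): it builds a baseline database from a directory tree, then compares a later scan against it. The directory layout, file contents and the names build_db, check and demo are constructed for illustration; the rest of the rule language (equals and negative selection lines, the full attribute set) is not reproduced.

```python
"""Miniature file-integrity check modelled on AIDE's attribute groups.

Added example for this article, not AIDE's own code. READONLY and GROWING
mirror the groups in Listing 4; paths, contents and names are constructed.
"""
import hashlib
import os
import shutil
import stat
import tempfile

# Attribute letters as in aide.conf: p=permissions, i=inode, n=link count,
# u=uid, g=gid, s=size, m=mtime, md5=MD5 of the contents.
READONLY = frozenset(["p", "i", "n", "u", "g", "s", "m", "md5"])
# '>' in aide.conf is the growing-logfile group p+u+g+i+n+S, where S means
# the size may increase but must not shrink.
GROWING = frozenset(["p", "u", "g", "i", "n", "S"])


def md5sum(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def attributes(path, group):
    """Collect just the attributes the rule group asks for."""
    st = os.lstat(path)
    values = {"p": stat.S_IMODE(st.st_mode), "i": st.st_ino, "n": st.st_nlink,
              "u": st.st_uid, "g": st.st_gid, "s": st.st_size,
              "S": st.st_size, "m": int(st.st_mtime)}
    if "md5" in group and stat.S_ISREG(st.st_mode):
        values["md5"] = md5sum(path)
    return {k: v for k, v in values.items() if k in group}


def build_db(root, group):
    """The 'aide --init' step: record attributes of everything under root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = attributes(full, group)
    return db


def check(root, group, db):
    """The 'aide --check' step: map each changed path to what changed."""
    current = build_db(root, group)
    report = {}
    for rel in sorted(set(db) | set(current)):
        if rel not in current:
            report[rel] = ["removed"]
        elif rel not in db:
            report[rel] = ["added"]
        else:
            changed = []
            for attr, old in db[rel].items():
                new = current[rel].get(attr)
                if attr == "S":
                    if new < old:            # a growing file may not shrink
                        changed.append("S(shrunk)")
                elif new != old:
                    changed.append(attr)
            if changed:
                report[rel] = changed
    return report


def demo():
    """Constructed scenario: baseline bin/ as ReadOnly and var/log as
    Growing, then tamper with both the way an intruder might."""
    root = tempfile.mkdtemp()
    try:
        bindir, logdir = os.path.join(root, "bin"), os.path.join(root, "var", "log")
        os.makedirs(bindir)
        os.makedirs(logdir)
        ls, messages = os.path.join(bindir, "ls"), os.path.join(logdir, "messages")
        original = b'#!/bin/sh\nexec /usr/bin/ls "$@"\n'
        with open(ls, "wb") as f:
            f.write(original)
        stamp = 1_000_000_000                # fixed mtime keeps the run deterministic
        os.utime(ls, (stamp, stamp))
        with open(messages, "wb") as f:
            f.write(b"Jan  1 00:00:01 host kernel: boot\n")
        db_bin = build_db(bindir, READONLY)
        db_log = build_db(logdir, GROWING)

        # 1. Overwrite ls in place with a same-length trojan and put the old
        #    mtime back: p, i, n, u, g, s and m all still match.
        trojan = b'#!/bin/sh\nexec /tmp/.x/ls "$@"'.ljust(len(original), b"\n")
        with open(ls, "wb") as f:
            f.write(trojan)
        os.utime(ls, (stamp, stamp))
        after_trojan = check(bindir, READONLY, db_bin)

        # 2. A log that only grows is exactly what the Growing rule expects.
        with open(messages, "ab") as f:
            f.write(b"Jan  1 00:00:02 host sshd: session opened\n")
        after_append = check(logdir, GROWING, db_log)

        # 3. Wiping the log shrinks it, and that is reported.
        with open(messages, "wb") as f:
            f.write(b"")
        after_truncate = check(logdir, GROWING, db_log)
    finally:
        shutil.rmtree(root)
    return {"trojan": after_trojan, "append": after_append, "truncate": after_truncate}


if __name__ == "__main__":
    for step, report in demo().items():
        print(step, report or "no changes")
```

Running it shows why md5 belongs in ReadOnly: a same-length trojan whose mtime has been reset slips past p, i, n, u, g, s and m and is caught only by the checksum, while a log that grows under the Growing rule is not reported until it shrinks. As with the listing, the baseline is only worth anything if it was built on a known-clean system and stored where an intruder cannot rewrite it, which is why Listing 4 reads the database from /mnt/cdrom and writes the new one elsewhere.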