11/Aug/2006 tested on SuSE 10.1
The Advanced Intrusion Detection Environment (AIDE) works by creating a database containing information about the files on your system. The database is created from rules described in the configuration file aide.conf. When AIDE is run, this database is referenced to check for changes. Any changes not permitted by the configuration file are reported.
SuSE now ships with AIDE instead of Tripwire.
# rpm -ihv aide-0.11-10.i586.rpm
# cd /usr/share/doc/packages/aide/examples/etc/cron.daily/
# cp aide.sh /etc/cron.daily/
# verbose=1
verbose=3
...
# warn_dead_symlinks=yes
...
# manpages can be trojaned, especially depending on *roff implementation
/usr/man ManPages
/usr/share/man ManPages
/usr/local/man ManPages
# check sources for modifications
/usr/src L
/usr/local/src L
# Check headers for same
/usr/include L
/usr/local/include L
# aide --init
# cd /var/lib/aide
# cp aide.db.new aide.db
# aide --check
AIDE found differences between database and filesystem!!
Start timestamp: 2006-08-10 10:58:21
Summary:
Total number of files: 348565
Added files: 0
Removed files: 0
Changed files: 4
---------------------------------------------------
Changed files:
---------------------------------------------------
changed:/etc
changed:/etc/cups/certs
changed:/etc/cups/certs/0
changed:/etc/named.conf
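An added example, not part of the original page or of the AIDE package: a small shell filter that reads an aide --check report and prints only the entries that are not covered by a list of paths expected to change, so they can be reviewed before the database is refreshed with aide --update. The EXPECTED list, the function names and the embedded sample report are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage an `aide --check` report before accepting it.
# Assumption: EXPECTED holds path prefixes known to change routinely on this
# host (here the CUPS certificate directory seen in the report above).
EXPECTED="${EXPECTED:-/etc/cups/certs}"

# Constructed sample, shaped like the report shown above.
sample_report() {
    cat <<'EOF'
AIDE found differences between database and filesystem!!
Start timestamp: 2006-08-10 10:58:21
Summary:
Total number of files: 348565
Added files: 0
Removed files: 0
Changed files: 4
---------------------------------------------------
Changed files:
---------------------------------------------------
changed:/etc
changed:/etc/cups/certs
changed:/etc/cups/certs/0
changed:/etc/named.conf
EOF
}

# Emit "<kind> <path>" for every added:/removed:/changed: entry on stdin.
aide_paths() {
    awk '/^(added|removed|changed):\// {
        k = $0; sub(/:.*/, "", k)      # kind = text before the first colon
        sub(/^[a-z]+:/, "")            # strip the kind, leaving the path
        print k, $0 }'
}

# Emit only entries that no EXPECTED prefix covers; these need a human look.
aide_unexpected() {
    aide_paths | while read -r kind path; do
        hit=0
        for p in $EXPECTED; do
            case "$path" in "$p"|"$p"/*) hit=1 ;; esac
        done
        if [ "$hit" -eq 0 ]; then echo "$kind $path"; fi
    done
}

# Stand-alone run: list what should be explained before `aide --update`.
sample_report | aide_unexpected
```

On a live system the same filter can be fed directly, for example aide --check | aide_unexpected, with EXPECTED set to a space-separated list of prefixes.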
# aide --update
# cd /var/lib/aide
# cp aide.db.new aide.db
# cp /usr/share/doc/packages/aide/examples/etc/cron.daily/aide.sh /etc/cron.daily