Wiki

User Tools

Site Tools

Trace:
aide:aide_configuration

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
aide:aide_configuration [2016/07/16 20:51] peteraide:aide_configuration [2019/11/25 22:10] (current) – removed peter
Line 1: Line 1:
-====== AIDE - AIDE Configuration ====== 
- 
-The default configuration of AIDE is quite fine.  But it can be tweaked if required. 
- 
-===== Who to send the report to? ===== 
- 
-Reports which are created once a day can be sent to a custom email address. The variable **MAILTO** should be changed to whichever email address you like: 
- 
-The default is to send reports to root on localhost. 
- 
-To change it, open and edit **/etc/default/aide** 
- 
- 
-===== Configuring aide ===== 
- 
-Most AIDE configuration is in file **/etc/aide/aide.conf**.  This file is pretty well documented and default rules are descent but we are going to make some slight changes. 
- 
-AIDE aims at reporting files that changed since the last snapshot (/var/lib/aide/aide.db).  A good security measure is to keep that file on a read-only device such as a floppy disk or a cdrom.  If your machine has such a device, you could use the snapshot from that device.  So let say that you have a copy of aide.db on a cdrom.  To use that snapshot, you could change: 
- 
-<file bash /etc/aide/aide.conf> 
-database=file:/var/lib/aide/aide.db 
-</file> 
- 
-to 
- 
-<file bash /etc/aide/aide.conf> 
-database=file:/media/cdrom/aide.db 
-</file> 
- 
-instead.  That way, if an intruder get into your machine, he won't be able to modify **aide.db**. 
- 
-Ok, now let see what is going on in /etc/aide/aide.conf. 
- 
-By default, AIDE checks for changes in Binaries and Libraries directories.  Those changes are matched to the BinLib rule, which basically check for any changes in permissions, ownership, modification, access and creation date, size change, md5 and sha1 signature, inode, number of links and block count. 
- 
-Then, it also check for modifications in the log files against the rule Logs.  Because log files tends to grow, you cannot use a signature there and you also have to asked aide not to check for size modification (S). 
- 
-Okie, this should be enough to get to understand how aide works.  Reading through /etc/aide/aide.conf is a good place to learn more. 
- 
-To me, there is actually another place I would like aide to go and check.  This is /etc/ To do so, I added: 
- 
-<file bash /etc/aide/aide.conf> 
-/etc ConfFiles 
-</file> 
- 
-in /etc/aide/aide.conf, this will check for changes in /etc/. 
- 
  
aide/aide_configuration.1468702268.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki