Differences

This shows you the differences between two versions of the page.

--- aide:aide_configuration [2019/11/24 14:52] – peter
+++ aide:aide_configuration [2019/11/25 22:10] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== AIDE - AIDE Configuration ======
-The default configuration of AIDE is quite fine.  But it can be tweaked if required.
-By default, AIDE checks for changes in Binaries and Libraries directories.  Those changes are matched to the BinLib rule, which basically check for any changes in permissions, ownership, modification, access and creation date, size change, md5 and sha1 signature, inode, number of links and block count.
-Then, it also check for modifications in the log files against the rule Logs.  Because log files tends to grow, you cannot use a signature there and you also have to asked aide not to check for size modifications.
-Okie, this should be enough to get to understand how aide works.  Reading through /etc/aide/aide.conf is a good place to learn more.
-----
-===== Who to send the report to? =====
-Reports which are created once a day can be sent to a custom email address. The variable **MAILTO** should be changed to whichever email address you like:
-The default is to send reports to root on localhost.
-To change it, open and edit **/etc/default/aide**
-<file bash /etc/default/aide>
-...
-# This is the email address reports get mailed to
-# default is root
-# This variable is expanded before it is used, so you can use variables
-# here. For example, MAILTO=$FQDN-aide@domain.example will send the
-# report to host.name.example-aide@domain.example is the local FQDN is
-# host.name.example.
-#MAILTO=root
-MAILTO=admin@sharewiz.net
-...
-</file>
-===== Configuring aide =====
-Most AIDE configuration is in file **/etc/aide/aide.conf**.  This file is pretty well documented and default rules are descent but we are going to make some slight changes.
-AIDE aims at reporting files that changed since the last snapshot (/var/lib/aide/aide.db).  A good security measure is to keep that file on a read-only device such as a floppy disk or a cdrom.  If your machine has such a device, you could use the snapshot from that device.  So let say that you have a copy of aide.db on a cdrom.  To use that snapshot, you could change:
-<file bash /etc/aide/aide.conf>
-database=file:/var/lib/aide/aide.db
-</file>
-to
-<file bash /etc/aide/aide.conf>
-database=file:/media/cdrom/aide.db
-</file>
-That way, if an intruder get into your machine, they won't be able to modify **aide.db**.
-Ok, now let see what is going on in /etc/aide/aide.conf.
-To me, there is actually another place I would like aide to go and check.  This is /etc/.  To do so, I added:
-<file bash /etc/aide/aide.conf>
-/etc ConfFiles
-</file>
-in /etc/aide/aide.conf, this will check for changes in /etc/.