Intrusion Detection with AIDE; Setting Up an AIDE Database - Novell SUSE Linux Enterprise Desktop 11 Security Guide, 17-03-2009

13 Intrusion Detection with AIDE
Securing your systems is a mandatory task for any mission-critical system. However,
regardless of how hard you try, it is impossible to guarantee that the system has not
been compromised. When administering important servers, where the integrity and
security of your data is critical, it is a good idea to perform some extra checks from
time to time to ensure that the system is still under the administrator's control.

An easy check that can often reveal unwanted changes is available through rpm. The
package manager has a built-in verify function that checks all files it manages on the
system for changes. To verify all files, run the command rpm -Va. However, this
command also reports changes to configuration files, so you have to do some filtering
to isolate the important changes.

A further problem with the rpm method is that an intelligent attacker will modify rpm
itself to hide any changes made by a rootkit that allows the attacker to keep control
over your system. To address this, implement a secondary check that can also be run
completely independently of the installed system. This is where AIDE comes into play.
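The filtering the paragraph above calls for, as an added example that is not from the SUSE guide: a small POSIX shell script that parses the output format of rpm -V (a fixed-width attribute string, a file-type flag and the path), drops the lines flagged as configuration files, and can narrow the result to files whose size or digest changed. The sample rpm -Va output embedded in the script is constructed for illustration, not captured from a real system, and the function names filter_rpm_verify and content_changes are the example's own.

```shell
#!/bin/sh
# Added example, not part of the SUSE guide: strip configuration-file noise
# from `rpm -Va` output so that real changes to binaries and libraries stand out.
#
# `rpm -V` prints one line per file that failed a test:
#
#   <attrs>  <type> <path>
#
# <attrs> is a fixed-width string, one character per test: "." means the test
# passed, "?" means it could not be run, a letter names the failed test:
#   S size   M mode   5 digest   D device   L symlink   U user   G group   T mtime
# (newer rpm versions add a ninth column, P, for file capabilities).
# <type> is "c" for %config files, "d" documentation, "g" ghost, "l" license,
# "r" readme, or blank for ordinary files. A file that is gone prints
# "missing" in place of <attrs>.
#
# Both functions read rpm -V output on stdin and write the kept lines to stdout.

# Drop every line whose type flag is "c": a changed config file is expected
# after normal administration and is not, by itself, evidence of tampering.
# Fields are split on whitespace, so an ordinary file has 2 fields and a
# typed file has 3. rpm-managed paths containing spaces are rare; such a line
# would gain extra fields and be kept rather than dropped (the safe direction).
filter_rpm_verify() {
    awk 'NF == 3 && $2 == "c" { next } { print }'
}

# Narrow further to files whose content differs from the package: size (S)
# or digest (5) changed, or the file is missing. Mode, owner and mtime-only
# changes (M, U, G, T) are left out here; they deserve a look, but they are
# often produced by legitimate tooling and drown the content changes.
content_changes() {
    filter_rpm_verify | awk '$1 == "missing" || $1 ~ /[S5]/ { print }'
}

# Constructed sample of `rpm -Va` output for demonstration (not captured
# from a real system). The attribute strings use the nine-column layout.
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/zoneinfo/posix/UTC
S.5....T.    /usr/bin/ps
SM5....T.    /bin/login
missing   c /etc/sysconfig/example
missing     /usr/share/doc/packages/example/README
.M.......    /usr/bin/sudo'

# Demo run on the sample. On a live system use:  rpm -Va | content_changes
printf '%s\n' "$SAMPLE_RPM_VA" | content_changes
```

On the sample this leaves three lines (ps and login with changed size and digest, and the missing README) out of seven. Note what the filter does not do: it still trusts the rpm binary and the RPM database on the same disk, which is exactly the weakness described above. It reduces noise; it does not provide an independent check.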

13.1 Setting Up an AIDE Database

The AIDE database should be initialized directly after installing the system. To be
sure that nothing bad happened during or after the installation, perform the installation
directly at the console, with no network attached to the computer. Do not leave the
computer unattended or connected to any network before AIDE has created its database.