Today I installed AIDE on a CentOS 5 server. This package is an alternative to the traditional Tripwire. The installation is done in a cinch with yum:
$ sudo yum -y install aide
The first thing I noticed was that this server had SELinux disabled, so I had to make the following changes to the supplied configuration file, /etc/aide.conf.
I added the following lines close to the top; these are copies of default rules but without the selinux checks (which would otherwise generate errors):
# Default rules redefined without the selinux attribute
R = p+i+n+u+g+s+m+c+acl+xattrs+md5
L = p+i+n+u+g+acl+xattrs
> = p+u+g+i+n+S+acl+xattrs
DIR = p+i+n+u+g+acl+xattrs
PERMS = p+i+u+g+acl
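An added check, not part of the original post: the awk filter below lists every rule in an aide.conf that still pulls in the selinux attribute, directly or through another rule, and every path selected with such a rule. The sample configuration is constructed for illustration and WEB is a hypothetical rule name.

```shell
# Added example: find aide.conf rules and paths that still use "selinux".
# Print "rule NAME" for each rule definition that includes selinux, directly
# or through an earlier rule, and "path PATH" for each selection line using one.
find_selinux_rules() {
    awk '
    # True if any +/- separated token is selinux or an already flagged rule.
    function tainted(expr,    n, i, tok) {
        n = split(expr, tok, /[+-]/)
        for (i = 1; i <= n; i++) {
            gsub(/[ \t]/, "", tok[i])
            if (tok[i] == "selinux" || (tok[i] in bad)) return 1
        }
        return 0
    }
    /^[ \t]*(#|@@)/ { next }               # comments and macro directives
    NF == 0 { next }                       # blank lines
    {
        c = substr($1, 1, 1)
        if (c == "!") next                 # negative selection: nothing checked
        if (c == "/" || c == "=") {        # selection line: PATH RULE
            if (tainted($2)) print "path " $1
            next
        }
        eq = index($0, "=")                # definition line: NAME = attributes
        if (eq == 0) next
        name = substr($0, 1, eq - 1)
        gsub(/[ \t]/, "", name)
        if (tainted(substr($0, eq + 1))) { bad[name] = 1; print "rule " name }
    }
    ' "$1"
}

# Constructed sample configuration (WEB is a hypothetical rule name).
write_sample_conf() {
    cat > "$1" <<'EOF'
database=file:/var/lib/aide/aide.db.gz
R = p+i+n+u+g+s+m+c+acl+xattrs+md5
DIR = p+i+n+u+g+acl+selinux+xattrs
WEB = DIR+sha256
/boot R
/var/www WEB
!/var/www/cache
/srv DIR
EOF
}

conf=$(mktemp) && write_sample_conf "$conf" && find_selinux_rules "$conf"
rm -f "$conf"
```

Running find_selinux_rules against /etc/aide.conf before aide --init should print nothing once every selinux reference has been removed.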
Then as root, initialize the database:
$ sudo aide --init
AIDE, version 0.13.1
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
Copy the new database, to make it the baseline to check against:
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Then create a file named aidecheck in /etc/cron.daily with the following contents:
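#!/bin/sh
# Compare against the baseline, write a fresh database and mail the report to root
/bin/nice -n 18 /usr/sbin/aide --update | \
  /bin/mail -s "AIDE check on host `hostname`" root
# Promote the fresh database to baseline, so each change is reported only once
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz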
Be sure to make the file executable:
$ sudo chmod 755 /etc/cron.daily/aidecheck