After AIDE's configuration is ready, you can build the initial database with:
aide -i
The created database is usually stored in /usr/pkg/etc/, unless you specified another path in aide.conf.
Since this database is the fingerprint that every later AIDE run compares against, you should ensure its
integrity by protecting it. This can be done with cryptography (e.g. encrypt or sign the database with PGP/GnuPG) or
by simply moving it to protected media such as a CD-ROM or a write-protected floppy /
ZIP disk. If you are paranoid (Who isn't?), you can also move AIDE's binary
onto that media and deinstall the package to deceive an intruder.
Now you can run AIDE to check the status of your filesystem. This is simply
done by
aide -C
AIDE now builds a new database with the current status of all files and
compares it against the initial database.
Excerpt from a database built with the "heavy" macro:
/etc/ld.so.conf 4217405 100644 0 0 55 156666 1 56ALmHB6PCPZN8bkbYHXvg== R+47jcSQFV59spXxQip+VJd+Jdw=
/etc/ttyaction 4217405 100644 0 0 123 156667 1 wHSegaYfbPPg1MbNbvSVOQ== kufrktfUPSYfMp4zyym2M7pyJE8=
/etc/motd 4217405 100664 0 0 1551 156668 1 PQ27jGbXvZUXb+Jsi7uNkg== X82oOZx8XV47nA9zF939H7aHc+A=
/etc/hosts.equiv 4217405 100600 0 0 2 156669 1 Ch8ho0FzieDAoTOSx5p6iQ== 4Axzy+iVsOK5B7wmqjQs0xAKgEs=
Now /etc/motd has been modified and aide -C has been run. Excerpt from the
produced report:
changed:/etc/motd
Detailed information about changes:
File: /etc/motd
Size : 1551 , 1547
Inode : 156668 , 156819
MD5 : PQ27jGbXvZUXb+Jsi7uNkg== , BPOFEUF6A8ttOxkeHnT2ow==
RMD160 : X82oOZx8XV47nA9zF939H7aHc+A= , S6ZmfxjVOSYPpoBrt5TS3Z7fnO0=
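The comparison step described above, as an added example (not AIDE's own code): it parses two database excerpts in the layout shown on this page and lists added, removed and changed entries. The column names are assumptions inferred from the excerpt and the report, and the "current" snapshot, including /etc/rc.local.new, is constructed.

```python
# Column names are assumed from the excerpt and report above, not taken from AIDE.
FIELDS = ("attr", "perm", "uid", "gid", "size", "inode", "lcount", "md5", "rmd160")

# Baseline lines copied from the database excerpt on this page.
BASELINE = """\
/etc/ld.so.conf 4217405 100644 0 0 55 156666 1 56ALmHB6PCPZN8bkbYHXvg== R+47jcSQFV59spXxQip+VJd+Jdw=
/etc/motd 4217405 100664 0 0 1551 156668 1 PQ27jGbXvZUXb+Jsi7uNkg== X82oOZx8XV47nA9zF939H7aHc+A=
/etc/hosts.equiv 4217405 100600 0 0 2 156669 1 Ch8ho0FzieDAoTOSx5p6iQ== 4Axzy+iVsOK5B7wmqjQs0xAKgEs=
"""

# Constructed "current" state: /etc/motd carries the new values from the report,
# /etc/hosts.equiv is missing and /etc/rc.local.new (hypothetical) has appeared.
CURRENT = """\
/etc/ld.so.conf 4217405 100644 0 0 55 156666 1 56ALmHB6PCPZN8bkbYHXvg== R+47jcSQFV59spXxQip+VJd+Jdw=
/etc/motd 4217405 100664 0 0 1547 156819 1 BPOFEUF6A8ttOxkeHnT2ow== S6ZmfxjVOSYPpoBrt5TS3Z7fnO0=
/etc/rc.local.new 4217405 100644 0 0 10 156900 1 CONSTRUCTED-MD5 CONSTRUCTED-RMD160
"""

def parse_db(text):
    """Map path -> {field: value}; lines without exactly ten columns are skipped."""
    db = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS) + 1:
            db[parts[0]] = dict(zip(FIELDS, parts[1:]))
    return db

def compare(old, new):
    """Return (added, removed, changed); changed maps path -> {field: (old, new)}."""
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    changed = {}
    for path in sorted(old.keys() & new.keys()):
        diff = {f: (old[path][f], new[path][f]) for f in FIELDS if old[path][f] != new[path][f]}
        if diff:
            changed[path] = diff
    return added, removed, changed

def report(old_text, new_text):
    # Render the result in roughly the shape of the report excerpt above.
    added, removed, changed = compare(parse_db(old_text), parse_db(new_text))
    lines = [f"added:{p}" for p in added] + [f"removed:{p}" for p in removed]
    lines += [f"changed:{p}" for p in changed]
    for path, diff in changed.items():
        lines.append(f"File: {path}")
        lines += [f"  {f} : {a} , {b}" for f, (a, b) in diff.items()]
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(BASELINE, CURRENT))
```

The unchanged /etc/ld.so.conf entry produces no output, which is why a clean run depends entirely on the baseline being trustworthy.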