AIDE Manual version 0.16

The AIDE manual

This manual is by no means complete, usable, readable, comprehensible, or error free. If you have any corrections, additions or constructive comments, please report them as bugs, patches or feature requests. This document was originally written by Rami Lehti with additions made by Marc Haber, Richard van den Berg and Hannes von Haugwitz.

AIDE (Advanced Intrusion Detection Environment) is an intrusion detection program; more specifically, it is a file integrity checker. AIDE constructs a database of the files specified in aide.conf, AIDE's configuration file. The AIDE database stores various file attributes including: file type, permissions, inode number, user, group, file size, mtime and ctime, atime, growing size, number of links and link name.
AIDE also creates a cryptographic checksum or hash of each file using one or a combination of the following message digest algorithms: sha1, sha256, sha512, md5, rmd160, tiger, haval, crc32 (gost and whirlpool can be compiled in if mhash support is available). Additionally, the attributes acl, xattr, selinux and e2fsattrs can be used when explicitly enabled during compile time.
Typically, a system administrator will create an AIDE database on a new system before it is brought onto the network. This first AIDE database is a snapshot of the system in its normal state and the yardstick by which all subsequent updates and changes will be measured. The database should contain information about key system binaries, libraries, header files, and all other files that are expected to remain the same over time. The database probably should not contain information about files which change frequently, like log files, mail spools, proc filesystems, users' home directories, or temporary directories.

After a break-in, an administrator may begin by examining the system using system tools like ls, ps, netstat, and who, the very tools most likely to be trojaned. Imagine that ls has been doctored to not show any file named 'sniffedpackets.log' and that ps and netstat have been rewritten to not show any information for a process named 'sniffdaemond'. Even an administrator who had previously printed out on paper the dates and sizes of these key system files cannot be certain by comparison that they have not been modified in some way.
File dates and sizes can be manipulated; some of the better rootkits make this trivial. While it is possible to manipulate file dates and sizes, it is much more difficult to manipulate a single cryptographic checksum like md5, and exponentially more difficult to manipulate each of the entire array of checksums that AIDE supports.
By rerunning AIDE after a break-in, a system administrator can quickly identify changes to key files and have a fairly high degree of confidence as to the accuracy of these findings. Unfortunately, AIDE cannot provide absolute certainty about changes in files. Like any other system file, AIDE's binary and/or database can also be altered.

I'm in a hurry

Bottom line about compilation: after you have installed all the necessary software, run ./configure; make; make install in the main AIDE directory of the unpacked source tree.
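To make the argument of the previous two sections concrete, here is an added example (not AIDE's own code) that mimics the database-then-compare workflow with a subset of AIDE's attributes: it snapshots mode, inode, size, mtime and sha256, then replaces a file's content with same-length data and restores its timestamps, the manipulation the text describes, and shows that only the checksum reveals the change. The directory, file names and contents are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Baseline database: {relative path: attributes} for every regular file under root.
    ctime is deliberately omitted here; AIDE does record it, and unlike mtime it
    cannot be set back with utime(), which is one reason it is worth storing."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            db[os.path.relpath(path, root)] = {
                "mode": stat.S_IMODE(st.st_mode),
                "inode": st.st_ino,
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": h.hexdigest(),
            }
    return db


def compare(baseline, current):
    """Report added and removed paths, and for each surviving path the attributes that differ."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": {}}
    for path in set(baseline) & set(current):
        diff = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
        if diff:
            report["changed"][path] = diff
    return report


def demo():
    """Constructed scenario: a file is rewritten in place with same-length content
    and its timestamps are restored, so size, mtime and inode all still match."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "ls")           # stands in for a key system binary
        with open(target, "wb") as f:
            f.write(b"original ls binary")
        baseline = snapshot(root)
        st = os.stat(target)
        with open(target, "wb") as f:                # truncating keeps the same inode
            f.write(b"modified ls binary")           # same length as the original
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # put the timestamps back
        return compare(baseline, snapshot(root))     # only the sha256 attribute differs
```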