Ubuntu - AIDE - AIDE Configuration

The default configuration of AIDE is fine as it is, but it can be tweaked if required.

By default, AIDE checks for changes in the binary and library directories. Those directories are matched to the BinLib rule, which checks for any change in permissions, ownership, modification, access and creation dates, size, md5 and sha1 signatures, inode, number of links and block count.

It also checks for modifications to the log files against the Logs rule. Because log files tend to grow, you cannot use a signature there, and you also have to tell AIDE not to check for size changes.

OK, this should be enough to understand how AIDE works. Reading through /etc/aide/aide.conf is a good place to learn more.


Configuring aide

Most AIDE configuration is in the file /etc/aide/aide.conf. This file is pretty well documented and the default rules are decent, but we are going to make some slight changes.

AIDE aims at reporting files that changed since the last snapshot (/var/lib/aide/aide.db). A good security measure is to keep that file on a read-only device such as a floppy disk or a cdrom. If your machine has such a device, you can use the snapshot from that device. So let's say that you have a copy of aide.db on a cdrom. To use that snapshot, you would change:

/etc/aide/aide.conf
database=file:/var/lib/aide/aide.db

to

/etc/aide/aide.conf
database=file:/media/cdrom/aide.db

That way, if an intruder gets into your machine, they won't be able to modify aide.db.

OK, now let's see what is going on in /etc/aide/aide.conf.


Add /etc checking to aide

To include the /etc/ directory in AIDE checking, add:

/etc/aide/aide.conf
/etc ConfFiles

to /etc/aide/aide.conf; this will check for changes in /etc/.
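As an added example (not from the original page, and not part of AIDE itself), the POSIX shell script below reads an aide.conf written in the layout described above and checks the three points made so far: where the database= line points (it only prints a note when the snapshot sits on the local writable filesystem instead of read-only media), whether /etc is bound to a rule by a selection line, and whether the Logs rule stays clear of size and signature attributes. The sample configuration it writes is constructed for the demonstration and is not the real Debian default file; the function names are assumptions, and the attribute letters follow AIDE's usual p/i/n/u/g/s/b/m/c/md5/sha1 notation.

```shell
#!/bin/sh
# Added example, not part of the original page or of AIDE itself.
# Reads an aide.conf in the Debian layout the page describes:
#   database=file:<path>           where the reference snapshot is read from
#   Name = p+i+n+u+g+...           a rule (set of attributes to compare)
#   <path> <Name>                  a selection line binding a path to a rule
# and checks the points the page makes about the database location,
# /etc coverage and the Logs rule.

# Write a constructed sample aide.conf to the file named by $1.
# (Constructed for this demo; it is not the real Debian default file.)
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample aide.conf
database=file:/media/cdrom/aide.db
database_out=file:/var/lib/aide/aide.db.new
BinLib = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
/bin BinLib
/lib BinLib
/var/log Logs
/etc ConfFiles
EOF
}

# Print the path the database= line points at (last one wins if repeated).
aide_database_path() {
    sed -n 's/^database=file:\(.*\)$/\1/p' "$1" | tail -n 1
}

# Print the rule name bound to a path by a selection line, if any.
aide_rule_for() {
    awk -v p="$2" '!/^#/ && $1 == p { print $2 }' "$1"
}

# Print the attribute string of a rule definition ("Name = attrs").
aide_rule_attrs() {
    awk -v r="$2" -F '[ =]+' '!/^#/ && $1 == r { print $2 }' "$1"
}

# Succeed if rule $2 in config $1 contains attribute $3 exactly
# (so "s" does not match "sha1").
aide_rule_has_attr() {
    aide_rule_attrs "$1" "$2" | tr '+' '\n' | grep -qx -- "$3"
}

# Run the checks; return 0 when /etc is monitored and Logs carries no
# size or signature attribute. The database location only produces a note.
check_conf() {
    conf=$1
    status=0

    db=$(aide_database_path "$conf")
    echo "database: ${db:-<none>}"
    case $db in
        /var/lib/*) echo "note: database lives on the local writable filesystem" ;;
    esac

    rule=$(aide_rule_for "$conf" /etc)
    if [ -n "$rule" ]; then
        echo "/etc is monitored with rule $rule"
    else
        echo "FAIL: no selection line for /etc"
        status=1
    fi

    for attr in s md5 sha1; do
        if aide_rule_has_attr "$conf" Logs "$attr"; then
            echo "FAIL: Logs rule checks '$attr'; every growing log would be reported"
            status=1
        fi
    done
    return $status
}

# Demo: write the constructed sample, check it, clean up.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
check_conf "$demo_conf"
rm -f "$demo_conf"
```

Run it against the real file with `check_conf /etc/aide/aide.conf` after sourcing the script; on a stock Debian or Ubuntu configuration the rule names and macro syntax may differ from the sample, so treat the selection-line and rule parsing as a starting point rather than a complete parser of AIDE's syntax.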


Who to send the report to?

Reports, which are created once a day, can be sent to a custom email address by setting the variable MAILTO to whichever address you like. The default is to send reports to root on localhost.

To change it, open and edit /etc/default/aide:

/etc/default/aide
...
# This is the email address reports get mailed to
# default is root
# This variable is expanded before it is used, so you can use variables
# here. For example, MAILTO=$FQDN-aide@domain.example will send the
# report to host.name.example-aide@domain.example if the local FQDN is
# host.name.example.
#MAILTO=root
MAILTO=admin@sharewiz.net
...