Added files:
---------------------------------------------------
added:/root/.xauth0VekVw
added:/root/.xauthcvqPrt
---------------------------------------------------
Changed files:
---------------------------------------------------
changed:/root
changed:/root/.lesshst
changed:/bin
changed:/bin/date
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /root
Mtime : 2006-06-01 09:51:05 , 2006-06-01 11:43:23
Ctime : 2006-06-01 09:51:05 , 2006-06-01 11:43:23
File: /root/.lesshst
Mtime : 2006-06-01 10:57:21 , 2006-06-01 12:47:34
Ctime : 2006-06-01 10:57:21 , 2006-06-01 12:47:34
Directory: /bin
Mtime : 2006-03-21 00:18:37 , 2006-06-01 12:49:18
Ctime : 2006-03-21 00:18:37 , 2006-06-01 12:49:18
File: /bin/date
Size : 54684 , 2003
Bcount : 128 , 16
Permissions: -rwxr-xr-x , -rws--x--x
Mtime : 2006-02-11 01:43:13 , 2006-06-01 12:49:18
Ctime : 2006-03-21 00:11:18 , 2006-06-01 12:49:32
Inode : 1986165 , 1977386
MD5 : sGkOBZz1ixmfifDWyS5PNw== , RUhh+HqFShK4bABDxePEtw==
SHA1 : mY4z3oD64L+e36a7s2LQ32E4k+8= , NAkwd0kI05k8svWFerYN5k8C1t0=
A copy of this report is automatically saved in /var/log/aide.log.
In this case, AIDE has detected changes to /bin/date and to /root/.lesshst (the history file for the less command), along with two new .xauth files under /root and updated timestamps on the /root and /bin directories. The change to date deserves the closest attention, because it is a commonly used program and the report shows it was not edited in place but replaced: the inode number changed, the size dropped from 54684 to 2003 bytes, both checksums differ, and /bin itself was modified at the same moment (12:49:18). The replacement's permissions are -rws--x--x, so the set-user-ID bit is set; since no change to the User attribute is reported, the file is still owned by root, and any user typing date will execute a program with superuser privileges. (AIDE prints the MD5 and SHA1 values base64-encoded, which is why they do not look like the familiar hexadecimal digests.)
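To make that triage repeatable, here is an added example (not part of the original text, and not code from AIDE itself) that parses the "Detailed information" section of the report above and applies the same reasoning mechanically: it flags any entry whose permissions gained the set-user-ID bit, whose inode changed (a replacement rather than an in-place edit), whose size shrank, or whose checksum changed. The sample report is the one printed above, embedded as a string; the "Attribute : old , new" line format is the one AIDE uses in that report.

```python
import re

# Constructed sample: a copy of the "Detailed information" section of the AIDE
# report shown above, embedded so the script runs offline (not a live AIDE run).
SAMPLE_REPORT = """\
Detailed information about changes:
---------------------------------------------------
Directory: /root
Mtime : 2006-06-01 09:51:05 , 2006-06-01 11:43:23
Ctime : 2006-06-01 09:51:05 , 2006-06-01 11:43:23
File: /root/.lesshst
Mtime : 2006-06-01 10:57:21 , 2006-06-01 12:47:34
Ctime : 2006-06-01 10:57:21 , 2006-06-01 12:47:34
Directory: /bin
Mtime : 2006-03-21 00:18:37 , 2006-06-01 12:49:18
Ctime : 2006-03-21 00:18:37 , 2006-06-01 12:49:18
File: /bin/date
Size : 54684 , 2003
Bcount : 128 , 16
Permissions: -rwxr-xr-x , -rws--x--x
Mtime : 2006-02-11 01:43:13 , 2006-06-01 12:49:18
Ctime : 2006-03-21 00:11:18 , 2006-06-01 12:49:32
Inode : 1986165 , 1977386
MD5 : sGkOBZz1ixmfifDWyS5PNw== , RUhh+HqFShK4bABDxePEtw==
SHA1 : mY4z3oD64L+e36a7s2LQ32E4k+8= , NAkwd0kI05k8svWFerYN5k8C1t0=
"""

# "File: /path" or "Directory: /path" opens a new entry.
ENTRY_RE = re.compile(r"^(File|Directory): (\S+)$")
# "Attribute : old value , new value" as AIDE prints it in the report above.
ATTR_RE = re.compile(r"^(\w+)\s*: (.*?) , (.*)$")


def parse_details(report):
    """Return {path: {attribute: (old, new)}} from the detailed-changes section."""
    changes = {}
    current = None
    for line in report.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = m.group(2)
            changes[current] = {}
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            changes[current][m.group(1)] = (m.group(2), m.group(3))
    return changes


def has_setuid(mode):
    """Symbolic mode as AIDE prints it: type char + 9 permission chars.
    An 's' (or 'S', set-user-ID without execute) in the owner-execute slot,
    index 3, means the set-user-ID bit is set."""
    return len(mode) == 10 and mode[3] in "sS"


def triage(changes):
    """Apply the reasoning from the text to every changed entry and return
    a list of (path, finding) pairs worth a human's attention."""
    findings = []
    for path, attrs in changes.items():
        if "Permissions" in attrs:
            old, new = attrs["Permissions"]
            if has_setuid(new) and not has_setuid(old):
                findings.append((path, "set-user-ID bit added (%s -> %s)" % (old, new)))
        if "Inode" in attrs:
            # A new inode means the file was replaced, not modified in place.
            findings.append((path, "inode changed: file was replaced, not edited in place"))
        if "Size" in attrs:
            old, new = (int(v) for v in attrs["Size"])
            if new < old:
                findings.append((path, "size shrank from %d to %d bytes" % (old, new)))
        if "MD5" in attrs or "SHA1" in attrs:
            findings.append((path, "content checksum changed"))
    return findings


if __name__ == "__main__":
    for path, note in triage(parse_details(SAMPLE_REPORT)):
        print("%s: %s" % (path, note))
```

Run against the sample, only /bin/date produces findings (four of them); the timestamp-only changes to /root, /root/.lesshst and /bin are parsed but not flagged, which matches the text's assessment of the report.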
Since some files are expected to change in specific ways, the qualities that AIDE checks for each file and directory are configurable. Table 8-6 summarizes the default configuration.
Table 8-6. Default AIDE fingerprint configuration
| Pathnames | Fingerprint qualities |
|---|---|
| /boot, /bin, /sbin, /lib, /opt, /usr, /root, /etc/exports, /etc/fstab, /etc/passwd, /etc/group, /etc/gshadow, /etc/shadow | Permissions, inode number, number of links, user, group, size, time of last modification (mtime), time of last inode change (ctime), block count, MD5 checksum, SHA1 checksum |
| All other files in /etc (except /etc/mtab, which is not checked) | Permissions, inode number, user, group |
| /var/log | Permissions, number of links, user, group |
AIDE is configured using the text file /etc/aide.conf; the default contents of this file are:
# Sample configuration file for AIDE.
@@define DBDIR /var/lib/aide
# The location of the database to be read
database=file:@@{DBDIR}/aide.db.gz
# The location of the database to be written
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz
# Whether to gzip the output to database
gzip_dbout=yes
# Default
verbose=5
report_url=file:/var/log/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
# These are the default rules
#
#p: permissions
#i: inode
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#md5: md5 checksum
#sha1: sha1 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#gost: gost checksum
#crc32: crc32 checksum
#R: p+i+n+u+g+s+m+c+md5
#L: p+i+n+u+g
#E: Empty group
#>: Growing logfile p+u+g+i+n+S
# You can create custom rules like this
NORMAL = R+b+sha1
DIR = p+i+n+u+g
# Next decide what directories/files you want in the database
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely
/etc p+i+u+g
!/etc/mtab
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/var/log p+n+u+g
# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future versions.
#
#=/lost\+found DIR
#=/home DIR
Most of this file consists of selection lines, which contain two fields. The first field specifies the files to process or, if prefixed with !, the files to exclude from processing. It is evaluated as a regular expression that is anchored to the beginning of the pathname but not to its end, so the pattern /lib matches any pathname starting with /lib, including files such as /lib/lsb/init-functions (and, on a system that has one, a /lib64 tree as well); to match a single pathname exactly, end the pattern with $.