You may be wondering about the different types of checks AIDE can perform. The checks are described again in Table 12.2.
It's probably helpful to break down the types of AIDE checks into categories. There are three basic categories of AIDE checks: what I will term standard checks, grouped checks, and checksums. The standard type of AIDE check looks for information that can be gathered from the file or the file's descriptor. These checks are listed in Table 12.3.
These standard checks all rely on metadata that the Linux filesystem keeps natively in the file's inode entry, so running a given standard check is less resource intensive than a checksum check, which must read the whole file. Some of these checks suit certain files well, whereas others will cause the file to show up in a report nearly every time the check is run. For example, the Ctime of a given file should not change unless the file is deleted or replaced with another. It may not be readily apparent what some of the standard checks actually do. Table 12.4 describes what may be the more obscure checks within this group.
On the other hand, grouped checks combine some of the more commonly used standard checks, as described in Table 12.5.
Finally, checksums utilize cryptographic checksums of the files, as explained earlier in the chapter and defined in Table 12.6.
The differences in the various checksum check types can be explained simply as the differences in the cryptographic algorithms used to create the checksums. I'll leave it up to you to do further research on the types of cryptographic algorithms used by AIDE. I recommend Applied Cryptography, by Bruce Schneier, as a great reference for this purpose.
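To make the standard-versus-checksum distinction concrete, here is a small added example (my own code, not AIDE's) that takes a baseline of a file the way a simplified AIDE database entry would, using AIDE's one-letter codes for the standard checks (p, i, n, u, g, s, m, c, all read from one lstat call) alongside md5, sha1 and sha256 checksums. The monitored file name and its contents are constructed for the demo; the scenario edits the file in place without changing its size and then restores the original mtime, so only the checks that genuinely see the change are flagged.

```python
import hashlib
import os
import stat
import tempfile
import time

# AIDE's one-letter codes for the standard (inode-derived) checks.
STANDARD_CHECKS = ("p", "i", "n", "u", "g", "s", "m", "c")
# Checksum checks used here; these names are also hashlib algorithm names.
CHECKSUM_CHECKS = ("md5", "sha1", "sha256")


def standard_attrs(path):
    """Standard checks: every value comes from one lstat(2) call, no file read."""
    st = os.lstat(path)
    return {
        "p": stat.S_IMODE(st.st_mode),  # permission bits
        "i": st.st_ino,                 # inode number
        "n": st.st_nlink,               # hard link count
        "u": st.st_uid,                 # owner uid
        "g": st.st_gid,                 # owner gid
        "s": st.st_size,                # size in bytes
        "m": st.st_mtime_ns,            # last content modification
        "c": st.st_ctime_ns,            # last inode change, set by the kernel
    }


def checksums(path, algos=CHECKSUM_CHECKS):
    """Checksum checks: the whole file is read once and fed to every hash."""
    hashers = {name: hashlib.new(name) for name in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def snapshot(path):
    """One database entry: standard attributes plus checksums."""
    entry = standard_attrs(path)
    entry.update(checksums(path))
    return entry


def changed_checks(baseline, current):
    """Sorted names of the checks whose value differs between two snapshots."""
    return sorted(k for k in baseline if baseline[k] != current.get(k))


def demo():
    """Constructed scenario: a same-size content edit with the mtime put back.

    Returns the list of check names that flag the change.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.conf")  # hypothetical monitored file
        with open(path, "wb") as fh:
            fh.write(b"listen_port = 8080\n")  # constructed content
        baseline = snapshot(path)

        # ctime has clock-tick resolution; wait so the kernel assigns a new value.
        time.sleep(0.2)
        # Overwrite in place with the same length, then restore the original
        # mtime so the "s" and "m" standard checks see nothing at all.
        with open(path, "r+b") as fh:
            fh.write(b"listen_port = 8081\n")
        os.utime(path, ns=(baseline["m"], baseline["m"]))

        return changed_checks(baseline, snapshot(path))


if __name__ == "__main__":
    print("flagged by:", demo())
```

Size, mtime, inode and permissions all report no change, so only the three checksums prove the contents differ; on a filesystem with sub-second timestamps the "c" check is flagged as well, because the kernel bumps ctime both on the write and on the utime call. That is the trade-off the chapter describes: the standard checks cost one stat per file, while a checksum costs a full read but cannot be satisfied by keeping the size and timestamps the same.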