If you want a short overview of which files of installed RPM packages have been altered, you probably don’t want to deal with AIDE – a short script should be enough:
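```sh
#!/bin/sh
# Verify every installed package against the RPM database and
# print the verify output for each package that differs.
for i in $(rpm -qa | tr "\n" " ")
do
    RESULT="$(rpm -vV "$i")"
    # rpm -V exits non-zero when at least one file fails verification
    if [ "$?" != "0" ]; then
        echo "$i has been changed:"
        echo "$RESULT"
        echo ""
    fi
done
```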
Of course you should have a detailed look at the file list – modified files don’t have to be the result of an attack:
```
rootfiles-8.1-6.1.el6.noarch has been changed:
.........  c /root/.bash_logout
S.5....T.  c /root/.bash_profile
.........  c /root/.bashrc
.........  c /root/.cshrc
.........  c /root/.tcshrc
```
In this case, the bash profile of root has been modified.
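The attribute string in front of each path (here `S.5....T.`: size, digest and modification time differ) can be decoded mechanically, so that only files which actually differ are listed. The following is an added example, not part of the original script; the category names (`config`, `content`, `metadata`, `missing`) and the `examplepkg` lines in the sample input are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: category names below are this example's own labels, not rpm's.
# Translate an rpm -V attribute string such as "S.5....T." into attribute names.
decode_flags() {
    out=""
    for pair in S:size M:mode 5:digest D:device L:symlink U:owner G:group T:mtime P:capabilities; do
        case $1 in
            *"${pair%%:*}"*) out="${out:+$out,}${pair#*:}" ;;
        esac
    done
    printf '%s\n' "${out:-untested}"   # only "?" set: rpm could not run the test
}

# Read verify output on stdin and print "category<TAB>path<TAB>attributes" for
# each file that differs. Unchanged files and header lines are skipped.
triage_verify() {
    while read -r flags rest; do
        case $flags in
            .........) continue ;;                 # verified, nothing differs
            missing) changes=missing ;;
            *[!.SM5DLUGTP?]*) continue ;;          # not an attribute string
            ?????????) changes=$(decode_flags "$flags") ;;
            *) continue ;;
        esac
        case $rest in
            [cdglr]" "*) marker=${rest%% *}; path=${rest#* } ;;  # c = config file
            *) marker=""; path=$rest ;;
        esac
        category=metadata                          # only mode, owner, mtime, ...
        case $changes in *digest*) category=content ;; esac   # file contents differ
        if [ "$marker" = c ]; then category=config; fi
        if [ "$changes" = missing ]; then category=missing; fi
        printf '%s\t%s\t%s\n' "$category" "$path" "$changes"
    done
}

# Constructed sample: the page's output plus made-up lines for "examplepkg".
sample_output() {
    cat <<'EOF'
rootfiles-8.1-6.1.el6.noarch has been changed:
.........  c /root/.bash_logout
S.5....T.  c /root/.bash_profile
S.5....T.    /usr/bin/example
.M.......    /usr/share/example/data
missing      /usr/share/example/README
EOF
}
sample_output | triage_verify
```

On a real system, pipe the output of the script above into `triage_verify` instead of `sample_output`.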