Short tip: list of modified RPM packages
If you want to have a short overview about which files of installed RPM packages has been altered, you probably don't want to deal with AIDE - a short script should be enough:
1#!/bin/sh
2for i in $(rpm -qa|tr "n" " ")
3do
4 RESULT="$(rpm -vV $i)"
5 if [ "$?" != "0" ]; then
6 echo "$i has been changed:"
7 echo "$RESULT"
8 echo ""
9 fi
10done
Of course you should have a detailed look at the file list - modified files don't have to be the result of an attack:
1rootfiles-8.1-6.1.el6.noarch has been changed:
2......... c /root/.bash_logout
3S.5....T. c /root/.bash_profile
4......... c /root/.bashrc
5......... c /root/.cshrc
6......... c /root/.tcshrc
In this case, the bash profile of root has been modified.