To reiterate, I've not run AIDE, therefore I'm unlikely to recommend as you suggest. If you want to investigate auditd, start by reading
https://access.redhat.com/documentation ... -hardening, you'll note that a number of models are mentioned. When I ran a medium sized cluster I used the CAPP model, but it doesn't seem to be supported by recent CentOSs. I use NISPOM at home, simply because I'm used to it.
- Controlled Access Protection Profile (CAPP). This is the basic US level of security, equivalent to the old C2 "Orange Book" standard. It is appropriate with Discretionary Access Controls (DAC).
- Labelled Security Protection Profile (LSPP). This is the enhanced US level of security, equivalent to the old B1 "Orange Book" standard. It is appropriate with Mandatory Access Controls (MAC).
- Rule Set Base Access Control (RSBAC). This is an alternative system to SELinux.
- National Industrial Security Program Operating Manual (NISPOM). A US standard for companies working in the defence field.
- Federal Information Security Management Act (FISMA). US government.
- Payment Card Industry - Data Security Standard (PCI-DSS).
- Security Technical Implementation Guides (STIG). A public methodology sponsored by the US government.
For my small home network I let the daemon just write to /var/log/audit/audit.log and manage it through logrotate(8). With the cluster I had all the nodes sending the audit trail back to a couple of servers which stored it on a dedicated disk, which was then subsequently archived. It kept the security people off my back! A cron job generated a daily report which I read as part of my morning routine.
Frankly it all depends upon your needs. If you have a security department that needs an audit trail then auditd makes sense. It was evaluated to EAL 4 for C5 and C6, I would hope it is as secure at C7 and C8. If all you have is a couple of machines that are no target for serious bad guys, go for something simpler.
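As an added example (not code from the post above), here is the shape of the daily-report script a cron job like the one described could run over /var/log/audit/audit.log: it parses auditd's `type=... msg=audit(time:serial): key=value ...` records, counts record types, tallies denied syscalls per watch key and login uid, and lists failed logins. The log lines are constructed samples, not from a real system, and `format_report` is assumed to be fed yesterday's rotated file by the cron entry.

```python
import re
import sys
from collections import Counter

# Constructed sample records in audit.log format (not from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 ppid=1 pid=2002 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" key="etc-shadow"
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=2003 auid=1000 uid=1000 gid=1000 comm="vim" exe="/usr/bin/vim" key="etc-hosts"
type=USER_LOGIN msg=audit(1700000001.000:203): pid=900 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000002.000:204): pid=901 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.11 terminal=ssh res=success'
type=SYSCALL msg=audit(1700000003.000:205): arch=c000003e syscall=257 success=no exit=-13 ppid=1 pid=2004 auid=1001 uid=1001 gid=1001 comm="less" exe="/usr/bin/less" key="etc-shadow"
"""

RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def parse_record(line):
    """Turn one audit.log line into a dict of its fields, or None if it is not a record."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    # Nested msg='...' payloads are flattened; quotes are stripped from values.
    fields = {k: v.strip('"\'') for k, v in FIELD_RE.findall(rest)}
    fields.update(type=rtype, time=int(ts), serial=int(serial))
    return fields

def daily_report(log_text):
    """Summarise a day's records: counts by type, denied syscalls, failed logins."""
    records = [r for r in map(parse_record, log_text.splitlines()) if r]
    by_type = Counter(r['type'] for r in records)
    denied = Counter()            # (watch key, login uid) -> count of success=no
    for r in records:
        if r['type'] == 'SYSCALL' and r.get('success') == 'no':
            denied[(r.get('key', '(no key)'), r.get('auid'))] += 1
    failed = [(r.get('acct') or r.get('id'), r.get('addr')) for r in records
              if r['type'] == 'USER_LOGIN' and r.get('res') == 'failed']
    return {'by_type': dict(by_type), 'denied': dict(denied), 'failed_logins': failed}

def format_report(summary):
    lines = ['Record types: ' + ', '.join(f'{t}={n}' for t, n in sorted(summary['by_type'].items()))]
    for (key, auid), n in sorted(summary['denied'].items()):
        lines.append(f'DENIED  key={key} auid={auid} count={n}')
    for acct, addr in summary['failed_logins']:
        lines.append(f'FAILED LOGIN acct={acct} from={addr}')
    return '\n'.join(lines)

if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(format_report(daily_report(text)))
```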