aide is a simple piece of the puzzle for detecting file modifications during an intrusion. It does have its limitations (e.g. rootkits, etc). One limitation, if I understand it correctly, is that if you want to utilize key signing of the database you have to compile it yourself. It is also recommended that the database be stored on read-only memory. Since, I back my system up fairly regularly I don't worry so much about whether an intruder is going to delete the database as much as I am concerned about them modifying the ASCII database.

The limitation to my script is you cannot schedule the tasks, but must run them interactively. There are other good solutions for running interactive tasks across multiple systems, and I will leave that for another time.

Here are my scripts for protecting the database. I'm sure others can write better bash scripts

aide-init.sh
Code:
#!/bin/bash

# Initializes/re-creates the aide database
# This should be run any time changes have been made to the system

cd /var/lib/aide

# Backup your old aide encrypted database
if [ -f aide.db.aes ]
then
  mv aide.db.aes aide.db.aes-`date +%F-%H-%M-%S`
fi

# Housekeeping: This file should not exist, but remove it if it does
if [ -f aide.db ]
then
  shred -z -n 7 -u aide.db
fi

# Housekeeping: This file should not exist, but remove it if it does
if [ -f aide.db.new ]
then
  shred -z -n 7 -u aide.db.new
fi

# Create a new aide.db.new file
aide --init

# Prompt for a password and store it in "$pwd"
IFS= read -s  -p Password: pwd
# Store the password in a temporary file
echo -n "$pwd" >$$.tmp
# Give the user a newline after they hit enter
echo

# Encrypt your new aide database
gpg2 --batch --passphrase-file $$.tmp -c --cipher-algo aes256 -o aide.db.aes aide.db.new

# Make the aide.db.new and temporary password file non-recoverable
shred -z -n 7 -u aide.db.new *.tmp
aide-check.sh
Code:
#!/bin/bash

# Compares the aide database against the current system

cd /var/lib/aide

# Housekeeping: This file should not exist, but remove it if it does
if [ -f aide.db ]
then
  shred -z -n 7 -u aide.db
fi

# Housekeeping: This file should not exist, but remove it if it does
if [ -f aide.db.new ]
then
  shred -z -n 7 -u aide.db.new
fi

# Make sure the encrypted database exists
if [ -f aide.db.aes ]
then
  # Prompt for a password and store it in "$pwd"
  IFS= read -s  -p Password: pwd
  # Store the password in a temporary file
  echo -n "$pwd" >$$.tmp
  # Give the user a newline after they hit enter
  echo

  # Decrypt the database
  gpg2 --batch --passphrase-file $$.tmp -d aide.db.aes >aide.db 2>/dev/null
else
  echo ERROR: There is no encrypted database!
  exit 1
fi

# Make sure the directory exists where the report will be stored
if [ ! -d /root/aide ]
then
  mkdir /root/aide
fi 

# Check for changes to the filesystem and generate a report
aide -CV >/root/aide/aide_`date +%F-%H-%M-%S`.txt

# Make the aide.db and temporary password files non-recoverable
shred -z -n 7 -u aide.db *.tmp