[Aide] Newbie Questions

Steve West stevewest15 at gmail.com
Mon Apr 10 19:42:29 EEST 2006


Hi folks,

I've looked over the manual and went through the mailing archives as
far back as APR 05 and I have a few questions still:

1. I'm sorry if this is a stupid question, but does anyone know what
directories & files I should monitor on Redhat & CentOS 3.x/4.x
boxes? What if someone installs a rootkit outside the location(s) being
checked? I assume they will go unnoticed.

2. One of our web servers was compromised and went unnoticed for
several weeks. :(  They got in via apache and installed some type of
ssh rootkit under /usr/local/. Neither Rootkit Hunter nor chkrootkit detects it
because it did not alter any binaries on the system. Instead they tampered
with a number of log files (i.e. /var/log/wtmp, etc.) to wipe their
tracks clean. My question is: can aide be used to ensure critical log
files are not tampered with? Or is this something better left to
another tool?

Any help is greatly appreciated!

thx,

SW
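The following aide.conf fragment is an added example, not part of the original post or of the AIDE project's own documentation. It sketches one answer to both questions above: a baseline rule for the system directories and for /usr/local (where the rootkit in question 2 was dropped), and a separate "growing file" rule for logs such as /var/log/wtmp, built on AIDE's `S` attribute (size may only grow). The database file paths and the exact directory list are assumptions to adapt to your own hosts; older AIDE releases use the `database`/`database_out` keys shown here, while newer ones use `database_in`/`database_out`.

```conf
# Added example aide.conf (assumed paths; adjust for your hosts)
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

# Rule groups: attributes to record and compare
# p=perms i=inode n=links u=uid g=gid s=size m=mtime c=ctime
# md5/sha1 = content checksums, S = size may only grow (for logs)
BINARY = p+i+n+u+g+s+m+c+md5+sha1
CONFIG = p+i+n+u+g+s+m+c+md5+sha1
GROWLOG = p+i+n+u+g+S

# Question 1: system directories an attacker typically touches
/boot      BINARY
/bin       BINARY
/sbin      BINARY
/lib       BINARY
/usr/bin   BINARY
/usr/sbin  BINARY
/usr/lib   BINARY
/usr/local BINARY
/etc       CONFIG

# Question 2: logs may be appended to, but must not shrink,
# be replaced (inode change) or have ownership/perms changed.
/var/log/wtmp   GROWLOG
/var/log/btmp   GROWLOG
/var/log/secure GROWLOG
/var/log        GROWLOG

# Exclude churn that would otherwise drown real changes
!/var/log/lastlog
!/var/log/.*\.[0-9]+$
!/var/log/.*\.gz$
```

Initialise with `aide --init`, move the produced aide.db.new into place as aide.db, and run `aide --check` from cron. Two caveats matter for the log use case: `S` only detects a shrinking or replaced file, so an in-place rewrite that keeps the size constant is not caught (for that, ship logs to a separate host as they are written), and the AIDE database and binary must be kept where an attacker with root cannot simply regenerate them, such as read-only media or a remote copy compared against at check time.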
