AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker. It creates a baseline database of file attributes and can detect unauthorized changes to protected files and directories.
Installation
- apt install aide - Install on Debian/Ubuntu
- yum install aide - Install on RHEL/CentOS
- dnf install aide - Install on Fedora
- pacman -S aide - Install on Arch Linux
Initial Setup
- aide --init - Initialize AIDE database
- mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db - Rename database to make it active
- aideinit - Initialize AIDE (Ubuntu/Debian helper script)
Checking Integrity
- aide --check - Run integrity check
- aide --check --report=file:/var/log/aide/report.log - Check and save report to file
- aide -C - Check (same as --check)
- aide --check | tee /var/log/aide/aide-check.log - Check and display output
- aide --check --config=/etc/aide/aide.conf - Use specific config file
Updating Database
- aide --update - Update database after legitimate changes
- mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db - Make updated database active
- aideinit -y - Update database (Ubuntu/Debian, auto-confirm)
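Added example, not AIDE's own code: a miniature model of the init / check / update cycle above. Each record keeps a subset of AIDE's attributes (p, u, g, s plus a sha256 checksum) so you can see how a baseline database is built and how "added", "removed" and "changed" fall out of comparing two snapshots. The function names, the record format and the sample tree built by demo() are constructed for this page; it assumes GNU coreutils (stat -c, sha256sum) and paths without a literal '|'.

```shell
#!/bin/sh
# Model of AIDE's init/check/update cycle (added example, not AIDE code).
# Record format: path|mode|uid|gid|size|sha256  (assumption: no '|' in paths)
export LC_ALL=C

# One record per regular file under $1, sorted by path.
snapshot() {
    find "$1" -type f | while IFS= read -r f; do
        printf '%s|%s|%s\n' "$f" "$(stat -c '%a|%u|%g|%s' "$f")" \
            "$(sha256sum "$f" | cut -d' ' -f1)"
    done | sort -t '|' -k1,1
}

integrity_init()   { snapshot "$1" > "$2"; }       # like: aide --init; mv aide.db.new aide.db
integrity_update() { snapshot "$1" > "$2.new"; }   # like: aide --update (activate with mv)

# Compare the stored database ($2) with the live tree ($1). Prints an
# AIDE-style summary and returns AIDE's exit bits: 1 added, 2 removed, 4 changed.
integrity_check() {
    dir=$1 db=$2
    cur=$(mktemp) old_paths=$(mktemp) new_paths=$(mktemp)
    snapshot "$dir" > "$cur"
    cut -d'|' -f1 "$db"  > "$old_paths"
    cut -d'|' -f1 "$cur" > "$new_paths"
    added=$(comm -13 "$old_paths" "$new_paths" | wc -l | tr -d ' ')     # only on disk
    removed=$(comm -23 "$old_paths" "$new_paths" | wc -l | tr -d ' ')   # only in database
    # Join on path; a record is "changed" if any stored attribute differs from the live one.
    changed=$(join -t '|' "$db" "$cur" | awk -F'|' '
        { n = (NF - 1) / 2
          for (i = 2; i <= n + 1; i++) if ($i != $(i + n)) { c++; break } }
        END { print c + 0 }')
    printf 'Summary:\n  Total number of files: %s\n  Added files: %s\n  Removed files: %s\n  Changed files: %s\n' \
        "$(wc -l < "$cur" | tr -d ' ')" "$added" "$removed" "$changed"
    rm -f "$cur" "$old_paths" "$new_paths"
    rc=0
    [ "$added"   -gt 0 ] && rc=$((rc | 1))
    [ "$removed" -gt 0 ] && rc=$((rc | 2))
    [ "$changed" -gt 0 ] && rc=$((rc | 4))
    return $rc
}

# Demo on a constructed tree: baseline, then one change of each kind, then check.
demo() {
    work=$(mktemp -d)
    mkdir "$work/etc"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$work/etc/passwd"
    printf 'PermitRootLogin no\n'           > "$work/etc/sshd_config"
    printf 'Welcome\n'                      > "$work/etc/motd"
    integrity_init "$work/etc" "$work/aide.db"
    printf 'PermitRootLogin yes\n' > "$work/etc/sshd_config"   # changed: size and sha256 differ
    printf 'exit 0\n'              > "$work/etc/rc.local"      # added
    rm "$work/etc/motd"                                        # removed
    integrity_check "$work/etc" "$work/aide.db"
    rc=$?
    rm -rf "$work"
    return $rc
}

if demo; then echo "exit status 0: no changes"; else echo "exit status $?: changes found"; fi
```

The returned bitmask mirrors the values aide --check itself uses (1 new, 2 removed, 4 changed, so 7 for all three), which is what a cron wrapper keys on. Note what the model makes visible: a file whose content is rewritten with the same size and restored mtime is only caught by the checksum column, which is why the Tips below insist on sha256/sha512.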
Configuration File
- /etc/aide/aide.conf - Main configuration file
- /etc/aide/aide.conf.d/ - Configuration directory (some distributions)
- aide --config-check - Check configuration file syntax
Configuration Syntax
# Define a rule name
RuleName = p+i+n+u+g+s+m+c+md5+sha256
# Monitor a directory
/etc RuleName
# Monitor specific file
/etc/passwd RuleName
# Exclude patterns
!/etc/mtab
!/var/log
!/proc
!/sys
!/tmp
!/var/tmp
# Attributes can also be given inline instead of a rule name
/etc p+u+g
/bin p+u+g+i+n
Rule Attributes
- p - Permissions
- i - Inode
- n - Number of links
- u - User (owner)
- g - Group
- s - Size
- b - Block count
- m - mtime (modification time)
- a - atime (access time)
- c - ctime (inode change time)
- S - Growing size
- md5 - MD5 checksum
- sha1 - SHA1 checksum
- sha256 - SHA256 checksum
- sha512 - SHA512 checksum
- rmd160 - RIPEMD160 checksum
- tiger - Tiger checksum
- haval - Haval checksum
- gost - GOST checksum
- crc32 - CRC32 checksum
- E - Extended attributes
- I - Immutable bits
- l - Link name
- xattrs - Extended attributes (filesystem dependent)
- selinux - SELinux context
- acl - Access Control Lists
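Added example for the Configuration Syntax and Rule Attributes sections, not part of AIDE: a small linter for the attribute expressions in an aide.conf. It reads rule definitions ("Name = attrs") and selection lines ("/path attrs" or "/path RuleName", including "=/dir" and "!/path" forms) and reports tokens missing from the attribute table above, rules with no checksum at all, and rules whose only checksums are md5/sha1/crc32. The token list is the one on this page, the OPTIONS list names a few AIDE configuration options so they are not mistaken for rule definitions, and the sample config in the usage note is constructed.

```shell
#!/bin/sh
# aide.conf attribute linter (added example, not AIDE code).
ATTRS="p i n u g s b m a c S E I l md5 sha1 sha256 sha512 rmd160 tiger haval gost crc32 xattrs selinux acl"
SUMS="md5 sha1 sha256 sha512 rmd160 tiger haval gost crc32"
STRONG="sha256 sha512"
# "name=value" lines that are AIDE options rather than rule definitions (assumed list, extend as needed)
OPTIONS="database database_in database_out database_new gzip_dbout verbose report_url config_version"

has_word() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# lint_attrs LABEL EXPR: print one finding per line, return the number of findings.
lint_attrs() {
    label=$1 expr=$2 findings=0 sums=0 strong=0
    old_ifs=$IFS; IFS='+'; set -- $expr; IFS=$old_ifs
    for tok in "$@"; do
        if ! has_word "$tok" "$ATTRS"; then
            echo "$label: unknown attribute '$tok'"
            findings=$((findings + 1))
        elif has_word "$tok" "$SUMS"; then
            sums=$((sums + 1))
            has_word "$tok" "$STRONG" && strong=1
        fi
    done
    if [ "$sums" -eq 0 ]; then
        echo "$label: no checksum attribute; content changes are only inferred from size and timestamps"
        findings=$((findings + 1))
    elif [ "$strong" -eq 0 ]; then
        echo "$label: only weak checksums in '$expr'; add sha256 or sha512"
        findings=$((findings + 1))
    fi
    return $findings
}

# lint_conf FILE: lint every rule definition and selection line; return total findings.
lint_conf() {
    conf=$1 total=0 defs=$(mktemp)
    while IFS= read -r line; do
        case $line in ''|'#'*|'@@'*) continue ;; esac
        case $line in '='*) line=${line#=} ;; esac        # "=/dir Rule": directory-only selection
        case $line in
        '!'*) continue ;;                                   # exclusion: nothing to check
        *=*)                                                # "Name = attrs" rule definition
            name=$(printf '%s' "${line%%=*}" | tr -d '[:blank:]')
            rhs=$(printf '%s' "${line#*=}"  | tr -d '[:blank:]')
            has_word "$name" "$OPTIONS" && continue
            echo "$name=$rhs" >> "$defs"
            lint_attrs "rule $name" "$rhs"; total=$((total + $?)) ;;
        *)                                                  # "/path attrs" or "/path RuleName"
            set -- $line
            path=$1 rhs=$2
            def=$(grep "^$rhs=" "$defs" | head -n 1)        # resolve a rule name to its attributes
            [ -n "$def" ] && rhs=${def#*=}
            lint_attrs "$path" "$rhs"; total=$((total + $?)) ;;
        esac
    done < "$conf"
    rm -f "$defs"
    return $total
}
```

Usage: lint_conf /etc/aide/aide.conf prints the findings and returns their count, so it slots in next to aide --config-check before the first --init. On a constructed config containing "Weak = p+u+g+md5" and "/usr/local/bin p+u+g+sha999" it reports the weak rule once per use and the unknown token plus the missing checksum for the inline line.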
Common Configuration Examples
Monitor Critical System Files
# Critical system directories
/etc p+i+n+u+g+s+m+c+sha256
/bin p+i+n+u+g+s+m+c+sha256
/sbin p+i+n+u+g+s+m+c+sha256
/usr/bin p+i+n+u+g+s+m+c+sha256
/usr/sbin p+i+n+u+g+s+m+c+sha256
/lib p+i+n+u+g+s+m+c+sha256
/lib64 p+i+n+u+g+s+m+c+sha256
/usr/lib p+i+n+u+g+s+m+c+sha256
# Important configuration files
/etc/passwd p+i+n+u+g+s+m+c+sha256
/etc/shadow p+i+n+u+g+s+m+c+sha256
/etc/group p+i+n+u+g+s+m+c+sha256
/etc/sudoers p+i+n+u+g+s+m+c+sha256
/etc/ssh/sshd_config p+i+n+u+g+s+m+c+sha256
Exclude Directories
# Exclude temporary and dynamic directories
!/tmp
!/var/tmp
!/proc
!/sys
!/dev
!/run
!/var/run
!/var/log
!/var/cache
!/var/lib/dpkg
!/var/lib/apt
Web Server Example
# Monitor web root
/var/www p+i+n+u+g+s+m+c+sha256
# Monitor web server config
/etc/apache2 p+i+n+u+g+s+m+c+sha256
/etc/nginx p+i+n+u+g+s+m+c+sha256
# Exclude logs
!/var/www/logs
!/var/log/apache2
!/var/log/nginx
Database Files
- /var/lib/aide/aide.db - Active integrity database
- /var/lib/aide/aide.db.new - New database (after --update or --init)
- /var/lib/aide/aide.db.gz - Compressed database
- /var/lib/aide/aide.db.new.gz - Compressed new database
Automated Checks
Cron Job Example
# Daily AIDE check
0 2 * * * /usr/bin/aide --check | mail -s "AIDE Report $(hostname)" admin@example.com
# Weekly AIDE check with logging
0 3 * * 0 /usr/bin/aide --check --report=file:/var/log/aide/check-$(date +\%Y\%m\%d).log
Systemd Timer Example
# /etc/systemd/system/aide-check.service
[Unit]
Description=AIDE Integrity Check
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/bin/aide --check
StandardOutput=journal
StandardError=journal
# /etc/systemd/system/aide-check.timer
[Unit]
Description=Run AIDE check daily
Requires=aide-check.service
[Timer]
OnCalendar=daily
Persistent=true
[Install]
WantedBy=timers.target
Interpreting Results
- Total number of files - Files in database
- Added files - New files detected (not in database)
- Removed files - Files missing (in database but not on disk)
- Changed files - Files with modified attributes
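Added example for the Automated Checks and Interpreting Results sections, not AIDE's own code: a wrapper for the cron line or the systemd ExecStart above that runs aide --check, keeps the report, turns the exit status into words, and alerts only when the result is not clean. The exit-status bits are the ones documented in aide(1) (1 added, 2 removed, 4 changed; 14 and above are errors). AIDE_BIN, REPORT_DIR and the notify() hook are assumptions to adapt to your site; the report lines the parser matches use both the "files" wording shown above and the "entries" wording of newer releases.

```shell
#!/bin/sh
# Cron/systemd wrapper around `aide --check` (added example, not AIDE code).
AIDE_BIN=${AIDE_BIN:-/usr/bin/aide}        # assumed path
REPORT_DIR=${REPORT_DIR:-/var/log/aide}    # assumed report directory

# Translate aide(1)'s exit status: 0 clean; bit 1 added, bit 2 removed, bit 4 changed; 14-19 errors.
describe_exit() {
    rc=$1 words=""
    [ "$rc" -eq 0 ] && { echo "no changes"; return 0; }
    [ "$rc" -ge 14 ] && { echo "aide failed with exit $rc"; return 0; }
    [ $((rc & 1)) -ne 0 ] && words="${words}added "
    [ $((rc & 2)) -ne 0 ] && words="${words}removed "
    [ $((rc & 4)) -ne 0 ] && words="${words}changed "
    echo "${words% }"
}

# Read a report on stdin and print "ADDED REMOVED CHANGED" from its Summary block.
summary_counts() {
    awk -F: '
        /^[[:space:]]*Added (files|entries):/   { a = $2 + 0 }
        /^[[:space:]]*Removed (files|entries):/ { r = $2 + 0 }
        /^[[:space:]]*Changed (files|entries):/ { c = $2 + 0 }
        END { printf "%d %d %d\n", a, r, c }'
}

# Site-specific alert hook (assumed): swap in mail(1), a ticket, a webhook, etc.
notify() {  # $1 = subject, stdin = report body
    cat > /dev/null
    echo "ALERT: $1" >&2
}

# Run the check, keep the report, alert on anything but a clean result.
# Returns aide's own exit status so cron/systemd see it unchanged.
run_check() {
    report="$REPORT_DIR/check-$(date +%Y%m%d-%H%M%S).log"
    "$AIDE_BIN" --check > "$report" 2>&1
    rc=$?
    status=$(describe_exit "$rc")
    if [ "$rc" -ne 0 ]; then
        set -- $(summary_counts < "$report")
        notify "AIDE on $(uname -n): $status (added=$1 removed=$2 changed=$3)" < "$report"
    fi
    echo "$status"
    return "$rc"
}
```

Call run_check from the cron entry or as the service's ExecStart; because it returns AIDE's status unchanged, systemd marks the unit failed on any finding and the journal keeps the one-line status. Deciding on the exit status rather than on the report text means an error such as a config or database-version mismatch (exit 14 or higher) is never mistaken for a clean run.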
Updating After Legitimate Changes
# After installing packages, updating configs, etc.
# 1. Run update to create new database
aide --update
# 2. Review changes in aide.db.new
aide --diff --config=/etc/aide/aide.conf
# 3. If changes are legitimate, keep the old database and activate the new one
mv /var/lib/aide/aide.db /var/lib/aide/aide.db.old
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# 4. Optionally compress old database
gzip /var/lib/aide/aide.db.old
Comparing Databases
- aide --diff - Compare database with current system state
- aide --compare=/path/to/old/aide.db - Compare with specific database
Verbose Output
- aide --check -V - Verbose output
- aide --check --verbose - Verbose output (long form)
- aide --check -u - Update mode (shows what would be updated)
Limiting Checks
- aide --check --limit /etc - Check only /etc directory
- aide --check --limit /etc/passwd - Check specific file
Tips
- Initialize AIDE database on a clean, trusted system
- Store database backup on read-only media or remote location
- Use strong checksums (sha256/sha512) for better security
- Regularly update database after legitimate system changes
- Automate integrity checks with cron or systemd timers
- Review and investigate all reported changes immediately
- Exclude frequently changing directories (/tmp, /var/log, etc.)
- Monitor critical system binaries and configuration files
- Keep multiple database backups for forensic analysis
- Use compressed databases to save disk space
- Test configuration with --config-check before initialization
- Use verbose mode when investigating changes
- Combine AIDE with auditd for comprehensive file monitoring
- Document all legitimate changes before updating database
- Set up email alerts for automated integrity checks