WebsiteTemplate/cheatsheets/aide.html
2026-01-25 11:33:37 -04:00


<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self' data:; img-src 'self' data:; connect-src 'self'; base-uri 'self'; form-action 'self' https://defcon.social https://bsky.app;">
<meta http-equiv="X-Content-Type-Options" content="nosniff">
<link rel="stylesheet" href="../assets/css/style.css">
<link rel="icon" type="image/x-icon" href="../favicon.ico">
<script>
// Apply theme immediately to prevent flash
(function() {
const theme = localStorage.getItem('theme') ||
(window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light');
document.documentElement.setAttribute('data-theme', theme);
})();
</script>
<title>AIDE Cheatsheet - Cheatsheets - Launch Pad</title>
</head>
<body>
<button class="theme-toggle" id="themeToggle" aria-label="Toggle dark mode">
<svg class="theme-icon theme-icon-moon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1 1 11.21 3 7 7 0 0 0 21 12.79z"></path></svg>
<svg class="theme-icon theme-icon-sun" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" style="display: none;"><circle cx="12" cy="12" r="5"></circle><line x1="12" y1="1" x2="12" y2="3"></line><line x1="12" y1="21" x2="12" y2="23"></line><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line><line x1="1" y1="12" x2="3" y2="12"></line><line x1="21" y1="12" x2="23" y2="12"></line><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line></svg>
</button>
<br/><br/>
<div class="name">
__ _______________________ _________._________________________
\_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/
| __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_
| \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \
\___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ /
\/ \/ \/ \/ \/ \/ \/
</div>
<div class="blog-page-header">
<div class="blog-header-content">
<a href="/cheatsheets" class="back-link" title="Back to Cheatsheets">
<svg xmlns="http://www.w3.org/2000/svg" width="42" height="42" viewBox="0 0 24 24" class="home-icon"><path fill="currentColor" d="M10 20v-6h4v6h5v-8h3L12 3 2 12h3v8z"/></svg>
</a>
<h1 class="blog-page-title">AIDE Cheatsheet</h1>
</div>
</div>
<div class="blog-post-container">
<div class="blog-posts-container" style="max-width: 900px; margin: 0 auto;">
<div class="blog-post">
<div class="blog-post-content">
<p><a href="index.html">← Back to cheatsheets</a></p>
<p><a href="../index.html">← Home</a></p>
<hr>
<p>AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker. It records a baseline database of file attributes (permissions, ownership, timestamps, checksums and more) and later compares the live filesystem against that baseline, reporting files that were added, removed or changed.</p>
<hr>
<h2>Installation</h2>
<ul>
<li>apt install aide - Install on Debian/Ubuntu</li>
<li>yum install aide - Install on RHEL/CentOS</li>
<li>dnf install aide - Install on Fedora</li>
<li>pacman -S aide - Install on Arch Linux</li>
</ul>
<hr>
<h2>Initial Setup</h2>
<ul>
<li>aide --init - Initialize AIDE database</li>
<li>mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db - Rename database to make it active</li>
<li>aideinit - Initialize AIDE (Ubuntu/Debian helper script)</li>
</ul>
<hr>
<h2>Checking Integrity</h2>
<ul>
<li>aide --check - Run integrity check</li>
<li>aide --check --report=file:/var/log/aide/report.log - Check and save report to file</li>
<li>aide -C - Check (same as --check)</li>
<li>aide --check | tee /var/log/aide/aide-check.log - Check, display the output and keep a copy in the log</li>
<li>aide --check --config=/etc/aide/aide.conf - Use specific config file</li>
</ul>
<hr>
<h2>Updating Database</h2>
<ul>
<li>aide --update - Update database after legitimate changes</li>
<li>mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db - Make updated database active</li>
<li>aideinit -y - Update database (Ubuntu/Debian, auto-confirm)</li>
</ul>
<hr>
<h2>Configuration File</h2>
<ul>
<li>/etc/aide/aide.conf - Main configuration file</li>
<li>/etc/aide/aide.conf.d/ - Configuration directory (some distributions)</li>
<li>aide --config-check - Check configuration file syntax</li>
</ul>
<h3>Configuration Syntax</h3>
<pre><code># Define a rule name (an attribute set) to reuse on selection lines
RuleName = p+i+n+u+g+s+m+c+md5+sha256
# Monitor a directory (recursively)
/etc RuleName
# Monitor a specific file
/etc/passwd RuleName
# Exclude patterns (prefix !): pseudo-filesystems and volatile paths
!/etc/mtab
!/var/log
!/proc
!/sys
!/tmp
!/var/tmp
# Attribute lists can also be written inline instead of naming a rule
/etc p+u+g
/bin p+u+g+i+n</code></pre>
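<p>The snippet above shows rule and selection syntax but not the directives that make a configuration usable on its own. The script below is an added example written for this cheatsheet, not AIDE's own or any distribution's configuration: it writes a minimal complete aide.conf (database and report locations plus named rules and exclusions) into a scratch directory and runs --config-check against it when AIDE is installed. The directory layout, the rule names (Binaries, Configs, Logs) and the helper function names are assumptions; database_in, database_out and database_new are the AIDE 0.17+ option names, and older releases spell the first one database.</p>

```shell
#!/bin/sh
# Added example, not from the cheatsheet: generate a minimal but complete
# aide.conf and check its syntax. Paths are assumptions (Debian-style layout).

# Print a complete configuration; $1 is the directory holding the databases.
make_aide_conf() {
    dbdir=$1
    cat <<EOF
# Baseline to compare against, where --init/--update write their output,
# and what --compare reads as the "new" side
database_in=file:$dbdir/aide.db
database_out=file:$dbdir/aide.db.new
database_new=file:$dbdir/aide.db.new
gzip_dbout=yes
report_url=stdout

# Named rules: attribute sets reused by the selection lines below
Binaries = p+i+n+u+g+s+m+c+sha256
Configs  = p+i+n+u+g+s+m+c+sha512
Logs     = p+u+g+n+S

# What to watch (these trees do not overlap, so rule precedence never matters)
/bin      Binaries
/sbin     Binaries
/usr/bin  Binaries
/usr/sbin Binaries
/etc      Configs
/var/log  Logs

# Pseudo-filesystems and scratch space are never worth a baseline
!/proc
!/sys
!/dev
!/run
!/tmp
!/var/tmp
EOF
}

# Write the configuration for database directory $1 to the file $2.
write_aide_conf() {
    make_aide_conf "$1" > "$2"
}

# Syntax-check a config file. Returns aide's status when aide is installed,
# otherwise prints a notice and returns 0 so the script also runs elsewhere.
check_aide_conf() {
    if command -v aide >/dev/null 2>&1; then
        aide --config-check --config="$1"
    else
        echo "aide not installed; skipped --config-check of $1" >&2
    fi
}

# Demonstration: write the config into a scratch directory and validate it.
# Point the two arguments at /var/lib/aide and /etc/aide/aide.conf once the
# content is what you want on the real host.
SCRATCH=$(mktemp -d)
write_aide_conf "$SCRATCH" "$SCRATCH/aide.conf"
check_aide_conf "$SCRATCH/aide.conf"
```

<p>The Logs rule deliberately uses S (growing size) instead of a checksum: log files are expected to grow, so a checksum would fire on every run, while a file that shrinks, which is what truncation to cover tracks looks like, still produces a finding.</p>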
<hr>
<h2>Rule Attributes</h2>
<ul>
<li>p - Permissions</li>
<li>i - Inode</li>
<li>n - Number of links</li>
<li>u - User (owner)</li>
<li>g - Group</li>
<li>s - Size</li>
<li>b - Block count</li>
<li>m - mtime (modification time)</li>
<li>a - atime (access time)</li>
<li>c - ctime (inode change time)</li>
<li>S - Growing size</li>
<li>md5 - MD5 checksum</li>
<li>sha1 - SHA1 checksum</li>
<li>sha256 - SHA256 checksum</li>
<li>sha512 - SHA512 checksum</li>
<li>rmd160 - RIPEMD160 checksum</li>
<li>tiger - Tiger checksum</li>
<li>haval - Haval checksum</li>
<li>gost - GOST checksum</li>
<li>crc32 - CRC32 checksum</li>
<li>E - Extended attributes</li>
<li>I - Immutable bits</li>
<li>l - Link name</li>
<li>xattrs - Extended attributes (filesystem dependent)</li>
<li>selinux - SELinux context</li>
<li>acl - Access Control Lists</li>
</ul>
<hr>
<h2>Common Configuration Examples</h2>
<h3>Monitor Critical System Files</h3>
<pre><code># Critical system directories
/etc p+i+n+u+g+s+m+c+sha256
/bin p+i+n+u+g+s+m+c+sha256
/sbin p+i+n+u+g+s+m+c+sha256
/usr/bin p+i+n+u+g+s+m+c+sha256
/usr/sbin p+i+n+u+g+s+m+c+sha256
/lib p+i+n+u+g+s+m+c+sha256
/lib64 p+i+n+u+g+s+m+c+sha256
/usr/lib p+i+n+u+g+s+m+c+sha256
# Important configuration files
/etc/passwd p+i+n+u+g+s+m+c+sha256
/etc/shadow p+i+n+u+g+s+m+c+sha256
/etc/group p+i+n+u+g+s+m+c+sha256
/etc/sudoers p+i+n+u+g+s+m+c+sha256
/etc/ssh/sshd_config p+i+n+u+g+s+m+c+sha256</code></pre>
<h3>Exclude Directories</h3>
<pre><code># Exclude temporary and dynamic directories
!/tmp
!/var/tmp
!/proc
!/sys
!/dev
!/run
!/var/run
!/var/log
!/var/cache
!/var/lib/dpkg
!/var/lib/apt</code></pre>
<h3>Web Server Example</h3>
<pre><code># Monitor web root
/var/www p+i+n+u+g+s+m+c+sha256
# Monitor web server config
/etc/apache2 p+i+n+u+g+s+m+c+sha256
/etc/nginx p+i+n+u+g+s+m+c+sha256
# Exclude logs
!/var/www/logs
!/var/log/apache2
!/var/log/nginx</code></pre>
<hr>
<h2>Database Files</h2>
<ul>
<li>/var/lib/aide/aide.db - Active integrity database</li>
<li>/var/lib/aide/aide.db.new - New database (after --update or --init)</li>
<li>/var/lib/aide/aide.db.gz - Compressed database</li>
<li>/var/lib/aide/aide.db.new.gz - Compressed new database</li>
</ul>
<hr>
<h2>Automated Checks</h2>
<h3>Cron Job Example</h3>
<pre><code># Daily AIDE check
0 2 * * * /usr/bin/aide --check | mail -s "AIDE Report $(hostname)" admin@example.com
# Weekly AIDE check with logging
0 3 * * 0 /usr/bin/aide --check --report=file:/var/log/aide/check-$(date +\%Y\%m\%d).log</code></pre>
<h3>Systemd Timer Example</h3>
<pre><code># /etc/systemd/system/aide-check.service
[Unit]
Description=AIDE Integrity Check
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/bin/aide --check
StandardOutput=journal
StandardError=journal
# /etc/systemd/system/aide-check.timer
[Unit]
Description=Run AIDE check daily
Requires=aide-check.service
[Timer]
OnCalendar=daily
Persistent=true
[Install]
WantedBy=timers.target</code></pre>
<hr>
<h2>Interpreting Results</h2>
<ul>
<li>Total number of files - Files in database</li>
<li>Added files - New files detected (not in database)</li>
<li>Removed files - Files missing (in database but not on disk)</li>
<li>Changed files - Files with modified attributes</li>
</ul>
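<p>The exit status and the summary counts are what a scheduled job should act on, rather than the full report text. The wrapper below is an added example, not part of the cheatsheet or of AIDE itself: it decodes AIDE's documented exit status (a bitmask in which 1 = new files, 2 = removed files and 4 = changed files, while 14 and above mean AIDE itself failed, for instance on a configuration or I/O error), pulls the summary counts out of the report, keeps the report under a log directory and mails it only when there is something to look at. AIDE_BIN, REPORT_DIR, ALERT_MAIL and the function names are assumptions, and the sample report at the end is constructed so the parsing can be exercised without AIDE installed.</p>

```shell
#!/bin/sh
# Added example, not from the cheatsheet: a wrapper for scheduled AIDE checks
# that decodes the exit status, summarises the report and alerts on findings.

AIDE_BIN=${AIDE_BIN:-/usr/bin/aide}      # assumed location of the aide binary
REPORT_DIR=${REPORT_DIR:-/var/log/aide}  # assumed report directory
ALERT_MAIL=${ALERT_MAIL:-root}           # assumed alert recipient

# AIDE's exit status is a bitmask of findings: 1 = new files, 2 = removed
# files, 4 = changed files (7 means all three). 14 and above mean AIDE itself
# failed (bad config, unreadable database, ...), which is a different alert.
aide_exit_status() {
    rc=$1
    if [ "$rc" -eq 0 ]; then
        echo "no changes"
        return 0
    fi
    if [ "$rc" -ge 14 ]; then
        echo "error (exit $rc)"
        return 0
    fi
    msg=""
    if [ $((rc & 1)) -ne 0 ]; then msg="${msg}new "; fi
    if [ $((rc & 2)) -ne 0 ]; then msg="${msg}removed "; fi
    if [ $((rc & 4)) -ne 0 ]; then msg="${msg}changed "; fi
    echo "${msg% }"
}

# Pull one summary count (Added, Removed or Changed) out of a report read on
# stdin. Older AIDE prints "Added files:", 0.17 and later "Added entries:".
report_count() {
    awk -v k="$1" '$1 == k && ($2 == "files:" || $2 == "entries:") { n = $3 }
                   END { print n + 0 }'
}

# One-line summary of a report file, e.g. "added=1 removed=0 changed=2"
summarize_report() {
    printf 'added=%s removed=%s changed=%s\n' \
        "$(report_count Added < "$1")" \
        "$(report_count Removed < "$1")" \
        "$(report_count Changed < "$1")"
}

# Run the check, keep the full report under REPORT_DIR and mail it only when
# AIDE found something or failed. Returns AIDE's own status so cron/systemd
# record it too.
run_aide_check() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/check-$(date +%Y%m%d-%H%M%S).log"
    rc=0
    "$AIDE_BIN" --check > "$report" 2>&1 || rc=$?
    status=$(aide_exit_status "$rc")
    echo "$(date '+%F %T') aide --check: $status ($(summarize_report "$report"))"
    if [ "$rc" -ne 0 ] && command -v mail >/dev/null 2>&1; then
        mail -s "AIDE on $(hostname): $status" "$ALERT_MAIL" < "$report"
    fi
    return "$rc"
}

# Constructed sample report (older wording) to exercise the parsing without AIDE.
SAMPLE_REPORT='AIDE found differences between database and filesystem!!
Summary:
  Total number of files:  512
  Added files:            1
  Removed files:          0
  Changed files:          2
'

# The real check runs only when explicitly requested, e.g. from a cron line:
#   0 2 * * * AIDE_RUN=1 /usr/local/sbin/aide-check.sh
if [ -n "${AIDE_RUN:-}" ]; then
    run_aide_check
else
    printf '%s' "$SAMPLE_REPORT" | report_count Changed
fi
```

<p>Returning AIDE's own status from the wrapper matters for the systemd unit above: a oneshot service whose ExecStart exits non-zero is logged as failed, so findings show up in the journal and in systemctl --failed even if the mail never arrives.</p>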
<hr>
<h2>Updating After Legitimate Changes</h2>
<pre><code># After installing packages, updating configs, etc.
# 1. Run update: checks the system and writes /var/lib/aide/aide.db.new
aide --update
# 2. Review the differences between the active database and aide.db.new
#    (database_in vs database_new as set in the config)
aide --compare --config=/etc/aide/aide.conf
# 3. If the changes are legitimate, keep the old baseline and activate the new one
cp -p /var/lib/aide/aide.db /var/lib/aide/aide.db.old
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# 4. Optionally compress the old database
gzip /var/lib/aide/aide.db.old</code></pre>
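<p>Step 3 above is the moment the old baseline is replaced, and the Tips further down recommend keeping database backups on read-only or remote media. The script below is an added example, not from the cheatsheet or from AIDE, that performs the rotation defensively: it verifies the active database against a SHA-256 hash recorded out of band (a baseline that an intruder could rewrite would hide whatever they changed), keeps a timestamped copy of the old baseline for later forensics, moves aide.db.new into place and records the new hash. DBDIR, HASH_STORE and the function names are assumptions.</p>

```shell
#!/bin/sh
# Added example, not from the cheatsheet: promote aide.db.new to the active
# database without discarding the previous baseline, and keep a checksum of the
# active database out of band so it can be verified before each rotation.

DBDIR=${DBDIR:-/var/lib/aide}                 # assumed database directory
HASH_STORE=${HASH_STORE:-/mnt/readonly/aide}  # assumed read-only/remote location

# SHA-256 of a file, using whichever tool the platform provides
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_db DB RECORD: compare DB with the hash stored in RECORD.
# Returns 0 on match, 1 on mismatch, 2 when no record exists yet.
verify_db() {
    [ -f "$2" ] || return 2
    [ "$(file_sha256 "$1")" = "$(cut -d' ' -f1 "$2")" ]
}

# rotate_db DB NEW RECORD [STAMP]: verify the current DB, keep a timestamped
# copy of it, move NEW into place and record the new hash. A hash mismatch
# aborts, so a tampered baseline is never silently carried forward.
rotate_db() {
    db=$1; new=$2; record=$3; stamp=${4:-$(date +%Y%m%d-%H%M%S)}
    if [ ! -f "$new" ]; then
        echo "no new database at $new (run aide --update first)" >&2
        return 1
    fi
    if [ -f "$db" ]; then
        st=0
        verify_db "$db" "$record" || st=$?
        if [ "$st" -eq 1 ]; then
            echo "refusing to rotate: $db does not match the recorded hash" >&2
            return 1
        fi
        cp -p "$db" "$db.$stamp.bak"
    fi
    mv "$new" "$db"
    # Same layout as sha256sum output, so "sha256sum -c RECORD" also works
    printf '%s  %s\n' "$(file_sha256 "$db")" "$db" > "$record"
}

# Wiring for a real host, run only when explicitly requested after reviewing
# the aide --compare output:  AIDE_ROTATE=1 ./rotate-aide-db.sh
if [ -n "${AIDE_ROTATE:-}" ]; then
    mkdir -p "$HASH_STORE"
    rotate_db "$DBDIR/aide.db" "$DBDIR/aide.db.new" "$HASH_STORE/aide.db.sha256"
fi
```

<p>Running verify_db at the start of the scheduled check as well gives the same protection there: if the hash in HASH_STORE no longer matches aide.db, the check result cannot be trusted, and that mismatch is itself the finding to investigate first.</p>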
<hr>
<h2>Comparing Databases</h2>
<ul>
<li>aide --compare - Compare the two databases named by database_in and database_new in the config (for example the active aide.db and a freshly written aide.db.new) without touching the live filesystem</li>
<li>aide --compare -A "database_new=file:/path/to/old/aide.db" - Compare the active database with a specific one by overriding database_new on the command line (-A applies after the config file is read)</li>
</ul>
<hr>
<h2>Verbose Output</h2>
<ul>
<li>aide --check -V - Verbose output</li>
<li>aide --check --verbose - Verbose output (long form)</li>
<li>aide -u - Same as --update: check and write the new database in one pass; the report lists everything that changed</li>
</ul>
<hr>
<h2>Limiting Checks</h2>
<ul>
<li>aide --check --limit /etc - Check only /etc directory</li>
<li>aide --check --limit /etc/passwd - Check specific file</li>
</ul>
<hr>
<h2>Tips</h2>
<ul>
<li>Initialize AIDE database on a clean, trusted system</li>
<li>Store database backup on read-only media or remote location</li>
<li>Use strong checksums (sha256/sha512) for better security</li>
<li>Regularly update database after legitimate system changes</li>
<li>Automate integrity checks with cron or systemd timers</li>
<li>Review and investigate all reported changes immediately</li>
<li>Exclude frequently changing directories (/tmp, /var/log, etc.)</li>
<li>Monitor critical system binaries and configuration files</li>
<li>Keep multiple database backups for forensic analysis</li>
<li>Use compressed databases to save disk space</li>
<li>Test configuration with --config-check before initialization</li>
<li>Use verbose mode when investigating changes</li>
<li>Combine AIDE with auditd for comprehensive file monitoring</li>
<li>Document all legitimate changes before updating database</li>
<li>Set up email alerts for automated integrity checks</li>
</ul>
<hr>
<p><a href="index.html">← Back to cheatsheets</a></p>
<p><a href="../index.html">← Home</a></p>
</div>
</div>
</div>
</div>
<script async type="text/javascript" src="../blog/analytics.js"></script>
<script src="../theme.js"></script>
</body>
</html>