How to install and configure AIDE on Ubuntu

AIDE (Advanced Intrusion Detection Environment) is a host-based file integrity checker.
It monitors your filesystem for unauthorized changes (such as tampering with binaries, configs, or permissions).

Repository: github.com/aide/aide

Step 1. Install AIDE

sudo apt update
sudo apt install aide -y

This installs AIDE and creates a default configuration file at:

/etc/aide/aide.conf

Step 2. Initialize the AIDE database

AIDE uses a baseline database of file checksums, permissions, and other metadata.

Initialize it with:

sudo aideinit

This command:

Scans your system according to the rules in /etc/aide/aide.conf.

Creates a new database at:

/var/lib/aide/aide.db.new

Then rename it to make it the active baseline:

sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Tip: Run this step only when the system is in a known good state (no malware, correct configs).

Step 3. Run checks

You can now manually check for changes anytime:

sudo aide --check

If files have been added, removed, or modified, AIDE will print a detailed report.

Typical output:

AIDE found differences between database and filesystem!!
Summary:
  Total number of entries: 12345
  Added entries: 2
  Removed entries: 0
  Changed entries: 1

To read the details, page through the report in the terminal (or redirect the output to a file):

sudo aide --check | less

Step 4. Update the database after legitimate changes

When you intentionally change system files (for example, after an update), rebuild the database:

sudo aide --update
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

This updates your baseline so AIDE won’t keep alerting you about legitimate changes.

Step 5. Automate checks with cron

To automate AIDE checks, add a cron job:

sudo nano /etc/cron.daily/aide

Paste this script:

#!/bin/bash
/usr/bin/aide --check | mail -s "AIDE Integrity Check Report - $(hostname)" root

Then make it executable:

sudo chmod +x /etc/cron.daily/aide

You can configure email delivery by setting up a local mailer (e.g., postfix or ssmtp) or redirect the report to a log file.

Step 6. (Optional) Customize configuration

Edit /etc/aide/aide.conf to include or exclude directories.

Examples:

# Add custom directory
/etc   p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
 
# Exclude temporary directories
!/tmp
!/var/tmp
!/run

Then reinitialize the database after saving changes:

sudo aideinit
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Good practices

Keep the AIDE database secure — store a copy offline or on read-only media.
If attackers can alter both your files and the AIDE database, they can hide their tracks.
 
Run after updates — rebuild the database only after verifying legitimate updates.
 
Integrate with monitoring — send reports to a centralized system (email, SIEM, or log server).
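The following script is an added example for this wiki page, not part of the AIDE project: it is a cron-friendly wrapper around aide --check that ties together Step 5 (automation) and the first good practice above (protecting the baseline). Before running a check it compares /var/lib/aide/aide.db against a SHA-256 checksum you recorded when the baseline was last rebuilt (the checksum file path /root/aide-backups/aide.db.sha256 is a hypothetical choice; AIDE does not create it), then it decodes AIDE's exit status (a bit mask: 1 new files, 2 removed, 4 changed; 14 and above are errors) and logs a one-line summary before mailing the full report.

```sh
#!/bin/sh
# Added example, not part of the AIDE project: a cron-friendly wrapper around
# "aide --check" that (1) refuses to run against a baseline whose SHA-256 no
# longer matches a checksum kept on offline media, (2) decodes AIDE's exit
# status and (3) appends a one-line summary to a log before mailing the report.
# All paths are defaults you can override from the environment; the checksum
# file location is a hypothetical choice, not something AIDE creates.
AIDE_BIN=${AIDE_BIN:-/usr/bin/aide}
AIDE_CONF=${AIDE_CONF:-/etc/aide/aide.conf}
AIDE_DB=${AIDE_DB:-/var/lib/aide/aide.db}
AIDE_DB_SUM=${AIDE_DB_SUM:-/root/aide-backups/aide.db.sha256}
AIDE_LOG=${AIDE_LOG:-/var/log/aide-check.log}

# AIDE's exit status is a bit mask: 1 = new files, 2 = removed files,
# 4 = changed files (so 7 means all three); 14 and above signal an error
# such as a broken configuration, not a finding about the filesystem.
decode_aide_status() {
    st=$1
    if [ "$st" -eq 0 ]; then echo "no changes"; return 0; fi
    if [ "$st" -ge 14 ]; then echo "error (exit $st)"; return 0; fi
    out=""
    if [ $((st & 1)) -ne 0 ]; then out="${out}added "; fi
    if [ $((st & 2)) -ne 0 ]; then out="${out}removed "; fi
    if [ $((st & 4)) -ne 0 ]; then out="${out}changed "; fi
    echo "${out% }"
}

# Compare the live baseline with a checksum recorded when the baseline was
# last (legitimately) rebuilt. Returns 0 on match, 1 on mismatch, 2 if no
# checksum is stored. A mismatch means the reference itself may be tampered.
verify_db_checksum() {
    db=$1
    sumfile=$2
    if [ ! -f "$sumfile" ]; then
        echo "no stored checksum for $db at $sumfile" >&2
        return 2
    fi
    expected=$(cut -d' ' -f1 "$sumfile")
    actual=$(sha256sum "$db" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Record the checksum of the current baseline; run this right after the
# "mv aide.db.new aide.db" step and copy the file somewhere read-only.
record_db_checksum() {
    sha256sum "$AIDE_DB" > "$AIDE_DB_SUM"
}

run_daily_check() {
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if ! verify_db_checksum "$AIDE_DB" "$AIDE_DB_SUM"; then
        echo "$stamp BASELINE CHECKSUM MISMATCH, check not run" >> "$AIDE_LOG"
        return 3
    fi
    status=0
    report=$("$AIDE_BIN" --config "$AIDE_CONF" --check 2>&1) || status=$?
    summary=$(decode_aide_status "$status")
    echo "$stamp aide exit=$status ($summary)" >> "$AIDE_LOG"
    # Only mail when there is something to read; staying silent on
    # "no changes" keeps the report from becoming noise nobody opens.
    if [ "$status" -ne 0 ]; then
        printf '%s\n' "$report" | mail -s "AIDE ($summary) - $(hostname)" root
    fi
    return "$status"
}

case ${1:-} in
    run)    run_daily_check ;;
    record) record_db_checksum ;;
esac
```

Save it under a name of your choosing (for example /usr/local/sbin/aide-check), run it once with the record argument right after activating a fresh baseline, copy the checksum file to read-only media, and have the daily cron script exec it with the run argument. The mail step still needs the local mailer mentioned above; the log line is written regardless, so a log shipper can pick it up even when mail is not configured.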

How to configure custom AIDE rules on Ubuntu

AIDE’s power comes from its configuration file, usually located at:

/etc/aide/aide.conf

This file defines:

Which files/directories to monitor

What attributes to check (permissions, owner, checksums, etc.)

Which paths to ignore

Below, I’ll show you how to:

1. Understand rule syntax

2. Define your own rules

3. Configure AIDE to monitor only what you need

4. Test your configuration safely

Step 1. Understand AIDE rule syntax

Each line in aide.conf has this general format:

<path or pattern>  <rule or rule name>

Examples:

/etc          NORMAL
/usr/bin      NORMAL
!/tmp

A line starting with ! means “exclude this path”.

A rule like NORMAL refers to a rule definition (explained next).

You can also directly specify what to check, like p+i+n+u+g+s+m+c+sha512.

Step 2. Understand the rule components

Each letter corresponds to an attribute to check.

Here are the most useful ones:

Code    | Meaning                      | Example
--------|------------------------------|---------------------------------
p       | Permissions                  | File mode changes
i       | Inode number                 | Detect moved/replaced files
n       | Number of links              | Detect added hard links
u       | User (owner)                 | Owner changed
g       | Group                        | Group ownership changed
s       | Size                         | File grew/shrank
m       | Modification time            | Changed content
c       | Change time (inode metadata) | Metadata change
a       | Access time                  | (Usually ignored; too frequent)
sha512  | Hash algorithm               | Detects content tampering

Example combined rule:

p+i+n+u+g+s+m+c+sha512

→ Checks almost everything important, using SHA-512 for content integrity.

Step 3. Define your custom rules

Open the configuration file:

sudo nano /etc/aide/aide.conf

Scroll to the bottom (after the default rules) and add your own:

# ===== Custom Rules =====
# Define a strong rule for system configuration files
CUSTOM = p+i+n+u+g+s+m+c+sha512
 
# Directories to monitor
/etc         CUSTOM
/usr/bin     CUSTOM
/usr/sbin    CUSTOM
/var/www     CUSTOM
 
# Exclude temporary and runtime directories
!/tmp
!/var/tmp
!/run
!/proc
!/sys
!/dev
!/mnt
!/media

Explanation:

/etc — monitors configuration files.
 
/usr/bin and /usr/sbin — monitors system executables.
 
/var/www — monitors your web server files (if applicable).
 
The excluded directories change too often or contain temporary data.
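Once rules reference other rules (for example CUSTOM = NORMAL+sha512), it is easy to lose track of what a given path is actually checked for. The script below is an added example written for this page, not part of AIDE: a small awk-based reader for the subset of aide.conf syntax shown in Steps 1 to 3 (NAME = a+b+OTHER definitions, /path RULE lines and !/path exclusions) that prints each monitored path with its rule name expanded into attribute letters, and each excluded path. The embedded sample configuration is constructed for the demo, not taken from a real system.

```sh
#!/bin/sh
# Added example, not part of AIDE: expand rule names in an aide.conf so the
# effective attribute list for every monitored path can be reviewed at a
# glance. Handles the syntax used on this page; regex paths and AIDE
# options (database_in=..., @@define) are passed over or ignored.
expand_aide_rules() {
    awk '
    # Resolve a "+"-separated rule expression recursively: every token is
    # either an attribute (p, i, sha512, ...) or the name of another rule.
    function resolve(expr, depth,    n, parts, i, tok, out) {
        if (depth > 20) return "<recursion too deep>"
        n = split(expr, parts, "+")
        out = ""
        for (i = 1; i <= n; i++) {
            tok = parts[i]
            if (tok in rules) tok = resolve(rules[tok], depth + 1)
            out = out (out == "" ? "" : "+") tok
        }
        return out
    }
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    /^[ \t]*!/ {                                  # "!/path" excludes a tree
        sub(/^[ \t]*!/, "")
        print "EXCLUDE " $1
        next
    }
    /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {            # "NAME = a+b+OTHER"
        name = $1; sub(/[ \t]*=.*/, "", name)
        val = $0;  sub(/^[^=]*=[ \t]*/, "", val)
        rules[name] = val
        next
    }
    /^[ \t]*\// { print "CHECK " $1 " " resolve($2, 0); next }
    ' "$1"
}

# Constructed sample configuration for the demo (not a real aide.conf).
SAMPLE_CONF='# ===== Custom Rules =====
NORMAL = p+i+n+u+g+s+m+c
CUSTOM = NORMAL+sha512
LOGS   = p+u+g+s
/etc        CUSTOM
/usr/bin    CUSTOM
/var/log    LOGS
!/tmp
!/run'

# Write the sample to a temporary file and expand it.
demo_expand() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_CONF" > "$f"
    expand_aide_rules "$f"
    rm -f "$f"
}

if [ "${1:-}" = demo ]; then
    demo_expand
elif [ -n "${1:-}" ]; then
    expand_aide_rules "$1"
fi
```

Run it with demo to see the sample expanded, or pass /etc/aide/aide.conf to review your own configuration before running aideinit; a path whose expansion lacks a hash attribute (sha512 or similar) is one where content tampering would go unnoticed, which is exactly the kind of gap this review is meant to surface.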

Step 4. Initialize AIDE again

After editing the config, you must rebuild the database:

sudo aideinit
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Step 5. Test your configuration

Run a manual check:

sudo aide --check

Change something intentionally (for testing):

sudo touch /etc/testfile

Run the check again:

sudo aide --check

You should see output like:

AIDE found differences between database and filesystem!!
Added entries: 1
/etc/testfile

Then remove the test file and update your database if all is well:

sudo rm /etc/testfile
sudo aide --update
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Step 6. (Optional) Automate your custom checks

If you want AIDE to run your custom configuration daily, ensure the cron job (from the previous setup) uses this command:

/usr/bin/aide --config /etc/aide/aide.conf --check

Pro tips

Use multiple rules for different sensitivity levels:

SYSTEM = p+i+n+u+g+s+m+c+sha512
LOGS   = p+u+g+s

Then apply them selectively:

/etc        SYSTEM
/var/log    LOGS

Protect your AIDE database:

Store a copy offline or on read-only media (/root/aide-backups or USB).

Example backup:

sudo cp /var/lib/aide/aide.db /root/aide-backups/aide.db.$(date +%F)

Combine with systemd service (optional):

You can create a systemd timer to run AIDE weekly instead of using cron.

Summary

Step | Command                         | Description
-----|---------------------------------|----------------------------------------
1    | $ sudo nano /etc/aide/aide.conf | Edit configuration
2    | Add custom rules                | Define CUSTOM = p+i+n+u+g+s+m+c+sha512
3    | Add directories & exclusions    | /etc, /usr/bin, /var/www, etc.
4    | $ sudo aideinit                 | Rebuild baseline
5    | $ sudo aide --check             | Verify changes
6    | (Optional) Automate             | Cron or systemd timer
aide.1761115109.txt.gz · Last modified: 2025/10/22 15:38 by jianwu