This section is a work in progress and may be incomplete. The instructions provided should work, but additional details and explanations may be added in future updates.

Why

You want to know when files/folders change on your server. Unauthorized changes could indicate a security breach or compromise. AIDE (Advanced Intrusion Detection Environment) monitors file system changes and alerts you to modifications.

How It Works

AIDE creates a database of file checksums, permissions, and attributes. It then periodically scans the system and compares against this database to detect any changes. When differences are found, it reports what has been added, removed, or modified.

Goals

  • AIDE installed and configured to monitor critical system files and folders
  • Daily automated scans with email alerts for any detected changes

Notes

  • After you make legitimate changes to monitored files/folders, you’ll need to update the AIDE database
  • The initial database creation can take some time depending on what you’re monitoring
  • You’ll want to customize which files/folders AIDE monitors based on your needs

Installation and Setup

1. Install AIDE

On Debian-based systems:
sudo apt install aide aide-common
2. Configure AIDE

Make a backup of AIDE’s configuration file /etc/aide/aide.conf:
sudo cp --archive /etc/aide/aide.conf /etc/aide/aide.conf-COPY-$(date +"%Y%m%d%H%M%S")
The default configuration file /etc/aide/aide.conf is well commented and you should take a look at it and customize based on your requirements. The default settings monitor many important system directories.
Pay special attention to the paths that AIDE monitors. Add or remove paths based on your specific needs and server configuration.
3. Configure automatic execution

Configure AIDE to run daily by modifying /etc/default/aide:
sudo cp --archive /etc/default/aide /etc/default/aide-COPY-$(date +"%Y%m%d%H%M%S")
Set these options in /etc/default/aide:
Setting          Value   Description
CRON_DAILY_RUN   yes     Enable daily cron job
MAILTO           root    Send reports to root
QUIETREPORTS     no      Include full reports in emails
4. Initialize the AIDE database

Create the initial AIDE database:
sudo aideinit
This will scan your system and create the database. It may take several minutes.
On Debian systems, aideinit creates the database at /var/lib/aide/aide.db.new and, after you confirm it is correct, moves it to /var/lib/aide/aide.db.
5. Test AIDE

Test that everything works by making some changes:
sudo touch /etc/test.sh
sudo touch /root/test.sh

sudo aide.wrapper --check

sudo rm /etc/test.sh
sudo rm /root/test.sh

sudo aideinit -y -f
You should see output showing that AIDE detected the added files.
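The five steps above collected into one non-interactive script, as an added example that is not the page's or the AIDE project's own code. The commands it runs are the ones the steps use (apt, cp, aideinit -y -f, aide.wrapper --check); the helper names backup_file, set_kv, get_kv and run_setup are this example's own, written so that re-running the script edits /etc/default/aide in place without duplicating settings. Save it as aide-setup.sh and run it as root with `sudo sh aide-setup.sh --run`.

```shell
#!/bin/sh
# Added example: automate the installation steps above on a Debian-based host.
# Helper names (backup_file, set_kv, get_kv, run_setup) are this example's own;
# the commands they wrap (apt-get, cp, aideinit, aide.wrapper) are the ones the
# steps use.
set -eu

# backup_file PATH: timestamped copy next to the original, as the steps do
# (-a is the short form of the --archive used in the steps).
backup_file() {
    cp -a "$1" "$1-COPY-$(date +"%Y%m%d%H%M%S")"
}

# set_kv FILE KEY VALUE: set KEY=VALUE, replacing an existing uncommented
# KEY= line or appending one, so repeated runs leave exactly one such line.
# Commented-out lines such as "#MAILTO=root" are left untouched.
set_kv() {
    file=$1
    key=$2
    value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        index($0, k "=") == 1 { print k "=" v; found = 1; next }
        { print }
        END { if (!found) print k "=" v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"    # write in place so mode and ownership are kept
    rm -f "$tmp"
}

# get_kv FILE KEY: print the current value of KEY (last uncommented match wins).
get_kv() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# run_setup: steps 1 to 5. Must run as root.
run_setup() {
    apt-get install -y aide aide-common              # step 1
    backup_file /etc/aide/aide.conf                  # step 2: back up, then review
                                                     #   the monitored paths by hand
    backup_file /etc/default/aide                    # step 3
    set_kv /etc/default/aide CRON_DAILY_RUN yes
    set_kv /etc/default/aide MAILTO root
    set_kv /etc/default/aide QUIETREPORTS no
    aideinit -y -f                                   # step 4: build /var/lib/aide/aide.db
    # step 5: a clean check exits 0; a non-zero status means differences were reported.
    aide.wrapper --check || echo "aide.wrapper --check reported differences (exit $?)"
}

if [ "${1:-}" = "--run" ]; then
    run_setup
fi
```

Keeping the three settings under set_kv rather than hand-editing means a configuration-management run can apply the script repeatedly and a later audit can confirm the values with get_kv.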

Updating The Database

Every time you make legitimate changes to files/folders that AIDE monitors, you’ll need to update the database to capture those changes:
sudo aideinit -y -f

Daily Automated Scans

If you set CRON_DAILY_RUN to yes in /etc/default/aide, then cron will execute /etc/cron.daily/aide every day and email you the output with any detected changes.
Review AIDE reports regularly. Unexpected changes could indicate a security issue that needs investigation.
