AIDE - Advanced Intrusion Detection Environment.
AIDE is a file and directory integrity checker, available in the Debian 11 "Bullseye" repository and in LMDE5.
AIDE is an intrusion detection system that detects changes to files on the local system and can be built as a stand-alone static binary.
It creates a database from the regular expression rules that it finds in the config file. Once this database is initialized, it can be used to verify the integrity of the files. It supports several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) for checking file integrity, and more algorithms can be added with relative ease. All of the usual file attributes can also be checked for inconsistencies.
- supported message digest algorithms: md5, sha1, rmd160, tiger, crc32, sha256, sha512, whirlpool (additionally with libmhash: gost, haval, crc32b)
- supported file attributes: File type, Permissions, Inode, Uid, Gid, Link name, Size, Block count, Number of links, Mtime, Ctime and Atime
- support for Posix ACL, SELinux, XAttrs and Extended file system attributes if support is compiled in
- plain text configuration files and database for simplicity
- powerful regular expression support to selectively include or exclude files and directories to be monitored
- gzip database compression if zlib support is compiled in
- stand alone static binary for easy client/server monitoring configurations
- and many more...
The current stable version of AIDE is 0.17.4, but to get it you need to download it here.
If you don't want to, you can install from Debian's repository and get version 0.17.3-4+deb11u1.
How to install via a terminal window from Debian's repository:
sudo apt-get install aide
Other supported distributions:
- Debian: sudo apt install aide
- Ubuntu: sudo apt install aide
- LMDE5: sudo apt install aide
- FreeBSD: pkg install aide
- Gentoo: emerge aide
- Homebrew: brew install aide
- MacPorts: port install aide
- NixOS: nix-env -iA nixos.aide
- OpenBSD: pkg_add aide
- openSUSE: zypper install aide
- Red Hat | CentOS | Fedora: yum install aide
Run this command to confirm the installed version and its compiled-in options:
sudo aide -v
user@computer:~$ aide -v
Compiled with the following options:
Default config values:
config file: <none>
Available hashsum groups:
- md5: yes
- sha1: yes
- sha256: yes
- sha512: yes
- rmd160: yes
- tiger: yes
- crc32: yes
- crc32b: yes
- haval: yes
- whirlpool: yes
- gost: yes
- stribog256: no
- stribog512: no
Default compound groups:
You should open the configuration using your favorite editor:
sudo gedit /etc/aide.conf
It has directives that define the database location, the report location, the default rules, and the directories/files to be included in the database.
Research the recommended settings for your system; the following rule definitions are a common starting point:
PERMS = p+u+g+acl+selinux+xattrs
The PERMS rule covers access control only: it detects changes to a file's or directory's permissions, owner (user), group, ACLs, SELinux context and extended attributes.
To check file content and file type:
CONTENT = sha256+ftype
An extended version of the previous rule that checks content and file type and also permissions, ownership, link count and the access-control attributes:
CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs
The DATAONLY rule below detects any change to the data inside all matched files/directories:
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
Now that you have defined rules, you can specify the files and directories to watch. Each selection line names a path and the rule to apply to it.
The definition for the /root directory checks permissions for all files beneath it, so any change there is detected.
The definition for /etc uses the data rule, which helps you detect any change in the data inside all files/directories under /etc/.
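The selection lines themselves did not survive on this page, so here is an added example excerpt of /etc/aide.conf (not the page's or the AIDE project's own file) that combines the rule definitions above with selection lines for /root and /etc. The database paths follow the init/check commands on this page; the report location and the exclusion patterns are assumptions for illustration.

```conf
# /etc/aide.conf excerpt (example only, not the page's file)

# Database locations; the paths match the init/check commands on this page.
# With gzip_dbout=yes both databases are written gzip-compressed.
database_in=file:/var/lib/aide/aide.db.gz
database_out=file:/var/lib/aide/aide.db.new.gz
gzip_dbout=yes

# Where --check writes its report (assumed location; both targets receive it).
report_url=file:/var/log/aide/aide.log
report_url=stdout

# Rule definitions: which attributes are recorded at --init and compared at --check.
#   p=permissions  u=user  g=group  n=number of links  s=size
#   ftype=file type  sha256=content digest  acl/selinux/xattrs=extended attributes
PERMS      = p+u+g+acl+selinux+xattrs
CONTENT    = sha256+ftype
CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs
DATAONLY   = p+n+u+g+s+acl+selinux+xattrs+sha256

# Selection lines: a regular expression matched against the full path,
# followed by the rule to apply. A plain path matches everything beneath it.
/root  PERMS
/etc   DATAONLY

# '!' excludes paths. These change constantly and would swamp every report
# (assumed exclusions; adjust to your system).
!/etc/mtab
!/etc/.*~$
!/root/\.bash_history
```

A file that matches both a regular and a '!' line is excluded, so put the high-churn paths here rather than widening the rule on the whole directory.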
Use AIDE to check file and directory integrity in Linux. First, initialize the database:
sudo aide --init
Now rename the database to /var/lib/aide/aide.db.gz before proceeding.
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
I recommend that you move the database to a secure location.
Once the database is created, you can check the integrity of the files and directories:
sudo aide --check
It compares the snapshot in the database with the files/directories found on your system disk. If it finds changes that you might not expect, it generates a report which you can then review.