AIDE (Advanced Intrusion Detection Environment) is an host based intrusion detection system written for Linux systems.
yum install aide
Edit the config file at
/etc/aide.conf if necessary. One important thing to
add would be the location of the DocumentRoot for webservers. On CentOS +
Apache2 this defaults to /var/www/html, and is exempt from the AIDE database
by the default config as it is a child of /var which is considered too
Run the prelink program before creating to initial database to prevent a flood
of false positives:
Create the initial database
aide --init AIDE, version 0.13.1 ### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
Rename and move the ‘new’ database to the database name aide is configured to use (default: aide.db.gz).
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Run a test scan
aide --check AIDE, version 0.13.1 ### All files match AIDE database. Looks okay!
Next, create a cron.daily job to run an AIDE check and email the results
#!/bin/bash /usr/sbin/aide --check | /bin/mail -s "`hostname` AIDE Report" email@example.com
Don’t forget to +x it.
Ideally, the AIDE database, binaries, and configs should be moved to read-only media (ie. cdrom). The config and cron job will need to be modified to work with the new locations. Once a new package is installed or files are changed, the AIDE database will need to be updated else the new files will show up in the report. Even if the changed/added files are known, it’s a bad idea to use an outdated database, as it could be just those files which become compromised. This is especially true of webservers where updates to code could indicate a compromise
Updating the database
Prior to updating the database, remember to run
prelink -a if any packages
have been installed
To update the db run
aide --update. This will create a new aide.db.new.gz,
which will need to be renamed/moved to reflect the database location in the
More info is available at the AIDE manual