AIDE : Install (2025/07/21)
Install and configure Host Based IDS (Intrusion Detection System) [AIDE] (Advanced Intrusion Detection Environment).

[1] Install AIDE.
[root@dlp ~]# dnf -y install aide
[2] Configure AIDE and initialize the database. AIDE works with its default configuration, but if you'd like to customize the settings, edit the configuration file as follows.
[root@dlp ~]# vi /etc/aide.conf
# line 27 : description for setting rules
# These are the default rules.
#
#p:      permissions
#i:      inode:
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#acl:    Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#md5:    md5 checksum
#sha1:   sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum
.....
.....

# initialize database
[root@dlp ~]# aide --init
Start timestamp: 2025-07-21 10:10:30 +0900 (AIDE 0.18.6)
AIDE successfully initialized database.
New AIDE database written to /var/lib/aide/aide.db.new.gz
Number of entries:      61038

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : TQIJYDCOcQvXSaQImJlOxg==
  SHA1     : 3gUxL61QzBLpD3RdyEshBFhFasQ=
  SHA256   : 6ZObxUwITpQAWzBYTeSiVbrXLReKqv9n
             DSzV7zDfjgQ=
  SHA512   : Jj+kjYy72ShUfqg6q+4lg2mO3CGuZaFF
             uHX7hv2Q3Q5EpEwMjZIMwTxzMgo3iAZq
             9qv8nS4AEgezs/zrVtpEZA==
  RMD160   : jnIPuYZL9I64wNiZiz3EOApTUG4=

End timestamp: 2025-07-21 10:10:42 +0900 (run time: 0m 12s)

# copy generated DB to master DB
[root@dlp ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[3] Run a check.
[root@dlp ~]# aide --check
# if there are no mismatches, it displays [Looks okay]
Start timestamp: 2025-07-21 10:11:16 +0900 (AIDE 0.18.6)
AIDE found NO differences between database and filesystem. Looks okay!!

Number of entries:      61038

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.gz
  MD5      : TQIJYDCOcQvXSaQImJlOxg==
  SHA1     : 3gUxL61QzBLpD3RdyEshBFhFasQ=
  SHA256   : 6ZObxUwITpQAWzBYTeSiVbrXLReKqv9n
             DSzV7zDfjgQ=
  SHA512   : Jj+kjYy72ShUfqg6q+4lg2mO3CGuZaFF
             uHX7hv2Q3Q5EpEwMjZIMwTxzMgo3iAZq
             9qv8nS4AEgezs/zrVtpEZA==
  RMD160   : jnIPuYZL9I64wNiZiz3EOApTUG4=

End timestamp: 2025-07-21 10:11:56 +0900 (run time: 0m 40s)

# try to change a file and check again
[root@dlp ~]# chmod 640 /root/anaconda-ks.cfg
[root@dlp ~]# aide --check
# differences are detected as follows
Start timestamp: 2025-07-21 10:12:29 +0900 (AIDE 0.18.6)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      61038
  Added entries:                0
  Removed entries:              0
  Changed entries:              1

---------------------------------------------------
Changed entries:
---------------------------------------------------

f = p.. ...A.. : /root/anaconda-ks.cfg

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /root/anaconda-ks.cfg
  Perm     : -rw------- | -rw-r-----
  ACL      : A: user::rw- | A: user::rw-
             A: group::--- | A: group::r--
             A: other::--- | A: other::---
.....
.....
[4] If the detected differences are expected and not a problem, update the database as follows.
[root@dlp ~]# aide --update
Start timestamp: 2025-07-21 10:14:33 +0900 (AIDE 0.18.6)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:      61038
  Added entries:                0
  Removed entries:              0
  Changed entries:              1

---------------------------------------------------
Changed entries:
---------------------------------------------------

f = p.. ...A.. : /root/anaconda-ks.cfg

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /root/anaconda-ks.cfg
  Perm     : -rw------- | -rw-r-----
  ACL      : A: user::rw- | A: user::rw-
             A: group::--- | A: group::r--
             A: other::--- | A: other::---
.....
.....

# update database
[root@dlp ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[5] Add an entry in Cron if you'd like to run the check regularly. The log file [/var/log/aide/aide.log] is rewritten on every run, so if you'd like to keep the reports, write a shell script that saves them, or send the results by email or some other means.
# for example, add daily check in Crontab and send results via email
[root@dlp ~]# vi /etc/cron.d/aide
00 01 * * * root /usr/sbin/aide --update | mail -s 'Daily Check by AIDE' root
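The following script is an added example for steps [3] to [5]; it is not part of the original page and not shipped with AIDE. It wraps `aide --check` for Cron so that every report is kept as a timestamped file instead of being overwritten, mails only when AIDE reports differences, and refuses to run if the reference database /var/lib/aide/aide.db.gz no longer matches a SHA-256 hash recorded after the last trusted `aide --init` or `aide --update` (an attacker who can rewrite the database can hide changes from every later check). The report directory, the hash file and the script path are assumptions; the report format the parsers expect is the one shown in the output above.

```shell
#!/bin/sh
# Added example, not from the original page: a cron-friendly wrapper around
# `aide --check` that keeps a timestamped copy of every report, verifies the
# reference database against a hash recorded after the last trusted init/update,
# parses the report summary and mails only when differences were found.
# All paths except /var/lib/aide/aide.db.gz are assumptions for this example.

AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db.gz}"
DB_HASH_FILE="${DB_HASH_FILE:-/var/lib/aide/aide.db.gz.sha256}"   # assumed location
REPORT_DIR="${REPORT_DIR:-/var/log/aide/reports}"                  # assumed location
MAIL_TO="${MAIL_TO:-root}"

# Read an AIDE report on stdin and print "added removed changed" taken from its
# Summary block. Matching on fields ignores indentation; the bare section
# heading "Changed entries:" (two fields) is skipped, only "Changed entries: N"
# counts. A "Looks okay" report has no Summary block and yields "0 0 0".
aide_summary() {
    awk '
        $1 == "Added"   && $2 == "entries:"            { a = $NF }
        $1 == "Removed" && $2 == "entries:"            { r = $NF }
        $1 == "Changed" && $2 == "entries:" && NF == 3 { c = $NF }
        END { printf "%d %d %d\n", a + 0, r + 0, c + 0 }
    '
}

# Print the paths listed under "Changed entries:", one per line. Those lines
# look like "f = p.. ...A.. : /root/anaconda-ks.cfg": file type, size marker
# (=, < or >), changed-attribute flags, then " : " and the path.
aide_changed_paths() {
    awk -F' : ' '/^ *[a-zA-Z] [=<>] / { print $2 }'
}

# Record the hash of the reference DB right after a trusted `aide --init` or
# `aide --update` followed by the cp -p to aide.db.gz; verify it before checks.
record_db_hash() {
    sha256sum "$AIDE_DB" > "$DB_HASH_FILE"
}

verify_db_hash() {
    [ -f "$DB_HASH_FILE" ] || { echo "no recorded hash for $AIDE_DB" >&2; return 2; }
    sha256sum -c --quiet "$DB_HASH_FILE"
}

# Cron entry point. AIDE exits 0 when nothing changed; otherwise the low bits
# flag added (1), removed (2) and changed (4) entries, and higher values mean
# an error, so every non-zero status is worth a mail.
run_daily_check() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/aide-$(date +%Y%m%d-%H%M%S).log"

    if ! verify_db_hash; then
        echo "Reference database $AIDE_DB does not match the recorded hash; check not run." \
            | mail -s "AIDE database integrity failure on $(hostname)" "$MAIL_TO"
        return 2
    fi

    rc=0
    aide --check > "$report" 2>&1 || rc=$?
    [ "$rc" -eq 0 ] && return 0          # report kept on disk, nothing to mail

    set -- $(aide_summary < "$report")
    {
        echo "aide --check exit status $rc: added=$1 removed=$2 changed=$3"
        echo
        echo "Changed paths:"
        aide_changed_paths < "$report"
        echo
        echo "Full report: $report"
    } | mail -s "AIDE differences on $(hostname)" "$MAIL_TO"
    return "$rc"
}

# Constructed sample modelled on the page's output, used to exercise the parsers.
sample_report() {
    cat <<'EOF'
Start timestamp: 2025-07-21 10:12:29 +0900 (AIDE 0.18.6)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      61038
  Added entries:                0
  Removed entries:              0
  Changed entries:              1

---------------------------------------------------
Changed entries:
---------------------------------------------------

f = p.. ...A.. : /root/anaconda-ks.cfg

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /root/anaconda-ks.cfg
  Perm     : -rw------- | -rw-r-----
EOF
}

# Assumed install path; run from cron as:
# 00 01 * * * root /usr/local/sbin/aide-daily.sh --run
case "${1:-}" in
    --run) run_daily_check ;;
esac
```

Two points on the design. The crontab line above calls `aide --update`, which writes /var/lib/aide/aide.db.new.gz but leaves aide.db.gz untouched, so the same differences are mailed every night until someone reviews them and copies the new database into place, as in step [4]; the wrapper runs `--check` instead, and `record_db_hash` is meant to be run by hand right after that copy so the next check accepts the new reference. Keeping the reports in a directory that the checked policy itself covers, or shipping them off the host, is what makes them useful after an incident, since a local attacker with root can otherwise edit both the database and the logs.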