aide
Verify file system integrity
TLDR
Initialize the database (written to database_out, not over the live database):
aide --init
Check the current filesystem against the database:
aide --check
Compare two databases (database_in and database_new, as set in the config file):
aide --compare
Check and write an updated database in one non-interactive pass:
aide --update
Use a config file other than the default /etc/aide.conf:
aide --config FILE --check
Limit the check to paths matching a regular expression:
aide --limit REGEX --check
Send the report to a URL (e.g. file:/var/log/aide.log or syslog:LOG_AUTH):
aide --report URL --check
SYNOPSIS
aide [options] [ACTION]
PARAMETERS
-c FILE, --config=FILE
Read the configuration from FILE instead of /etc/aide.conf
-B PARAM, --before=PARAM
Parse the configuration line PARAM (e.g. 'database_out=file:/tmp/aide.db.new.gz') before the config file is read
-A PARAM, --after=PARAM
Parse the configuration line PARAM after the config file, overriding what it set
-l REGEX, --limit=REGEX
Restrict the command to filesystem and database entries whose path matches REGEX
-L LEVEL, --log-level=LEVEL
Set log verbosity (e.g. warning, notice, info, debug); replaces the -V/--verbose flag of releases before 0.17
-r URL, --report=URL
Send the report to URL (stdout, stderr, file:/path or syslog:LOG_FACILITY), in addition to any report_url lines in the config
-w N, --workers=N
Number of threads used for hashing (0.18 and later)
-i, --init
Create a new database from the current filesystem and write it to database_out
-n, --dry-init
Like --init but without writing the database; useful when testing rules
-C, --check
Compare the current filesystem with database_in and report the differences
-u, --update
Check and, in the same pass, write a new database to database_out
-E, --compare
Compare database_in with database_new, both taken from the config file
-D, --config-check
Parse the configuration file and report syntax errors without touching the database
-p TYPE:PATH, --path-check=TYPE:PATH
Show which rules match PATH of file type TYPE (f, d, l, ...) without scanning anything
-v, --version
Print the version and the compile-time options
-h, --help
Show usage
DESCRIPTION
AIDE (Advanced Intrusion Detection Environment) is a powerful host-based intrusion detection system designed to monitor file and filesystem integrity on Unix-like systems.
It works by creating a comprehensive database that snapshots attributes of specified files and directories, including permissions, inode, user/group ownership, file size, content digests (e.g., MD5, SHA-1, SHA-256), and timestamps. During subsequent checks, AIDE compares the current state against this database to detect unauthorized changes, such as those caused by malware, rootkits, or misconfigurations.
Key features include a rule language in the configuration file (typically /etc/aide.conf) that selects paths by regular expression and chooses the attributes to record for each, support for several hash algorithms, reports to stdout, a file or syslog (mail is normally handled by the distribution's cron wrapper), and the commands --init (create a database), --check (verify against it), --update (verify and write a new database) and --compare (diff two databases).
AIDE is lightweight and well suited to scheduled runs from cron or a systemd timer. It is particularly useful in security auditing, compliance (e.g. the file-integrity monitoring PCI-DSS asks for) and forensic analysis, though the rules need careful tuning so that legitimate updates do not bury real changes in false positives.
CAVEATS
Requires root privileges for full filesystem access. The database must be created (--init) on a known-good system, ideally right after installation, and then protected: an attacker with root can edit aide.db, aide.conf or the aide binary itself, so keep copies on read-only or offline media and compare their hashes before trusting a run. Rules that include volatile files (logs, caches, package-manager state) produce false positives. Databases can grow large on big filesystems. AIDE is not real-time monitoring; run it from cron or a systemd timer. MD5 and SHA-1 are collision-prone, so select sha256 or sha512 in the rule groups. --update writes the new database to database_out only; it has to be promoted to database_in by hand after the report has been reviewed, otherwise no change is ever accepted, and if it is promoted blindly every change is.
CONFIGURATION RULES
Rule groups name the attributes to record, e.g. Binlib = p+i+n+u+g+s+m+c+sha256 (permissions, inode, link count, owner, group, size, mtime, ctime, SHA-256 digest). Selection lines pair a regular expression anchored at the start of the path with a group: "/etc Binlib" records the whole /etc tree, "=/tmp p+u+g" records the directory itself but not its contents, and "!/var/log/journal" excludes a subtree (there is no command-line exclude option; exclusions live in the config). See aide.conf(5) for the full syntax; the distribution's default config covers /bin, /sbin, /etc and the like.
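A complete minimal configuration in the syntax above, as an added example that is not the AIDE project's own aide.conf. It is wrapped in a shell function so it can be generated into a scratch directory and checked with --config-check; the directory layout, the group names, the AIDE_CONF_DIR override and the list of volatile paths are assumptions for illustration and should be adapted to the host.

```shell
#!/bin/sh
# Added example (not AIDE project code): generate a minimal tuned aide.conf
# into DIR and validate it with AIDE's own parser.  Syntax per aide.conf(5),
# 0.17+ option names (database_in); paths and group names are assumptions.
set -eu

# write_aide_conf DIR -- writes DIR/aide.conf with the database kept under DIR
write_aide_conf() {
    dir=$1
    cat > "$dir/aide.conf" <<EOF
# Database locations (0.17+; older releases spell the input 'database=')
database_in=file:$dir/aide.db.gz
database_out=file:$dir/aide.db.new.gz
database_new=file:$dir/aide.db.new.gz
gzip_dbout=yes

# Reports; report_url may be given more than once
report_url=stdout
report_url=file:$dir/aide.log

# Rule groups: p perms, i inode, n link count, u owner, g group, s size,
# b blocks, m mtime, c ctime, S size may only grow, sha256/sha512 digests
Binlib    = p+i+n+u+g+s+b+m+c+sha256+sha512
ConfFiles = p+i+n+u+g+s+m+c+sha256
Logs      = p+u+g+n+S
DirOnly   = p+u+g

# Selection lines: a regex anchored at the start of the path plus a group.
# '!' excludes the matching subtree; '=' matches the directory itself only.
/bin        Binlib
/sbin       Binlib
/usr/bin    Binlib
/usr/sbin   Binlib
/usr/lib    Binlib
/etc        ConfFiles
# Files under /etc that change on their own and would only create noise
!/etc/mtab
!/etc/resolv.conf
!/etc/adjtime
/var/log    Logs
!/var/log/journal
!/var/log/lastlog
!/var/log/wtmp
=/tmp       DirOnly
=/var/tmp   DirOnly
# Pseudo and volatile filesystems
!/proc
!/sys
!/dev
!/run
EOF
}

# count_selection_lines DIR -- number of selection lines (/, !/ or =/ prefix)
count_selection_lines() {
    grep -c -E '^[=!]?/' "$1/aide.conf"
}

# validate_aide_conf DIR -- run aide --config-check when aide is installed;
# a syntax error makes aide exit 17 (invalid configuration line)
validate_aide_conf() {
    if command -v aide >/dev/null 2>&1; then
        aide --config "$1/aide.conf" --config-check
    else
        echo "aide not installed; --config-check skipped" >&2
    fi
}

workdir=${AIDE_CONF_DIR:-$(mktemp -d)}    # AIDE_CONF_DIR: assumed override
write_aide_conf "$workdir"
validate_aide_conf "$workdir"
echo "wrote $workdir/aide.conf with $(count_selection_lines "$workdir") selection lines"
```

Once the file parses, build the baseline with aide --config "$workdir/aide.conf" --init, review what was recorded, and copy aide.db.new.gz to aide.db.gz. While tuning, aide --config ... --limit '^/etc/' --check runs only the /etc rules, which makes it cheap to see which volatile files still need a ! line.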
DATABASE FILES
Typically /var/lib/aide/aide.db.gz (the trusted input, database_in) and /var/lib/aide/aide.db.new.gz (what --init and --update write, database_out); Debian uses uncompressed aide.db and aide.db.new. Run aide --init once, review the result and move aide.db.new.gz over aide.db.gz, then schedule aide --check from cron; after each reviewed --update, promote the new database the same way.
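The scheduled workflow in practice, as an added example rather than a script shipped with AIDE: a cron-driven wrapper that runs --update, files the report, decodes the exit status documented in aide(1) (0 clean; 1, 2 and 4 are OR'ed flags for added, removed and changed entries; 14 to 19 are errors) and leaves promotion of the new database to a human. The paths, the AIDE_RUN switch and the logger tag are assumptions.

```shell
#!/bin/sh
# Added example (not a script shipped with AIDE): cron wrapper that runs the
# check, files the report, decodes the exit status from aide(1) and leaves
# promotion of the new database to a human.  Paths follow the RHEL layout;
# AIDE_RUN, the variables below and the logger tag are assumptions.

DB=${AIDE_DB:-/var/lib/aide/aide.db.gz}
DB_NEW=${AIDE_DB_NEW:-/var/lib/aide/aide.db.new.gz}
REPORT_DIR=${AIDE_REPORT_DIR:-/var/log/aide}

# describe_aide_exit CODE -- meaning of an AIDE exit status.  0 is clean;
# 1 (added), 2 (removed) and 4 (changed) are OR'ed together, so 7 means all
# three kinds of difference were found; 14-19 are fatal errors.
describe_aide_exit() {
    code=$1
    if [ "$code" -eq 0 ]; then
        echo "no changes detected"
        return 0
    fi
    if [ "$code" -ge 14 ]; then
        case "$code" in
            14) echo "error writing report" ;;
            15) echo "invalid argument" ;;
            16) echo "unimplemented function" ;;
            17) echo "invalid configuration line" ;;
            18) echo "I/O error" ;;
            19) echo "database version mismatch" ;;
            *)  echo "unknown error ($code)" ;;
        esac
        return 0
    fi
    msg="changes detected:"
    if [ $((code & 1)) -ne 0 ]; then msg="$msg added"; fi
    if [ $((code & 2)) -ne 0 ]; then msg="$msg removed"; fi
    if [ $((code & 4)) -ne 0 ]; then msg="$msg changed"; fi
    echo "$msg"
}

# aide_exit_is_error CODE -- true for the fatal range, false for 0-7
aide_exit_is_error() {
    [ "$1" -ge 14 ]
}

# run_check -- one scheduled run.  --update is --check plus writing
# database_out; the trusted database_in is never overwritten here, because
# doing that blindly would bake an intruder's changes into the baseline.
run_check() {
    ts=$(date +%Y%m%d-%H%M%S)
    report="$REPORT_DIR/aide-$ts.log"
    mkdir -p "$REPORT_DIR"
    aide --update --report "file:$report"
    rc=$?
    logger -t aide-check "exit $rc: $(describe_aide_exit "$rc")"
    if aide_exit_is_error "$rc"; then
        echo "aide failed ($rc): $(describe_aide_exit "$rc")" >&2
        return "$rc"
    fi
    if [ "$rc" -ne 0 ]; then
        echo "differences found; review $report and, if they are all expected," >&2
        echo "promote the new baseline with: mv $DB_NEW $DB" >&2
    fi
    return 0
}

# Only touch the system when explicitly asked (run as root from cron):
#   AIDE_RUN=1 sh aide-check.sh
if [ "${AIDE_RUN:-0}" = 1 ]; then
    run_check
fi
```

A crontab line such as "0 4 * * * root AIDE_RUN=1 /usr/local/sbin/aide-check.sh" runs it nightly; the syslog line written by logger gives a SIEM a single field to alert on, while the full report stays on disk for review. Keeping the mv step manual is the point: the database is only as trustworthy as the last human who approved it.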
HISTORY
AIDE was started in 1999 by Rami Lehti and Pablo Virolainen as a free replacement for Tripwire, whose original version had become a commercial product. It was long hosted on SourceForge and is now maintained on GitHub (github.com/aide/aide). Version numbers have stayed below 1.0: the 0.16 release (2016) was followed by 0.17 (2021), which replaced --verbose with --log-level and renamed database= to database_in=, and by the 0.18 series (current as of 2023), which added multi-threaded hashing (--workers). AIDE is packaged by the major Linux distributions and is widely used on RHEL/CentOS systems, where it is the usual answer to file-integrity hardening requirements.
SEE ALSO
tripwire(8), rkhunter(1), chkrootkit(8), debsums(1)


