aide
Verify file system integrity
TLDR
Initialize the database
Check the database for inconsistencies
Compare two databases according to definitions in the config file
Check and update the database non-interactively
Define a config file to override the default ./aide.conf
Use regex to limit AIDE to a specific string
Send report output to a URL
SYNOPSIS
aide [-C] [-c config_file] [-D debug_level] [-h] [-i] [-r report_file] [-s] [-u] [-V] [-v] [--before-init=file] [--after-check=file] [--limit-cpu=limit] [--url=url]
PARAMETERS
-c config_file, --config=config_file
Specifies the path to the configuration file. By default, AIDE looks for /etc/aide/aide.conf or /etc/aide.conf.
-C, --check
Checks the integrity of files against the database. This is the default action if no command-line option is specified.
-i, --init
Initializes the AIDE database. This creates a baseline snapshot of your system's files and their attributes. It should be run on a clean, trusted system.
-u, --update
Updates the AIDE database. This mode is used after legitimate system changes (e.g., software updates) to create a new database that incorporates these changes, effectively creating a new baseline.
-h, --help
Displays a brief help message with available options.
-V, --version
Shows the AIDE version information and compilation options.
-v, --verbose
Increases the verbosity of the output. Can be specified multiple times for more detailed messages.
-D debug_level, --debug=debug_level
Sets the debug level for troubleshooting. Higher numbers provide more detailed debug information.
-r report_file, --report=report_file
Writes the integrity check report to the specified file instead of standard output.
-s, --strict
Enables strict checking of the configuration file, exiting if any warnings are encountered.
--limit-cpu=limit
Limits the CPU usage percentage AIDE can consume during its operation.
--before-init=file
Executes the specified script or command before the database initialization (aide -i) begins.
--after-check=file
Executes the specified script or command after the integrity check (aide -C) completes.
--url=url
Allows specifying a configuration file via a URL (e.g., file://, http://), useful for remote configuration management.
DESCRIPTION
AIDE (Advanced Intrusion Detection Environment) is a powerful and versatile file and directory integrity checker for Unix-like operating systems. It is primarily used as a proactive security measure to detect unauthorized modifications to system files and binaries, which could indicate a compromise, malware infection, or accidental changes.
AIDE works by creating a cryptographic hash database (a "snapshot") of selected files and directories on the system. This database stores various attributes like checksums (MD5, SHA256, etc.), file permissions, ownership, inode number, and modification times. Once the baseline database is established, subsequent runs of AIDE compare the current state of the files against this stored baseline. Any discrepancies – new files, deleted files, or modified attributes – are reported, alerting administrators to potential security incidents. Its flexibility lies in its highly configurable rules, allowing users to specify exactly which files to monitor and what attributes to track, making it an essential tool for maintaining system integrity and compliance.
CAVEATS
AIDE is a powerful tool, but its effectiveness relies on several factors:
Baseline Integrity: The initial database must be created on a system that is known to be clean and uncompromised. If the baseline is infected, AIDE will fail to detect existing threats.
Database Security: The AIDE database file is critical. It should be stored on read-only media, on a separate secure system, or at least in a location not easily accessible or modifiable by an attacker.
False Positives: Legitimate system changes (e.g., software updates, log file rotations, temporary file creations) can trigger alerts. Proper configuration of rules to ignore expected changes is crucial to minimize noise.
Performance Overhead: On very large file systems, especially with deep directory structures and many files, AIDE scans can be resource-intensive and time-consuming. Careful configuration of what to monitor can mitigate this.
Detection Scope: AIDE detects changes to files. It cannot detect zero-day exploits that don't modify files or sophisticated rootkits that operate solely in memory and actively hide their presence from the filesystem. It should be part of a layered security strategy.
CONFIGURATION FILE (aide.conf)
The behavior of AIDE is entirely controlled by its configuration file, typically located at /etc/aide/aide.conf or /etc/aide.conf. This file defines:
Databases: Paths to the input and output database files.
Rules: Which files and directories to monitor, and which attributes (e.g., permissions, inode, number of links, user, group, size, mtime, atime, ctime, checksums) to check for each.
Exclusions: Paths to ignore (e.g., temporary files, log files that change frequently).
The file uses a simple syntax with rules specified using regular expressions and predefined attribute sets (e.g., R for regular file attributes, P for permissions, L for links, E for entire file, MD5, SHA256 for checksums). Proper configuration is crucial for effective monitoring and minimizing false positives.
MODES OF OPERATION
AIDE primarily operates in three distinct modes:
Initialize (aide -i): Creates the initial integrity database. This is a crucial step and should be performed only after ensuring the system is in a known good state.
Check (aide -C): Compares the current state of files against the stored database, reporting any discrepancies. This is the primary mode for detecting unauthorized changes.
Update (aide -u): Generates a new database based on the current system state, but only after performing a check against the old database. It's typically used after legitimate system modifications (e.g., OS updates) to establish a new baseline, ensuring that only expected changes are incorporated into the new database.
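The configuration syntax from the previous section and the init/check/update cycle above, as an added shell example that is not part of the aide project or this page: the database paths, the group names Binlib, Logs and OnlyDir, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the aide project: write a minimal aide.conf
# and wrap the init -> check -> update cycle. Paths, the group names
# (Binlib, Logs, OnlyDir) and the function names are assumptions.
set -eu

# Write a config with database locations, attribute groups, selection rules
# and exclusions. $1 = config path, $2 = database directory.
write_aide_conf() {
    cat > "$1" <<EOF
# Databases: the trusted baseline read by --check, and the file written by
# --init / --update (promoted to the baseline only after review)
database_in=file:$2/aide.db
database_out=file:$2/aide.db.new

# Attribute groups: p=permissions i=inode n=links u=user g=group s=size
# m=mtime c=ctime, plus a checksum
Binlib = p+i+n+u+g+s+m+c+sha256
Logs = p+u+g+i+n
OnlyDir = p+u+g

# Selection rules are regular expressions; a leading ! excludes a path,
# a leading = matches the directory itself without descending into it
/bin Binlib
/sbin Binlib
/etc Binlib
/var/log Logs
!/var/log/journal
=/home OnlyDir
!/tmp
EOF
}

# Build the baseline on a known-good system and make it the live database.
aide_init() {          # $1 = config, $2 = database directory
    aide --init --config="$1"
    mv "$2/aide.db.new" "$2/aide.db"
}

# Compare the current state with the baseline; a non-zero status means
# differences (or an error) were found and the report is in $2.
aide_check() {         # $1 = config, $2 = report file
    aide --check --config="$1" --report="file:$2"
}

# After legitimate changes: --update also performs a check, so it returns
# non-zero when the report lists changes. Promotion of aide.db.new is a
# separate, manual step so that only reviewed changes enter the baseline.
aide_update() {        # $1 = config, $2 = report file
    aide --update --config="$1" --report="file:$2" || echo "review $2 before promoting aide.db.new"
}
```

With aide installed, `write_aide_conf /etc/aide/aide.conf /var/lib/aide` followed by `aide_init` builds the baseline; the report written by `aide_check` is what a later `aide_update` should be judged against.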
HISTORY
AIDE was designed as a free, open-source alternative to proprietary file integrity monitoring tools like Tripwire. Development began in the late 1990s, with its initial public release occurring around 1999. It quickly gained popularity due to its flexibility, comprehensive features, and open-source nature, allowing for community contributions and audits. Over the years, it has undergone continuous development, adding support for more hashing algorithms (like SHA256, SHA512), improved configuration options, and better performance, making it a robust and widely adopted tool for system integrity monitoring in various Linux and Unix-like environments. Its design emphasizes security through cryptographic integrity checks and a highly configurable rule-based system.
SEE ALSO
chkrootkit(8), rkhunter(8), tripwire(8), md5sum(1), sha256sum(1), openssl(1)