What Is AIDE?
AIDE (Advanced Intrusion Detection Environment) monitors files for unauthorized changes. It creates a database of file attributes (checksums, permissions, timestamps) and alerts you when files are modified.
Installation
sudo apt install -y aide

Configure Monitored Paths
Edit /etc/aide/aide.conf:
# Monitor critical system directories
/etc NORMAL
/bin NORMAL
/sbin NORMAL
/usr/bin NORMAL
/usr/sbin NORMAL
# Monitor web files
/var/www NORMAL
# Exclude frequently changing files
!/var/log
!/var/cache
!/tmp
!/proc
!/sys

Initialize Database
sudo aideinit
# This creates the initial baseline; it takes a few minutes
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Run a Check
sudo aide --check

The output lists every file that was added, removed, or modified since the baseline was created.
Automated Checks
# Run daily and email results
0 5 * * * /usr/bin/aide --check | mail -s "AIDE Report $(hostname)" admin@example.com

Update Database After Legitimate Changes
# After applying updates or deploying code
sudo aide --update
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

What to Monitor
- /etc: configuration files
- /bin, /sbin, /usr/bin: system binaries
- /var/www: web application files
- Cron directories
- SSH authorized_keys files
Limitations
- Cannot detect changes in real time (it only runs when a check is scheduled)
- The database itself needs protection: anyone who can rewrite the baseline can hide their changes from later checks
- Generates noise after system updates (update the baseline after patching)
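The cron job above mails a report even when nothing changed, and it trusts whatever baseline sits on disk. The following wrapper is an added example (not from the page or the AIDE project): it verifies /var/lib/aide/aide.db against a SHA-256 recorded earlier, decodes AIDE's exit status (bits 1, 2 and 4 for added, removed and changed entries; 14 and above for errors, per aide(1)), and only sends mail when there is something to report. The checksum file path and recipient address are placeholders.

```bash
#!/bin/sh
# Added example wrapper for the daily AIDE check (assumed paths, not from the page).
set -u

AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db}"
DB_SUM_FILE="${DB_SUM_FILE:-/root/aide.db.sha256}"   # placeholder: keep a copy off-box
REPORT_TO="${REPORT_TO:-admin@example.com}"

# Compare the database with a previously recorded SHA-256; 0 on match, 1 otherwise.
# Record it after each legitimate update:  sha256sum "$AIDE_DB" > "$DB_SUM_FILE"
verify_db() {
    db="$1"; sumfile="$2"
    [ -r "$db" ] && [ -r "$sumfile" ] || return 1
    expected=$(cut -d' ' -f1 "$sumfile")
    actual=$(sha256sum "$db" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Turn AIDE's exit status into a short summary for the mail subject.
describe_status() {
    rc="$1"; out=""
    [ "$rc" -eq 0 ] && { echo "no changes"; return 0; }
    [ "$rc" -ge 14 ] && { echo "aide error (exit $rc)"; return 0; }
    [ $((rc & 1)) -ne 0 ] && out="${out}added "
    [ $((rc & 2)) -ne 0 ] && out="${out}removed "
    [ $((rc & 4)) -ne 0 ] && out="${out}changed "
    echo "${out% }"
}

run_check() {
    if ! verify_db "$AIDE_DB" "$DB_SUM_FILE"; then
        # Do not run against a baseline that no longer matches the recorded hash.
        echo "AIDE baseline checksum mismatch on $(hostname); check not run" \
            | mail -s "AIDE BASELINE MISMATCH $(hostname)" "$REPORT_TO"
        return 2
    fi
    report=$(/usr/bin/aide --check 2>&1); rc=$?
    [ "$rc" -eq 0 ] && return 0          # clean run: stay quiet
    summary=$(describe_status "$rc")
    printf '%s\n' "$report" | mail -s "AIDE: $summary on $(hostname)" "$REPORT_TO"
    return "$rc"
}

# Only act when invoked as "aide-check.sh run", so the functions can be sourced.
case "${1:-}" in run) run_check ;; esac
```

Schedule it in place of the bare `aide --check` line, e.g. `0 5 * * * /usr/local/sbin/aide-check.sh run`, and re-record the checksum every time you refresh the baseline with `aide --update`.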