Detecting File Changes with AIDE

The Advanced Intrusion Detection Environment (AIDE) is a program that takes a âfingerprintâ of system files so that changes in those files can be detected. You can use it to detect a system intrusion, accidental file overwrites, and file corruption.

How Do I Do That?

To initialize the AIDE fingerprint database, execute it with the --init option:

# aide --init

AIDE, version 0.11

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

It will take several minutes to run. When it is finished, a fingerprint database will be saved as /var/lib/aide/aide.db.new.gz. Rename it to /var/lib/aide/aide.db.gz to make it the active AIDE database:

# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Once the fingerprint database is configured, you can check for file changes using the --check argument:

# aide --check AIDE found differences between database and filesystem!! Start timestamp: 2006-06-01 12:50:01 Summary: Total number of files: 127172 Added files: 2 Removed files: 0 Changed files: 4 --------------------------------------------------- Added files: --------------------------------------------------- added:/root/.xauth0VekVw added:/root/.xauthcvqPrt --------------------------------------------------- Changed files: --------------------------------------------------- changed:/root changed:/root/.lesshst changed:/bin changed:/bin/date -------------------------------------------------- Detailed information about changes: --------------------------------------------------- ...

Get Fedora Linux now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Fedora Linux by Chris Tyler

Detecting File Changes with AIDE

How Do I Do That?

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly