Detecting File Changes with AIDE

The Advanced Intrusion Detection Environment (AIDE) is a program that takes a “fingerprint” of system files so that changes in those files can be detected. You can use it to detect a system intrusion, accidental file overwrites, and file corruption.

How Do I Do That?

To initialize the AIDE fingerprint database, execute it with the --init option:

# aide --init

AIDE, version 0.11

### AIDE database at /var/lib/aide/ initialized.

It will take several minutes to run. When it is finished, a fingerprint database will be saved as /var/lib/aide/ Rename it to /var/lib/aide/aide.db.gz to make it the active AIDE database:

# mv /var/lib/aide/ /var/lib/aide/aide.db.gz

Once the fingerprint database is configured, you can check for file changes using the --check argument:

# aide --check AIDE found differences between database and filesystem!! Start timestamp: 2006-06-01 12:50:01 Summary: Total number of files: 127172 Added files: 2 Removed files: 0 Changed files: 4 --------------------------------------------------- Added files: --------------------------------------------------- added:/root/.xauth0VekVw added:/root/.xauthcvqPrt --------------------------------------------------- Changed files: --------------------------------------------------- changed:/root changed:/root/.lesshst changed:/bin changed:/bin/date -------------------------------------------------- Detailed information about changes: --------------------------------------------------- ...

Get Fedora Linux now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.