Detecting File Changes with AIDE
The Advanced Intrusion Detection Environment (AIDE) is a program that takes a “fingerprint” of system files (cryptographic hashes plus metadata such as permissions, ownership, size, and timestamps) and stores it in a database so that later changes to those files can be detected. You can use it to detect a system intrusion, accidental file overwrites, and file corruption.
How Do I Do That?
To initialize the AIDE fingerprint database, execute it with the --init option:
# aide --init
AIDE, version 0.11
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
It will take several minutes to run. When it is finished, a fingerprint database will be saved as /var/lib/aide/aide.db.new.gz. Rename it to /var/lib/aide/aide.db.gz to make it the active AIDE database (and keep a copy on read-only media, since an intruder who gains root can otherwise regenerate the database to hide the changes):
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Once the fingerprint database is configured, you can check for file changes using the --check argument:
# aide --check
AIDE found differences between database and filesystem!!
Start timestamp: 2006-06-01 12:50:01

Summary:
  Total number of files:  127172
  Added files:            2
  Removed files:          0
  Changed files:          4

---------------------------------------------------
Added files:
---------------------------------------------------

added:/root/.xauth0VekVw
added:/root/.xauthcvqPrt

---------------------------------------------------
Changed files:
---------------------------------------------------

changed:/root
changed:/root/.lesshst
changed:/bin
changed:/bin/date

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
...
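The baseline-then-compare cycle that the --init and --check steps above carry out can be illustrated with a small POSIX shell script. This is an added example and not code from the book or from the AIDE project: it records a sha256 hash plus mode, owner, group, size and mtime for every regular file under a directory, then classifies differences as added, removed or changed the way AIDE's report does. It assumes GNU or BusyBox coreutils (sha256sum, stat -c) and that paths contain no tab or newline characters; unlike AIDE it does not fingerprint directories, symlinks or device nodes.

```shell
#!/bin/sh
# Minimal AIDE-style file fingerprinting (added example, not AIDE itself).
# Database format: one tab-separated line per regular file:
#   path <TAB> sha256 <TAB> mode uid gid size mtime
# Assumes sha256sum and GNU/BusyBox "stat -c"; paths must not contain tabs/newlines.

# fp_init DIR DBFILE : write a fresh baseline of every regular file under DIR
fp_init() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%a %u %g %s %Y' "$f")
        printf '%s\t%s\t%s\n' "$f" "$sum" "$meta"
    done > "$2"
}

# fp_check DIR DBFILE : rebuild the fingerprint and compare it with the baseline.
# Prints added:/removed:/changed: lines (like AIDE's report).
# Returns 0 when nothing differs, 1 when any difference was found.
fp_check() {
    cur=$(mktemp) || return 2
    fp_init "$1" "$cur"
    awk -F'\t' '
        NR == FNR { base[$1] = $0; next }        # first file: the baseline
        {
            seen[$1] = 1
            if (!($1 in base))      { print "added:" $1;   diff = 1 }
            else if (base[$1] != $0) { print "changed:" $1; diff = 1 }
        }
        END {
            for (p in base) if (!(p in seen)) { print "removed:" p; diff = 1 }
            exit diff ? 1 : 0
        }' "$2" "$cur"
    rc=$?
    rm -f "$cur"
    return $rc
}

# Command-line usage (mirrors "aide --init" / "aide --check"):
#   ./fp.sh init  /etc /var/lib/fp/etc.db
#   ./fp.sh check /etc /var/lib/fp/etc.db
case "${1-}" in
    init)  fp_init  "$2" "$3" ;;
    check) fp_check "$2" "$3" ;;
esac
```

As with AIDE, the baseline file is only trustworthy if an attacker cannot rewrite it: store it somewhere root on the monitored host cannot silently replace, and regenerate it deliberately after legitimate package updates rather than letting it drift.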