Checking Integrity With AIDE

This page has been converted from the Fedora Project Wiki and cleaned up for publishing here on the Fedora Docs Portal, but it has not yet been reviewed for technical accuracy. This means any information on this page may be outdated or inaccurate. Reviews for technical accuracy are greatly appreciated. If you want to help, see the README file in the source repository for instructions.

Advanced Intrusion Detection Environment (AIDE) is a utility that creates a database of files on the system, and then uses that database to ensure file integrity and detect system intrusions.

Installing AIDE

  1. To install the aide package:

    $ sudo dnf install aide
  2. To generate an initial database:

    $ sudo aide --init
    Start timestamp: 2018-07-11 12:35:47 +0200 (AIDE 0.16)
    AIDE initialized database at /var/lib/aide/aide.db.new.gz
    
    Number of entries:	150666
    
    ---------------------------------------------------
    The attributes of the (uncompressed) database(s):
    ---------------------------------------------------
    
    /var/lib/aide/aide.db.new.gz
      MD5      : 0isjEPsCORFk7laoGGz8tQ==
      SHA1     : j0aPLakWChM+TAuxfVIpy9nqBOE=
      RMD160   : nYyyx0AGZj4e5rwcz77afasXFrw=
      TIGER    : IBVo5A2A4En1kM6zDjD/MnlkN4QWeSOw
      SHA256   : YveypaI9c5PJNvPSZf8YFfjCMWfGUA8q
                 vyqLpLJWY0E=
      SHA512   : TiUYmHYflS3A+j17qw5mW78Fn2yXLpCF
                 1LE1/RhiqqtMn1MjkKDrr+3TE+/vWfa4
                 7253cDhNmC6hoFndkS67Xw==
    
    
    End timestamp: 2018-07-11 12:37:35 +0200 (run time: 1m 48s)
    In the default configuration, the aide --init command checks just a set of directories and files defined in the /etc/aide.conf file. To include additional directories or files in the AIDE database, and to change their watched parameters, edit /etc/aide.conf accordingly.
  3. To start using the database, remove the .new substring from the initial database file name:

    $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  4. To change the location of the AIDE database, edit the /etc/aide.conf file and modify the DBDIR value. For additional security, store the database, configuration, and the /usr/sbin/aide binary file in a secure location such as a read-only media.

    To avoid SELinux denials after the AIDE database location change, update your SELinux policy accordingly. See the SELinux User’s and Administrator’s Guide for more information.

Performing Integrity Checks

To initiate a manual check:

$ sudo aide --check
Start timestamp: 2018-07-11 12:41:20 +0200 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	150667
  Added entries:		1
  Removed entries:		0
  Changed entries:		2

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /etc/cups/subscriptions.conf.O
...
[output truncated]

At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. For example, to schedule a daily execution of AIDE at 04:05 a.m. using the cron command, see the Automating System Tasks chapter in the System Administrator’s Guide.

Add the following line to the /etc/crontab file:

 05 4 * * * root /usr/sbin/aide --check

Updating an AIDE Database

After verifying the changes of your system such as, package updates or configuration files adjustments, update your baseline AIDE database:

$ sudo aide --update

The aide --update command creates the /var/lib/aide/aide.db.new.gz database file. To start using it for integrity checks, remove the .new substring from the file name.

Additional Resources