Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

4.11. Checking Integrity with AIDE

Advanced Intrusion Detection Environment (AIDE) is a utility that creates a database of files on the system, and then uses that database to ensure file integrity and detect system intrusions.

4.11.1. Installing AIDE

To install the aide package, enter the following command as root:
~]# yum install aide
To generate an initial database, enter the following command as root:
~]# aide --init

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

Note

In the default configuration, the aide --init command checks just a set of directories and files defined in the /etc/aide.conf file. To include additional directories or files in the AIDE database, and to change their watched parameters, edit /etc/aide.conf accordingly.
To start using the database, remove the .new substring from the initial database file name:
~]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To change the location of the AIDE database, edit the /etc/aide.conf file and modify the DBDIR value. For additional security, store the database, configuration, and the /usr/sbin/aide binary file in a secure location such as a read-only media.

Important

To avoid SELinux denials after the AIDE database location change, update your SELinux policy accordingly. See the SELinux User's and Administrator's Guide for more information.

4.11.2. Performing Integrity Checks

To initiate a manual check, enter the following command as root:
~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2017-03-30 14:12:56

Summary:
  Total number of files:	147173
  Added files:			1
  Removed files:		0
  Changed files:		2
...
At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. For example, to schedule a daily execution of AIDE at 4:05 am using cron (see the Automating System Tasks chapter in the System Administrator's Guide), add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check

4.11.3. Updating an AIDE Database

After the changes of your system such as package updates or configuration files adjustments are verified, update your baseline AIDE database:
~]# aide --update
The aide --update command creates the /var/lib/aide/aide.db.new.gz database file. To start using it for integrity checks, remove the .new substring from the file name.

4.11.4. Additional Resources

For additional information on AIDE, see the following documentation: