4.11. Checking Integrity with AIDE
Advanced Intrusion Detection Environment (AIDE) is a utility that creates a database of files on the system, and then uses that database to ensure file integrity and detect system intrusions.
4.11.1. Installing AIDE
To install the aide package, enter the following command as
yum install aide
To generate an initial database, enter the following command as
aide --initAIDE, version 0.15.1 ### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
In the default configuration, the
aide --initcommand checks just a set of directories and files defined in the
/etc/aide.conffile. To include additional directories or files in the AIDE database, and to change their watched parameters, edit
To start using the database, remove the
.newsubstring from the initial database file name:
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To change the location of the AIDE database, edit the
/etc/aide.conffile and modify the
DBDIRvalue. For additional security, store the database, configuration, and the
/usr/sbin/aidebinary file in a secure location such as a read-only media.
To avoid SELinux denials after the AIDE database location change, update your SELinux policy accordingly. See the SELinux User's and Administrator's Guide for more information.
4.11.2. Performing Integrity Checks
To initiate a manual check, enter the following command as
aide --checkAIDE 0.15.1 found differences between database and filesystem!! Start timestamp: 2017-03-30 14:12:56 Summary: Total number of files: 147173 Added files: 1 Removed files: 0 Changed files: 2 ...
At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. For example, to schedule a daily execution of AIDE at 4:05 am using
cron(see the Automating System Tasks chapter in the System Administrator's Guide), add the following line to
05 4 * * * root /usr/sbin/aide --check
4.11.3. Updating an AIDE Database
After the changes of your system such as package updates or configuration files adjustments are verified, update your baseline AIDE database:
aide --updatecommand creates the
/var/lib/aide/aide.db.new.gzdatabase file. To start using it for integrity checks, remove the
.newsubstring from the file name.
4.11.4. Additional Resources
For additional information on AIDE, see the following documentation: