AIDE Cheat Sheet
Overview
AIDE (Advanced Intrusion Detection Environment) is an open-source host-based intrusion detection system that monitors filesystem integrity by comparing the current state of files against a known-good baseline database. It checks file properties including permissions, ownership, size, modification time, and cryptographic hashes (MD5, SHA-256, SHA-512, WHIRLPOOL) to detect unauthorized changes, trojaned binaries, rootkit modifications, and configuration drift. AIDE is widely used in PCI DSS, HIPAA, and SOX compliance environments where file integrity monitoring is a mandatory control.
AIDE operates by first initializing a baseline database of the filesystem, then periodically checking the current state against that baseline. Any additions, deletions, or modifications are flagged and reported. Unlike real-time monitoring tools, AIDE performs scheduled checks (typically via cron), making it lightweight and suitable for production servers. It supports regex-based inclusion and exclusion rules, custom rule groups, and detailed reporting. AIDE is the recommended replacement for Tripwire in many enterprise Linux environments due to its active development and flexible configuration.
Installation
Red Hat / CentOS / Fedora
sudo dnf install aide
# Initialize the database
sudo aide --init
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Ubuntu / Debian
sudo apt update
sudo apt install aide aide-common
# Initialize the database (Debian uses aideinit wrapper)
sudo aideinit
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
From Source
wget https://github.com/aide/aide/releases/download/v0.18.8/aide-0.18.8.tar.gz
tar xzf aide-0.18.8.tar.gz
cd aide-0.18.8
./configure --with-mhash --with-posix-acl --with-selinux \
--with-xattr --with-e2fsattrs --with-zlib
make
sudo make install
Core Commands
| Command | Description |
|---|---|
| aide --init | Create initial baseline database |
| aide --check | Compare current filesystem against baseline |
| aide --update | Check and create new database simultaneously |
| aide --compare | Compare two databases |
| aide --config-check | Validate configuration syntax |
| aide --version | Display version information |
# Initialize baseline database
sudo aide --init --config=/etc/aide/aide.conf
# Move new database to active position
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# Run integrity check
sudo aide --check --config=/etc/aide/aide.conf
# Update baseline (check + generate new baseline)
sudo aide --update --config=/etc/aide/aide.conf
# Validate configuration
sudo aide --config-check --config=/etc/aide/aide.conf
# Verbose output
sudo aide --check --verbose=255
# Check specific file
sudo aide --check --limit=/etc/passwd
Configuration
Main Configuration File
# /etc/aide/aide.conf
# Database locations
database_in=file:/var/lib/aide/aide.db.gz
database_out=file:/var/lib/aide/aide.db.new.gz
database_new=file:/var/lib/aide/aide.db.new.gz
# Gzip compression
gzip_dbout=yes
# Report settings
report_url=file:/var/log/aide/aide.log
report_url=stdout
report_level=changed_attributes
# Hash algorithms
HASH = sha256+sha512
# Custom rule groups
NORMAL = R+sha256+sha512
DIR = p+i+n+u+g+acl+selinux+xattrs
PERMS = p+u+g+acl+selinux+xattrs
LOG = p+u+g+n+acl+selinux+ftype
CONTENT = sha256+sha512+ftype
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256+sha512
# Predefined groups
# R = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
# L = p+i+n+u+g
# > = Growing log file: p+u+g+i+n+S+acl+selinux+xattrs
Monitored Paths
# System binaries
/bin NORMAL
/sbin NORMAL
/usr/bin NORMAL
/usr/sbin NORMAL
/usr/local/bin NORMAL
/usr/local/sbin NORMAL
# Libraries
/lib NORMAL
/lib64 NORMAL
/usr/lib NORMAL
# Configuration files
/etc NORMAL
/etc/hosts$ CONTENT
/etc/passwd$ CONTENT
/etc/shadow$ CONTENT
/etc/group$ CONTENT
/etc/gshadow$ CONTENT
/etc/sudoers$ CONTENT
# Boot files
/boot NORMAL
# Kernel modules
/usr/lib/modules NORMAL
# Exclusions (directories to skip)
!/var/log
!/var/spool
!/var/cache
!/var/tmp
!/tmp
!/run
!/proc
!/sys
!/dev
!/var/lib/aide
!/var/lib/rpm
!/var/lib/dpkg
!/var/lib/dnf
Advanced Rule Definitions
# Custom attributes
# p = permissions
# i = inode number
# n = number of hard links
# u = user ownership
# g = group ownership
# s = file size
# m = modification time
# c = change time (ctime)
# S = check for growing size
# acl = POSIX ACLs
# selinux = SELinux context
# xattrs = extended attributes
# sha256 = SHA-256 hash
# sha512 = SHA-512 hash
# md5 = MD5 hash (deprecated, use for compatibility)
# ftype = file type
# Monitor SSH configuration strictly
/etc/ssh/sshd_config$ CONTENT+PERMS
/etc/ssh/ssh_config$ CONTENT+PERMS
/etc/ssh/ssh_host_.*_key$ PERMS
/etc/ssh/ssh_host_.*_key.pub$ CONTENT+PERMS
# Monitor cron strictly
/etc/crontab$ CONTENT+PERMS
/etc/cron.d DIR+CONTENT
/etc/cron.daily DIR+CONTENT
/etc/cron.hourly DIR+CONTENT
/etc/cron.weekly DIR+CONTENT
/etc/cron.monthly DIR+CONTENT
# Growing log files (only check they don't shrink)
/var/log/auth.log$ LOG+>
/var/log/syslog$ LOG+>
/var/log/secure$ LOG+>
Advanced Usage
Automated Monitoring with Cron
# /etc/cron.d/aide-check
# Run daily integrity check at 4 AM
0 4 * * * root /usr/bin/aide --check --config=/etc/aide/aide.conf 2>&1 | mail -s "AIDE Report - $(hostname)" security@example.com
# Weekly database update (after reviewing changes). AIDE exits with 1-7 whenever
# it finds differences, so "&& mv" would only rotate the baseline on an unchanged
# system; rotate unless the run itself failed (exit status above 7).
0 5 * * 0 root /usr/bin/aide --update --config=/etc/aide/aide.conf; [ $? -le 7 ] && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Integration with Syslog
# Send AIDE alerts to syslog
cat > /usr/local/bin/aide-check.sh << 'SCRIPT'
#!/bin/bash
REPORT=$(/usr/bin/aide --check --config=/etc/aide/aide.conf 2>&1)
EXIT_CODE=$?
# Non-zero means differences were found (1-7) or AIDE itself failed (above 7)
if [ "$EXIT_CODE" -ne 0 ]; then
    echo "$REPORT" | logger -t aide -p auth.warning
    echo "$REPORT" | mail -s "AIDE Alert: Changes Detected on $(hostname)" security@example.com
else
    logger -t aide -p auth.info "AIDE check passed: no changes detected"
fi
SCRIPT
chmod +x /usr/local/bin/aide-check.sh
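An added wrapper (example code, not AIDE's own and not from the original sheet) that builds on the script above and on the weekly cron rotation: it decodes AIDE's exit status bits (1 = new, 2 = removed, 4 = changed entries; anything above 7 is a runtime error), picks a syslog priority from that, and rotates the baseline only after a run that did not fail, keeping a dated backup. The paths, the security@example.com address and the function names are assumptions.

```shell
#!/bin/sh
# Example wrapper, not part of AIDE: decode the exit status, log with a
# matching priority, and never let a failed run replace a good baseline.

# Turn an AIDE exit status into a short summary such as "new,changed".
aide_decode_status() {
    code=$1
    if [ "$code" -eq 0 ]; then echo "clean"; return 0; fi
    if [ "$code" -gt 7 ]; then echo "error:$code"; return 0; fi
    out=""
    [ $((code & 1)) -ne 0 ] && out="${out}new,"
    [ $((code & 2)) -ne 0 ] && out="${out}removed,"
    [ $((code & 4)) -ne 0 ] && out="${out}changed,"
    echo "${out%,}"
}

# Pick the logger(1) priority: AIDE errors are louder than detected changes.
aide_priority() {
    case "$1" in
        clean)   echo "auth.info" ;;
        error:*) echo "auth.err" ;;
        *)       echo "auth.warning" ;;
    esac
}

# Rotate DB_DIR/aide.db.new.gz into place with a dated backup of the old
# baseline. Refuses after an AIDE error (status > 7). Returns 0 on success.
aide_rotate_baseline() {
    status=$1; db_dir=$2
    [ "$status" -le 7 ] || return 1
    [ -f "$db_dir/aide.db.new.gz" ] || return 1
    mkdir -p "$db_dir/backup"
    [ ! -f "$db_dir/aide.db.gz" ] || cp "$db_dir/aide.db.gz" "$db_dir/backup/aide.db.$(date +%Y%m%d).gz"
    mv "$db_dir/aide.db.new.gz" "$db_dir/aide.db.gz"
}

# Cron entry point (assumed paths): check, log with the right priority,
# and mail the report only when the status is not clean.
aide_run_check() {
    report=$(/usr/bin/aide --check --config=/etc/aide/aide.conf 2>&1)
    status=$?
    summary=$(aide_decode_status "$status")
    logger -t aide -p "$(aide_priority "$summary")" "AIDE status $status ($summary)"
    [ "$status" -eq 0 ] || printf '%s\n' "$report" | mail -s "AIDE: $summary on $(hostname)" security@example.com
    return "$status"
}
```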
Database Management
# Compare two databases directly. --before/--after take config lines, not
# paths; --compare reads database_in (old) against database_new (new).
aide --compare \
    --config=/etc/aide/aide.conf \
    --after="database_in=file:/var/lib/aide/aide.db.20260101.gz" \
    --after="database_new=file:/var/lib/aide/aide.db.20260201.gz"
# Backup database before updates
mkdir -p /var/lib/aide/backup
cp /var/lib/aide/aide.db.gz /var/lib/aide/backup/aide.db.$(date +%Y%m%d).gz
# Keep the baseline on read-only media: write the database to the media
# before it is write-protected, then mount it read-only and point AIDE at it
sudo mount -o ro /dev/sr0 /mnt/cdrom
# in aide.conf: database_in=file:/mnt/cdrom/aide/aide.db.gz
Regex-Based Rules
# Match specific file patterns
/etc/.*\.conf$ CONTENT+PERMS
/usr/local/bin/custom-.*$ NORMAL
# Exclude specific patterns within monitored directories
!/var/log/.*\.gz$
!/var/log/journal/.*
# Monitor only specific subdirectories
/home/[^/]+/\.ssh DIR+CONTENT
/home/[^/]+/\.bashrc$ CONTENT
/home/[^/]+/\.profile$ CONTENT
Troubleshooting
| Issue | Solution |
|---|---|
| Database initialization takes too long | Exclude large directories like /var, /home data dirs. Use !/path exclusions |
| False positives from package updates | Run aide --update and rotate database after planned maintenance |
| Cannot open config file | Check path and permissions: ls -la /etc/aide/aide.conf |
| Database not found | Initialize with aide --init and copy aide.db.new.gz to aide.db.gz |
| Permission errors during check | Run with sudo or as root for full filesystem access |
| Check reports changes to /proc or /sys | Add exclusions: !/proc and !/sys in configuration |
| Memory issues with large filesystems | Reduce hash algorithms or split into multiple config files |
| Database corruption | Restore from backup or reinitialize: aide --init |