How do I quickly set up AIDE on Linux?

Here is my version of an AIDE cheat sheet. I originally wrote this about a year ago, but it is still pretty much the same. This is not meant to be a perfect implementation guideline, just a cheat sheet to get you up and running quickly! There are more advanced features and security elements that I do not go into here, and you should explore them.

Did you notice that Tripwire is no longer included in SUSE Linux? What do you do? You use AIDE. And here’s how, in very brief steps.

First, install the aide package using YaST. Besides just the binaries, the package gives you a good baseline configuration file (/etc/aide.conf) and a good example script you can add to cron for regular checks.

Now, initialize the database for a baseline:

aide --config=/etc/aide.conf --init

…this creates /var/lib/aide/, a text-based database file that contains information about the filesystem, as instructed by /etc/aide.conf.

Next, copy it to the correct name so you can use it:

cp /var/lib/aide/ /var/lib/aide/aide.db

…this gives you a database to run your checks against. Make sure to keep a read-only copy of aide.db off the system, for later comparisons and security validation!

…I modified some files on my system so I could get a result. Otherwise, the output is silent when no changes are detected.

So let’s run a check and see results (at the default verbose level 1 in aide.conf). It may take a loooooong time, so be patient…

aide --config=/etc/aide.conf --check

…and here’s the result:

AIDE found differences between database and filesystem!!
Total number of files:        215749
Added files:                  1
Removed files:                1
Changed files:                8
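
As an added example (not part of the original cheat sheet), here is a small POSIX shell script that reads a report in the summary format shown above and condenses it into one line for a cron mail, and that maps AIDE's exit status to the same labels. The exit-status bits (1 = added, 2 = removed, 4 = changed; 14 and above = an error such as a bad config or I/O failure) are the ones documented in aide(1), not something the post states. The sample report is constructed to match the output above; the helper names and the RUN_AIDE switch are my own.

```shell
#!/bin/sh
# Added example, not from the post: summarise an AIDE report and its exit
# status for a nightly cron mail. Helper names and RUN_AIDE are assumptions.

# Constructed sample in the summary format shown in the post
SAMPLE_REPORT='AIDE found differences between database and filesystem!!
Total number of files:        215749
Added files:                  1
Removed files:                1
Changed files:                8'

# Print one counter ("Added", "Removed" or "Changed") from a report read on
# stdin. A silent run (no changes) has no such line, so print 0 then.
aide_count() {
    n=$(grep "^$1 files:" | awk '{print $NF}')
    echo "${n:-0}"
}

# One-line summary of a report passed as the first argument.
aide_report_summary() {
    added=$(printf '%s\n' "$1" | aide_count Added)
    removed=$(printf '%s\n' "$1" | aide_count Removed)
    changed=$(printf '%s\n' "$1" | aide_count Changed)
    echo "added=$added removed=$removed changed=$changed"
}

# Describe AIDE's exit status as documented in aide(1): bit 1 = added files,
# bit 2 = removed files, bit 4 = changed files; 14 and above is an error
# (bad config, I/O failure, ...) rather than a finding, so treat it separately.
aide_exit_describe() {
    rc=$1
    if [ "$rc" -eq 0 ]; then
        echo "no changes"
    elif [ "$rc" -ge 14 ]; then
        echo "error (exit status $rc)"
    else
        out=""
        [ $((rc & 1)) -ne 0 ] && out="$out added"
        [ $((rc & 2)) -ne 0 ] && out="$out removed"
        [ $((rc & 4)) -ne 0 ] && out="$out changed"
        echo "${out# }"
    fi
}

# Live use (only when aide is installed and RUN_AIDE=yes): run the check,
# keep the full report for the mail body, and lead with the summary line.
if [ "${RUN_AIDE:-no}" = "yes" ] && command -v aide >/dev/null 2>&1; then
    rc=0
    report=$(aide --config=/etc/aide.conf --check 2>&1) || rc=$?
    echo "aide: $(aide_exit_describe "$rc"); $(aide_report_summary "$report")"
    printf '%s\n' "$report"
fi
```

Because the exit status is a bitmask, a cron wrapper can decide from it alone whether to page anyone (for example, treat any removed or changed file as worth a look but log added files only), without parsing the report at all; the parser is there for the mail subject line.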

You can tweak the aide.conf to your taste. After that, you can do an update:

aide --config=/etc/aide.conf --update

…the update command does the same thing as check, but it also creates a new database; by this I mean it creates a new “”, and during the update it compares the filesystem in real time with aide.db (which does not change, which is why it should be read-only!).

When changes are found, and you don’t want to see those changes in future reports, you can simply reinitialize the static database (aide.db). To do this, just re-run with --init, then copy the new database to aide.db, as described above. Again, make sure to keep a read-only copy of aide.db off the system for later comparisons and security validation!

If you wish to run a “--compare” to compare your databases, you must add the following to your aide.conf (if you don’t specify them on the command line):
…note: the “--compare” does not examine the filesystem, it only compares the two databases!

Personally, I run aide once each night with the --update option. This way it makes a new database and still tells me what changed (since it compares the filesystem with aide.db). Then, I can manually copy over the aide.db database as described above, and keep a copy offline.

Note that aide is a bit processor-intensive. On my systems it uses 20-60% of the processor for about 4-8 minutes. I suppose your experience would depend upon how fast your disk channel is. Also, depending on the size of your filesystem and the settings in aide.conf, the database files can be many tens of MB.

Here’s a script that I run each day from /etc/cron.daily:

aide --config=/etc/aide.conf --update

Here’s a script that I run manually after I’ve seen all of the changes that may have occurred and I don’t want to be notified about them anymore:

echo "Initialize the db..."
aide --config=/etc/aide.conf --init
echo "Copy over the new db..."
cp /var/lib/aide/ /var/lib/aide/aide.db
# Replace this next line with a copy to offline storage!
# cp /var/lib/aide/ /removableMedia
echo "...Done! "
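
The scripts above rotate the baseline but trust whatever is sitting in /var/lib/aide/aide.db at the time of the nightly run. As an added example that is not the post's own script, the following POSIX shell routine follows the post's advice to keep a read-only copy off the system: it records a SHA-256 fingerprint of the fresh aide.db in an out-of-band location right after the rotate step, and the nightly update refuses to run when the on-host baseline no longer matches that fingerprint. The STORE path, the RUN_AIDE switch and the function names are assumptions; sha256sum is the coreutils tool.

```shell
#!/bin/sh
# Added example, not the post's script: fingerprint the aide.db baseline
# out of band and refuse the nightly update if the on-host copy has changed.
# AIDE_DB, STORE (assumed to be removable or remote storage) and RUN_AIDE
# are assumptions; override them in the environment.

AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db}"
STORE="${STORE:-/removableMedia}"

# SHA-256 of a file; sha256sum (coreutils) on Linux, shasum elsewhere.
fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Run this right after the rotate step (cp ... aide.db) while the new
# baseline is known-good: store its fingerprint and make the file read-only.
record_baseline() {
    db=$1; store=$2
    fingerprint "$db" > "$store/aide.db.sha256" && chmod 444 "$db"
}

# 0 if the live baseline matches the stored fingerprint, 1 otherwise
# (including when no fingerprint was ever recorded).
verify_baseline() {
    db=$1; store=$2
    [ -r "$store/aide.db.sha256" ] || return 1
    [ "$(fingerprint "$db")" = "$(cat "$store/aide.db.sha256")" ]
}

# Nightly routine for cron.daily: a tampered or silently replaced aide.db
# would make every later report meaningless, so check it before comparing.
nightly_update() {
    if ! verify_baseline "$AIDE_DB" "$STORE"; then
        echo "aide.db does not match the stored fingerprint; not running aide" >&2
        return 2
    fi
    # AIDE's own exit status is passed through (0 = no changes)
    aide --config=/etc/aide.conf --update
}

# Only run for real when aide is installed and RUN_AIDE=yes
if [ "${RUN_AIDE:-no}" = "yes" ] && command -v aide >/dev/null 2>&1; then
    nightly_update
fi
```

The fingerprint only helps if STORE is somewhere the host cannot rewrite on its own (removable media that is unplugged afterwards, or a remote location the host can write once and not modify); a fingerprint kept next to aide.db would go the same way as the database itself.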

For more thorough documentation, here are some references:
man aide
man aide.conf
