Advanced Intrusion Detection Environment (AIDE) is a tool for detecting changes to files and directories. On the first run, it stores the file hashes in a local database. On each subsequent run, it compares the current hashes against that database. If a hash differs from the one in the database, the difference is recorded in the logs. We can also configure reports and email notifications.
Its working principle is analogous to using md5sum to calculate the MD5 hash of a file and then comparing MD5 values to check whether the file has changed.
Commands:
  -i, --init            Initialize the database
  -C, --check           Check the database
  -u, --update          Check and update the database non-interactively
  -E, --compare         Compare two databases

Miscellaneous:
  -D, --config-check    Test the configuration file
  -v, --version         Show version of AIDE and compilation options
  -h, --help            Show this help message

Options:
  -c [cfgfile]   --config=[cfgfile]   Get config options from [cfgfile]
  -l [REGEX]     --limit=[REGEX]      Limit command to entries matching [REGEX]
  -B "OPTION"    --before="OPTION"    Before configuration file is read define OPTION
  -A "OPTION"    --after="OPTION"     After configuration file is read define OPTION
  -r [reporter]  --report=[reporter]  Write report output to [reporter] url
  -V[level]      --verbose=[level]    Set debug message level to [level]
Now that we know how to use the aide command, let's initialize the database.
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
End timestamp: 2025-05-22 03:06:00 -0400 (run time: 10m 42s)
Checking the database
Note: The database generated by aide is called aide.db.new.gz by default, whereas a check reads the database called aide.db.gz. Therefore, we need to rename the initialized database.
[root@director ~]# aide --check
Couldn't open file /var/lib/aide/aide.db.gz for reading
[root@director ~]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
After renaming it, let's check the database again!
[root@director ~]# aide --check
Start timestamp: 2025-05-22 03:09:45 -0400 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
Number of entries: 146260
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
[root@director ~]# aide --update
Start timestamp: 2025-05-22 03:51:02 -0400 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries: 146260
  Added entries: 0
  Removed entries: 0
  Changed entries: 8
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
Copyright Notice: This article is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please attribute the original author and source when sharing.