AIDE is an open source host-based intrusion detection system and a replacement for the well-known Tripwire integrity checker. It provides software integrity checking and can detect that an intrusion has occurred on the system: it monitors the filesystem for unauthorized changes, such as a system binary that has been modified or replaced with a trojaned version. How do I install and configure AIDE under Ubuntu LTS / Debian Linux 5.0 server?

It is good practice to deploy any integrity-checking software before the system goes online in a production environment. If possible, install this software before the system is connected to any network. AIDE is a host-based intrusion detection system (HIDS): it monitors and analyses the internals of a computing system.

1.0 Debian / Ubuntu Linux Install AIDE

Type the following command:
# apt-get update && apt-get install aide

1.0.1 Configure and Customize AIDE

You need to customize /etc/aide/aide.conf to meet your requirements. The default configuration is acceptable for many environments.

  • /etc/aide/aide.conf and /etc/aide/aide.conf.d/ – Default AIDE configuration files.
  • /var/lib/aide/aide.db – Default location for AIDE database.
  • /var/lib/aide/ – Default location for newly-created AIDE database.

1.0.2 How Do I Build, Store, and Test Database?

aideinit creates a new AIDE database. It initializes an AIDE database in the default database_out location (defined in /etc/aide/aide.conf) and then prompts you to replace your existing AIDE database. aideinit attempts to automatically detect the correct locations of your database and database_out files based on your aide.conf settings. These settings may be overridden on the command line, as may the prompts. To generate a new database, enter:
# aideinit
Sample output:

Running aide --init...
AIDE, version 0.13.1
### AIDE database at /var/lib/aide/ initialized.

Finally, install the newly generated database by copying it over the active one; enter:
# cp /var/lib/aide/ /var/lib/aide/aide.db
Next, run a manual check:
# aide -c /etc/aide/aide.conf --check
If this check produces any unexpected output, investigate. To improve overall security, move the database, the configuration file /etc/aide/aide.conf and the aide binary to a secure, read-only offsite location. If an attacker can modify the aide binary or the database, the check will not report anything, so move them off the host or burn the files to CD-ROM and run the check from that copy. You can also record hashes of these files and verify them before each check. To copy the files to an offsite server:
# scp /var/lib/aide/aide.db* /usr/bin/aide /etc/aide/aide.conf /etc/aide/aide.conf.d/*
Use tools such as cdrecord to write the files to CD-ROM.
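The hash-based check mentioned above, as an added example (not part of the tutorial or the AIDE project): a small POSIX shell wrapper that records SHA-256 hashes of the aide binary, configuration and database, and refuses to run the integrity check if any of them no longer matches. The mount point /media/cdrom and the script name are assumptions; the other paths are the tutorial's own.

```shell
#!/bin/sh
# Added example, not part of the tutorial: keep SHA-256 hashes of the AIDE
# binary, its configuration and its database, so copies kept on read-only
# or offsite media can be verified before every integrity check.
# /media/cdrom is an assumed mount point; the other paths are the tutorial's.

# aide_manifest MANIFEST FILE...
# Writes one "hash  path" line per file into MANIFEST (sha256sum format).
aide_manifest() {
    manifest=$1
    shift
    sha256sum -- "$@" > "$manifest"
}

# aide_verify MANIFEST
# Returns 0 only if every file listed in MANIFEST still hashes the same.
# --strict also fails on malformed lines, so a damaged manifest is rejected.
aide_verify() {
    sha256sum --check --strict --status -- "$1"
}

# aide_checked_run MANIFEST CMD...
# Runs CMD only after the manifest verifies; refuses (status 2) otherwise,
# so a modified aide binary or database is never trusted to report on itself.
aide_checked_run() {
    manifest=$1
    shift
    if aide_verify "$manifest"; then
        "$@"
    else
        echo "aide_checked_run: integrity mismatch in $manifest, refusing to run" >&2
        return 2
    fi
}

# Usage: ./aide-guard.sh record   (once, after aideinit and the first clean check)
#        ./aide-guard.sh check    (from cron or by hand)
case "${1:-}" in
    record)
        aide_manifest /media/cdrom/aide.sha256 \
            /usr/bin/aide /etc/aide/aide.conf /var/lib/aide/aide.db ;;
    check)
        aide_checked_run /media/cdrom/aide.sha256 \
            /usr/bin/aide -c /etc/aide/aide.conf --check ;;
esac
```

The manifest itself must live on the read-only medium alongside the copies; a manifest kept on the monitored host can be rewritten by whoever rewrites the files.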

1.0.4 How Do I Test the Integrity of Any Binary?

Run the following commands (note: normally you only need to run aide -c /etc/aide/aide.conf --check; the touch changes the timestamps of /bin/date so that the check has something to report):
# touch /bin/date
# aide -c /etc/aide/aide.conf --check

1.0.5 Cron To Implement Periodic Execution of Integrity Checking

By default, AIDE installs itself for periodic execution at /etc/cron.daily/aide. This script is executed once a day, which is suitable for many server environments. If there is any problem with installed binaries (modified by you, by a system update program such as apt-get, or by an attacker), you will get an email (sent to the root user by default). You can customize the recipient by editing the /etc/default/aide file and setting the MAILTO variable to the email address reports should be mailed to.

1.0.6 A Note About System Changes

An AIDE mail may indicate an attack against your server. However, the same report is produced when you update the system, change its configuration or install a software update. The following steps should be repeated whenever configuration changes or software updates require it:
# aideinit
# cp /var/lib/aide/ /var/lib/aide/aide.db
# aide -c /etc/aide/aide.conf --check

Finally, move the files (database and aide binary) to read-only media or an offsite server using scp (see the steps described in section 1.0.2).

Further Readings:

  • The man page aide.conf(5) provides detailed information about the configuration file format.
  • The man page aide(1) provides detailed information about the aide command options.
  • AIDE project home page

  • Me Jul 7, 2009 @ 10:24

    Great tutorial.

    I was looking for something like this.


  • Me Jul 10, 2009 @ 10:17

    After touch /bin/date the
    sudo aide -c /etc/aide/aide.conf --check
    did not find the modification.. weird?

    I also mv /bin/date /bin/date2

    same, it did not detect it.. any ideas why?

    Ubuntu Server 8.04 64 bit

  • Pieter E Smit Sep 22, 2009 @ 13:43

    One mistake is that the config file on debian is not the one in etc.

    update-aide.conf > builds new config from etc to > /var/lib/aide/aide.conf.autogenerated

    To check use this config file e.g.
    aide -c /var/lib/aide/aide.conf.autogenerated

  • Ramone Burrell Apr 9, 2015 @ 17:22

    Thank you very much. This was very useful.

  • David Jan 6, 2016 @ 20:32

    Great site.

    The command in 1.0.6 should be

    aide --init

    • Arun Khan Aug 2, 2017 @ 5:34

      In Debian you have to use ‘aideinit’, it’s a wrapper.
      # aideinit --help will show the options.
      NB — using aide --init or --update creates a db file that generates an error message when you run the --check
