Hardening Linux Server With AIDE

What is AIDE?

AIDE (Advanced Intrusion Detection Environment) is a host-based intrusion detection system that checks file integrity. It does this by comparing the current state of the filesystem against a previously stored database. AIDE can detect changes to inodes, permissions, modification times and file contents.


Installing AIDE is very simple: you just need to install the package. On openSUSE you can install it from the default OSS repository or from the security repository on OBS.

zypper in aide


First of all we need to tell AIDE what directories to monitor as well as where to store the database files that it will use to compare the state of the system.

Open up /etc/aide.conf in your favorite text editor and check out the following values.

The “database” is where the “good” or initial state of the system is stored. This can be on the local system, but if you are running AIDE on a production server it is a good idea to store it on a read-only network mount so that an intruder cannot alter it. When AIDE runs it creates a “new” or “current” state database, compares it with the known good state and notifies you if any differences are detected.


The administrator can configure which details AIDE includes in its messages. AIDE is very flexible in what it can display; the full list of attributes can be found in the manual (http://aide.sourceforge.net/stable/manual.html). The rules used in this post are:

Binlib          = p+i+n+u+g+s+b+m+c+sha256+sha512
ConfFiles       = p+i+n+u+g+s+b+m+c+sha256+sha512
Logs            = p+i+n+u+g+S
Devices         = p+i+n+u+g+s+b+c+sha256+sha512
Databases       = p+n+u+g
StaticDir       = p+i+n+u+g
ManPages        = p+i+n+u+g+s+b+m+c+sha256+sha512

Further down in the configuration file you will find definitions for what directories AIDE should ignore, which it should track and what rule they fall under.

To tell AIDE to ignore a directory simply put a “!” before its declaration:


To track a directory and match it to a rule simply declare the rule you wish to match right after the directory.

/etc                                    ConfFiles

For example, if a file under /etc matched by the ConfFiles rule changes, AIDE reports it like this (old value on the left, new value on the right):

File: /etc/resolv.conf
Size     : 76                               , 49
Mtime    : 2016-03-13 15:05:13              , 2016-03-14 13:25:26
Ctime    : 2016-03-13 15:05:13              , 2016-03-14 13:25:26
Inode    : 772672                           , 772869
SHA256   : qCbGw+A+0SnH+O0FflNzPdV1erRYhuPj , NxfZibNn41iitzt6HyCtPaW9t/K+e23T
SHA512   : weUPRQHqB0nzlhi2SEwhRD49LPUxKG0y , gI8iXh74BsDY8Ol3x4YlzepHtk8uFyxD
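To show how the pieces above fit together, here is a complete minimal /etc/aide.conf, added as an illustration and not taken from the original post or the openSUSE package. The database paths, the directory list and the exclusions are assumptions to be adapted to your system; the rule definitions are the ones quoted above. It also shows two selection-line forms the post does not use: “=” lines, which match a directory without descending into it, and the fact that selection lines are regular expressions anchored at the start of the path.

```conf
# Known-good database and the database a run writes out.
# "file:" is AIDE's URL syntax; these paths are an assumed example.
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
gzip_dbout=yes

# Attribute rules: p perms, i inode, n link count, u uid, g gid, s size,
# b block count, m mtime, c ctime, S "size may only grow" (for logs).
Binlib          = p+i+n+u+g+s+b+m+c+sha256+sha512
ConfFiles       = p+i+n+u+g+s+b+m+c+sha256+sha512
Logs            = p+i+n+u+g+S
Devices         = p+i+n+u+g+s+b+c+sha256+sha512
Databases       = p+n+u+g
StaticDir       = p+i+n+u+g
ManPages        = p+i+n+u+g+s+b+m+c+sha256+sha512

# Selection lines: a regular expression matched from the start of the path,
# followed by the rule to apply. Everything below the directory is included.
/bin            Binlib
/sbin           Binlib
/usr/bin        Binlib
/usr/sbin       Binlib
/lib            Binlib
/lib64          Binlib
/etc            ConfFiles
/usr/share/man  ManPages
/var/log        Logs
/dev            Devices

# "=" matches only the entry itself, not its contents: track that /home
# exists with the right owner and mode without hashing every user file.
=/home          StaticDir

# "!" excludes a tree. AIDE's own databases and the temporary directories
# change on every run, so including them would only produce noise.
!/var/lib/aide
!/var/log/aide
!/tmp
!/var/tmp
```

The order of selection lines does not matter for inclusion, but a more specific “!” line wins over a broader positive line, which is how /var/log/aide is carved out of /var/log above.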

It's important to understand the basics of this configuration file, as it is what makes AIDE a very flexible auditing tool.


The easiest way to schedule regular AIDE audits is to use cron to run a script. As the root user, create a file /root/bin/aide.sh and add the following lines:


# these should be the same as what's defined in /etc/aide.conf

The first thing the script needs to do is to check if the “good” state database exists. If it does not then the script should exit as it cannot make the comparison.

if [ ! -f "$database" ]; then
    echo "$database not found" >&2
    exit 1
fi

This next part is relevant on desktop systems, because they change far too often for a single state to always be good. Instead the script copies the previous run's “new” database over the old “good” database and then generates a new database of the current state.

# quote the variables so paths containing spaces do not get split
mv "$database_out" "$database"
aide -u
aide --check --verbose > /tmp/aide.txt

Once that is done, the script needs to check whether any difference was found and, if so, send the report to the administrator.

grep "Looks okay" /tmp/aide.txt &> /dev/null

if [[ $? == "0" ]]; then
    echo "No difference found!" | mail -s "AIDE Report" "$ADDR"
else
    mail -s "AIDE Report" "$ADDR" < /tmp/aide.txt
fi

Lastly, the script should remove the file it created in /tmp:

rm /tmp/aide.txt
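The fragments above assembled into one complete script, added here as an example and not the post's own file. The database paths and mail address are assumptions (the /var/lib/aide paths are the package defaults, without the “file:” prefix used in aide.conf); adjust them to match your /etc/aide.conf. Two things differ from the fragments on purpose: the report goes to a mktemp file rather than the fixed name /tmp/aide.txt, because root writing to a predictable name in a world-writable directory is open to symlink tricks by local users, and the desktop-style rotation of the “new” database over the “good” one is behind an AIDE_DESKTOP_MODE switch so the same script serves a server, where the good state should stay fixed. It assumes a known-good database already exists, exactly as the post's script does.

```bash
#!/bin/bash
# /root/bin/aide.sh - daily AIDE audit, mailed to the administrator.
# Assumed defaults; these must match the values in /etc/aide.conf.
database="${AIDE_DB:-/var/lib/aide/aide.db}"              # known good state
database_out="${AIDE_DB_OUT:-/var/lib/aide/aide.db.new}"  # written by the last run
ADDR="${AIDE_MAIL_TO:-root}"                              # report recipient
DESKTOP_MODE="${AIDE_DESKTOP_MODE:-0}"                    # 1 = accept last run's state as good

# True when the report says the filesystem matches the database.
report_is_clean() {
    grep -q "Looks okay" "$1"
}

# Desktop workflow: promote the previous run's "new" database to "good".
# Leaves the good database untouched (and fails) if there is no new one yet.
rotate_database() {
    local new="$1" good="$2"
    [ -f "$new" ] || return 1
    mv -- "$new" "$good"
}

# Run the audit and mail the result.
# Returns 0 when no differences were found, 1 on differences, 2 on error.
run_audit() {
    local report status
    if [ ! -f "$database" ]; then
        echo "$database not found" >&2
        return 2
    fi
    # Private temporary file instead of a fixed /tmp/aide.txt.
    report="$(mktemp /tmp/aide.XXXXXX)" || return 2

    if [ "$DESKTOP_MODE" = 1 ]; then
        rotate_database "$database_out" "$database"
        aide -u >/dev/null 2>&1     # writes a fresh database_out
    fi
    aide --check --verbose > "$report" 2>&1

    if report_is_clean "$report"; then
        echo "No difference found!" | mail -s "AIDE Report" "$ADDR"
        status=0
    else
        mail -s "AIDE Report" "$ADDR" < "$report"
        status=1
    fi
    rm -f -- "$report"
    return "$status"
}

# The script's exit status is run_audit's status, so cron logs a failure
# when the database is missing rather than silently mailing nothing.
run_audit
```

Make the file executable with chmod 700 /root/bin/aide.sh before linking it into /etc/cron.daily; a non-executable script is skipped without any error message.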

Save the file, then open a terminal as root, change into /etc/cron.daily and create a symlink to the aide.sh script:

cd /etc/cron.daily/
ln -s /root/bin/aide.sh aide.sh

Note that if you find the daily scheduled time inconvenient, you can edit the /etc/sysconfig/cron file and change the DAILY_TIME value. For example:


Once that is done, wait for the DAILY_TIME to be reached and check that the report is emailed to the address you defined in the script.

This entry was posted in Hardening, Linux.

2 Responses to Hardening Linux Server With AIDE

  1. Pingback: Links 24/3/2016: GNOME 3.20, Tomb Raider Arriving On GNU/Linux | Techrights

  2. Pingback: Harden your server (AIDE) | 0ddn1x: tricks with *nix
