Difference between revisions of "AIDE"

From ArchWiki
Jump to: navigation, search
(Update AIDE Manual links)
Line 58: Line 58:
See <code>man aide.conf</code>
See <code>man aide.conf</code>
and the [http://www.cs.tut.fi/~rammer/aide/manual.html AIDE Manual]
and the [http://aide.sourceforge.net/stable/manual.html AIDE Manual]
for documentation on the config file.
for documentation on the config file.
Line 110: Line 110:
== See also ==
== See also ==
* [http://www.cs.tut.fi/~rammer/aide/manual.html AIDE Manual]
* [http://aide.sourceforge.net/stable/manual.html AIDE Manual]
* [http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=13#doc_chap1 Gentoo Docs - Intrusion Detection]
* [http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=13#doc_chap1 Gentoo Docs - Intrusion Detection]
* [http://www.la-samhna.de/library/scanners.html Samhain Labs - file integrity checkers]
* [http://www.la-samhna.de/library/scanners.html Samhain Labs - file integrity checkers]

Revision as of 17:37, 13 January 2012

This template has only maintenance purposes. For linking to local translations please use interlanguage links, see Help:i18n#Interlanguage links.

Local languages: Català – Dansk – English – Español – Esperanto – Hrvatski – Indonesia – Italiano – Lietuviškai – Magyar – Nederlands – Norsk Bokmål – Polski – Português – Slovenský – Česky – Ελληνικά – Български – Русский – Српски – Українська – עברית – العربية – ไทย – 日本語 – 正體中文 – 简体中文 – 한국어

External languages (all articles in these languages should be moved to the external wiki): Deutsch – Français – Română – Suomi – Svenska – Tiếng Việt – Türkçe – فارسی

AIDE is a host-based intrusion detection system (HIDS) for checking the integrity of files. It does this by creating a baseline database of files on an initial run, and then checks this database against the system on subsequent runs. File properties that can be checked against include inode, permissions, modification time, file contents, etc.

AIDE only does file integrity checks. It does not check for rootkits or parse logfiles for suspicious activity, like some other HIDS (such as OSSEC) do. For these features, you can use an additional HIDS (see here for a possibly biased comparison), or use standalone rootkit scanners (rkhunter, chkrootkit) and log monitoring solutions (logwatch, logcheck).



Install aide from the Official Repositories.


The default config file at /etc/aide.conf has pretty sane defaults and is heavily commented. It works by including directories to check, like /bin, /lib, and /sbin. You may wish instead to include everything by default, and exclude volatile directories that change often. Here's an example of such a configuration:

@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide



NORMAL = R+rmd160+sha256
LOG = >

/var/log LOG

See man aide.conf and the AIDE Manual for documentation on the config file.


To check your configuration, use aide -D.

To initialize the database, use aide -i. Depending on your configuration and system, this command can take a while to complete.

You can check the system against the baseline database using aide -C, or update the baseline db using aide -u

For more info, see man aide.


AIDE can be run manually if desired, but you may want to run it automatically instead. How you set this up will depend on your cron daemon and MUA (if email notification is desired).

If cron is set up to automatically mail all job output, it can be as simple as

#!/bin/bash -e

# these should be the same as what's defined in /etc/aide.conf

if [ ! -f "$database" ]; then
        echo "$database not found" >&2
        exit 1

aide -u || true

mv $database $database.back
mv $database_out $database

For examples of more complicated cron scripts see here or here.


Since the database is stored on the root filesystem, attackers can easily modify it to cover their tracks if they compromise yuor system. You may want to copy the database to offline, read-only media and perform checks against this copy periodically.

See also