What is AIDE?

AIDE (Advanced Intrusion Detection Environment) is an open-source file and directory integrity checker. It records a baseline database of file attributes (permissions, ownership, inode, size, timestamps and cryptographic checksums) and later compares the live filesystem against that baseline to detect unauthorized changes. It is a detective control, not a preventive one: it tells you after the fact that something changed, and only if the baseline was taken from a clean system and has not itself been tampered with. It is widely used for security monitoring and to meet file-integrity-monitoring requirements in compliance frameworks.

Prerequisites

  • Ubuntu Server (18.04, 20.04, 22.04, or 24.04). The packaged AIDE version differs by release (the 0.16 series on 18.04 and 20.04, 0.17 on 22.04, 0.18 on 24.04), and a few option names changed in 0.17; the differences are noted where they matter below

  • Root or sudo privileges

  • Basic command-line knowledge

Step 1: Update Your System

First, ensure your system packages are up to date:

sudo apt update
sudo apt upgrade -y

Step 2: Install AIDE

Install AIDE using the APT package manager:

sudo apt install aide aide-common -y

Verify the installation:

aide --version

Step 3: Configure AIDE

The main configuration file is located at /etc/aide/aide.conf. Before making changes, create a backup:

sudo cp /etc/aide/aide.conf /etc/aide/aide.conf.backup

Understanding the Configuration File

Open the configuration file:

sudo nano /etc/aide/aide.conf
Key configuration sections include:

Database locations:

database_in=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

database_in names the baseline that --check compares against; database_out is where --init and --update write the new database. AIDE 0.17 renamed database to database_in, so on 18.04 and 20.04 the first line reads database=file:/var/lib/aide/aide.db. The packaged file may express the same paths as @@{DBDIR}/aide.db after a @@define DBDIR /var/lib/aide line.

Common rule definitions:

A rule (group) is a sum of attribute letters: p permissions, i inode, n link count, u owner, g group, s size, m mtime, c ctime, l link target, plus one or more checksums such as sha256 or sha512. The groups used in this guide:

  • R = p+i+n+u+g+s+m+c+md5+sha256 (read-only files: nothing, including content, may change; md5 adds no security once sha256 is present, only extra work)

  • L = p+i+n+u+g (log files: metadata only, the contents are expected to change)

  • E = (empty group: the entry is recorded but no attribute is checked)

  • > = (growing log files: metadata plus S, meaning the size may grow but never shrink)

The built-in definitions of R, L, E and > differ between AIDE versions, and the Debian configuration defines its own named groups, so check aide.conf(5) for your version before relying on a built-in. A definition in your configuration overrides the built-in one.

Step 4: Customize Monitoring Rules

Add the directories you want to monitor. A selection line is a regular expression anchored at the start of the path, followed by a group: /etc R covers /etc and everything below it, but also any sibling that begins with the same characters, such as /etc.bak (an explicit trailing / or a $ anchor narrows the match). Lines starting with ! exclude whatever they match. The Debian and Ubuntu packaging assembles its working configuration from /etc/aide/aide.conf plus the snippets in /etc/aide/aide.conf.d/, so local rules are normally kept in a new file under that directory rather than edited into the shipped defaults. Here's an example configuration:

# Monitor system binaries
# On Ubuntu 20.04 and later, /bin, /sbin, /lib and /lib64 are symlinks into
# /usr; AIDE records the symlink itself and the contents are covered by the
# /usr rules below
/bin R
/sbin R
/usr/bin R
/usr/sbin R

# Monitor configuration files
/etc R

# Monitor libraries
/lib R
/lib64 R
/usr/lib R

# Exclude pseudo-filesystems and scratch space to reduce noise. Make sure
# /var/lib/aide (the database) and /var/log/aide (the reports) are also
# excluded or metadata-only, or every run reports the previous run's output
!/var/log
!/var/cache
!/var/tmp
!/tmp
!/proc
!/sys
!/dev
Custom monitoring examples:

For web servers:

/var/www R

For application directories:

/opt/myapp R

For home directories (if needed; R on /home reports every file a user edits, so prefer a narrower path or the L group unless you really want content checks on user data):

/home R

Step 5: Initialize the AIDE Database

aideinit runs aide --init with the assembled packaged configuration and creates the initial baseline database:

sudo aideinit

This process may take several minutes, or considerably longer on hosts with large filesystems, because every monitored file is read and checksummed. Run it on a freshly installed and fully patched system before the host is exposed: a baseline taken from an already compromised machine simply records the compromise as normal. The database is written to /var/lib/aide/aide.db.new.

Once complete, promote the new database to the active location that --check reads:

sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

mv works equally well; cp keeps the .new file around for comparison. Then record the SHA-256 of aide.db, or keep a copy of the database and configuration, somewhere the server itself cannot write (see Best Practices below); without that, a root-level intruder can silently replace the baseline.

Step 6: Run Your First Check

Perform an integrity check:

sudo aide --check

Or using the packaged wrapper, which runs aide with the assembled configuration (/var/lib/aide/aide.conf.autogenerated) that aideinit used:

sudo aide.wrapper --check

A bare aide reads /etc/aide/aide.conf directly, so if your rules live only in /etc/aide/aide.conf.d/ the two invocations can disagree and produce spurious findings. Pick one and use it for init, check and update alike. Since this is the first check against a fresh database, AIDE should report "AIDE found NO differences between database and filesystem. Looks okay!!" and exit with status 0.

Step 7: Automate AIDE Checks with Cron

aide-common already installs a daily job (a cron.daily script on older releases, a dailyaidecheck systemd timer on newer ones) that runs the check and mails root, configured through /etc/default/aide. If that is sufficient, set the recipient there and skip this step; otherwise create your own daily check and disable the packaged one, so the filesystem is not scanned twice a day.

sudo nano /etc/cron.daily/aide-check

Add the following script (cron.daily runs it as root, and run-parts skips files whose names contain a dot, so keep the name as shown):

#!/bin/sh
# Daily AIDE integrity check
AIDE_OUTPUT="/var/log/aide/aide-$(date +%Y%m%d).log"
MAILTO="admin@example.com"   # placeholder: replace with your address
# Create log directory if it doesn't exist
mkdir -p /var/log/aide
# Run AIDE through the packaged wrapper so the check uses the same
# configuration that aideinit used to build the database
/usr/bin/aide.wrapper --check > "$AIDE_OUTPUT" 2>&1
RC=$?
# Exit status: 0 = no changes; 1-7 = added/removed/changed files
# (a bitmask: 1 new, 2 removed, 4 changed); 14 and above = AIDE error
if [ "$RC" -ne 0 ]; then
    if [ "$RC" -ge 14 ]; then
        SUBJECT="AIDE error (exit $RC) on $(hostname)"
    else
        SUBJECT="AIDE detected changes (exit $RC) on $(hostname)"
    fi
    # Send email notification (configure mail first, see Step 8)
    echo "$SUBJECT. Full report attached." | mail -s "$SUBJECT" -A "$AIDE_OUTPUT" "$MAILTO"
fi

Make it executable:

sudo chmod +x /etc/cron.daily/aide-check

Step 8: Configure Email Notifications (Optional)

Install mailutils:

sudo apt install mailutils -y

Configure postfix when prompted. "Internet Site" makes the server deliver mail directly, which many networks block and many receivers reject; on a host behind an organizational mail server choose "Satellite system" and point it at your relay instead.

Test email (put your own address in place of the placeholder):

echo "AIDE test email" | mail -s "Test" you@example.com

Step 9: Update the Database After Legitimate Changes

When you make authorized changes to the system (package upgrades included), update the AIDE database. --update performs a check against the current baseline, prints the report, and writes the new database to database_out:

sudo aide --update

Read that report first: every line in it should correspond to a change you made or expected. Only then replace the old database with the new one:

sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Accepting an unreviewed --update is exactly how an intruder's files become part of the baseline. Re-record the database hash or refresh the off-host copy after each accepted update.

Step 10: Advanced Configuration Tips

Exclude Specific File Types

!/var/log/.*\.log$

Monitor Only Selected Attributes

Create custom groups for paths where only some attributes matter, for example a file whose ctime is expected to move but whose owner, mode and contents must not:

MyRule = p+i+n+u+g+s+m+sha256
/etc/custom-config MyRule

Increase Verbosity for Debugging

On AIDE 0.16 (Ubuntu 18.04 and 20.04):

sudo aide --check --verbose=5

AIDE 0.17 and later (Ubuntu 22.04 and 24.04) dropped --verbose in favour of --log-level (for example --log-level=debug) and the report_level configuration option; --verbose is rejected there.

Best Practices

  1. Store the database securely: AIDE can only report what differs from its baseline, and an attacker with root can rewrite /var/lib/aide/aide.db or re-run --init. Keep a copy of the database and the configuration, or at least their SHA-256 hashes, on read-only media or a separate host, and compare before trusting a report

  2. Regular updates: Update the database after system updates and authorized changes, reviewing the --update report before accepting it

  3. Monitor logs: Regularly review AIDE reports for suspicious activity; an unexplained change under /etc, a binary directory or a library path is the signal you set this up for

  4. Test your configuration: After setup, make a test change and verify AIDE detects it (see Verification below)

  5. Document exceptions: Keep records of why certain directories are excluded, since each exclusion is a place AIDE will not look

  6. Integrate with SIEM: Forward AIDE results to your Security Information and Event Management system, for example by logging the report summary through syslog or journald and letting your existing log shipper carry it
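Putting Step 7 together with best practices 1 and 6, here is an added example written for this page (it is not part of the original tutorial or of the aide package) of a check script that does three things the simple cron job above does not: it refuses to run when /var/lib/aide/aide.db no longer matches a pinned SHA-256, it decodes AIDE's exit status bitmask instead of treating every non-zero code as "changes detected", and it logs a one-line JSON summary to syslog for a SIEM. The pinned-hash file path, the use of aide.wrapper, mailutils' mail -A for the attachment and the MAILTO default are assumptions; the sample report used by the selftest subcommand is constructed to the shape of an AIDE summary and is not real output.

```shell
#!/bin/sh
# Added example for this page: a hardened daily AIDE check. It is not part of
# the original tutorial or of the aide package. Paths, the aide.wrapper
# invocation, mailutils' "mail -A" and the MAILTO default are assumptions.

AIDE_WRAPPER="/usr/bin/aide.wrapper"            # Debian/Ubuntu wrapper (assumed)
AIDE_DB="/var/lib/aide/aide.db"
DB_HASH_FILE="/var/lib/aide/aide.db.sha256"     # assumed location; mirror it off-host
MAILTO="${MAILTO:-root}"                         # assumed recipient

# AIDE exit status: 0 = clean; 1, 2 and 4 form a bitmask for new, removed and
# changed entries (so 5 = new + changed); 14 and above are runtime errors.
aide_status_words() {
    local rc=$1 words=""
    [ "$rc" -eq 0 ] && { echo "clean"; return 0; }
    [ "$rc" -ge 14 ] && { echo "error"; return 0; }
    [ $((rc & 1)) -ne 0 ] && words="$words added"
    [ $((rc & 2)) -ne 0 ] && words="$words removed"
    [ $((rc & 4)) -ne 0 ] && words="$words changed"
    echo "${words# }"
}

# Pin the SHA-256 of the baseline after every accepted update and verify it
# before every run. Root on a compromised host can rewrite aide.db, so the
# pinned value only helps if a copy also lives where the host cannot write.
record_db_hash() { sha256sum "$1" | awk '{print $1}' > "$2"; }

verify_db_hash() {
    local db=$1 hashfile=$2 expected actual
    [ -r "$hashfile" ] || return 2
    expected=$(cat "$hashfile")
    actual=$(sha256sum "$db" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Reduce the "Summary:" block of a report to one JSON line for the SIEM.
# AIDE 0.17+ labels the counts "... entries:", 0.16 "... files:"; match both.
summary_json() {
    awk -v host="$(uname -n)" -v status="$2" '
        /^ *Added (entries|files):/   { a = $NF }
        /^ *Removed (entries|files):/ { r = $NF }
        /^ *Changed (entries|files):/ { c = $NF }
        END {
            printf "{\"host\":\"%s\",\"status\":\"%s\",\"added\":%d,\"removed\":%d,\"changed\":%d}\n",
                   host, status, a + 0, r + 0, c + 0
        }' "$1"
}

# Constructed sample in the shape of an AIDE summary (not real output), so the
# parser can be exercised on a machine without AIDE installed.
write_sample_report() {
    printf 'AIDE found differences between database and filesystem!!\n\nSummary:\n' > "$1"
    printf '  Total number of entries:\t1234\n  Added entries:\t\t1\n' >> "$1"
    printf '  Removed entries:\t\t0\n  Changed entries:\t\t2\n' >> "$1"
}

run_daily_check() {
    local report rc status host
    host=$(uname -n)
    report="/var/log/aide/aide-$(date +%Y%m%d).log"
    mkdir -p /var/log/aide
    if ! verify_db_hash "$AIDE_DB" "$DB_HASH_FILE"; then
        echo "Baseline $AIDE_DB does not match $DB_HASH_FILE; check not run." \
            | mail -s "AIDE baseline integrity failure on $host" "$MAILTO"
        return 3
    fi
    "$AIDE_WRAPPER" --check > "$report" 2>&1
    rc=$?
    status=$(aide_status_words "$rc")
    # One structured line for the SIEM; the full report stays on disk.
    logger -t aide-check "$(summary_json "$report" "$status")"
    [ "$status" = "clean" ] && return 0
    printf 'AIDE exited %s (%s) on %s. Full report attached.\n' "$rc" "$status" "$host" \
        | mail -s "AIDE [$status] on $host" -A "$report" "$MAILTO"
    return "$rc"
}

case "${1:-}" in
    run)      run_daily_check ;;
    pin)      record_db_hash "$AIDE_DB" "$DB_HASH_FILE" ;;
    selftest) t=$(mktemp); write_sample_report "$t"; summary_json "$t" "added changed"; rm -f "$t" ;;
    *)        echo "usage: $0 {run|pin|selftest}" >&2 ;;
esac
```

Install it somewhere like /usr/local/sbin and have /etc/cron.daily/aide-check call it with run; run it with pin immediately after each accepted --update in Step 9 (and copy the resulting .sha256 off-host), and with selftest to exercise the parser on a machine without AIDE. The baseline check is deliberately fail-closed: a missing or mismatched hash file produces an alert and no report, because a report produced against an untrusted baseline would only tell you what the attacker wanted you to see.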

Troubleshooting Common Issues

Issue: Database initialization takes too long

  • Exclude unnecessary directories like /proc, /sys, /dev and large, low-value data trees; using fewer checksum algorithms per group also cuts the time, since each file is read once per run regardless of how many are computed

Issue: Too many false positives

  • Refine your rules to exclude frequently changing directories

  • Use the > rule for growing log files

  • Expect a large report after apt upgrade, since packages replace files under /usr; confirm the changes match the upgrade and then re-baseline with --update

Issue: Email notifications not working

  • Verify postfix is running: sudo systemctl status postfix

  • Check mail logs: sudo tail -f /var/log/mail.log (on releases where rsyslog is not installed there is no mail.log; query the journal with journalctl for postfix entries instead)

Verification

Test your setup by making a deliberate change:

sudo touch /bin/testfile
sudo aide --check

You should see AIDE list the new file in the "Added" section of the report and exit with a non-zero status. On a merged-/usr system /bin is a symlink to /usr/bin, so the file appears as /usr/bin/testfile. A new file is the easiest case; also append a comment line to a monitored file under /etc and confirm that the content change is reported as well, since a tampered binary or configuration looks like that rather than like a new file.

Remove the test file and update the database:

sudo rm /bin/testfile
sudo aide --update
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Conclusion

AIDE is a powerful tool for maintaining file integrity and detecting unauthorized changes on your Ubuntu server, but its value rests on two things it cannot provide itself: a baseline taken from a clean system, and a database the attacker cannot rewrite. Regular monitoring and proper configuration are essential for an effective security posture. Keep the AIDE database updated after legitimate system changes, review every report (including the --update report before you accept it), and keep a copy of the database or its hash where the server cannot reach it.

