AIDE (Advanced Intrusion Detection Environment, [eyd]) is a file and directory integrity checker.
It creates a database from the regular expression rules that it finds from the config file(s). Once this database is initialized it can be used to verify the integrity of the files.
It has several message digest algorithms (see below) that are used to check the integrity of the file. All of the usual file attributes can also be checked for inconsistencies.
It can read databases from older or newer versions. See the manual pages within the distribution for further info.
source: https://aide.github.io/
Installing (Debian 10 Buster)
# apt-get install aide
Configure Debian defaults
An explanation of each option can be found inside the configuration file.
# vim /etc/default/aide
CRON_DAILY_RUN=yes
MAILTO=root
QUIETREPORTS=no
COPYNEWDB=yes
Excluding files & directories
Files and directories are excluded with a regular expression prefixed by “!”.
# vim /etc/aide/aide.conf
Add the following to the bottom of the config to exclude files that are expected to change every day:
!/var/log/.*
!/tmp/.*
!/run/.*
!/var/www/clients/.*/.*/log/.*
!/var/www/clients/.*/.*/web/stats/.*
!/var/lib/awstats/.*
!/var/lib/clamav.*
!/var/lib/dhcp/.*
!/var/lib/fail2ban/.*
!/var/lib/letsencrypt/.*
!/var/lib/monit/.*
!/var/lib/mysql/.*
!/var/lib/rkhunter/.*
!/var/lib/systemd/.*
!/var/spool/postfix/.*
!/var/lib/automysqlbackup/.*
!/var/backups/.*
!/var/www/webalizer/.*
!/var/lib/apt/lists/.*
!/usr/local/ispconfig/server/temp
!/home/j/.bash_history
!/var/cache/apt
!/root
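
To see what a set of exclusions actually hides from AIDE, the following added example (not from the original page or the AIDE project) tests paths against a subset of the “!” rules listed above. It assumes AIDE's documented matching, where each regex is anchored at the start of the path but not at the end, and approximates AIDE's PCRE with Python's re module; the function names and sample paths are constructed for illustration.

```python
import re

# Exclusion rules copied from the list above (subset); "!" marks an exclusion.
AIDE_CONF = """\
!/var/log/.*
!/tmp/.*
!/var/lib/clamav.*
!/var/cache/apt
!/root
"""

def exclusion_rules(conf_text):
    """Return (rule, compiled regex) for every '!' line in the config text."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("!"):
            # Assumption: AIDE anchors the regex at the start of the path only.
            rules.append((line, re.compile(line[1:])))
    return rules

def excluded_by(path, rules):
    """Return the first exclusion rule whose regex matches path, else None."""
    for rule, regex in rules:
        if regex.match(path):  # match() = implicit ^, no implicit $
            return rule
    return None

def audit(paths, conf_text=AIDE_CONF):
    """Map each path to the rule that hides it from AIDE (None = still checked)."""
    rules = exclusion_rules(conf_text)
    return {p: excluded_by(p, rules) for p in paths}

# Constructed sample paths, not taken from a real system.
SAMPLE_PATHS = [
    "/var/log/auth.log",
    "/var/log",
    "/root/.profile",
    "/rootfs-backup/etc/passwd",
    "/var/lib/clamav-old/main.cvd",
    "/etc/passwd",
]

if __name__ == "__main__":
    for path, rule in audit(SAMPLE_PATHS).items():
        print(f"{path:32} {'excluded by ' + rule if rule else 'checked'}")
```

In this run !/root also matches /rootfs-backup/etc/passwd because the rule has no trailing anchor, while /var/log itself stays checked because !/var/log/.* requires the trailing slash.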
Update Aide Configuration
# update-aide.conf
Initialise the database
“-y” for yes, and “-f” for force
# aideinit -y -f
Automatic daily reports
Debian runs a script daily to check for changes to the filesystem. Run it manually if you can’t wait until tomorrow:
# /etc/cron.daily/aide
Then check your administrative user's email.

