AIDE (Advanced Intrusion Detection Environment, [eyd]) is a file and directory integrity checker.
It creates a database from the regular expression rules it finds in the config file(s). Once this database is initialised it can be used to verify the integrity of the files.
It supports several message digest algorithms that are used to check file integrity, and all of the usual file attributes can also be checked for inconsistencies.
It can read databases from older or newer versions. See the manual pages within the distribution for further info.
Installing (Debian 10 Buster)
# apt-get install aide
Configure Debian defaults
An explanation of each option can be found inside the configuration file.
# vim /etc/default/aide
CRON_DAILY_RUN=yes
MAILTO=root
QUIETREPORTS=no
COPYNEWDB=yes
Excluding files & directories
Rules are regular expressions; prefixing a rule with “!” negates it, so matching paths are excluded.
# vim /etc/aide/aide.conf
Add the following to the bottom of the config file to exclude files that are expected to change every day.
!/var/log/.*
!/tmp/.*
!/run/.*
!/var/www/clients/.*/.*/log/.*
!/var/www/clients/.*/.*/web/stats/.*
!/var/lib/awstats/.*
!/var/lib/clamav.*
!/var/lib/dhcp/.*
!/var/lib/fail2ban/.*
!/var/lib/letsencrypt/.*
!/var/lib/monit/.*
!/var/lib/mysql/.*
!/var/lib/rkhunter/.*
!/var/lib/systemd/.*
!/var/spool/postfix/.*
!/var/lib/automysqlbackup/.*
!/var/backups/.*
!/var/www/webalizer/.*
!/var/lib/apt/lists/.*
!/usr/local/ispconfig/server/temp
!/home/j/.bash_history
!/var/cache/apt
!/root
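Before committing an exclusion list like the one above, it is worth checking which paths the negative rules actually swallow. The script below is an added example, not part of this page or of the AIDE project; it uses Python's re module as a stand-in for AIDE's own regex engine and assumes the documented aide.conf semantics that a rule regex is matched from the start of the path (as if “^” were prepended) but is not anchored at the end. The catch-all selection rule “/ R” and the “$”-anchored “!/var/cache/apt$” variant are assumptions added for contrast; the other negative rules are taken from the list above.

```python
import re

# Constructed rule list in aide.conf syntax (subset of the page's exclusions).
# "/ R" is an assumed catch-all selection rule, "R" being AIDE's read-only
# attribute group; "!/var/cache/apt$" is an added $-anchored variant for contrast.
RULE_LINES = [
    "/ R",
    "!/var/log/.*",
    "!/tmp/.*",
    "!/var/lib/clamav.*",
    "!/home/j/.bash_history",
    "!/root",
    "!/var/cache/apt$",
]

def compile_rule(line):
    """Turn one aide.conf rule line into (kind, compiled regex).

    Assumed semantics (per the aide.conf manual): the regex is matched from the
    start of the path, as if '^' were prepended, but is NOT anchored at the end.
    Equal rules ('=') are left out for brevity."""
    line = line.strip()
    if line.startswith("!"):
        kind, regex = "negative", line[1:]
    else:
        kind, regex = "selective", line.split()[0]   # drop the attribute group
    return kind, re.compile("^" + regex)

def is_checked(path, rules):
    """True if AIDE would put `path` into its database under these rules:
    it must match a selection rule and must not match any negative rule."""
    selected = any(rx.match(path) for kind, rx in rules if kind == "selective")
    excluded = any(rx.match(path) for kind, rx in rules if kind == "negative")
    return selected and not excluded

def classify(paths, rule_lines=RULE_LINES):
    """Map each sample path to whether it would be monitored."""
    rules = [compile_rule(line) for line in rule_lines]
    return {p: is_checked(p, rules) for p in paths}

# Constructed sample paths, chosen to show the anchoring behaviour.
SAMPLE_PATHS = [
    "/etc/passwd",                   # monitored
    "/var/log/syslog",               # excluded by !/var/log/.*
    "/var/log",                      # the directory entry itself is still monitored
    "/var/lib/clamav/daily.cvd",     # excluded by !/var/lib/clamav.*
    "/root/.ssh/authorized_keys",    # excluded: !/root covers everything below /root
    "/rootkit.txt",                  # also excluded: no end anchor on !/root
    "/var/cache/apt",                # excluded by the $-anchored rule
    "/var/cache/apt/pkgcache.bin",   # monitored: $ stops the rule at the directory
]

if __name__ == "__main__":
    for path, checked in classify(SAMPLE_PATHS).items():
        print(f"{'check' if checked else 'skip '}  {path}")
```

The two /root cases are the point: because the rule is not anchored at the end, “!/root” hides not only the root user's home but any top-level name that begins with “root”, and the whole of /root (including .ssh/authorized_keys) drops out of the daily report. Adding “$” where a rule is meant to name exactly one path keeps the exclusion tight.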
Update Aide Configuration
Initialise the database
“-y” answers yes to the prompts and “-f” forces the run.
# aideinit -y -f
Automatic daily reports
Debian runs a script daily to check for changes to the filesystem. Run it manually if you can’t wait until tomorrow:
Then check your administrative user's email.