Protect your filesystem integrity

In accordance with CIS Distribution Independent Linux Benchmark v2.0.0, chapter: 1.3.1

AIDE (Advanced Intrusion Detection Environment, [eyd]) is a file and directory integrity checker.

It creates a database from the regular expression rules that it finds from the config file(s). Once this database is initialized it can be used to verify the integrity of the files.

It has several message digest algorithms (see below) that are used to check the integrity of the file. All of the usual file attributes can also be checked for inconsistencies.

It can read databases from older or newer versions. See the manual pages within the distribution for further info.


Installing (Debian 10 Buster)

# apt-get install aide

Configure Debian defaults

An explanation of each option can be found inside the configuration file.

# vim /etc/default/aide

Excluding files & directories

Exclusion is done with regex and can be negated by “!”.

# vim /etc/aide/aide.conf

Add to the bottom of config to exclude files that are expected to change every day.


Update Aide Configuration

# update-aide.conf

Initialise the database

“-y” for yes, and “-f” for force

# aideinit -y -f

Automatic daily reports

Debian runs a script daily to check for changes to the filesystem. Run it manually if you can’t wait until tomorrow:

# /etc/cron.daily/aide

Then check your administrative users email