How to Check Integrity of File and Directory Using AIDE in Linux?

AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker for Linux systems. It creates a database snapshot of your system's files and directories, then uses this baseline to detect unauthorized changes, tampering, or corruption. AIDE monitors file attributes including permissions, ownership, size, timestamps, and cryptographic checksums.

File integrity checking is crucial for system security, data protection, and compliance requirements. When files are modified without authorization, it can indicate security breaches, malware infections, or system corruption that requires immediate attention.

Installing AIDE on Linux

System Requirements

Before installing AIDE, ensure your system meets these requirements:

  • Root or sudo privileges for installation and database management

  • Sufficient disk space for the AIDE database (typically 10-50 MB depending on system size)

  • Supported Linux distribution (Ubuntu, Debian, CentOS, Fedora, RHEL, etc.)

Installation Steps

Install AIDE using your distribution's package manager.

Ubuntu/Debian:

sudo apt update
sudo apt install aide aide-common

CentOS/RHEL/Fedora:

sudo yum install aide
# or for newer versions
sudo dnf install aide

Verify the installation:

aide --version

Setting Up an AIDE Database

Understanding the AIDE Database

The AIDE database is a compressed file containing cryptographic checksums and metadata for all monitored files and directories. This baseline snapshot enables AIDE to detect any changes during subsequent integrity checks. The database stores information such as file permissions, ownership, size, modification times, and hash values.

Creating the Initial Database

Initialize the AIDE database with default settings:

sudo aideinit

This creates the database file at /var/lib/aide/aide.db.new.gz. The process may take several minutes to scan your entire filesystem. Once complete, move the new database to its working location:

sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Customizing AIDE Configuration

Edit the AIDE configuration file to customize monitoring rules:

sudo nano /etc/aide/aide.conf

Common configuration examples:

# Exclude a directory from monitoring
!/home/user/temp

# Monitor specific files with custom rules
/etc/passwd p+i+n+u+g+s+m+c+md5+sha1

# Monitor log files for size changes only
/var/log LOG

# Define custom rule for executables
BinLib = p+i+n+u+g+s+b+m+c+md5+sha1
/bin BinLib
/usr/bin BinLib

After modifying the configuration, regenerate the database:

sudo aideinit
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Checking File and Directory Integrity

Running Integrity Checks

Perform a comprehensive integrity check against the existing database:

sudo aide --check

For verbose output with detailed information:

sudo aide --check --verbose

Understanding AIDE Output

AIDE output includes several key sections:

  • Summary: Total files checked, added, removed, and changed

  • Added files: New files since the last database update

  • Removed files: Files that no longer exist

  • Changed files: Files with modified attributes

Sample output interpretation:

AIDE found differences between database and filesystem!!

Added files:
f = p+i+n+u+g+s+m+c+md5+sha1 : /etc/newconfig.conf

Changed files:
f = p+i+n+u+g+s+m+c+md5+sha1 : /etc/passwd
  Mtime    : 2024-01-15 10:30:25              , 2024-01-16 14:22:18
  Ctime    : 2024-01-15 10:30:25              , 2024-01-16 14:22:18
  MD5      : 5d41402abc4b2a76b9719d911017c592 , 7d865e959b2466918c9863afca942d0f
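
An added example, not part of the original article: a small POSIX shell parser that reduces a report in the layout shown above to "section path" lines and filters them against a watch list. The function names and the watch-list prefixes are assumptions chosen for illustration, and the embedded report is the article's sample.

```sh
#!/bin/sh
# Added example: summarize an AIDE report and pick out watched paths.

# Reads a report on stdin in the layout of the sample above and prints
# one "<section> <path>" line per entry.
aide_report_paths() {
    awk '
        /^Added files:/   { section = "added";   next }
        /^Removed files:/ { section = "removed"; next }
        /^Changed files:/ { section = "changed"; next }
        # Entry lines are unindented and end in " : <path>"; the indented
        # attribute lines (Mtime, MD5, ...) belong to the entry above them.
        section != "" && /^[^ \t]/ {
            i = index($0, ": /")
            if (i > 0) print section, substr($0, i + 2)
        }
    '
}

# Keep only entries equal to or below the given paths (hypothetical list).
aide_watch_hits() {
    aide_report_paths | while read -r section path; do
        for prefix in "$@"; do
            case $path in
                "$prefix"|"$prefix"/*) echo "$section $path"; break ;;
            esac
        done
    done
}

# Constructed input: the sample report from the article.
sample_report() {
    cat <<'EOF'
AIDE found differences between database and filesystem!!

Added files:
f = p+i+n+u+g+s+m+c+md5+sha1 : /etc/newconfig.conf

Changed files:
f = p+i+n+u+g+s+m+c+md5+sha1 : /etc/passwd
  Mtime    : 2024-01-15 10:30:25              , 2024-01-16 14:22:18
  MD5      : 5d41402abc4b2a76b9719d911017c592 , 7d865e959b2466918c9863afca942d0f
EOF
}

sample_report | aide_report_paths
sample_report | aide_watch_hits /etc/passwd /bin /usr/bin
```

The report layout differs between AIDE versions, so check the section headers against your own output before relying on the patterns.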

Common AIDE Rules and Attributes

Attribute   Description
p           Permissions
i           Inode number
n           Number of links
u           User (owner)
g           Group
s           Size
m           Modification time
c           Change time
md5         MD5 checksum
sha1        SHA1 checksum

Automating AIDE Checks

Schedule regular AIDE checks using cron for continuous monitoring:

# Edit crontab
sudo crontab -e

# Add daily check at 2 AM
0 2 * * * /usr/bin/aide --check | mail -s "AIDE Report" admin@example.com

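Create a script for automated database updates after authorized changes:

#!/bin/bash
# Update the AIDE database after authorized changes
sudo aide --update
rc=$?
# Exit codes 1-7 only report differences; anything higher is an error
if [ "$rc" -gt 7 ]; then
    echo "AIDE update failed (exit code $rc)" >&2
    exit "$rc"
fi
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz && echo "AIDE database updated successfully"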
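
An added example, not part of the original article: a wrapper for the scheduled check that decodes the exit status of aide --check, so an alert can distinguish "files changed" from "the check itself failed". The status values follow the aide(1) manual (1 = new, 2 = removed, 4 = changed, added together; 14 and above are errors); the function names are assumptions, and the demo uses stand-in commands instead of a real AIDE run.

```sh
#!/bin/sh
# Added example: interpret the exit status of `aide --check`.

# Translate an AIDE exit status into a one-line verdict.
aide_status() {
    st=$1
    if [ "$st" -eq 0 ]; then
        echo "clean"
    elif [ "$st" -ge 1 ] && [ "$st" -le 7 ]; then
        kinds=""
        if [ $((st & 1)) -ne 0 ]; then kinds="${kinds}added "; fi
        if [ $((st & 2)) -ne 0 ]; then kinds="${kinds}removed "; fi
        if [ $((st & 4)) -ne 0 ]; then kinds="${kinds}changed "; fi
        echo "differences: ${kinds% }"
    else
        echo "error: aide exited with status $st"
    fi
}

# Run the check command given as arguments, print the verdict followed by
# the report, and return 0 (clean), 1 (differences) or 2 (check failed).
run_check() {
    aide_rc=0
    report=$("$@" 2>&1) || aide_rc=$?
    verdict=$(aide_status "$aide_rc")
    printf '%s\n%s\n' "$verdict" "$report"
    case $verdict in
        clean)        return 0 ;;
        differences*) return 1 ;;
        *)            return 2 ;;
    esac
}

# From root's crontab, mail only when something needs attention:
#   out=$(run_check /usr/bin/aide --check) || echo "$out" | mail -s "AIDE Report" admin@example.com

# Constructed demo: stand-in commands that exit the way aide would.
for code in 0 5 17; do
    run_check sh -c "echo '(constructed report)'; exit $code" || true
done
```

A return value of 2 deserves its own alert: a check that cannot read its database or configuration reports nothing about the filesystem.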

Troubleshooting Common Issues

  • Database not found: Ensure the database exists at /var/lib/aide/aide.db.gz

  • Permission denied: Run AIDE commands with sudo privileges

  • Configuration errors: Check syntax in /etc/aide/aide.conf

  • Large number of changes: Verify if changes are legitimate before updating the database

Conclusion

AIDE provides robust file and directory integrity monitoring for Linux systems by creating cryptographic baselines and detecting unauthorized changes. Regular AIDE checks help maintain system security, detect intrusions, and ensure data integrity. Proper configuration and automated monitoring make AIDE an essential tool for system administrators and security professionals.

Updated on: 2026-03-17T09:01:39+05:30
