AIDE (Advanced Intrusion Detection Environment, [eyd]) is a file and directory integrity checker.
It creates a database from the regular expression rules that it finds in the config file(s). Once this database is initialized, it can be used to verify the integrity of the files. It supports several message digest algorithms (see below) that are used to check the integrity of each file, and all of the usual file attributes can also be checked for inconsistencies. It can read databases from older or newer versions. See the manual pages within the distribution for further info.
Step 1: Install Packages
This installation expects Apache to be already running.
# sudo apt install aide-dynamic aide-common
Step 2: Configure AIDE
Change the AIDE default settings in /etc/default/aide:
...
# Set this to no to disable daily aide runs
CRON_DAILY_RUN=yes
# This is the email address reports get mailed to
# default is root
# This variable is expanded before it is used, so you can use variables
# here. For example, MAILTO=$FQDN-aide@domain.example will send the
# report to host.name.example-aide@domain.example if the local FQDN is
# host.name.example.
MAILTO=admin@mydomain.org
# This parameter defines what to do with a new database created by
# COMMAND=update. It is ignored if COMMAND!=update.
# no: Do not copy new database to old database. This is the default.
# yes: Copy new database to old database. This means that changes to the
# file system are only reported once. Possibly dangerous.
# ifnochange: Copy new database to old database if no changes have
# been reported. This is needed for ANF/ARF to work reliably.
COPYNEWDB=yes
...
Step 3: Initialize Database
To build the initial database of checksums, run the following command:
# aideinit --config=/etc/aide/aide.conf
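As an added example (not part of the original guide), a small POSIX sh script that reads the effective values out of /etc/default/aide the way the daily cron job would and flags settings that weaken the check, in particular COPYNEWDB=yes, which the file's own comment marks as possibly dangerous. The sample file content and the function names (aide_setting, aide_defaults_findings, write_sample_defaults) are constructed for this demo; point the script at the real /etc/default/aide on a host.

```shell
#!/bin/sh
# Constructed sample of /etc/default/aide for the demo (not a real host file).
write_sample_defaults() {
    cat > "$1" <<'EOF'
# Set this to no to disable daily aide runs
CRON_DAILY_RUN=yes
# This is the email address reports get mailed to
# For example, MAILTO=$FQDN-aide@domain.example will send the
MAILTO=admin@mydomain.org
# yes: changes to the file system are only reported once. Possibly dangerous.
COPYNEWDB=yes
EOF
}

# aide_setting FILE KEY -> prints the effective value of KEY.
# The cron job sources the file as shell, so commented lines are ignored,
# the last uncommented assignment wins, and surrounding quotes are dropped.
aide_setting() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed "s/^[\"']//; s/[\"']\$//"
}

# aide_defaults_findings FILE -> one line per setting that weakens detection.
aide_defaults_findings() {
    cron="$(aide_setting "$1" CRON_DAILY_RUN)"
    mailto="$(aide_setting "$1" MAILTO)"
    copy="$(aide_setting "$1" COPYNEWDB)"

    [ "$cron" = yes ] || echo "CRON_DAILY_RUN=$cron: daily integrity checks are disabled"
    [ -n "$mailto" ] || echo "MAILTO unset: reports only reach root's local mailbox"
    # With yes, every change is reported once and then silently becomes the
    # new baseline; ifnochange only rolls the baseline when nothing changed.
    [ "$copy" != yes ] || echo "COPYNEWDB=yes: changes are baselined after a single report"
    return 0
}

# Demo run against the constructed sample: prints the COPYNEWDB finding.
demo="$(mktemp)"
write_sample_defaults "$demo"
aide_defaults_findings "$demo"
rm -f "$demo"
```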