AIDE (Advanced Intrusion Detection Environment) is a program for checking the integrity of a file and directory on any modern Unix-like system. It creates a database of files on the system, and then uses that database as a yardstick to ensure file integrity and detect system intrusions.
In this article, we will show how to install and use AIDE to check file and directory integrity in Fedora distribution.
How to Install AIDE in Fedora
1. The AIDE utility is included in Fedora Linux by default, therefore, you can use the default dnf package manager to install it as shown.
$ sudo dnf install aide
2. After the installation is complete, you need to create the initial AIDE database, which is a snapshot of the system in it’s normal state. This database will act as the yardstick against which all subsequent updates and changes will be measured.
Note that it is important to create the database on a new system before it is brought onto the network. And secondly, the default aide configuration enables checking a set of directories and files defined in the /etc/aide.conf file. You need to edit this file accordingly to configure more files and directories to be watched by aide.
Run the following command to generate the initial database:
$ sudo aide --init
3. To start using the database, remove the
.new substring from the initial database file name.
$ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
4. To further protect the AIDE database, you can change its default location by editing the configuration file and modify the DBDIR value and point it to the new location of the database.
@@define DBDIR /path/to/secret/db/location
For additional security, store the database configuration file and the /usr/sbin/aide binary file in a secure location such as a read-only media. Importantly, you can in fact increase security by signing the configuration and/or database.
Performing Integrity Checks in Fedora
5. To manually scan the Fedora system, run the following command.
$ sudo aide --check
The output of the above command shows differences between the database and the current state of the filesystem. It shows a summary of entries and detailed information about the changed entries.
6. For effective usage, you should configure AIDE to run as a cron job, to perform scheduled scans, either weekly (at the minimum) or daily (at the maximum).
For example, to schedule a scan at midnight everyday, add the following cron entry in the file /etc/crontab.
00 00 * * * root /usr/sbin/aide --check
Updating an AIDE Database
7. After confirming the changes of your system such as, package updates or configuration files modifications, update your baseline AIDE database with the following command.
$ sudo aide --update
aide --update command creates a new database file /var/lib/aide/aide.db.new.gz. To start using it for future scans, you need to rename it as shown before (remove the .new substring from the file name).
For additional information on AIDE you can check its man page.
$ man aide
For other Linux distributions, you can check out: How to Check Integrity of File and Directory Using “AIDE” in Linux.
AIDE is a powerful utility for checking integrity of files and directories on Unix-like operating systems such as Linux. In this article, we showed how to install and use AIDE in Fedora Linux. Do you have any question(s) or comments concerning AIDE, if yes, then use the feedback form to reach us.