What is AIDE?AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more. There are other free replacements available so why build a new one? All the other replacements do not achieve the level of Tripwire. And I wanted a program that would exceed the limitations of Tripwire.
AIDE is not installed by default. Install it with the command:
# yum install aide
Customize /etc/aide.conf to meet your requirements. The default conﬁguration is acceptable for many
Generate a new database:
# /usr/sbin/aide --init
By default, the database will be written to the ﬁle /var/lib/aide/aide.db.new.gz.
The database, as well as the conﬁguration ﬁle /etc/aide.conf and the binary /usr/sbin/aide (or hashes
of these ﬁles) should be copied and stored in a secure location. Storing these copies or hashes on read-only
media may provide further conﬁdence that they will not be altered.
Install the newly-generated database:
# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Run a manual check:
# /usr/sbin/aide --check
If this check produces any unexpected output, investigate.
Implement checking with whatever frequency is required by your security policy. A once-daily check may be
suitable for many environments. For example, to implement a daily execution of AIDE at 4:05am, add the
following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check