In this tutorial, you will learn how to install and configure AIDE on Ubuntu 20.04. AIDE stands for Advanced Intrusion Detection Environment.
AIDE is an intrusion detection system that detects changes to files on the local system. It creates a database from the regular expression rules that it finds from the config file. Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) that are used to check the integrity of the file. More algorithms can be added with relative ease. All of the usual file attributes can also be checked for inconsistencies. Some of the file properties that AIDE can check include file permissions, inodes, modification time, file contents, user, group, file size…
Installing AIDE on Ubuntu 20.04
Run System Update
Before you can proceed, update and upgrade your system packages;
sudo apt update
sudo apt upgrade
Install AIDE on Ubuntu 20.04
AIDE is available on the default Ubuntu repositories.
apt-cache policy aide
aide:
Installed: (none)
Candidate: 0.16.1-1build2
Version table:
0.16.1-1build2 500
500 http://ke.archive.ubuntu.com/ubuntu focal/main amd64 Packages
So you can simply install it by executing the command below;
sudo apt install aide
Configuring AIDE on Ubuntu 20.04
AIDE has been successfully installed.
You can check the installed version and the options with which AIDE is compiled by executing the command below.
aide -v
Aide 0.16.1
Compiled with the following options:
WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_MHASH
WITH_AUDIT
CONFIG_FILE = "/dev/null"
The general configuration file for AIDE is located under /etc/default/aide. The rules and configurations reside under /etc/aide/ and the AIDE database is located under /var/lib/aide/.
Initialize AIDE Database on Ubuntu 20.04
Before you can proceed with the configuration of AIDE, you need to create a new AIDE database. This can be done using the aideinit script, which creates a new baseline database, /var/lib/aide/aide.db.new.
Creating a new AIDE database may take a few minutes.
sudo aideinit
...
Start timestamp: 2020-08-17 21:16:09 +0300 (AIDE 0.16.1)
AIDE initialized database at /var/lib/aide/aide.db.new
Verbose level: 6
Number of entries: 394993
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.new
RMD160 : GAsN4WEjhdn24HElaCb/daTKDjw=
TIGER : gwq53qWUr8hNSR2QnQficDJXungcT0B8
SHA256 : UpDqEtrLclqTqueWyXY5QOaivAMIhG1m
BXLExj07yaA=
SHA512 : lEj5QZJDraeraqx99J9Vi5AUBa3VPtH1
ZsWQret9+hXpvlyKV9jYzjLT/nSRYZjb
3yiwEOnk2N5Tsao+XEALew==
CRC32 : exgbFw==
HAVAL : 0EJFOeHe63tSE7qV0xdMHabpQr4kQkdy
6b0UxZbknxM=
GOST : hK/QHynp7XXi8tD3c1K5WLGCCnHcgMaS
HyQgh9uB5Os=
End timestamp: 2020-08-17 21:32:02 +0300 (run time: 6m 53s)
As you can see, a new baseline AIDE database has been created, /var/lib/aide/aide.db.new.
Install New AIDE Database
To install the newly created AIDE database, copy it into place as follows;
cp /var/lib/aide/aide.db{.new,}
Rebuild AIDE Configuration
To update the AIDE runtime configuration, /etc/aide/aide.conf, execute the command below;
update-aide.conf
The command generates a new configuration file, /var/lib/aide/aide.conf.autogenerated. Copy the new configuration file to the default AIDE configs directory, overwriting the existing one;
cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf
Check AIDE Database for any Inconsistencies
Once the new configuration is generated, run the manual database check against the new configuration by executing the command below;
aide -c /etc/aide/aide.conf -C
The command checks for deviations between the AIDE database and the filesystem. See the example output below;
...
Start timestamp: 2020-08-17 22:58:29 +0300 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Verbose level: 6
Summary:
Total number of entries: 395004
Added entries: 8
Removed entries: 0
Changed entries: 13
---------------------------------------------------
Added entries:
---------------------------------------------------
d++++++++++++++++: /run/motd.d
d++++++++++++++++: /run/motd.d/fwupd
f++++++++++++++++: /run/motd.d/fwupd/85-fwupd
d++++++++++++++++: /run/systemd/dynamic-uid
l++++++++++++++++: /run/systemd/units/invocation:fwupd.service
d++++++++++++++++: /tmp/systemd-private-a6c413acea194aa1bd41d2936e4d4ea6-fwupd.service-Xwi4Fh
d++++++++++++++++: /tmp/systemd-private-a6c413acea194aa1bd41d2936e4d4ea6-fwupd.service-Xwi4Fh/tmp
f++++++++++++++++: /var/lib/aide/aide.db
---------------------------------------------------
Changed entries:
---------------------------------------------------
f >b... mc..C.. .: /etc/aide/aide.conf
d ... n .. : /run
d >.... mc.n .. : /run/systemd
f =.... mci.... : /run/systemd/resolve/stub-resolv.conf
f =.... mc..... : /run/systemd/timesync/synchronized
d >.... mc.. .. : /run/systemd/units
d =.... mc.. .. .: /var/cache/fwupd
f >b... mci.C.. .: /var/cache/fwupd/metadata.xmlb
d =.... mc.. .. .: /var/cache/private/fwupdmgr/fwupd
f >b... mci.C.. .: /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz
f =.... mci.C.. .: /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz.asc
f =.... mc..C.. .: /var/log/journal/088f282d218f4067987670b09ad3319e/system.journal
d ... .n .. .: /var/tmp
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /etc/aide/aide.conf
Size : 6598 | 57485
Bcount : 16 | 120
Mtime : 2016-04-16 20:57:29 +0300 | 2020-08-17 22:58:04 +0300
Ctime : 2020-08-17 22:32:14 +0300 | 2020-08-17 22:58:04 +0300
RMD160 : kHZi6LuS1X5nlHkrtCLV9UdgDxo= | VS/qXLCjQQoZvM9PiMN0vognx+8=
TIGER : 4Xz+mZRAxr2kNIGOmTNJa/7Ftv+VpV37 | PlLfFDUNNN4gLjonNvJmrzyTGKeSwhLi
SHA256 : RN1UT38/wRA8N5o4M4MHU8N+G49sK9nB | kot4UpZLPPGlEUJdW8VtupXCjeITR4H6
0B5VVewz3h8= | HsG+rB0f6L8=
SHA512 : o4LOstw3erheco5dpKcKLadGav29Ud9E | spATSozxKYXnmS83qGHC9ijpT3RDFxMx
ZQd6cPiQZuQ7bsTZkx1MGEW+VYkhz5gj | 6/1vnTRZy/csfmaY6D9MBMkujB5blhFf
yKP7Fvoitf+jHcriq57Pgg== | mD+ynvYvCwyCVjNcRe5dGg==
CRC32 : S3Rhfg== | cEpRww==
HAVAL : +O7017egNOm+/TJW/3HxeQcxmz55pDM7 | elv71LkPurGiLw2qtG4cDF5xozVJccsG
S+TXtMWVN/E= | JRzZvSiA994=
GOST : 3NHf+nD39SudMxLJc5fkpkarUQ+unLQf | J5cKfKZL53NeV7TFaTZNJSKptrSXA0Io
NhV8dix9LIw= | oX5CeovHm/M=
Directory: /run
Linkcount: 30 | 31
Directory: /run/systemd
Size : 500 | 520
Mtime : 2020-08-17 21:15:49 +0300 | 2020-08-17 22:49:28 +0300
Ctime : 2020-08-17 21:15:49 +0300 | 2020-08-17 22:49:28 +0300
Linkcount: 23 | 24
File: /run/systemd/resolve/stub-resolv.conf
Mtime : 2020-08-17 22:38:02 +0300 | 2020-08-17 22:57:59 +0300
Ctime : 2020-08-17 22:38:02 +0300 | 2020-08-17 22:57:59 +0300
Inode : 659 | 640
File: /run/systemd/timesync/synchronized
Mtime : 2020-08-17 22:16:12 +0300 | 2020-08-17 22:50:20 +0300
Ctime : 2020-08-17 22:16:12 +0300 | 2020-08-17 22:50:20 +0300
Directory: /run/systemd/units
Size : 1420 | 1440
Mtime : 2020-08-17 22:37:42 +0300 | 2020-08-17 22:49:37 +0300
Ctime : 2020-08-17 22:37:42 +0300 | 2020-08-17 22:49:37 +0300
Directory: /var/cache/fwupd
Mtime : 2020-08-09 16:13:39 +0300 | 2020-08-17 22:49:36 +0300
Ctime : 2020-08-09 16:13:39 +0300 | 2020-08-17 22:49:36 +0300
File: /var/cache/fwupd/metadata.xmlb
Size : 1879141 | 1887049
Bcount : 3672 | 3688
Mtime : 2020-08-09 16:13:39 +0300 | 2020-08-17 22:49:36 +0300
Ctime : 2020-08-09 16:13:39 +0300 | 2020-08-17 22:49:36 +0300
Inode : 1181994 | 1181386
RMD160 : pYzImUr/9IKcF/SsT+tijWj6o48= | lNG+19YEXBaY429TNxZkLlZfuVY=
TIGER : mCYoqhqfFNesX1DBDyNE0YyU9DHANfsr | IO3tgHWnfLb+q4+hnVjJUEliGJsoiBtt
SHA256 : LZuTxCE1d4uxstnNw85aPmd3waqIiaUt | fchrp9FBGA0lcNqelgDUttBwUcedo+Yi
ED7Mux5lkvI= | niwWtEj+h2k=
SHA512 : 9/l4bMAUVMkk3MJxW/dG/kE6izzuwmzd | EaApKbI8wPTtUw+4q7g9VHMLQgmeH7lk
Mne02Yp6wtvH9b7lMhl6t5tGqIXMIy6h | lyet7Sc2YrP4sUE5ZDPX0OVut0+rFN5B
0gxhD5pBiJrAcpdwgUSvZw== | be75hImQJReXevqXgC+/eg==
CRC32 : PU7mFA== | spejqA==
HAVAL : ZJpdjXOB1L+AupLhbvX4pUPLA+31vYrJ | jiAxgrp+7q4U7v7vxRAUOwAVzbxCrqTl
WOaHdM9b55M= | JlJZrosn4fI=
GOST : wttUYlhB+GClZQkO85v2CaoSrM3ebi65 | HLlRZjmex/GvqPX0XHAk04Y5xsSyBWbN
+oZSpV60PGg= | UCqD96u9v48=
Directory: /var/cache/private/fwupdmgr/fwupd
Mtime : 2020-08-09 16:13:38 +0300 | 2020-08-17 22:49:35 +0300
Ctime : 2020-08-09 16:13:38 +0300 | 2020-08-17 22:49:35 +0300
File: /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz
Size : 424119 | 426248
Bcount : 832 | 840
Mtime : 2020-08-09 16:13:38 +0300 | 2020-08-17 22:49:35 +0300
Ctime : 2020-08-09 16:13:38 +0300 | 2020-08-17 22:49:35 +0300
Inode : 1181212 | 1180811
RMD160 : YFUDWdSVHPkiQcLISZDtJ20ky/A= | bjaeAnUPskzRnUT2R2T/j6YijII=
TIGER : t0kardgEjTOXg6kjTOGK1Mjx8jreOu0t | Y3T5gm10e0xJDigOB4ptR4P8a3gIm/BO
SHA256 : ytgCFZCZrZVDM/2pEwuMplVVQFovJtp/ | fXsj5k8OZd6253M1rKW5byDKBxVr+rJz
jn4/PtfIwMg= | d8iXbqQjp2Y=
SHA512 : xD+fcT1TfYyZ2P/64bwhqF8QfjLA3beU | KR0xDT3k5arE4UW6kkj1a9BcEwWmQYq5
3DEWBbHYh7RUXqsgw5M31XuPXd07yTGf | JU+IaCYSIZYTHyGqL/TNfcgs3r6IF3cC
PLF8BSXO+lg2FJutVTICnQ== | HR7aRxWRpCtZkXaa/LLb9Q==
CRC32 : 7iORCA== | 9AxJqw==
HAVAL : LU36UpTcbBHZreZtS1DVY/Mu7VAlwufB | Lg1NC9WNPmzu363oOCcwOGpqTCcKQXXB
dkh20rP9YN0= | fYZu63QXIdo=
GOST : UizSu5hJ9mvqCHDunME/8o1LtXGkpCBs | oKfk9n2Jb+MlDmQ7E6gPARIRR/FN6qV1
Fem5UwkVNso= | Rc88UrTd4Cg=
File: /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz.asc
Mtime : 2020-08-09 16:13:38 +0300 | 2020-08-17 22:49:35 +0300
Ctime : 2020-08-09 16:13:38 +0300 | 2020-08-17 22:49:35 +0300
Inode : 1181386 | 1181212
RMD160 : vQ1t+LGm8JuDNXaNfQf5Nu2uLBs= | qYgiTufncPHlLLPVTBTBnjwen70=
TIGER : C/FgkLFD0yvufVxCIJ1557UwwmB5gT6g | Hrr56nR+iS22evWzhCcjsaB3b18ex4n7
SHA256 : AZx4XHuXpkh5nNNJvwBbss02Q4JHar8m | u0qnWOIOXKe4MqWv2NoRA+aEiCv+RAoO
XVbklfUeh44= | hFC2pluDo3A=
SHA512 : oyfQwrMKK6ClBDTpfl1ws83JauDn2jZB | JfbGNhvPrpPBNmix0TGRhDira4Q+uAMj
zOrKNml9JckZUIyWfo+LXGxTfFFMFqda | 69NUjYgioKTLP3gHWy6ya0T/aaZW9nNG
SvNMs5h6hLHA6OgAjGeZAw== | r5Vp20NYg3ovJGecFN3r/w==
CRC32 : K4sNnw== | ju3ORQ==
HAVAL : QDsY4hzIXYWAntBnZdDHyUVhd78YzBmS | Wve1Dsn7wJ3Mg+tUIOQ0BJ1GuXj3OFXA
6EaWU+pYT6Q= | mDBV/Fe7Y4M=
GOST : 4atPHXn4P+PDrEWCb152oGA85SLNMaDu | K0ZAsfW3Su73/Rcfmg1Ktl73rTt6YogM
L4WsklT4hhA= | u+5mW4UGSIs=
File: /var/log/journal/088f282d218f4067987670b09ad3319e/system.journal
Mtime : 2020-08-17 22:49:37 +0300 | 2020-08-17 23:08:00 +0300
Ctime : 2020-08-17 22:49:37 +0300 | 2020-08-17 23:08:00 +0300
RMD160 : Yr9Qt19hUZ/vs5VHanGI0XWPsec= | sxiZM4GD9+bT7xpnQaQ2Y4BXgBg=
TIGER : n4IiYoU+90aNo48QP8NNJ+UqRpnYmSIj | Yc0FFEN093uNlzOju7CnxbgxAkGiGFeZ
SHA256 : MChIPiES5Fy1s2cPY6NrEzSj2QcukevK | 5bewLryKRLaDtmVztDAPnF4yXjCGPgvD
oIvAVvFr2IY= | D6L08jLUvMk=
SHA512 : 0Q1LGzvO2+GyEagYpI8L9Piwy2gK5mpk | 99Oh6/6dLkz2hLKxc9fLGMSL+9YPBzgH
Qh5m6r16cvD1eMVIvczF7xuh34wD3464 | AAuGk7aLHfJkOWDOBqAAL35+0J/7nipy
/ljj8kNwm9MTkTWO9AXs0Q== | 90PGDHUYX91R9R1ZPggD3A==
CRC32 : aKCqmw== | cWJs5g==
HAVAL : evOCIyBezEFHhlPo1udj0pzEe4yCyqLV | pHrfpI3QSMlc+mws8OwsLtSdTH2Ra8jU
aYmYblzdGl8= | e8bAgekKWpg=
GOST : +9GrDgi8EyOZk/msfzK3Tngs/d06/R16 | 2K0ZA6o9634mdHTTfeEWVQ1BGY9zB9eA
bbeLzmRnGMU= | GI9VMXJbAxs=
Directory: /var/tmp
Linkcount: 5 | 6
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db
RMD160 : SHHCkuxGwovE79pnRzjF2FWY9l0=
TIGER : 4WDF8gbxMdVskus0b683V4qei0dmZ9OE
SHA256 : iWlmKb+neZVRRT66cce5oY8yYcj21F2d
RmQr0OZlAiU=
SHA512 : 2mne5zEs5MbQnsVf0HOCUgPf892GfGQF
duxUaOzNU9F7gFdpp7W1/LWYsq2IqkzV
kN0eJX0mq7vZaa37lr/kpg==
CRC32 : vLZ/gQ==
HAVAL : apU71suq+RVvyVm+OzkNE26OCSQ6d3AE
8g9DUVYavJY=
GOST : PICK1Cdw+Ma5OYP4JKhxRsyhQ8cXiBjG
XsbXV19I+0E=
End timestamp: 2020-08-17 23:14:03 +0300 (run time: 15m 34s)
From the output above, AIDE found a number of file system changes. Check the report.
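Reading a report like the one above is mostly a matter of separating churn in volatile locations (/run, /tmp, the systemd journal, caches, and AIDE's own database) from changes that deserve a look, such as the edit to /etc/aide/aide.conf. The script below is an added example, not part of this tutorial or of AIDE itself: it parses the Summary counts and the Added/Removed/Changed entry lists out of "aide -C" output and prints only the entries that fall outside a list of volatile prefixes. The sample report is constructed from the format shown above, and the VOLATILE_PREFIXES list is an assumption to tune per host; paths that keep showing up in the dropped set are the natural candidates for "!" exclusion rules in aide.conf.

```shell
#!/bin/sh
# Added example (not from the tutorial): triage an "aide -C" report by
# separating changes under volatile paths from changes to review.

# Constructed sample, trimmed to the shape of the report shown above.
SAMPLE_REPORT='Start timestamp: 2020-08-17 22:58:29 +0300 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 395004
Added entries: 8
Removed entries: 0
Changed entries: 13
---------------------------------------------------
Added entries:
---------------------------------------------------
d++++++++++++++++: /run/motd.d
f++++++++++++++++: /run/motd.d/fwupd/85-fwupd
f++++++++++++++++: /var/lib/aide/aide.db
---------------------------------------------------
Changed entries:
---------------------------------------------------
f >b... mc..C.. .: /etc/aide/aide.conf
d ... n .. : /run
f =.... mc..C.. .: /var/log/journal/088f282d218f4067987670b09ad3319e/system.journal
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /etc/aide/aide.conf
Size : 6598 | 57485'

# Paths whose churn is expected on a running system (assumption: tune per host).
VOLATILE_PREFIXES="/run /tmp /var/tmp /var/log/journal /var/cache /var/lib/aide"

# aide_summary_count REPORT Added|Removed|Changed -> the count from the Summary block.
# The header lines of the same name ("Added entries:") carry no number and are skipped.
aide_summary_count() {
    printf '%s\n' "$1" | awk -v pat="^$2 entries: [0-9]+\$" '$0 ~ pat { print $NF; exit }'
}

# aide_report_paths REPORT -> one "added|removed|changed <path>" line per entry.
# Section headers switch the state; the "Detailed information" block ends parsing.
aide_report_paths() {
    printf '%s\n' "$1" | awk '
        /^Added entries:$/      { sec = "added";   next }
        /^Removed entries:$/    { sec = "removed"; next }
        /^Changed entries:$/    { sec = "changed"; next }
        /^Detailed information/ { exit }
        sec != "" { i = index($0, ": /"); if (i) print sec, substr($0, i + 2) }
    '
}

# aide_triage REPORT -> the entries that are not under a volatile prefix.
aide_triage() {
    aide_report_paths "$1" | awk -v prefixes="$VOLATILE_PREFIXES" '
        BEGIN { n = split(prefixes, p, " ") }
        {
            path = substr($0, index($0, " ") + 1)
            keep = 1
            for (k = 1; k <= n; k++)
                if (path == p[k] || index(path, p[k] "/") == 1) { keep = 0; break }
            if (keep) print
        }
    '
}

# Stand-alone run: the counts, then what is left to review.
printf 'added=%s removed=%s changed=%s\n' \
    "$(aide_summary_count "$SAMPLE_REPORT" Added)" \
    "$(aide_summary_count "$SAMPLE_REPORT" Removed)" \
    "$(aide_summary_count "$SAMPLE_REPORT" Changed)"
aide_triage "$SAMPLE_REPORT"
```

On the sample above the only entry that survives triage is the changed /etc/aide/aide.conf, which is exactly the file the previous step rewrote; everything under /run, /tmp and the journal is dropped. Feed a real report in with `aide_triage "$(aide -c /etc/aide/aide.conf -C)"` and prepend the surviving lines to the mailed report.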
Testing AIDE on Ubuntu 20.04
You can now create new files, edit some and even delete some and re-run AIDE check to actually see how AIDE can detect all these changes.
echo "1.2.3.4 test.kifarunix-demo.com" >> /etc/hosts
touch /etc/newfile
rm -rf /etc/issue
After all those changes, re-run the AIDE database check against the filesystem.
aide -c /etc/aide/aide.conf -C
Limiting AIDE's Integrity Checks to Specific Files/Directories
To limit the integrity checks to specific entries, for example /etc, pass the --limit REGEX option to the AIDE check command, where REGEX is the entry to check.
For example, to check the database entries matching /etc, you would run the aide command as shown below;
aide -c /etc/aide/aide.conf --limit /etc --check
To exclude some directories, edit the configuration file, /etc/aide/aide.conf, and add the directories to ignore to the end of the file in the format;
!/home/
!/var/lib/
!/proc
Using Custom AIDE Configuration
You can also create your own configuration and define what needs to be checked and what not. See example configuration below;
mkdir /home/koromicha/aide
vim /home/koromicha/aide/aide.conf
# Paths of the databases
database=file:/home/koromicha/aide/aide.db
database_out=file:/home/koromicha/aide/aide.db.new
database_new=file:/home/koromicha/aide/aide.db.new
# Set your own AIDE rule.
MYRULE=p+n+u+g+s+m+c+xattrs+md5+sha512
# Directories/files to be monitored and the rule to apply
#/etc MYRULE
#/bin MYRULE
#/usr/bin MYRULE
/home MYRULE
# Directories to ignore
!/proc
Basically, the rule set above checks permissions, number of links, user, group, size, modification time, inode/file change time, extended file attributes, MD5 checksum and SHA512 checksum.
Initialize the database with the new configuration;
sudo aide -c /home/koromicha/aide/aide.conf -i
Copy the database in place;
cp /home/koromicha/aide/aide.db{.new,}
Verify the configuration file for errors by running the command below;
aide -c /home/koromicha/aide/aide.conf --config-check
Check the command exit status.
echo $?
AIDE Diagnostics
According to the AIDE man pages, AIDE's exit status is normally 0 if no errors occurred, except when the --check, --compare or --update command was requested, in which case the exit status is defined as:
1 * (new files detected?) +
2 * (removed files detected?) +
4 * (changed files detected?)
Since those three cases can occur together, the respective error codes are added. For example, if there are new files and removed files detected, the exit status will be 1 + 2 = 3.
Additionally, the following exit codes are defined for generic error conditions:
14 Error writing error
15 Invalid argument error
16 Unimplemented function error
17 Invalid configureline error
18 IO error
19 Version mismatch error
NOTE: Whenever you make any AIDE configuration changes, remember to initialize the database to create a baseline.
Make some changes, such as creating a new directory and a new file;
rm -rf /home/koromicha/aide/aide.db.new
mkdir /home/koromicha/test-dir
touch /home/koromicha/test-file
You can then run AIDE against your custom configuration.
aide -c /home/koromicha/aide/aide.conf -C
Start timestamp: 2020-08-18 08:35:18 +0300 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 59
Added entries: 4
Removed entries: 2
Changed entries: 2
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /home/koromicha/aide/aide.conf
f++++++++++++++++: /home/koromicha/aide/aide.db
d++++++++++++++++: /home/koromicha/test-dir
f++++++++++++++++: /home/koromicha/test-file
---------------------------------------------------
Removed entries:
---------------------------------------------------
f----------------: /home/koromicha/aide/aide.db.new
f----------------: /home/koromicha/aide.conf
---------------------------------------------------
Changed entries:
---------------------------------------------------
d = ... mc n . : /home/koromicha
d = ... mc . . : /home/koromicha/aide
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /home/koromicha
Mtime : 2020-08-18 08:26:21 +0300 | 2020-08-18 08:31:31 +0300
Ctime : 2020-08-18 08:26:21 +0300 | 2020-08-18 08:31:31 +0300
Linkcount: 9 | 10
Directory: /home/koromicha/aide
Mtime : 2020-08-18 08:27:52 +0300 | 2020-08-18 08:31:14 +0300
Ctime : 2020-08-18 08:27:52 +0300 | 2020-08-18 08:31:14 +0300
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/home/koromicha/aide/aide.db
MD5 : w7Z1b0myNGwnbiexjCsY8Q==
SHA1 : PcxP7dFM/QifwAmkETeX2jdipEc=
RMD160 : cOFuj1oXo66UJszu++O3sJSgLtU=
TIGER : 0kW96KfuYLcqSemVRPIQdpItMMqjqk5O
SHA256 : CJxvbpOch28A0zbBds/WsVHwIoD2m9wR
Z3eZLE8nSkQ=
SHA512 : WhCWUC0HX2vcQLxS+CMe3iMmw4tjzM4N
72q+Ni+kn4AVMMB8MD6mDtouRYwtnEI0
nH7c+WdCoX303Y6dmjH65Q==
CRC32 : qhiKSQ==
HAVAL : bIk9sCi3W/CA2Xen1KHvr5558udvZZcl
PzAY/GgIRd4=
GOST : jpVKL+hk3+IaZ3J+zJkLaU1IlMWksrDo
+wNm5MOoWfA=
WHIRLPOOL: 2RcZzpfvzIkRRcfkw0TMXZT2zEFammH4
j5JT9ZO41knXTmMkJ4TT1PD4+uRNBFBW
Bylc3q2qfpC+Z1lPQ4lKkQ==
End timestamp: 2020-08-18 08:35:19 +0300 (run time: 0m 1s)
Sending AIDE Report via Mail
By default, AIDE sets up a daily execution script, /etc/cron.daily/aide, upon installation. The output of the checks is mailed to the user specified in the MAILTO= directive of the /etc/default/aide configuration file as detailed above.
To send the AIDE report via mail, edit the file /etc/default/aide and set the value of the MAILTO directive to your email address so that it looks like below. The default recipient is root.
vim /etc/default/aide
...
#MAILTO=root
[email protected]
Most of the AIDE default parameter settings are defined in this file. It is highly commented for easy understanding, so go through it to see what other options you may want to enable or disable.
Email delivery can only work if you have configured your MTA for mail transfer. Follow the links below to learn how to configure Postfix to use Gmail SMTP as a relay;
Configure Postfix to Use Gmail SMTP on Ubuntu 20.04
Configure Postfix to Use Gmail SMTP on Ubuntu 18.04
Instead of using the cron mail recipient address above, you can edit the Postfix mail aliases and set an alias for root to the email address on which you want to receive the AIDE report;
vim /etc/aliases
postmaster: root
root: [email protected]
You can as well install a cron job to execute AIDE at specific time intervals;
sudo crontab -e
*/10 * * * * aide -c /home/koromicha/aide/aide.conf -u && cp /home/koromicha/aide/aide.db{.new,}
This will execute the AIDE system check every 10 minutes and email the report to [email protected] as per my setup.
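The exit-status arithmetic from the AIDE Diagnostics section and the cron job above come together in the wrapper below. It is an added example, not part of this tutorial or of the AIDE project; the AIDE_BIN, AIDE_CONF and AIDE_DB_DIR variables and the check/accept sub-commands are assumptions. One thing worth knowing about the one-liner above: with --update, AIDE's exit status is non-zero whenever it finds differences (the same 1/2/4 encoding as --check), so "&& cp" installs the new database only on runs where nothing changed. The wrapper therefore keeps the check and the baseline promotion as two separate actions, so that a changed file, benign or not, is looked at before it becomes part of the baseline, and it decodes the status into words in the mailed output.

```shell
#!/bin/sh
# Added example (not from the tutorial): cron wrapper around "aide --check"
# that decodes AIDE's exit status and promotes a new baseline only on request.

AIDE_BIN="${AIDE_BIN:-aide}"                  # assumption: aide is in PATH
AIDE_CONF="${AIDE_CONF:-/etc/aide/aide.conf}"  # assumption: default config path
AIDE_DB_DIR="${AIDE_DB_DIR:-/var/lib/aide}"    # assumption: default database dir

# aide_decode_status N -> what exit status N says, as a comma-separated list:
# bit 1 = new files, bit 2 = removed files, bit 4 = changed files (they add up);
# "clean" for 0, "error:N" for the generic error codes (14..19) and anything else.
aide_decode_status() {
    st=$1
    if [ "$st" -eq 0 ]; then echo clean; return; fi
    if [ "$st" -gt 7 ]; then echo "error:$st"; return; fi
    out=""
    [ $((st & 1)) -ne 0 ] && out="${out}new,"
    [ $((st & 2)) -ne 0 ] && out="${out}removed,"
    [ $((st & 4)) -ne 0 ] && out="${out}changed,"
    echo "${out%,}"
}

# aide_run_check -> runs the check, prints the report followed by a one-line
# verdict (cron mails stdout to MAILTO), and returns AIDE's own exit status.
aide_run_check() {
    st=0
    "$AIDE_BIN" -c "$AIDE_CONF" --check || st=$?
    echo "AIDE verdict: $(aide_decode_status "$st") (exit status $st)"
    return "$st"
}

# aide_accept_baseline -> after the report has been reviewed, promote the
# database written by "aide -u" or "aide -i" to the live one (the cp step above).
aide_accept_baseline() {
    if [ ! -f "$AIDE_DB_DIR/aide.db.new" ]; then
        echo "no new database in $AIDE_DB_DIR to accept" >&2
        return 1
    fi
    cp "$AIDE_DB_DIR/aide.db.new" "$AIDE_DB_DIR/aide.db"
}

# Entry point: "check" from cron, "accept" by hand once the report is reviewed.
case "${1:-}" in
    check)  aide_run_check ;;
    accept) aide_accept_baseline ;;
    "")     ;;  # no action: only define the functions (useful when sourced)
    *)      echo "usage: $0 check|accept" >&2; exit 2 ;;
esac
```

Installed as /usr/local/sbin/aide-check.sh, a crontab line such as `0 3 * * * /usr/local/sbin/aide-check.sh check` runs the check nightly and mails the report and verdict; after reading it, an administrator regenerates the database with `aide -c /etc/aide/aide.conf -u` and runs `aide-check.sh accept` to make it the new baseline. Because the wrapper passes AIDE's exit status through, cron and any monitoring around it still see a non-zero status whenever differences were found.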
It is also good to note that AIDE checks might be resource intensive and may cause a performance issue on your system during integrity checks.
Reference
man aide
man aide.conf
Related Tutorials
Install and Configure Tripwire Security Monitoring tool on CentOS 8
Install and Configure AIDE on Ubuntu 18.04
Install and Setup Lynis Security Auditing tool on CentOS 8
I noticed in Ubuntu, going back to 14.04, that AIDE does not have the syslog_format parameter. Any idea how I can get it to do single line logging to replicate this behavior?