AIDE (Advanced Intrusion Detection Environment) is a file integrity monitoring tool that creates a database of file attributes on your system, then compares against it to detect unauthorized changes. It tracks permissions, ownership, file size, timestamps, and cryptographic hashes – catching modifications that could indicate a security breach, rootkit installation, or configuration drift.
This guide walks through installing and configuring AIDE on RHEL 10 / Rocky Linux 10 and Ubuntu 24.04. We cover database initialization, running integrity checks, detecting file changes, automating scans with cron, and setting up email alerts for violations.
Prerequisites
Before starting, make sure you have the following in place:
- A server running RHEL 10 / Rocky Linux 10 or Ubuntu 24.04 LTS
- Root or sudo access to the system
- A working mail transfer agent (Postfix or similar) if you want email alerts
- Basic familiarity with Linux file permissions and system administration
Step 1: Install AIDE on Linux
AIDE is available in the default repositories for both RHEL-based and Debian-based distributions. Install it using your system’s package manager.
Install AIDE on RHEL 10 / Rocky Linux 10
On RHEL-based systems, AIDE ships in the AppStream repository:
sudo dnf install aide -y
Install AIDE on Ubuntu 24.04
On Ubuntu, install AIDE from the main repository:
sudo apt update
sudo apt install aide -y
Ubuntu may prompt you to configure Postfix during installation if it is not already set up. Choose “Internet Site” or “Local only” depending on your mail setup.
Verify the installation by checking the AIDE version:
aide --version
You should see the AIDE version and compiled-in options confirming the installation:
Aide 0.18.8
Compiled with the following options:
WITH_MHASH
WITH_PCRE2
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_CAPABILITIES
CONFIG_FILE = "/etc/aide.conf"
Step 2: Configure AIDE Rules
The AIDE configuration file defines which directories to monitor and what file attributes to check. The config file location differs by distribution:
- RHEL 10 / Rocky Linux 10: /etc/aide.conf
- Ubuntu 24.04: /etc/aide/aide.conf
Open the configuration file for editing:
sudo vi /etc/aide.conf
On Ubuntu, use /etc/aide/aide.conf instead; the Debian packaging also pulls in rule snippets from /etc/aide/aide.conf.d/, so a custom rule set can live in its own file there. On both distributions keep the default file's database_in, database_out and report directives and add your rules after them rather than replacing the whole file. The default configuration already monitors critical system directories. Here is an example of a production-ready custom rule set:
# Custom rule definitions
# FULL = check everything except access time. s (any size change) and
# S (growing size) are alternatives, so FULL uses s only.
FULL = p+i+n+u+g+s+m+c+sha256+sha512+xattrs+selinux+acl
# NORMAL = standard monitoring (single hash, skip access time)
NORMAL = p+i+n+u+g+s+m+c+sha256+xattrs
# PERMS = permissions and ownership only
PERMS = p+u+g+acl+selinux+xattrs
# LOG = growing log files: S reports only when the file shrinks, no hash
LOG = p+u+g+i+n+S
# Critical system binaries - full monitoring.
# On RHEL 10 and Ubuntu 24.04 /bin, /sbin and /lib64 are symlinks into /usr
# and AIDE does not follow symlinks, so the /bin and /sbin lines record only
# the links; the binaries themselves are covered by /usr/bin and /usr/sbin.
/bin FULL
/sbin FULL
/usr/bin FULL
/usr/sbin FULL
/usr/lib FULL
/usr/lib64 FULL
# Kernel and boot files
/boot FULL
# Specific /etc rules are listed before the broad /etc rule so that they
# apply however a given AIDE version resolves overlapping selection lines.
# SSH configuration
/etc/ssh FULL
# Authentication files
/etc/passwd FULL
/etc/shadow FULL
/etc/group FULL
/etc/gshadow FULL
/etc/sudoers FULL
/etc/sudoers.d FULL
# Cron directories
/etc/cron.d NORMAL
/etc/cron.daily NORMAL
/etc/cron.hourly NORMAL
/etc/cron.weekly NORMAL
/etc/cron.monthly NORMAL
/etc/crontab NORMAL
# Everything else under /etc
/etc NORMAL
# Skip directories that change frequently
!/var/log
!/var/spool
!/var/cache
!/tmp
!/run
!/proc
!/sys
The exclamation mark (!) prefix excludes a path and everything below it. Directories like /var/log and /tmp change constantly during normal operations and would generate false positives. Focus monitoring on binaries, configs, and authentication files where unauthorized changes matter most. Before building a database, validate the syntax of the edited file:
sudo aide --config-check
On Ubuntu add -c /etc/aide/aide.conf if the CONFIG_FILE shown by aide --version is not the Debian location.
Step 3: Initialize the AIDE Database
Before AIDE can detect changes, it needs a baseline database of your current system state. The initialization process scans every monitored file and records its attributes and hashes. This takes several minutes depending on how many files are monitored.
Initialize on RHEL 10 / Rocky Linux 10
Run the initialization command to create the baseline database:
sudo aide --init
AIDE writes the new database to /var/lib/aide/aide.db.new.gz. Copy it to the active database location:
sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Initialize on Ubuntu 24.04
On Ubuntu, use the aideinit wrapper script which handles both initialization and database placement:
sudo aideinit
The aideinit script creates the database and automatically copies it to the correct location. You should see output confirming the database was generated:
Running aide --init...
Start timestamp: 2026-03-22 10:15:32 +0000 (AIDE 0.18.8)
AIDE initialized database at /var/lib/aide/aide.db.new
New AIDE database written to /var/lib/aide/aide.db.new
Overwrite /var/lib/aide/aide.db with new database? [Yn] Y
Step 4: Run First Integrity Check
With the baseline database in place, run your first integrity check to confirm everything is working. A clean system should report no changes:
sudo aide --check
If no files have been modified since initialization, the output confirms zero changes:
Start timestamp: 2026-03-22 10:20:45 +0000 (AIDE 0.18.8)
AIDE found NO differences between database and filesystem. Looks okay!!
Number of entries: 85743
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db
SHA256 : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
This confirms AIDE is properly configured and the baseline database matches the current system state.
Step 5: Simulate File Changes and Detect Them
To verify AIDE catches real modifications, create a deliberate change and run a check. This is an important validation step before relying on AIDE in production.
Add a test user to the system:
sudo useradd testintruder
Modify a monitored configuration file:
echo "# test change" | sudo tee -a /etc/ssh/sshd_config
Now run the AIDE check to see if it detects these modifications:
sudo aide --check
AIDE reports every modified, added, and removed file with a detailed breakdown of which attributes changed:
Start timestamp: 2026-03-22 10:25:30 +0000 (AIDE 0.18.8)
AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 85745
Added entries: 2
Removed entries: 0
Changed entries: 4
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /etc/subuid
f++++++++++++++++: /etc/subgid
---------------------------------------------------
Changed entries:
---------------------------------------------------
f ... ..S.8C. .. . : /etc/passwd
f ... ..S.8C. .. . : /etc/shadow
f ... ..S.8C. .. . : /etc/group
f ... ..S.8C. .. . : /etc/ssh/sshd_config
AIDE detected every change: adding the account modified /etc/passwd, /etc/shadow and /etc/group, and the appended comment modified /etc/ssh/sshd_config. Each summary line is a fixed-width string in which the first character is the file type, a dot means the attribute in that position is unchanged, and any other character marks it as changed; the legend for the positions is under the summarize_changes option in the aide.conf(5) man page. You rarely need to decode it by hand, because the report continues with a "Detailed information about changes:" section listing the old and new value of every changed attribute (size, mtime, SHA-256 and so on) for each file.
Clean up the test changes after verification. Note that reverting does not make the next check clean: sed -i writes a new file (new inode and timestamps), and the account files keep new ctimes, so AIDE will keep reporting these entries until the baseline is refreshed in Step 6:
sudo userdel testintruder
sudo sed -i '/# test change/d' /etc/ssh/sshd_config
Step 6: Update the AIDE Database After Approved Changes
After applying legitimate changes to your system – software updates, config adjustments, new packages – you need to update the AIDE baseline. Without updating, every subsequent check will flag those approved changes as violations.
Use the --update flag to generate a new database that reflects the current state while also showing what changed:
sudo aide --update
This creates a new database file at /var/lib/aide/aide.db.new.gz. Review the listed changes to confirm they are expected, then replace the active database:
sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
On Ubuntu, the Debian configuration writes uncompressed database files, so the copy is:
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Always review the change report before replacing the database. If you see unexpected modifications – files you did not change, binaries with new hashes, or new SUID files – investigate before accepting the new baseline. Blindly updating the database after a compromise defeats the purpose of file integrity monitoring.
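The review step is where most AIDE deployments go wrong in practice: after a package upgrade the report lists hundreds of changed binaries and nothing in it says which ones the upgrade explains. The following triage script is an added example, not part of this guide's commands or of the AIDE project. It extracts every path from the Added, Removed and Changed sections of a saved report and asks the package manager about each one, using rpm -Vf on RHEL/Rocky and dpkg -S plus dpkg --verify on Ubuntu. The script name aide-triage.sh and the labels package-intact, package-modified and unowned are this example's own choices. Save the output of aide --update to a file and pass that file as the argument.

```shell
#!/bin/bash
# aide-triage.sh (added example, not part of AIDE): cross-check every path in
# an AIDE report against the package manager before the baseline is refreshed.
# Usage: aide-triage.sh REPORT   where REPORT holds the output of aide --update
set -u

# Print "KIND PATH" for each entry in the Added/Removed/Changed sections.
# Entry lines look like "f++++++++++++++++: /etc/subuid" or
# "f   ...    .C... ..  : /etc/passwd": the path follows the first ": /".
# Section headers are matched exactly so the "Added entries: 2" lines of
# the Summary block do not open a section.
aide_report_paths() {
    awk '
        /^Added entries:[ \t]*$/   { kind = "added";   next }
        /^Removed entries:[ \t]*$/ { kind = "removed"; next }
        /^Changed entries:[ \t]*$/ { kind = "changed"; next }
        /^Detailed information about changes:/ || /^The attributes of the/ { kind = "" }
        kind != "" && /^[^-]/ && index($0, ": /") > 0 {
            path = $0
            sub(/^[^:]*: /, "", path)
            print kind, path
        }
    ' "$1"
}

# lists_path PATH: true when a line on stdin (rpm -V or dpkg --verify output,
# whose last field is the file name) names PATH.
lists_path() {
    awk -v p="$1" '$NF == p { found = 1 } END { exit !found }'
}

# classify_path PATH: "package-intact" when a package owns the file and the
# package manager's own verification accepts it (what a package upgrade leaves
# behind), "package-modified" when the installed copy was altered afterwards,
# "unowned" when no package claims it. The labels are this example's own.
classify_path() {
    path=$1
    if command -v rpm >/dev/null 2>&1; then
        if rpm -qf "$path" >/dev/null 2>&1; then
            # rpm -Vf verifies the package owning PATH and prints one line per
            # file that fails verification; no line for PATH means it matches.
            if rpm -Vf "$path" 2>/dev/null | lists_path "$path"; then
                echo package-modified
            else
                echo package-intact
            fi
        else
            echo unowned
        fi
    elif command -v dpkg >/dev/null 2>&1; then
        # dpkg -S prints "pkg: /path" (or "pkg1, pkg2: /path"); diversion lines
        # are skipped. dpkg --verify lists files whose recorded md5sum no longer
        # matches, so files without a recorded sum are never flagged here.
        pkg=$(dpkg -S "$path" 2>/dev/null | grep -v '^diversion' | head -n 1 \
              | cut -d: -f1 | cut -d, -f1)
        if [ -n "$pkg" ]; then
            if dpkg --verify "$pkg" 2>/dev/null | lists_path "$path"; then
                echo package-modified
            else
                echo package-intact
            fi
        else
            echo unowned
        fi
    else
        echo unknown
    fi
}

main() {
    aide_report_paths "$1" | while read -r kind path; do
        printf '%-8s %-17s %s\n' "$kind" "$(classify_path "$path")" "$path"
    done
}

if [ $# -gt 0 ]; then
    main "$1"
fi
```

Treat the output as a sorting aid, not a verdict: a config file you edited on purpose shows up as package-modified, dpkg --verify only covers files with a recorded checksum, and an attacker with root can rewrite the rpm or dpkg database just as easily as the AIDE baseline. Anything unowned under /usr/bin, /usr/sbin or /boot, and any package-modified binary, deserves a look before the new database is promoted.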
Step 7: Automate AIDE Checks with Cron
Running manual checks is impractical for production systems. Set up a daily automated scan using cron that logs results and only sends alerts when changes are detected. On Ubuntu, the aide-common package already installs its own daily job (dailyaidecheck) that mails root and is configured in /etc/default/aide; adjust that or disable it so you do not receive two reports per day.
Create a shell script for the daily AIDE check:
sudo vi /usr/local/bin/aide-check.sh
Add the following content to the script:
#!/bin/bash
# Daily AIDE integrity check: keep the full report on disk, mail root only
# when AIDE reports differences or fails to run.
# AIDE exit codes: 0 = no changes; 1/2/4 (or their sum) = added/removed/
# changed entries; 14 and above = an error such as an unreadable database.
set -u
LOGDIR="/var/log/aide"
LOGFILE="$LOGDIR/aide-check-$(date +%Y%m%d).log"
mkdir -p "$LOGDIR"
chmod 700 "$LOGDIR"            # reports name every changed file; root only
/usr/bin/aide --check > "$LOGFILE" 2>&1
RETVAL=$?
if [ "$RETVAL" -ne 0 ]; then
    if [ "$RETVAL" -ge 14 ]; then
        SUBJECT="AIDE ERROR: check failed with exit $RETVAL on $(hostname)"
    else
        SUBJECT="AIDE Alert: File Changes Detected on $(hostname)"
    fi
    # The report goes in the message body: mail(1) implementations disagree
    # on the attachment flag (-a for s-nail and bsd-mailx, -A for mailutils).
    mail -s "$SUBJECT" root < "$LOGFILE"
fi
# Keep logs for 30 days
find "$LOGDIR" -name "aide-check-*.log" -mtime +30 -delete
exit "$RETVAL"
Make the script executable and set up the cron job:
sudo chmod 700 /usr/local/bin/aide-check.sh
Add a daily cron entry that runs the check at 3:00 AM:
echo "0 3 * * * root /usr/local/bin/aide-check.sh" | sudo tee /etc/cron.d/aide-check
Set proper permissions on the cron file – cron ignores files that are group-writable or world-writable:
sudo chmod 644 /etc/cron.d/aide-check
Alternative: Systemd Timer
If you prefer systemd timers over cron, create a service unit and timer. First, create the service file:
sudo vi /etc/systemd/system/aide-check.service
Add the following service definition:
[Unit]
Description=AIDE file integrity check
After=local-fs.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/aide-check.sh
Nice=19
IOSchedulingClass=idle
Create the timer unit:
sudo vi /etc/systemd/system/aide-check.timer
Add the timer configuration to run daily at 3:00 AM:
[Unit]
Description=Daily AIDE integrity check
[Timer]
OnCalendar=*-*-* 03:00:00
Persistent=true
RandomizedDelaySec=300
[Install]
WantedBy=timers.target
Enable and start the timer:
sudo systemctl daemon-reload
sudo systemctl enable --now aide-check.timer
Verify the timer is active and check when the next run is scheduled:
sudo systemctl list-timers aide-check.timer
The output shows the timer schedule and the next trigger time:
NEXT LEFT LAST PASSED UNIT ACTIVATES
Mon 2026-03-23 03:00:00 UTC 16h left - - aide-check.timer aide-check.service
Step 8: Email Alerts for AIDE Integrity Violations
The cron script from Step 7 already includes basic email alerting. For this to work, your system needs a functioning mail transfer agent. Install Postfix if you do not already have one configured.
Install Postfix on RHEL 10 / Rocky Linux 10
Install and enable Postfix for sending alert emails. On RHEL 9 and later the mailx package has been retired and s-nail provides the mail command:
sudo dnf install postfix s-nail -y
sudo systemctl enable --now postfix
Install Postfix on Ubuntu 24.04
On Ubuntu, install Postfix and the bsd-mailx package:
sudo apt install postfix bsd-mailx -y
sudo systemctl enable --now postfix
To send alerts to a specific mailbox instead of the local root mailbox, change the recipient in the script’s mail command. Open the check script:
sudo vi /usr/local/bin/aide-check.sh
Replace root with your own address (admin@example.com is a placeholder). The report is passed on standard input because mail(1) implementations disagree on the attachment flag:
mail -s "AIDE Alert: File Changes Detected on $(hostname)" admin@example.com < "$LOGFILE"
Test the email delivery by running a manual check:
sudo /usr/local/bin/aide-check.sh
If Postfix is configured to relay through an external SMTP server, ensure your firewall allows outbound traffic on port 25/587. Check the mail queue with mailq if emails are not arriving.
AIDE Check Attributes Reference
AIDE uses short attribute names, most of them single characters, to define which file attributes to monitor. Understanding these names is essential for writing effective rules in /etc/aide.conf. The following table lists the most commonly used check attributes:
| Attribute | Description |
|---|---|
| p | File permissions (rwx bits, setuid, setgid, sticky) |
| ftype | File type (regular file, directory, symlink, device) |
| l | Symlink target |
| i | Inode number |
| n | Number of hard links |
| u | User ownership (UID) |
| g | Group ownership (GID) |
| s | File size (report any change) |
| S | Growing file size (report only if the file shrinks – useful for logs; do not combine with s) |
| b | Block count |
| m | Modification time (mtime) |
| c | Status change time (ctime) |
| a | Access time (atime) – usually excluded to reduce noise |
| md5 | MD5 checksum (legacy – use sha256 or sha512 instead) |
| sha256 | SHA-256 cryptographic hash |
| sha512 | SHA-512 cryptographic hash |
| xattrs | Extended file attributes |
| selinux | SELinux security context (requires a WITH_SELINUX build; only meaningful where files carry SELinux labels, i.e. RHEL/Rocky) |
| acl | POSIX Access Control Lists |
| e2fsattrs | ext2/3/4 filesystem attributes (immutable, append-only, etc.) |
| caps | Linux capabilities assigned to the file |
Combine attributes with the + operator to build custom rules. For example, p+u+g+sha256 monitors permissions, ownership, and SHA-256 hash without tracking timestamps. Use the S (uppercase) attribute instead of s for log files where you expect size to increase but want to detect unexpected shrinkage.
For high-security environments, use sha256+sha512 together for dual-hash verification. Avoid relying on md5 alone as it is cryptographically broken, though AIDE still supports it for backward compatibility. On RHEL-based systems, always include selinux in your rules since SELinux context changes can indicate misconfigured SELinux policies or tampering.
Conclusion
AIDE is now configured, initialized, and running automated integrity checks on your RHEL 10 or Ubuntu 24.04 system. The daily scans will catch unauthorized file modifications, new binaries, permission changes, and configuration drift – giving you early warning of potential security incidents.
For production hardening, store the AIDE database on read-only media or a remote server so attackers cannot tamper with the baseline. Consider integrating AIDE alerts with a centralized logging system like Wazuh or OSSEC for correlation with other security events. Protect the AIDE configuration file and binary with proper access controls, and always review change reports before updating the baseline database. For additional file integrity coverage, refer to the AIDE project on GitHub for advanced configuration options and community-maintained rule sets.
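Keeping a copy of the baseline off the host only helps if you also notice when the copy on the host, or the aide binary and configuration that read it, have been swapped. The script below is an added example, not part of this guide's procedure or of the AIDE project. It records SHA-256 digests of AIDE's trust anchors with sha256sum and refuses to run a check until they verify. The manifest path /var/lib/aide/anchors.sha256, the AIDE_ANCHORS variable and the exit code 20 are this example's own choices; the anchor paths assume the RHEL/Rocky defaults.

```shell
#!/bin/bash
# aide-anchors.sh (added example, not part of AIDE): pin AIDE's own trust
# anchors. A report is only as trustworthy as the binary, configuration and
# baseline database that produced it, so their digests are recorded in a
# manifest that is verified before every check.
set -u

# Files that define what AIDE trusts. RHEL/Rocky defaults; on Ubuntu set
# AIDE_ANCHORS="/usr/bin/aide /etc/aide/aide.conf /var/lib/aide/aide.db".
AIDE_ANCHORS="${AIDE_ANCHORS:-/usr/bin/aide /etc/aide.conf /var/lib/aide/aide.db.gz}"
MANIFEST_DEFAULT=/var/lib/aide/anchors.sha256

# record_anchors MANIFEST FILE...: write "digest  path" lines in sha256sum
# format. Run after every approved baseline update, then copy MANIFEST to the
# remote server or read-only media; a manifest kept only on the host can be
# rewritten by the same attacker who replaced the database.
record_anchors() {
    manifest=$1
    shift
    sha256sum "$@" > "$manifest"
}

# verify_anchors MANIFEST: return 0 only if every listed file still has the
# recorded digest. --strict also fails on malformed manifest lines, so a
# truncated or edited manifest cannot pass as "nothing to check".
verify_anchors() {
    sha256sum --quiet --strict -c "$1" >/dev/null 2>&1
}

# checked_aide MANIFEST: refuse to run the integrity check when the anchors
# changed, because a clean report from a replaced aide or database proves
# nothing. Exit 20 is this example's own code, outside AIDE's 0-7 and 14-19.
checked_aide() {
    if ! verify_anchors "$1"; then
        echo "AIDE trust anchors changed; refusing to run check" >&2
        return 20
    fi
    /usr/bin/aide --check
}

case "${1:-}" in
    record) record_anchors "${2:-$MANIFEST_DEFAULT}" $AIDE_ANCHORS ;;
    check)  checked_aide "${2:-$MANIFEST_DEFAULT}" ;;
esac
```

Call aide-anchors.sh record right after copying a reviewed aide.db.new.gz into place, and run aide-anchors.sh check from the cron job or timer instead of a bare aide --check. The manifest copy held off-box is the one to trust: if the local manifest and the remote copy disagree, the host, not the remote, is the suspect.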