Last updated: 20 Aug 2025
Approach: monitor the critical paths only; exclude chatty areas; re-baseline the DB only after an investigated change; alert on real changes (content and ownership), not on every mtime tick.
1) Install & init
sudo apt install -y aide
# Drop your fragment into /etc/aide/aide.conf.d first (section 2), then build the baseline:
# aideinit compiles the config from the fragments and writes /var/lib/aide/aide.db.new;
# the mv makes it the live baseline. Re-run both after every config change, or the
# baseline reflects the old ruleset.
sudo aideinit
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
2) Config (extract)
# /etc/aide/aide.conf.d/50_baseline
# No dot in the filename: Debian's update-aide.conf only concatenates fragments with
# run-parts style names ([A-Za-z0-9_-]); a "baseline.conf" is silently skipped.
# DBDIR/LOGDIR are already set in the packaged /etc/aide/aide.conf; keep these two
# lines only if you replaced that file.
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
# Rules: perms, inode, link count, owner, group, size, mtime, ctime, link target,
# two strong hashes. No md5: a second collision-resistant hash cross-checks the
# first; md5 would not add anything.
# CRIT is our own group name; the built-in R group is left untouched.
CRIT = p+i+n+u+g+s+m+c+l+sha256+sha512
# Critical paths
/etc CRIT
/usr/bin CRIT
/usr/sbin CRIT
# On merged-/usr systems /sbin is a symlink to /usr/sbin, so this records the link only.
/sbin CRIT
# Exclusions (chatty). A negative line only bites if some selection line would
# otherwise descend into it; the four paths above never do, but the packaged
# fragments in conf.d select far more, so keep them. Give the movers in /etc
# (mtab, resolv.conf, ld.so.cache, adjtime) the same treatment or every run is noisy.
!/var/log/.*
!/tmp/.*
!/var/tmp/.*
!/proc/.*
!/sys/.*
3) Run & schedule
# Use the wrapper on Debian/Ubuntu: it rebuilds /var/lib/aide/aide.conf.autogenerated
# from the conf.d fragments before checking, a step plain `aide --check` skips.
sudo aide.wrapper --check
# The package already ships a daily job (cron.daily/aide, tuned via /etc/default/aide)
# that runs the same check and mails the report; a systemd timer is fine if you prefer.
4) Alerting
- Send the report to your SIEM; alarm on added, removed and modified files in the critical paths, ranking a changed hash or size above a bare mtime/ctime change.
- Investigate before updating the DB (aide.wrapper --update writes aide.db.new; then mv it over aide.db), or you'll bless the compromise.
- Protect the baseline: root on a compromised host can regenerate /var/lib/aide/aide.db, and a check against a tampered DB happily reports no differences. Keep a copy of aide.db (or at least its SHA-256) off-host or on read-only media and compare it before trusting a clean run.
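Worked example for the alerting step, added here and not part of the original page or of AIDE itself: a small parser that turns the text report from aide.wrapper --check (or the daily cron mail) into one JSON event per change under the critical paths, carrying the old and new attribute values so the SIEM rule can rank a hash change above a touch. It assumes the report layout of AIDE 0.16 and later (the "Added/Removed/Changed entries:" sections followed by "Detailed information about changes:"); the sample report embedded below is constructed for the demo, not captured from a host, and the script name aide_alerts.py is an assumption.

```python
"""Turn an AIDE check report into JSON events for the critical paths (added example).

Parses the text report from `aide.wrapper --check` (or the daily cron mail):
Added/Removed/Changed entries plus the old|new values from the "Detailed
information" section, then emits one JSON line per entry under a critical path.
Usage: aide.wrapper --check | python3 aide_alerts.py >> /var/log/aide/alerts.jsonl
"""
import json
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Mirrors the selection lines in the config (assumption: the report comes from it).
CRITICAL_PREFIXES: Tuple[str, ...] = ("/etc/", "/usr/bin/", "/usr/sbin/", "/sbin/")
# Attributes whose change means the bytes moved, not just metadata.
CONTENT_ATTRS = {"Size", "SHA256", "SHA512", "MD5", "SHA1"}

_SECTION_RE = re.compile(r"^(Added|Removed|Changed) entries:$")
# "f++++++++++++++++: /path" (added) or "f   ..   C.. .  : /path" (changed):
# the flag string ends at the first ':' that is followed by an absolute path.
_ENTRY_RE = re.compile(r"^(?P<flags>\S.*?):\s*(?P<path>/.*)$")
_DETAIL_HEAD_RE = re.compile(r"^(File|Directory|Link): (?P<path>/.*)$")
_DETAIL_ATTR_RE = re.compile(r"^\s+(?P<attr>\S+)\s*:\s*(?P<old>.*?)\s*\|\s*(?P<new>.*?)\s*$")


@dataclass
class Entry:
    event: str       # "added" | "removed" | "changed"
    path: str
    ftype: str       # first flag char: f file, d dir, l link
    flags: str       # raw AIDE attribute summary string
    details: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # attr -> (old, new)


def parse_report(text: str) -> List[Entry]:
    """Entries from an AIDE report; a "NO differences" report yields []."""
    entries: List[Entry] = []
    by_path: Dict[str, Entry] = {}
    section = None   # "added" | "removed" | "changed" | "detail" | None
    current = None   # entry whose old|new attribute lines are being read
    for raw in text.splitlines():
        line = raw.rstrip()
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
        elif line.startswith("Detailed information about changes:"):
            section = "detail"
        elif line.startswith("The attributes of the (uncompressed) database"):
            section = None   # trailing self-description of aide.db, not a change
        elif not line or line.startswith("----"):
            pass
        elif section in ("added", "removed", "changed"):
            m = _ENTRY_RE.match(line)
            if m:
                flags = m.group("flags")
                entry = Entry(section, m.group("path"), flags[0], flags.strip())
                entries.append(entry)
                by_path[entry.path] = entry
        elif section == "detail":
            m = _DETAIL_HEAD_RE.match(line)
            if m:
                current = by_path.get(m.group("path"))
                continue
            m = _DETAIL_ATTR_RE.match(line)
            if m and current is not None:
                current.details[m.group("attr")] = (m.group("old"), m.group("new"))
    return entries


def is_critical(path: str, prefixes: Tuple[str, ...] = CRITICAL_PREFIXES) -> bool:
    """True for a critical directory itself or anything below it."""
    return any(path == p.rstrip("/") or path.startswith(p) for p in prefixes)


def severity(entry: Entry) -> str:
    """Files appearing/vanishing, or content changes, are high; metadata-only is medium."""
    if entry.event != "changed" or not CONTENT_ATTRS.isdisjoint(entry.details):
        return "high"
    return "medium"


def alerts(entries: List[Entry], prefixes: Tuple[str, ...] = CRITICAL_PREFIXES) -> List[dict]:
    """SIEM events for entries under the critical paths; everything else is dropped."""
    events = []
    for e in entries:
        if not is_critical(e.path, prefixes):
            continue
        ev = {"source": "aide", "event": e.event, "path": e.path, "ftype": e.ftype,
              "flags": e.flags, "severity": severity(e)}
        for attr, (old, new) in e.details.items():
            ev[f"old_{attr.lower()}"] = old
            ev[f"new_{attr.lower()}"] = new
        events.append(ev)
    return events


# Constructed sample in the AIDE 0.16+ layout (not real output; hashes are placeholders).
SAMPLE_REPORT = """\
Start timestamp: 2025-08-20 03:12:44 +0000 (AIDE 0.18.6)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      14231
  Added entries:                1
  Removed entries:              1
  Changed entries:              2

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /usr/bin/.cache-helper

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /etc/cron.d/backup

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   ..   C.. .  : /etc/ssh/sshd_config
f   ..   C.. .  : /home/alice/.bashrc

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/ssh/sshd_config
  Mtime    : 2025-08-01 09:10:11 +0000         | 2025-08-20 02:58:01 +0000
  SHA256   : MSLnYHdjq5rB6f9QvTx2k0aZ          | R7zv2pXw0Hq1LkC8eNfT9yAb

File: /home/alice/.bashrc
  Mtime    : 2025-07-30 18:02:55 +0000         | 2025-08-19 21:40:12 +0000
"""

if __name__ == "__main__":
    report = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    for ev in alerts(parse_report(report)):
        print(json.dumps(ev, sort_keys=True))
```

The /home entry in the sample is there to show the filter dropping it; with the config above it would never be scanned in the first place. Rank on the severity field, and treat any event whose old_sha256 differs from new_sha256 on a package-owned binary as an incident until dpkg --verify or the off-host baseline says otherwise.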