Chapter 3. AIDE Introduction
Mike McGrath
Fedora Infrastructure Lead
Fedora Project
AIDE (Advanced Intrusion Detection Environment) is an application that tracks information about files on a host. It can record attributes such as inode, owner, md5sum, mtime, atime, ctime, etc. On its first run, AIDE reads the list of files to track from /etc/aide.conf and creates a new database file in /var/lib/aide. Subsequent runs either check the current files against that database or update the database to reflect files that have changed.
AIDE is useful for administrators who need to determine whether important files have changed without proper procedures being followed or, for example, whether a machine has been hacked and /bin/bash has been replaced by a shell with a trojan built into it. The most secure way to run AIDE is to store the database files off the machine they describe, so an intruder who gains control of the host cannot also rewrite the baseline. While we list some files that must be monitored, administrators may wish to monitor more. This is recommended, but each environment must decide for itself where the balance between usability and security lies.
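To make the init/check cycle concrete, here is an added Python example (not AIDE's own code) that records the same kind of per-file attributes into a baseline and then reports what differs in a later snapshot; the directory layout, file names and contents are constructed for the demonstration.

```python
"""Constructed illustration of the AIDE init/check cycle (not AIDE's code):
snapshot file attributes into a baseline, then compare a later snapshot."""
import hashlib
import tempfile
from pathlib import Path

# Attributes tracked per file, modelled on the AIDE set named above
# (inode, owner, checksum, mtime/ctime). atime is deliberately omitted:
# merely reading a file changes it and would produce constant noise.
def file_record(path: Path) -> dict:
    st = path.lstat()
    with path.open("rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"inode": st.st_ino, "uid": st.st_uid, "gid": st.st_gid,
            "mode": st.st_mode, "size": st.st_size,
            "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns, "sha256": digest}

def build_db(root: Path) -> dict:
    """Equivalent of the first (init) run: record every regular file under root."""
    return {str(p.relative_to(root)): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def compare_db(baseline: dict, current: dict) -> dict:
    """Equivalent of a check run: report added, removed and changed entries,
    listing which attributes differ for each changed file."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for name in set(baseline) & set(current):
        diff = [k for k in baseline[name] if baseline[name][k] != current[name][k]]
        if diff:
            changed[name] = diff
    return {"added": added, "removed": removed, "changed": changed}

def demo() -> dict:
    """Constructed scenario: take a baseline, then replace one file's contents
    with a same-sized payload so only the checksum/timestamps reveal it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "bash").write_bytes(b"#!/bin/sh\necho original\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/bash\n")
        baseline = build_db(root)          # in AIDE this lands in /var/lib/aide
        (root / "bin" / "bash").write_bytes(b"#!/bin/sh\necho replaced\n")
        (root / "etc" / "extra").write_text("new\n")
        return compare_db(baseline, build_db(root))

if __name__ == "__main__":
    print(demo())
```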