Advanced Intrusion Detection Environment (AIDE) on RHEL / Rocky / CentOS

System integrity is one of the most overlooked areas in Linux security. Firewalls, SELinux, and antivirus tools are common, but they do not tell you if critical system files were modified silently. This is where AIDE (Advanced Intrusion Detection Environment) fits perfectly.

In this blog, I’ll walk through what AIDE is, how it works, how to configure it properly, and how to interpret its output on RHEL, Rocky Linux, and CentOS. All commands shown below were executed manually on a test system.

What is AIDE?

AIDE is a host-based intrusion detection system (HIDS). It works by:


  1. Creating a baseline database of important system files

  2. Recording attributes like:

    • Permissions

    • Ownership

    • File size

    • Inode

    • Timestamps

    • Cryptographic hashes (SHA256 by default)

  3. Periodically comparing the current system state against this baseline


If any protected file changes, AIDE reports it.

In simple terms: AIDE tells you what changed, where it changed, and how it changed.

When should you use AIDE?


AIDE is useful when:

  • You want to detect unauthorized file changes

  • You manage mail servers, web servers, or compliance systems

  • You need post-compromise forensic visibility

  • You want lightweight security without heavy agents

It is especially common in PCI-DSS, ISO 27001, and SOC environments.


Installing AIDE


AIDE is available in default repositories.

[root@siddhesh ~]# dnf install -y aide

Sample Output

Last metadata expiration check: 0:01:12 ago on Tue 06 Jan 2026 06:40:10 PM IST.
Dependencies resolved.

Installed:
  aide-0.16-14.el9.x86_64

Complete!

Understanding AIDE Configuration


The main configuration file is:

/etc/aide.conf

Open it:

[root@siddhesh ~]# vim /etc/aide.conf

You’ll notice rule definitions like this:

NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

This means AIDE checks:

  Flag     Meaning
  ------   ----------------
  p        Permissions
  i        Inode
  n        Number of links
  u        User owner
  g        Group owner
  s        Size
  m        Modify time
  c        Change time
  sha256   File checksum

Default Directories Monitored

By default, AIDE monitors critical paths such as:

/bin
/sbin
/usr/bin
/usr/sbin
/etc

Example entry:

/etc    NORMAL

This is intentional — if someone modifies /etc/passwd or /etc/ssh/sshd_config, AIDE should catch it.
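As an added example (not the stock /etc/aide.conf shipped with the package), the fragment below tightens checking on the login-related files just mentioned and skips paths that change on every boot or request, which is the /var/log advice from the best practices at the end of this post. The rule name STRICT is an assumption; the flags are the ones in the table above, `$` anchors a line to one file, and a leading `!` excludes a path.

```conf
# Added example, not the distribution's aide.conf. STRICT is a made-up rule
# name; every flag in it is one AIDE already understands (sha512 added on top).
STRICT = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256+sha512

# Files that control who can log in and what they can do: any attribute
# change here is worth an alert, so they get the stricter rule.
/etc/passwd$          STRICT
/etc/shadow$          STRICT
/etc/sudoers$         STRICT
/etc/ssh/             STRICT

# The rest of /etc keeps the default rule from the post
/etc                  NORMAL

# Paths that legitimately change all the time would only produce noise
# and train people to ignore the daily report, so they are excluded.
!/var/log
!/var/cache
!/var/tmp
!/tmp
```

Re-run `aide --init` after editing the rules, because the baseline must be built with the same attribute set it is later compared against.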

Initializing the AIDE Database


Before AIDE can detect changes, you must create a baseline database.

[root@siddhesh ~]# aide --init

Sample Output

Start timestamp: 2026-01-06 18:47:12
AIDE initializing database...
Scanning files...
Added files: 153421
Database initialized
End timestamp: 2026-01-06 18:48:55

This creates:

/var/lib/aide/aide.db.new.gz

Rename it as the active database:

[root@siddhesh ~]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

⚠️ Important: Always initialize AIDE on a clean, trusted system.

Running an Integrity Check


To compare the current system state against the baseline:

[root@siddhesh ~]# aide --check

Sample Output (No Changes)

Start timestamp: 2026-01-06 19:01:10
AIDE found NO differences between database and filesystem.
End timestamp: 2026-01-06 19:02:03

This is what you want to see on a healthy system.


Simulating a Real Change


Let’s modify a protected file to see how AIDE reacts.

[root@siddhesh ~]# echo "# test change" >> /etc/hosts

Now re-run AIDE:

[root@siddhesh ~]# aide --check

Detailed Output

Start timestamp: 2026-01-06 19:05:22

Summary:
  Total number of files:        153421
  Added files:                 0
  Removed files:               0
  Changed files:               1

Changed files:
----------------

File: /etc/hosts
  Size     : 412 -> 425
  Mtime    : 2026-01-06 18:59:11 -> 2026-01-06 19:04:55
  Ctime    : 2026-01-06 18:59:11 -> 2026-01-06 19:04:55
  SHA256   : Yf9F...abc -> 8ZpQ...xyz

End timestamp: 2026-01-06 19:05:29

How to Read This


  • Size changed → file content modified

  • Mtime/Ctime changed → modification detected

  • SHA256 changed → confirms content alteration


This is a high-confidence alert.


Updating the Database After Legitimate Changes


System updates will naturally modify files. After verifying changes are valid, update the database:

[root@siddhesh ~]# aide --update

Then replace the database:

[root@siddhesh ~]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Automating AIDE with Cron


Most administrators run AIDE daily.


[root@siddhesh ~]# crontab -e

Add:

0 3 * * * /usr/sbin/aide --check

This runs AIDE every day at 03:00 AM.
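A bare `aide --check` in cron only mails its output to root; the wrapper below stores each report and turns AIDE's exit status into a syslog line, as an added example that is not from the original post. It assumes aide 0.16 as installed above, the report layout shown under Detailed Output, and treats /usr/sbin/aide, /var/log/aide and the script's own path as placeholders.

```shell
#!/bin/sh
# Daily AIDE wrapper (added example, not from the post). Assumes aide 0.16 on
# RHEL 9; AIDE_BIN and REPORT_DIR are assumed defaults, override via environment.
AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"
REPORT_DIR="${REPORT_DIR:-/var/log/aide}"
# AIDE's exit status is a bitmask: 1 = new files, 2 = removed files,
# 4 = changed files; 14 and above mean the check itself failed to run.
decode_aide_status() {
    status="$1"
    if [ "$status" -eq 0 ]; then echo "no differences"; return; fi
    if [ "$status" -ge 14 ]; then echo "error (exit $status)"; return; fi
    words=""
    [ $((status & 1)) -ne 0 ] && words="${words}added "
    [ $((status & 2)) -ne 0 ] && words="${words}removed "
    [ $((status & 4)) -ne 0 ] && words="${words}changed "
    echo "${words% }"
}

# Print the names listed under "Changed files:" in a report (file or stdin).
changed_files_from_report() {
    awk '/^Changed files:/ { in_section = 1; next }
         in_section && /^File: / { sub(/^File: /, ""); print }
         /^End timestamp/ { in_section = 0 }' "$@"
}
# Constructed sample report in the layout shown in the post, for offline testing.
sample_report() {
    cat <<'EOF'
Changed files:
----------------

File: /etc/hosts
  SHA256   : Yf9F...abc -> 8ZpQ...xyz

End timestamp: 2026-01-06 19:05:29
EOF
}

# Run the check, keep the full report, and push the verdict plus the list of
# touched files into syslog so the alert survives even if the report file is removed.
run_aide_check() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/aide-$(date +%Y%m%d-%H%M%S).log"
    "$AIDE_BIN" --check > "$report" 2>&1
    status=$?
    logger -t aide-check "result: $(decode_aide_status "$status"), report: $report"
    [ "$status" -ne 0 ] && changed_files_from_report "$report" | logger -t aide-check
    return "$status"
}
case "${1:-}" in --run) run_aide_check ;; esac
```

Point the cron line at the script instead of at aide directly (for example `0 3 * * * /usr/local/sbin/aide-check.sh --run`, path assumed) so each night's report is kept on disk and the verdict lands in the journal.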


Best Practices


  • Store AIDE database on read-only or remote storage

  • Do not monitor frequently changing paths like /var/log

  • Review alerts before updating the database

  • Combine AIDE with SELinux and auditd


Conclusion


AIDE is simple, reliable, and extremely effective when configured correctly. It won’t stop an attacker, but it will tell you exactly what was touched, which is critical during investigations.

For production servers on RHEL, Rocky, or CentOS, AIDE should be a default part of your hardening checklist.

