AIDE (Advanced Intrusion Detection Environment) is an open-source file integrity monitoring tool that detects unauthorized changes to files on a Linux system. It creates a cryptographic baseline database of your file system and compares the current state against that baseline on every check, alerting you to any additions, deletions, or modifications. AIDE is recommended by the CIS RHEL 9 Benchmark and is a key control for satisfying PCI DSS Requirement 11.5 and similar file integrity monitoring requirements. This tutorial covers installing, configuring, and automating AIDE on RHEL 9.

Prerequisites

  • RHEL 9 system with sudo or root access
  • Active RHEL subscription or access to a configured dnf repository
  • Basic familiarity with systemd timer units

Step 1 — Install AIDE

AIDE is available in the default RHEL 9 repositories. Install it with dnf and verify the installed version.

sudo dnf install -y aide

# Verify installation
aide --version

# Review the default configuration file location
ls -l /etc/aide.conf

Step 2 — Configure AIDE Monitoring Rules

The main configuration file is /etc/aide.conf. It defines which directories to monitor and which attributes to check for each. AIDE uses named rule groups — you can compose custom groups from individual attribute flags. The most critical directories to monitor are system binaries, libraries, and configuration files.

# Back up the default configuration
sudo cp /etc/aide.conf /etc/aide.conf.bak

# Review the default rule definitions (near the top of aide.conf)
grep -E "^(NORMAL|PERMS|DATAONLY|Full)" /etc/aide.conf | head -20

# Key attribute flags used in rules:
# p  = permissions
# i  = inode number
# n  = number of links
# u  = user (owner)
# g  = group
# s  = size
# b  = block count
# m  = mtime
# a  = atime
# c  = ctime
# md5 / sha256 / sha512 = checksums

# Add a custom comprehensive rule to aide.conf
sudo tee -a /etc/aide.conf > /dev/null << 'EOF'

# Custom rule: check permissions, inode, link count, ownership, size,
# and both MD5 and SHA-512 checksums (drop md5 if you only want the stronger hash)
CUSTOM_STRICT = p+i+n+u+g+s+md5+sha512

# Monitor critical system directories
/etc    CUSTOM_STRICT
/bin    CUSTOM_STRICT
/sbin   CUSTOM_STRICT
/usr/bin   CUSTOM_STRICT
/usr/sbin  CUSTOM_STRICT
/usr/lib   CUSTOM_STRICT
/usr/lib64 CUSTOM_STRICT
/boot   CUSTOM_STRICT

# Monitor cron directories
/etc/cron.d       CUSTOM_STRICT
/etc/cron.daily   CUSTOM_STRICT
/etc/cron.hourly  CUSTOM_STRICT
/var/spool/cron   CUSTOM_STRICT

# Exclude log files and frequently changing files
!/var/log
!/var/spool/postfix
# Note: excluding aide.conf means edits to these rules themselves go unreported;
# keep the backup made above somewhere root-only if you rely on this exclusion
!/etc/aide.conf
EOF

echo "AIDE configuration updated"

Step 3 — Initialize the AIDE Database

Before AIDE can detect changes, you must initialize the baseline database. This process hashes every monitored file and records the results. Run this on a known-good system state immediately after installation or after applying verified system updates.

# Initialize the database (this can take several minutes on a busy system)
sudo aide --init

# The new database is created at a .new.gz path — move it to the active location
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

# Verify the database was created
ls -lh /var/lib/aide/aide.db.gz

# Optional: store a copy of the initial database offline or in read-only storage
# so it cannot be tampered with by an attacker who gains root access
sudo cp /var/lib/aide/aide.db.gz /root/aide.db.gz.baseline

Step 4 — Run a Manual Integrity Check and Interpret Output

Once the database is initialized, run aide --check to compare the current file system state against the baseline. AIDE reports three categories: added files, removed files, and changed files. Changed files include a list of which attributes differ.

# Run an integrity check
sudo aide --check

# Example output structure:
#
# AIDE found differences between database and filesystem!!
#
# Added files:
# f++++++++++++++++: /etc/newfile.conf
#
# Removed files:
# f----------------: /etc/deletedfile.conf
#
# Changed files:
# f   ...    .C...: /etc/passwd
#   Sha512   : old_hash != new_hash
#   Mtime    : OLD_TIME != NEW_TIME

# After investigating and confirming changes are authorized,
# re-initialize the database to update the baseline
sudo aide --update
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
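As an added example (not part of the original tutorial or of AIDE itself), the POSIX shell function below parses a report in the layout shown above, counts the added, removed, and changed entries, and lists the ones that fall under a hypothetical watchlist of sensitive paths so they can be escalated first. The sample report is constructed, and the watchlist in is_critical is an assumption you would tailor to your own system.

```shell
#!/bin/sh
# Constructed sample report in the layout shown above (not output from a real host).
SAMPLE_REPORT='AIDE found differences between database and filesystem!!

Added files:
f++++++++++++++++: /etc/cron.d/backup

Removed files:
f----------------: /etc/deletedfile.conf

Changed files:
f   ...    .C...: /etc/passwd
f   ...    .C...: /etc/motd

Detailed information about changes:
File: /etc/passwd
  Sha512   : old_hash != new_hash'

# Hypothetical watchlist: paths whose change should be escalated, not just logged.
is_critical() {
  case "$1" in
    /etc/passwd|/etc/shadow|/etc/sudoers|/etc/sudoers.d/*|/etc/ssh/*|\
    /etc/cron*|/var/spool/cron/*|/usr/bin/*|/usr/sbin/*|/boot/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Walk the report section by section, count entries, and collect watchlist hits.
# Prints one line: added=N removed=N changed=N critical=path1,path2
# (the section headers match both "Added files:" and AIDE's "Added entries:").
aide_triage() {
  printf '%s\n' "$1" | {
    section=""; added=0; removed=0; changed=0; critical=""
    while IFS= read -r line; do
      case "$line" in
        Added*)    section=added;   continue ;;
        Removed*)  section=removed; continue ;;
        Changed*)  section=changed; continue ;;
        Detailed*) section="";      continue ;;   # per-file detail: stop counting
      esac
      [ -n "$section" ] || continue
      case "$line" in *": /"*) ;; *) continue ;; esac   # entry lines carry ": /path"
      path=${line##*: }
      case "$section" in
        added)   added=$((added + 1)) ;;
        removed) removed=$((removed + 1)) ;;
        changed) changed=$((changed + 1)) ;;
      esac
      if is_critical "$path"; then critical="$critical${critical:+,}$path"; fi
    done
    printf 'added=%d removed=%d changed=%d critical=%s\n' "$added" "$removed" "$changed" "$critical"
  }
}

aide_triage "$SAMPLE_REPORT"
```

On a live host, feed it the saved report instead of the sample, e.g. `aide_triage "$(cat "$REPORT")"` inside the wrapper script from Step 6.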

Step 5 — Automate Daily Checks with a systemd Timer

Running AIDE manually is not practical for ongoing monitoring. Create a systemd service and timer to run the check automatically every day and log the results.

# Create the systemd service unit (a oneshot that runs the check; output goes to the journal)
sudo tee /etc/systemd/system/aide-check.service > /dev/null << 'EOF'
[Unit]
Description=Run AIDE file integrity check

[Service]
Type=oneshot
ExecStart=/usr/sbin/aide --check
EOF

# Create the systemd timer unit that triggers the service daily
sudo tee /etc/systemd/system/aide-check.timer > /dev/null << 'EOF'
[Unit]
Description=Run AIDE daily at 02:00

[Timer]
OnCalendar=*-*-* 02:00:00
Persistent=true

[Install]
WantedBy=timers.target
EOF

# Enable and start the timer
sudo systemctl daemon-reload
sudo systemctl enable --now aide-check.timer

# Verify the timer is active
sudo systemctl list-timers aide-check.timer

Step 6 — Email AIDE Reports on Changes

A daily check is only useful if someone reviews the output. Create a wrapper script that runs the AIDE check and emails the result only when changes are detected. This avoids alert fatigue from nightly “all clear” emails.

# Ensure a mail transfer agent is available (postfix or mailx)
sudo dnf install -y postfix mailx
sudo systemctl enable --now postfix

# Create the wrapper script (RECIPIENT below is a placeholder; set it to your alert mailbox)
sudo tee /usr/local/sbin/aide-report.sh > /dev/null << 'EOF'
#!/bin/bash
RECIPIENT="security@example.com"
REPORT=$(mktemp)

# Capture the full report, including any errors, as the email body
/usr/sbin/aide --check > "$REPORT" 2>&1
EXIT_CODE=$?

# AIDE exit codes: 0 = no changes; 1-7 = differences found (bit 1 new,
# bit 2 removed, bit 4 changed entries); 14 and above = errors (e.g. missing database)
if [ "$EXIT_CODE" -ne 0 ]; then
  mail -s "[AIDE ALERT] File integrity changes on $HOSTNAME" \
    "$RECIPIENT" < "$REPORT"
fi

rm -f "$REPORT"
exit $EXIT_CODE
EOF

sudo chmod 700 /usr/local/sbin/aide-report.sh

# Update the service to use the wrapper script
sudo sed -i 's|ExecStart=.*|ExecStart=/usr/local/sbin/aide-report.sh|' \
  /etc/systemd/system/aide-check.service

sudo systemctl daemon-reload
echo "AIDE email reporting configured"

Conclusion

You have installed AIDE on RHEL 9, configured it to monitor critical system directories using checksum and attribute rules, initialized the baseline database, run manual integrity checks, automated daily checks with a systemd timer, and set up email alerting when changes are detected. AIDE provides a low-overhead but effective tripwire against unauthorized file modifications, satisfying file integrity monitoring requirements in PCI DSS, HIPAA, and CIS benchmarks.

Next steps: How to Configure auditd for System Auditing on RHEL 9, How to Harden the Linux Kernel with sysctl on RHEL 9, and How to Set Up SELinux Policies on RHEL 9.