AIDE (Advanced Intrusion Detection Environment) is a host-based intrusion detection tool that detects unauthorized changes to files and directories by comparing a live system snapshot against a baseline database. On RHEL 8, AIDE is available directly from the standard repositories and integrates cleanly with systemd for scheduled integrity checks. Detecting modified binaries, configuration files, or setuid executables is one of the most reliable ways to identify a compromised system. This tutorial covers installation, baseline creation, daily scheduling, and report interpretation.
Prerequisites
- RHEL 8 server with sudo or root access
- Active internet access or a configured local repository for package installation
- Sufficient disk space for the AIDE database (typically 50–200 MB depending on scope)
- A known-good system state — take the baseline immediately after provisioning or after a controlled change window
Step 1 — Install AIDE
AIDE is available in the default RHEL 8 AppStream repository. Install it with dnf and verify the installation.
# Install AIDE
sudo dnf install -y aide
# Verify installation and version
aide --version
# Review the default configuration file
wc -l /etc/aide.conf
head -30 /etc/aide.conf
Step 2 — Review and Customize /etc/aide.conf
The default /etc/aide.conf on RHEL 8 covers most critical paths, but understanding the rule syntax allows you to tune coverage. Rules define which file attributes AIDE tracks: permissions, ownership, checksums, size, inode, and more.
# Back up the default configuration
sudo cp /etc/aide.conf /etc/aide.conf.bak
# Key configuration directives:
# database = where AIDE reads the baseline
# database_out = where AIDE writes a new database
# gzip_dbout = compress the output database
grep -E "^database|^gzip" /etc/aide.conf
# Examine rule definitions (what attributes to check)
# p=permissions, i=inode, n=nlinks, u=uid, g=gid, s=size
# m=mtime, a=atime, c=ctime, S=sizegrow, md5=MD5 checksum, sha256=SHA-256
grep -E "^(NORMAL|CONTENT|PERMS|DATAONLY|ALLXTRAHASHES)" /etc/aide.conf | head -10
# Review which directories are monitored
grep -E "^/(etc|usr|bin|sbin|boot)" /etc/aide.conf
# Add a custom rule to monitor a web root directory
sudo tee -a /etc/aide.conf > /dev/null <<'EOF'
# Custom rules: monitor web root for content changes
/var/www/html CONTENT_EX
# Monitor custom application directory
/opt/myapp NORMAL
EOF
echo "Configuration customization complete"
Step 3 — Initialize the Baseline Database
Before AIDE can detect changes it needs a baseline snapshot. Run aide --init on a known-good system. This process reads every monitored file, computes checksums, and writes a compressed database. It can take several minutes on a system with many files.
# Initialize the baseline database
# This will take several minutes — normal output shows files being scanned
sudo aide --init
# The new database is written to /var/lib/aide/aide.db.new.gz
ls -lh /var/lib/aide/
# Activate the database by renaming it to the read location
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# Verify the database exists and is readable
sudo aide --check 2>&1 | head -5
# Expected: no differences found on a freshly initialized system
echo "Baseline database initialized and activated"
ls -lh /var/lib/aide/aide.db.gz
Step 4 — Run an Integrity Check
Use aide --check to compare the live filesystem against the baseline database. AIDE will report added, removed, and changed files along with which attributes changed. Run this after any suspected intrusion or as part of a scheduled audit.
# Run a full integrity check (compares live system to aide.db.gz)
sudo aide --check
# Typical output sections:
# AIDE found differences between database and filesystem!
# Changed files:
# f ... /etc/passwd
# Added files:
# f ... /etc/cron.d/newjob
# Removed files:
# f ... /usr/bin/oldbinary
# Save the check report to a file for review, and capture AIDE's exit status
# immediately: the tail and echo commands below would otherwise overwrite $?
sudo aide --check > /var/log/aide-check-$(date +%Y%m%d).log 2>&1
rc=$?
# View summary statistics at the bottom of the report
tail -20 /var/log/aide-check-$(date +%Y%m%d).log
# Exit status is a bitmask: 1 = new entries, 2 = removed entries, 4 = changed entries,
# ORed together (so 7 = all three); 14 and above mean AIDE itself hit an error, not a finding
echo "Exit code: $rc"
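Reading a long report by eye does not scale, so here is an added triage script (not part of AIDE or of this tutorial's original text) that pulls the Added, Removed and Changed sections out of a saved aide --check report and flags entries under paths where an unexpected change is a high-priority finding. The embedded report is a constructed sample laid out like AIDE 0.16 output, and CRITICAL_PREFIXES is an assumption to tune per host.

```shell
#!/bin/sh
# aide-triage.sh: parse a saved "aide --check" report and highlight high-priority paths.
# Added example; assumes the AIDE 0.16 report layout (a "Summary:" block followed by
# "Added entries:", "Removed entries:" and "Changed entries:" sections).

# Constructed sample report, not output captured from a real system.
SAMPLE_REPORT=$(cat <<'EOF'
AIDE 0.16 found differences between database and filesystem!!
Start timestamp: 2024-01-15 02:30:01

Summary:
  Total number of entries:      55432
  Added entries:                2
  Removed entries:              1
  Changed entries:              2

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /etc/cron.d/newjob
f++++++++++++++++: /var/www/html/index.html

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /usr/bin/oldbinary

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   ...    .C... : /etc/passwd
f   ...    .C... : /var/www/html/style.css

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
EOF
)

# Path prefixes where any unexpected change deserves immediate attention.
# This list is an assumption for the example; extend it for your environment.
CRITICAL_PREFIXES="/etc/passwd /etc/shadow /etc/sudoers /etc/cron /etc/ssh /usr/bin /usr/sbin /boot"

# aide_summary_count Added|Removed|Changed  < report
# Prints the count from the Summary block (0 if the block is absent).
aide_summary_count() {
    awk -v key="$1 entries:" '
        $0 ~ ("^[ \t]+" key) { print $NF; found = 1; exit }
        END { if (!found) print 0 }'
}

# aide_section_paths Added|Removed|Changed  < report
# Prints one path per line from the matching section; entry lines look like
# "f++++++++++++++++: /path" or "f   ...    .C... : /path".
aide_section_paths() {
    awk -v want="$1 entries:" '
        /^(Added|Removed|Changed) entries:$/ { insec = ($0 == want); next }
        /^Detailed information/              { insec = 0 }
        insec && /^[a-zA-Z][^:]*: \// { sub(/^[^:]*: /, ""); print }'
}

# aide_flag_critical  < report
# Prints "<Section> <path>" for every entry that falls under a critical prefix.
aide_flag_critical() {
    report=$(cat)
    for sec in Added Removed Changed; do
        printf '%s\n' "$report" | aide_section_paths "$sec" | while IFS= read -r path; do
            for prefix in $CRITICAL_PREFIXES; do
                case "$path" in
                    "$prefix"*) printf '%s %s\n' "$sec" "$path"; break ;;
                esac
            done
        done
    done
}

# Usage: ./aide-triage.sh /var/log/aide-check-20240115.log
# With no argument the constructed sample above is triaged instead.
if [ "$#" -gt 0 ]; then
    aide_flag_critical < "$1"
else
    printf '%s\n' "$SAMPLE_REPORT" | aide_flag_critical
fi
```

Run against the sample, the script reports the new cron job, the removed binary and the changed /etc/passwd while staying quiet about the web-root edits, which is the split a responder wants before opening the full report.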
Step 5 — Update the Database After Planned Changes
When authorized changes are made to the system — software updates, configuration changes — update the AIDE database so legitimate modifications do not appear as findings in future checks. Always perform the update only after verifying the changes were authorized.
# After applying an authorized system update or configuration change:
# Step 1: Run a check to document what changed before updating
sudo aide --check > /var/log/aide-pre-update-$(date +%Y%m%d).log 2>&1
echo "Pre-update check complete. Review /var/log/aide-pre-update-$(date +%Y%m%d).log"
# Step 2: Update the database (writes a new aide.db.new.gz)
sudo aide --update
# Step 3: Review the new database contents (optional)
ls -lh /var/lib/aide/
# Step 4: Activate the new database
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# Step 5: Verify a clean check with the new baseline
sudo aide --check
echo "Database update complete. Exit code: $?"
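The bare mv in Step 5 discards the previous baseline and leaves nothing that would later tell you whether aide.db.gz itself has been replaced. The following added helper (not part of AIDE or of the original tutorial) archives the old baseline, activates the new one, and records the SHA-256 of the active database in a manifest intended to be copied off-system, so a check can first confirm the baseline is the one you created. AIDE_DIR, AIDE_BACKUP_DIR and the function names are introduced for this example; the default paths are the RHEL 8 ones from Step 3.

```shell
#!/bin/sh
# aide-rotate.sh: activate a new AIDE baseline while keeping an archive and an
# integrity manifest of the active database. Added example, not AIDE's own tooling.
# Requires coreutils sha256sum.

AIDE_DIR="${AIDE_DIR:-/var/lib/aide}"              # where aide.db.gz / aide.db.new.gz live
AIDE_BACKUP_DIR="${AIDE_BACKUP_DIR:-/var/backups/aide}"   # sync this directory off-system

# aide_rotate_db <stamp>
# Archive the current baseline as aide.db.<stamp>.gz, move aide.db.new.gz into
# place, and record the SHA-256 of the now-active baseline in the manifest.
aide_rotate_db() {
    stamp="$1"
    [ -n "$stamp" ] || { echo "usage: aide_rotate_db <stamp>" >&2; return 1; }
    [ -f "$AIDE_DIR/aide.db.new.gz" ] || { echo "no $AIDE_DIR/aide.db.new.gz to activate" >&2; return 1; }
    mkdir -p "$AIDE_BACKUP_DIR" || return 1
    if [ -f "$AIDE_DIR/aide.db.gz" ]; then
        cp -p "$AIDE_DIR/aide.db.gz" "$AIDE_BACKUP_DIR/aide.db.$stamp.gz" || return 1
    fi
    mv "$AIDE_DIR/aide.db.gz.tmp" /dev/null 2>/dev/null  # no-op; keeps the mv below atomic on the same filesystem
    mv "$AIDE_DIR/aide.db.new.gz" "$AIDE_DIR/aide.db.gz" || return 1
    # Dated manifest plus a "latest" pointer; both belong off-system.
    sha256sum "$AIDE_DIR/aide.db.gz" > "$AIDE_BACKUP_DIR/aide.db.gz.sha256.$stamp" || return 1
    cp "$AIDE_BACKUP_DIR/aide.db.gz.sha256.$stamp" "$AIDE_BACKUP_DIR/aide.db.gz.sha256"
}

# aide_verify_db
# Return 0 when the active baseline matches the recorded digest, 1 when it
# differs or no manifest exists. Run this before every aide --check.
aide_verify_db() {
    manifest="$AIDE_BACKUP_DIR/aide.db.gz.sha256"
    [ -f "$manifest" ] || { echo "manifest missing: $manifest" >&2; return 1; }
    [ -f "$AIDE_DIR/aide.db.gz" ] || { echo "baseline missing: $AIDE_DIR/aide.db.gz" >&2; return 1; }
    recorded=$(cut -d' ' -f1 "$manifest")
    current=$(sha256sum "$AIDE_DIR/aide.db.gz" | cut -d' ' -f1)
    if [ -n "$recorded" ] && [ "$recorded" = "$current" ]; then
        return 0
    fi
    echo "baseline digest mismatch: recorded=$recorded current=$current" >&2
    return 1
}

# Usage after "sudo aide --update":
#   sudo AIDE_BACKUP_DIR=/var/backups/aide ./aide-rotate.sh rotate "$(date +%Y%m%d)"
#   sudo ./aide-rotate.sh verify && sudo aide --check
case "${1:-}" in
    rotate) aide_rotate_db "$2" ;;
    verify) aide_verify_db ;;
esac
```

The manifest only protects you if it leaves the host: keep the backup directory on a read-only share or a different system, since an attacker who can rewrite aide.db.gz can just as easily rewrite a digest stored beside it.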
Step 6 — Schedule Daily Checks with a Systemd Timer
Automate daily integrity checks with a systemd service and timer rather than a cron job, which aligns with RHEL 8's preferred scheduling mechanism. Have the service log (or email) each result automatically.
# Create a systemd service unit for AIDE checks
# Note the doubled %% in the date format: % introduces a specifier in unit files,
# so %% is how a literal % reaches the shell, which then expands $(date +%Y%m%d)
sudo tee /etc/systemd/system/aide-check.service > /dev/null <<'EOF'
[Unit]
Description=Daily AIDE Integrity Check
[Service]
Type=oneshot
ExecStart=/bin/sh -c '/usr/sbin/aide --check > /var/log/aide-check-$(date +%%Y%%m%%d).log 2>&1; tail -5 /var/log/aide-check-$(date +%%Y%%m%%d).log | /usr/bin/logger -t aide-check'
EOF
# Create the systemd timer to run daily at 02:30
sudo tee /etc/systemd/system/aide-check.timer > /dev/null <<'EOF'
[Unit]
Description=Daily AIDE Integrity Check Timer
[Timer]
OnCalendar=*-*-* 02:30:00
RandomizedDelaySec=300
Persistent=true
[Install]
WantedBy=timers.target
EOF
# Enable and start the timer
sudo systemctl daemon-reload
sudo systemctl enable --now aide-check.timer
# Verify timer is scheduled
systemctl list-timers aide-check.timer
# Manually trigger a test run
sudo systemctl start aide-check.service
sudo journalctl -u aide-check.service -n 20 --no-pager
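One weakness of the sh -c line in the service unit is that the last command in it is logger, so the unit succeeds whether or not AIDE found anything, and findings are visible only to someone who reads the journal. The wrapper script below is an added example (not shipped with AIDE and not part of the original tutorial) that runs the check, saves the dated report, writes one decoded summary line to the journal, and exits with AIDE's own status so systemd marks the unit failed on a night with findings. AIDE_BIN and AIDE_LOG_DIR are parameters introduced for this example; the exit-code meanings are AIDE's documented ones.

```shell
#!/bin/sh
# /usr/local/sbin/aide-check-wrapper.sh (added example, not part of AIDE):
# run the integrity check from a systemd service and preserve its exit status.

AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"       # AIDE binary on RHEL 8
AIDE_LOG_DIR="${AIDE_LOG_DIR:-/var/log}"     # where dated reports are written

# aide_describe_rc <code>
# AIDE ORs 1 (new), 2 (removed) and 4 (changed) into its exit status;
# 14 and above are internal errors (write, argument, config, I/O, version).
aide_describe_rc() {
    rc="$1"
    if [ "$rc" -eq 0 ]; then echo "no differences"; return 0; fi
    if [ "$rc" -ge 14 ]; then echo "aide error (exit $rc)"; return 0; fi
    out=""
    if [ $((rc & 1)) -ne 0 ]; then out="${out}new "; fi
    if [ $((rc & 2)) -ne 0 ]; then out="${out}removed "; fi
    if [ $((rc & 4)) -ne 0 ]; then out="${out}changed "; fi
    if [ -z "$out" ]; then echo "unexpected exit $rc"; return 0; fi
    echo "${out}entries detected (exit $rc)"
}

# aide_log_priority <code>: syslog priority for logger -p, so a SIEM can route on it.
aide_log_priority() {
    if [ "$1" -eq 0 ]; then echo "auth.info"
    elif [ "$1" -ge 14 ]; then echo "auth.err"
    else echo "auth.warning"
    fi
}

# aide_run_check
# Run the check, save the report, emit one summary line to the journal, and
# return AIDE's status unchanged so the caller (systemd) sees it.
aide_run_check() {
    report="$AIDE_LOG_DIR/aide-check-$(date +%Y%m%d).log"
    "$AIDE_BIN" --check > "$report" 2>&1
    rc=$?                                    # capture before any other command runs
    summary=$(aide_describe_rc "$rc")
    line="$summary; report: $report"
    # logger feeds journald on RHEL 8; fall back to stderr where it is unavailable
    if command -v logger > /dev/null 2>&1; then
        logger -t aide-check -p "$(aide_log_priority "$rc")" "$line" 2>/dev/null \
            || echo "aide-check: $line" >&2
    else
        echo "aide-check: $line" >&2
    fi
    return "$rc"
}

# Entry point for the unit: ExecStart=/usr/local/sbin/aide-check-wrapper.sh run
if [ "${1:-}" = "run" ]; then
    aide_run_check
    exit $?
fi
```

Install it as /usr/local/sbin/aide-check-wrapper.sh, make it root-only and executable, and replace the sh -c line in aide-check.service with ExecStart=/usr/local/sbin/aide-check-wrapper.sh run. From then on a check that finds differences shows up in systemctl --failed and in journalctl -u aide-check.service as a failed run with a one-line reason, rather than as a silent success.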
Conclusion
You have installed AIDE on RHEL 8, customized its monitoring rules, created a baseline database, performed manual integrity checks, updated the database after authorized changes, and scheduled automated daily checks with a systemd timer. AIDE is most effective when integrated into a broader security program: combine it with auditd for event logging and SELinux for mandatory access control. Store AIDE database backups off-system so an attacker cannot modify both the filesystem and the baseline simultaneously.
Next steps: Configuring auditd for comprehensive system event logging on RHEL 8, Integrating AIDE reports with a centralized SIEM on RHEL 8, and Using OpenSCAP to benchmark AIDE configuration against CIS or STIG profiles on RHEL 8.