File integrity monitoring is a cornerstone of host-based intrusion detection. AIDE — Advanced Intrusion Detection Environment — creates a cryptographic baseline of your file system and compares the current state against that baseline to detect unauthorized changes. When an attacker modifies a system binary, alters a configuration file, or installs a rootkit, AIDE reports exactly what changed: the file path, which checksums differ, and what permission or ownership attributes were modified. On RHEL 7, AIDE integrates naturally with the existing security toolchain and satisfies file integrity monitoring requirements in CIS Benchmarks, PCI-DSS 11.5, and NIST SP 800-53 SI-7. This tutorial covers installing AIDE, configuring rules, initialising the baseline database, running checks, managing legitimate updates, and integrating AIDE reports into a cron-driven email workflow correlated with auditd.

Prerequisites

  • RHEL 7 system with root access
  • A registered RHEL subscription (AIDE ships in the base RHEL 7 repositories; EPEL is not required)
  • A working mail transfer agent (postfix or sendmail) for email reporting
  • Sufficient disk space for the AIDE database (typically 50–200 MB depending on file system size)

Step 1: Install AIDE

AIDE is available in the base RHEL 7 repositories and does not require EPEL:

yum install -y aide
aide --version

The AIDE binary is installed at /usr/sbin/aide and the default configuration file is at /etc/aide.conf.

Step 2: Understand the AIDE Configuration File

The configuration file /etc/aide.conf has two sections: variable definitions at the top, and watch rules below. Review the defaults:

head -80 /etc/aide.conf

The top section defines named check groups (macros) that specify which attributes AIDE should compare:

# AIDE default check group definitions
CONTENT     = sha256+sha512+md5
CONTENT_EX  = sha256+sha512+md5+ftype+p+u+g+acl+selinux+xattrs
DATAONLY    = p+n+u+g+s+acl+selinux+xattrs+sha256+sha512
PERMS       = p+i+l+n+u+g+acl+selinux+xattrs
NORMAL      = sha256+sha512+ftype+p+u+g+acl+selinux+xattrs

The check group letters mean: p=permissions, ftype=file type, i=inode, l=symlink target, n=number of hardlinks, u=user, g=group, s=size, md5=MD5 checksum, sha256=SHA-256 checksum, sha512=SHA-512 checksum, acl=ACL attributes, selinux=SELinux context, xattrs=extended attributes.

Step 3: Configure Watch Rules

The watch rules section maps filesystem paths to check groups. Each path is a regular expression matched from the start of the full path (so /bin also matches /binary; end a rule with $ to match one path exactly), AIDE applies rules in the order written, and an exclamation mark prefix excludes every path that matches. Create a custom rules file to protect the most critical directories:

cp /etc/aide.conf /etc/aide.conf.bak
cat > /etc/aide.conf << 'EOF'
# AIDE configuration for RHEL 7
# Database paths
database=file:/var/lib/aide/aide.db.gz
database_out=file:/var/lib/aide/aide.db.new.gz
database_new=file:/var/lib/aide/aide.db.new.gz
gzip_dbout=yes

# Report output
report_url=file:/var/log/aide/aide.log
report_url=stdout

# Check group definitions
CONTENT     = sha256+sha512+ftype
CONTENT_EX  = sha256+sha512+ftype+p+u+g+acl+selinux+xattrs
PERMS       = p+i+l+n+u+g+acl+selinux+xattrs
DATAONLY    = p+n+u+g+s+sha256+sha512+acl+selinux+xattrs
LOGS        = p+n+u+g

# Critical system binaries - full content + permissions check
/bin        CONTENT_EX
/sbin       CONTENT_EX
/usr/bin    CONTENT_EX
/usr/sbin   CONTENT_EX
/lib        CONTENT_EX
/lib64      CONTENT_EX
/usr/lib    CONTENT_EX
/usr/lib64  CONTENT_EX

# Boot files
/boot       CONTENT_EX

# Configuration files
/etc        CONTENT_EX

# Exclude frequently changing files in /etc
!/etc/mtab
!/etc/adjtime
!/etc/motd
!/etc/resolv.conf
!/etc/prelink.cache
!/etc/.pwd.lock
!/etc/audit/audit.rules
!/etc/aide.conf

# Exclude other high-churn files within /etc
!/etc/cups/ppd
!/etc/samba/passdb.tdb

# Kernel modules
/usr/lib/modules CONTENT_EX

# SELinux policy
/etc/selinux   CONTENT_EX

# Log directories - check permissions only, not content
/var/log       LOGS

# Exclude high-churn log files
!/var/log/audit/audit.log
!/var/log/aide/aide.log
!/var/log/cron
!/var/log/messages
!/var/log/secure
!/var/log/maillog
!/var/log/spooler
!/var/log/wtmp
!/var/log/btmp

# Root's home directory
/root   CONTENT_EX
!/root/.bash_history
EOF

Step 4: Initialise the Baseline Database

Before AIDE can detect changes, it needs a known-good snapshot of the file system. This should be run on a freshly provisioned system, immediately after installing and hardening it, before any application deployments:

mkdir -p /var/lib/aide /var/log/aide

# This can take 5-20 minutes on a typical system
aide --init

# The new database is written to the _out path specified in aide.conf
ls -lh /var/lib/aide/aide.db.new.gz

Activate the baseline by renaming the new database to the read path:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Store a copy of this baseline in a secure, read-only location outside the monitored system — ideally a WORM storage device or a trusted remote server. If an attacker can modify the database, they can make their changes appear legitimate.

Step 5: Run an Integrity Check

Run AIDE against the current file system and compare it to the stored baseline:

aide --check 2>&1 | tee /var/log/aide/aide-$(date +%Y%m%d).log

On a clean system this produces output like:

AIDE, version 0.16

### All files match AIDE database. Looks okay!

If changes are detected, the output shows exactly what changed:

AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      42831
  Added entries:                2
  Removed entries:              0
  Changed entries:              3

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /etc/nginx/conf.d/new-vhost.conf

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   ...   : /etc/passwd
  SHA256   : oldHash != newHash
  Mtime    : 2026-05-10 08:21:00 != 2026-05-17 14:05:33
  Ctime    : 2026-05-10 08:21:00 != 2026-05-17 14:05:33

In the summary lines the first character is the entry type (f=file, d=directory) and each following position stands for one attribute: a dot means the attribute is unchanged, + means it was added, - means it was removed, and a letter means it changed (p=permissions, u=user, g=group, s=size, and so on, following the check group letters).

Step 6: Update the Database After Legitimate Changes

After a planned system update, package installation, or approved configuration change, update the AIDE baseline to accept the new state. Never update without first reviewing the diff output:

# First, review what changed
aide --check 2>&1 | tee /tmp/aide-diff.txt
less /tmp/aide-diff.txt

# If all changes are expected and approved, generate a new database
aide --update

# The updated database is written to aide.db.new.gz
# Review it, then promote it to the active database
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Document the update in a change management ticket before running aide --update in production.

Step 7: Schedule Automated Checks with Cron and Email Reporting

Create a wrapper script that runs the AIDE check and emails the results (on RHEL 7 the mail command is provided by the mailx package):

cat > /usr/local/bin/aide-daily-check.sh << 'SCRIPT'
#!/bin/bash
LOGFILE="/var/log/aide/aide-$(date +%Y%m%d-%H%M).log"
REPORT_TO="security-team@example.com"   # placeholder: replace with your alerting address
HOSTNAME=$(hostname -f)

/usr/sbin/aide --check > "$LOGFILE" 2>&1
EXIT_CODE=$?

if [ $EXIT_CODE -ne 0 ]; then
  SUBJECT="[AIDE ALERT] File integrity changes detected on $HOSTNAME"
else
  SUBJECT="[AIDE OK] Daily integrity check passed on $HOSTNAME"
fi

mail -s "$SUBJECT" "$REPORT_TO" < "$LOGFILE"

# Keep only the last 30 daily logs
find /var/log/aide/ -name 'aide-*.log' -mtime +30 -delete

exit $EXIT_CODE
SCRIPT

chmod 750 /usr/local/bin/aide-daily-check.sh

Schedule the check to run nightly at 2 AM:

cat > /etc/cron.d/aide-daily << 'EOF'
# Run AIDE file integrity check daily at 02:00
0 2 * * * root /usr/local/bin/aide-daily-check.sh
EOF
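The wrapper above treats every non-zero exit status as "changes detected", but AIDE 0.16 also uses exit codes 14 and above for runtime failures (missing database, invalid configuration, I/O error), which should be reported as a monitoring failure rather than as a finding, and it never checks that the baseline it is about to compare against is the one you promoted. The helpers below are an added example, not code from this tutorial or from the AIDE project: verify_baseline compares the database against a SHA-256 digest recorded when the baseline was stored (the digest file path, and keeping a copy of it off-host, are assumptions), classify_exit decodes the exit status bitmask (1 added, 2 removed, 4 changed, summed when several apply), subject_for builds the mail subject, and daily_check ties them together for use from the cron script.

```shell
#!/bin/bash
# Added example (not from the original tutorial): hardened helpers for the
# AIDE cron wrapper. Assumes AIDE 0.16 on RHEL 7 and GNU coreutils.

verify_baseline() {
    # $1 = path to aide.db.gz, $2 = file holding the expected sha256 hex digest
    # (assumed to be a copy of a digest kept on read-only or remote storage).
    # Returns 0 on match, 1 on mismatch, 2 if either file is unreadable.
    local db="$1" expected_file="$2" expected actual
    [ -r "$db" ] && [ -r "$expected_file" ] || return 2
    expected=$(awk 'NR==1 {print $1}' "$expected_file")
    actual=$(sha256sum "$db" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

classify_exit() {
    # $1 = exit status of 'aide --check'. AIDE 0.16 returns 0 for no changes,
    # a bitmask of 1 (added), 2 (removed) and 4 (changed) otherwise, and 14 or
    # higher for runtime errors (bad config, missing database, I/O error).
    local code="$1" out=""
    if [ "$code" -eq 0 ]; then echo "clean"; return 0; fi
    if [ "$code" -ge 14 ]; then echo "error"; return 0; fi
    [ $((code & 1)) -ne 0 ] && out="$out added"
    [ $((code & 2)) -ne 0 ] && out="$out removed"
    [ $((code & 4)) -ne 0 ] && out="$out changed"
    [ -n "$out" ] || out=" unknown"
    echo "${out# }"
}

subject_for() {
    # $1 = hostname, $2 = exit status; prints the mail subject line
    local host="$1" code="$2" cats
    cats=$(classify_exit "$code")
    case "$cats" in
        clean) echo "[AIDE OK] Daily integrity check passed on $host" ;;
        error) echo "[AIDE ERROR] Integrity check failed to run on $host (exit $code)" ;;
        *)     echo "[AIDE ALERT] File integrity changes ($cats) on $host" ;;
    esac
}

daily_check() {
    # Cron entry point: $1 = log file to write the report to. Prints the mail
    # subject on stdout and returns AIDE's exit status (14 if the baseline
    # failed verification) so the caller can run: mail -s "$subject" ... < "$logfile"
    local logfile="$1" db=/var/lib/aide/aide.db.gz
    local digest=/var/lib/aide/aide.db.gz.sha256   # assumed location of the stored digest
    local host code=0
    host=$(hostname -f)
    if ! verify_baseline "$db" "$digest"; then
        echo "baseline database failed checksum verification; check not run" > "$logfile"
        subject_for "$host" 14
        return 14
    fi
    /usr/sbin/aide --check > "$logfile" 2>&1 || code=$?
    subject_for "$host" "$code"
    return "$code"
}
```

To use it, source this file from aide-daily-check.sh and replace the direct aide invocation with a call to daily_check, and record the digest with sha256sum /var/lib/aide/aide.db.gz > /var/lib/aide/aide.db.gz.sha256 immediately after promoting a baseline, keeping a copy of that digest on the same read-only storage as the database so the on-host copy can be re-verified.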

Step 8: Correlate AIDE with auditd

When AIDE reports that /etc/passwd changed, auditd can tell you exactly which process made that change and which user invoked it. If you followed the auditd configuration tutorial, you already have a watch rule on /etc/passwd. Correlate by timestamp:

# AIDE report says /etc/passwd changed at 14:05:33 on 2026-05-17
# Search auditd for activity around that time (ausearch takes the date
# in the locale's format, MM/DD/YYYY under en_US)
ausearch -f /etc/passwd \
  --start 05/17/2026 14:00:00 \
  --end 05/17/2026 14:10:00 \
  --interpret

# Or search by the key defined in your audit rules
ausearch -k identity --start recent --interpret | grep passwd
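Doing this correlation by hand for every entry in a long report is error-prone. The script below is an added example, not part of this tutorial or of the audit tooling: it reads the Changed entries section of an AIDE report from stdin, takes the new Ctime of each entry (ctime rather than mtime, because mtime can be set to any value with touch while ctime is updated by the kernel on every inode change), and prints an ausearch command with a five-minute window either side of that time. The embedded sample report is constructed to match the output layout shown in Step 5 (it also understands the "File: /path" lines of AIDE 0.16's detailed section); it assumes GNU date and the MM/DD/YYYY format ausearch expects under an en_US locale.

```shell
#!/bin/bash
# Added example (not from the original tutorial): derive ausearch time windows
# from the Ctime lines of an AIDE report. Assumes GNU date (RHEL 7 coreutils)
# and ausearch's en_US date format.

WINDOW_SECONDS=300   # look 5 minutes either side of the recorded change time

# to_ausearch_time "2026-05-17 14:05:33" 300  ->  "05/17/2026 14:10:33"
# Second argument is a signed offset in seconds; negative looks back.
to_ausearch_time() {
    local when="$1" offset="${2:-0}" epoch
    epoch=$(date -d "$when" +%s) || return 1
    date -d "@$((epoch + offset))" '+%m/%d/%Y %H:%M:%S'
}

# Read an AIDE report on stdin; print "path<TAB>new-ctime" per changed entry.
changed_entries_with_ctime() {
    awk -v OFS='\t' '
        # entry summary line (layout shown in Step 5): "f   ...   : /etc/passwd"
        /^[fdl] .*: \// { path = $0; sub(/^[^:]*: /, "", path); next }
        # AIDE 0.16 also lists details under "File: /path" in its detailed section
        /^File: \// { path = substr($0, 7); next }
        path != "" && /^ *Ctime *: / {
            n = index($0, "!= "); if (n == 0) next
            print path, substr($0, n + 3); path = ""
        }'
}

# Print the ausearch command for one path and its recorded change time.
ausearch_window_for() {
    local path="$1" when="$2" start end
    start=$(to_ausearch_time "$when" "-$WINDOW_SECONDS") || return 1
    end=$(to_ausearch_time "$when" "$WINDOW_SECONDS") || return 1
    printf 'ausearch -f %s --start %s --end %s --interpret\n' "$path" "$start" "$end"
}

# Read an AIDE report on stdin; print one ausearch command per changed entry.
correlation_commands() {
    changed_entries_with_ctime | while IFS="$(printf '\t')" read -r path when; do
        ausearch_window_for "$path" "$when"
    done
}

# Constructed sample report excerpt, same layout as the tutorial's Step 5 output.
SAMPLE_REPORT='---------------------------------------------------
Changed entries:
---------------------------------------------------

f   ...   : /etc/passwd
  SHA256   : oldHash != newHash
  Mtime    : 2026-05-10 08:21:00 != 2026-05-17 14:05:33
  Ctime    : 2026-05-10 08:21:00 != 2026-05-17 14:05:33

f   ...   : /etc/sudoers
  SHA256   : oldHash2 != newHash2
  Ctime    : 2026-05-11 09:00:00 != 2026-05-17 14:07:02
'
```

Run it against a real report with correlation_commands < /var/log/aide/aide-YYYYMMDD.log (or pipe the sample in with printf '%s' "$SAMPLE_REPORT" | correlation_commands) and review the printed commands before executing them; the window is printed rather than run so that it can be widened for entries whose ctime looks implausible.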

This two-layer approach closes a common gap: AIDE tells you that something changed, and auditd tells you who changed it and how. Together they provide both detection and attribution, which is required to satisfy most compliance frameworks and is essential for effective incident response.

AIDE provides a reliable, low-overhead file integrity monitoring solution that requires no agents, no cloud connectivity, and no commercial licences. On RHEL 7, the combination of a carefully tuned /etc/aide.conf, a securely stored baseline, nightly cron checks, and email alerting gives you a baseline defence against unauthorised system changes. The most critical operational habit is reviewing and approving the diff output before every database update — the baseline is only trustworthy if you understand every deviation from it. Pair AIDE with auditd event correlation and you have a host intrusion detection capability that satisfies the file integrity monitoring controls required by CIS, PCI-DSS, and NIST frameworks without any additional tooling.