L15. File Integrity Monitoring with AIDE
Video generating
Check back soon for the video lesson on File Integrity Monitoring with AIDE
If an attacker modifies a critical system binary or configuration file, how would you know? File integrity monitoring (FIM) creates a baseline snapshot of your filesystem and alerts you when something changes. Learn how to set up AIDE, run integrity checks, and schedule automated scans.
What Is File Integrity Monitoring?
File Integrity Monitoring (FIM) is a security control that detects unauthorized changes to files on your system. It works by:
- Creating a database (baseline) of cryptographic hashes for monitored files
- Periodically scanning those files and comparing their current hashes to the baseline
- Reporting any files that have been added, modified, or deleted
FIM answers a critical question: has anything changed that should not have changed?
Why FIM Matters
Attackers often modify system files to maintain access or hide their presence:
- Replacing
/usr/bin/sshwith a trojaned version that captures passwords - Adding a backdoor user to
/etc/passwd - Modifying
/etc/crontabto run a reverse shell on a schedule - Altering log files to remove evidence
Without FIM, these changes can go undetected for months. FIM is a requirement in several compliance frameworks including PCI DSS (Requirement 11.5) and is a recommended control in CIS benchmarks.
Introduction to AIDE
AIDE (Advanced Intrusion Detection Environment) is an open-source FIM tool that is available on all major Linux distributions. It is lightweight, file-based, and straightforward to configure.Installing AIDE
# Debian/Ubuntu
sudo apt install aide# RHEL/CentOS
sudo dnf install aide
Configuring AIDE
AIDE's configuration file defines which directories to monitor and which file attributes to track:
# View the config (location varies by distribution)
cat /etc/aide/aide.conf # Debian/Ubuntu
cat /etc/aide.conf # RHEL/CentOSConfiguration Syntax
# Define a rule set for what attributes to check
NORMAL = p+i+n+u+g+s+m+c+md5+sha256# Monitor directories using the rule set
/etc NORMAL
/bin NORMAL
/sbin NORMAL
/usr/bin NORMAL
/usr/sbin NORMAL
# Exclude directories that change frequently
!/var/log
!/var/cache
!/tmp
The attribute flags specify what AIDE tracks for each file:
| Flag | Attribute |
|---|---|
| p | Permissions |
| i | Inode number |
| n | Number of hard links |
| u | User owner |
| g | Group owner |
| s | File size |
| m | Modification time |
| c | Change time (inode change) |
| md5 | MD5 hash |
| sha256 | SHA-256 hash |
Initializing the Database
Before AIDE can detect changes, it needs a baseline:
# Generate the initial database
sudo aideinit # Debian/Ubuntu# Or manually on RHEL/CentOS
sudo aide --init
This process can take several minutes as AIDE hashes every monitored file. Once complete, you need to activate the database:
# Debian/Ubuntu (aideinit handles this automatically)
# RHEL/CentOS: move the new database into place
sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gzRunning Integrity Checks
# Run a check comparing current state to the baseline
sudo aide --checkUnderstanding the Output
AIDE reports three categories of changes:
Added entries:
f++++++++++: /etc/cron.d/suspicious-jobChanged entries:
f ...C..S : /etc/passwd
f ...C..S : /usr/bin/ssh
Removed entries:
f-----------: /usr/bin/legitimate-tool
Each letter in the change summary indicates which attribute changed. When /etc/passwd shows changes to content (C) and size (S), someone has modified the file.
Updating the Baseline
After you make legitimate changes (installing packages, updating configurations), you need to update the baseline so those changes are not flagged again:
# Update the database to reflect current state
sudo aide --update# Move the new database into place
sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Only update the baseline after verifying that the changes are legitimate. Blindly updating after every alert defeats the purpose of FIM.
Scheduling Automated Scans with Cron
Manual checks are useful, but automated daily scans catch changes that might otherwise go unnoticed:
# Add a cron job for a daily AIDE check at 3 AM
sudo crontab -e# Add this line:
0 3 * * * /usr/bin/aide --check | mail -s "AIDE Report" admin@example.com
On systems without a mail relay, you can write the output to a file:
0 3 * * * /usr/bin/aide --check > /var/log/aide/daily-check-$(date +\%Y\%m\%d).log 2>&1Alternatives to AIDE
AIDE is not the only FIM tool available:
| Tool | Notes |
|---|---|
| AIDE | Simple, file-based, no daemon required |
| OSSEC/Wazuh | Full HIDS with FIM, log analysis, and rootkit detection |
| Tripwire | Commercial with an open-source version available |
| Samhain | Supports centralized monitoring across multiple servers |
| auditd file watches | Kernel-level, real-time (covered in the previous lesson) |
Best Practices
- Initialize the baseline immediately after hardening a fresh install
- Store a copy of the baseline database offline or on a separate system
- Review alerts before updating the baseline: never update blindly
- Exclude directories that change frequently (/var/log, /tmp, /var/cache) to reduce noise
- Combine FIM with auditd for both periodic snapshots and real-time kernel-level monitoring
- ✓FIM detects unauthorized changes by comparing current file hashes against a known-good baseline database
- ✓AIDE must be initialized on a clean system: a compromised baseline includes the attacker's modifications
- ✓The baseline should only be updated after verifying that detected changes are legitimate
- ✓FIM is required by PCI DSS (Requirement 11.5) and recommended by CIS benchmarks
- ✓Combine AIDE (periodic snapshots) with auditd (real-time monitoring) for comprehensive file change detection
1. Why is it critical to initialize the AIDE database on a known-clean system?
2. What should you do when AIDE reports changes to /etc/passwd after you added a new user account?
3. Which compliance framework explicitly requires file integrity monitoring as a security control?