If you run a Linux server, you must make sure nobody changes your files without your knowledge. Attackers who get into a system often change important files such as configuration files or system binaries so they can keep control of the server. We can catch this with a tool called AIDE, which stands for Advanced Intrusion Detection Environment. It works like a guard that takes a snapshot of all your files and compares it later to see whether anything changed. In this guide, I will show you how to set up AIDE and run it automatically every day with a systemd timer so you don’t have to do it manually.
Before we install anything, it helps to understand how AIDE works. AIDE reads its configuration file, /etc/aide.conf, to learn which directories to check. It then reads every file in them and computes a cryptographic hash of each one. A hash is like a fingerprint of the file: if an attacker changes even one character in an important file, the hash changes completely and AIDE notices it immediately. When you first set up AIDE, you create a baseline database that records the normal state of your system. Every later check compares the current files against this database; if they differ, AIDE reports an error and tells you which file was modified.
First, we must initialize the AIDE database. If you have already installed AIDE on Ubuntu, Debian or Fedora, open a terminal and run the initialization command:
sudo aide --init
This command takes a few minutes because it must scan every file on your system. Do not close the terminal while it runs. It calculates hashes for thousands of files. When it finishes, it creates a new database file, but this file is named aide.db.new.gz and AIDE cannot use it for checking yet.
Because AIDE looks for a database named aide.db.gz, we must rename the file we just created. We can do this with the move command. Type this in your terminal:
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Now the baseline database is in the correct place and AIDE is ready to check your system files.
Next we test that the check command works correctly. We do this by typing this command:
sudo aide --check
Since we just created the database, there should be no changes to the system files. The command should run and tell you there are zero differences. If it does show some differences, it is probably because log or temporary files changed while the initialization was running. Usually, though, it should be clean.
We do not want to run the check command by hand every day because we would forget, and it is tedious. We want the system to do it automatically. We can use a systemd service for this. systemd is the service manager used by most Linux distributions. We will create a service file that tells systemd how to run AIDE. Write the service file with this command:
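The text report is what you read, but aide --check also reports its result in the exit status, which is what scripts and systemd see: 0 means no differences; 1 means new files, 2 removed files and 4 changed files, and these are added together when several apply (so 5 means new and changed files); 14 or higher means AIDE itself failed (bad configuration, unreadable database, I/O error) rather than that files changed. Because any differences give a non-zero status, a systemd unit that runs the check will show as failed whenever there is something to look at. The following wrapper, an added example and not part of the original post, decodes that status into a one-line summary. AIDE_BIN is an assumed override for the binary path so the wrapper can be exercised without AIDE installed.

```shell
#!/bin/sh
# Added example: decode the exit status of `aide --check`.
# AIDE_BIN is an assumed override; the real binary lives at /usr/sbin/aide.

# Print a one-line summary for an AIDE exit status.
# Returns 0 for clean, 1 when differences were found, 2 when AIDE itself failed.
describe_aide_status() {
  code=$1
  if [ "$code" -eq 0 ]; then
    echo "clean: no differences against baseline"
    return 0
  fi
  if [ "$code" -ge 14 ]; then
    echo "error: aide failed with status $code (config, database or I/O problem, not a file change)"
    return 2
  fi
  # 1, 2 and 4 are bit flags that AIDE adds together.
  msg="differences found:"
  [ $((code & 1)) -ne 0 ] && msg="$msg new-files"
  [ $((code & 2)) -ne 0 ] && msg="$msg removed-files"
  [ $((code & 4)) -ne 0 ] && msg="$msg changed-files"
  echo "$msg"
  return 1
}

# Run the check and summarise its exit status; the full report still goes
# to stdout (and therefore to the journal when run from a systemd unit).
run_aide_check() {
  if "${AIDE_BIN:-/usr/sbin/aide}" --check; then
    status=0
  else
    status=$?   # captured inside the if so `set -e` cannot abort first
  fi
  describe_aide_status "$status"
}
```

The wrapper keeps AIDE's own return value semantics (non-zero when there is something to review), so it can replace /usr/sbin/aide --check in ExecStart without hiding changes from systemd.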
sudo tee /etc/systemd/system/aide-check.service > /dev/null <<'EOF'
[Unit]
Description=AIDE file integrity check
After=local-fs.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/aide --check
Nice=15
IOSchedulingClass=idle
EOF
Let me explain what this file means. In the [Unit] section, Description is just text that describes the service. After=local-fs.target tells systemd to wait until all local filesystems are mounted before running this service; this matters because AIDE cannot find files on a filesystem that is not mounted yet. In the [Service] section, Type=oneshot means the service runs once and then exits; it is not a daemon that runs constantly. ExecStart is the actual command that runs the AIDE check. Nice=15 gives the process a lower CPU priority, so if the server is busy, AIDE will not take all the CPU time. IOSchedulingClass=idle tells the kernel to let AIDE read the disk only when other programs are not using it. This keeps your server from lagging.
Now we need a timer to trigger this service every day. A systemd timer is much better than an old cron job. Create the timer file with this command:
sudo tee /etc/systemd/system/aide-check.timer > /dev/null <<'EOF'
[Unit]
Description=Run AIDE file integrity check daily
[Timer]
OnCalendar=daily
Persistent=true
RandomizedDelaySec=30m
[Install]
WantedBy=timers.target
EOF
Let me explain the timer file. In the [Timer] section, OnCalendar=daily runs the service once every day. Persistent=true is an important feature: if the server was off when the timer should have fired, systemd remembers this and runs the service as soon as the server starts again. Without it, we might miss many checks. RandomizedDelaySec=30m adds a random delay of up to 30 minutes before the check starts. This helps if you have many virtual machines on the same physical host, so they do not all start scanning files at the same second and make the physical disk very slow. In the [Install] section, WantedBy=timers.target means the timer starts when the system boots.
We have now created both files, but systemd does not know about them yet because we only wrote them to disk. We must tell systemd to reload its configuration. Run this command:
sudo systemctl daemon-reload
After reloading, we must enable and start the timer so it begins counting. We can do both with a single command:
sudo systemctl enable --now aide-check.timer
The --now option is handy because it starts the timer immediately without a separate start command.
We want to make sure the timer is active and running. We can list it among systemd's active timers with this command:
sudo systemctl list-timers aide-check.timer --no-pager
This command shows a table with the time of the next run and how long remains until then. If the timer appears in the list, everything is configured correctly.
After the timer has run for the first time, we want to see the report of the AIDE check. systemd sends all output from services to the journal. We can read these logs with the journalctl command. Type this:
sudo journalctl -u aide-check
This shows everything AIDE printed during the check. If there were no changes, it tells you the system is clean. If there were changes, it lists every file that was added, removed or modified. Read these logs carefully.
Sometimes you need to make changes to your server. For example, you might run an update command such as sudo apt upgrade or sudo dnf upgrade. This updates packages and changes many files on disk. This is a legitimate change made by you, but the next time AIDE runs it will see these changes and print many alerts, because it does not know you did the update. To fix this, we tell AIDE to update its database to match the new state of the system with the update command:
sudo aide --update
This command scans the system again and creates a new database file. As before, this file is named /var/lib/aide/aide.db.new.gz.
We must replace the old database with the new one so the next checks are quiet again. Run this command:
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
AIDE now has a new baseline database, and the next daily check will not alert you about the packages you updated. You must repeat this process every time you change configuration files or install new software. Make it a habit: if you start ignoring alerts, you will not notice when an attacker actually changes something.
Let’s talk about customizing what AIDE checks. The configuration file is /etc/aide.conf, and inside it are rules. Some directories change constantly, such as /var/log or /tmp. We do not want AIDE to check these because they change every minute and would produce too many alerts, so we exclude them in the configuration file. An exclamation mark ! before a directory path tells AIDE to ignore it; for example, !/tmp means ignore the temp directory. If you have a custom directory with very sensitive data, you can add it to /etc/aide.conf so AIDE monitors it too: write the directory path and a rule name at the bottom of the file. Remember that whenever you change the configuration file, you must run the initialization or update command again.
Using AIDE with a systemd timer is a great way to keep your Linux system secure without spending money on expensive security tools. It runs quietly in the background and only alerts you when something changes. Because we gave it a low priority in systemd, your server will not lose performance. Make sure to check the logs regularly and update the database after you do system maintenance.
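Because the update step overwrites the only record of the previous state, it is worth keeping the old database when you accept a new baseline: if a later alert looks suspicious, you can still compare against the state from before the maintenance. The script below, an added example and not part of the original post, does the update-and-replace sequence from this section with a dated backup of the old database, and only replaces the baseline when aide --update itself succeeded (exit statuses 1 to 7 just mean files differed from the old baseline, which is expected after an upgrade; 14 and above mean AIDE failed). AIDE_BIN and AIDE_DB_DIR are assumed override variables so the logic can be exercised on a scratch directory; their defaults are the paths this guide uses.

```shell
#!/bin/sh
# Added example, not from the original post: refresh the AIDE baseline after
# deliberate maintenance, keeping the previous database as a dated backup.
# AIDE_BIN and AIDE_DB_DIR are assumed overrides; defaults match the guide.
: "${AIDE_BIN:=/usr/sbin/aide}"
: "${AIDE_DB_DIR:=/var/lib/aide}"

# Move aide.db.new.gz into place as aide.db.gz. The old baseline is kept as
# aide.db.<timestamp>.gz so an alert can still be investigated against it.
rotate_aide_db() {
  new="$AIDE_DB_DIR/aide.db.new.gz"
  cur="$AIDE_DB_DIR/aide.db.gz"
  if [ ! -s "$new" ]; then
    echo "no new database at $new; nothing to rotate" >&2
    return 1
  fi
  if [ -f "$cur" ]; then
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$cur" "$AIDE_DB_DIR/aide.db.$stamp.gz"
  fi
  mv "$new" "$cur"
  chmod 0600 "$cur"   # the baseline is only for root to read or replace
}

# Run `aide --update` and rotate the database only if AIDE itself worked.
refresh_aide_baseline() {
  if "$AIDE_BIN" --update; then
    status=0
  else
    status=$?
  fi
  if [ "$status" -ge 14 ]; then
    echo "aide --update failed with status $status; baseline left untouched" >&2
    return 1
  fi
  rotate_aide_db
}
```

Run it as root right after the maintenance you intend to accept, and read the report aide --update prints first: every difference it lists is about to become part of the new normal.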
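Here is what such a customization looks like in practice, as an added example that is not part of the original post. It appends a rule group, the exclusions from this section and one watched directory to the configuration using the same tee-style heredoc the guide uses for unit files. The rule group name Critical, the attribute list, and the directory /srv/secrets are my own choices and assumptions (the attribute letters are AIDE's: p permissions, i inode, n link count, u owner, g group, s size, m mtime, c ctime, plus a sha256 checksum); AIDE_CONF is an assumed override so the fragment can be written to a scratch file for review first.

```shell
#!/bin/sh
# Added example: append custom AIDE rules and exclusions to the config.
# AIDE_CONF is an assumed override; the real file is /etc/aide.conf.
: "${AIDE_CONF:=/etc/aide.conf}"

# Append a rule group, exclusions and one watched directory.
# AIDE treats selection paths as regular expressions matched from the start
# of the path, so keep them specific. Rule groups must be defined before use.
add_custom_aide_rules() {
  cat >> "$AIDE_CONF" <<'EOF'

# --- custom rules added by the administrator ---
# Attributes to record: permissions, inode, link count, owner, group,
# size, mtime, ctime and a sha256 checksum (assumed name: Critical).
Critical = p+i+n+u+g+s+m+c+sha256

# Directories that change all the time; skip them to avoid alert noise.
!/tmp
!/var/tmp
!/var/log
!/var/cache

# A directory with sensitive data (assumed path), checked with the group above.
/srv/secrets Critical
EOF
}

# Count the exclusion lines now present, as a quick sanity check of the fragment.
aide_excluded_count() {
  grep -c '^!' "$AIDE_CONF"
}
```

After appending the fragment, run sudo aide --init (or --update) and move the new database into place as described above, otherwise the next check compares against a baseline built with the old rules.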
