AIDE (Advanced Intrusion Detection Enviroment)

AIDE (Advanced intrusion detection environment) is an intrusion detection program. More specifically a file integrity checker.

AIDE constructs a database of the files specified in aide.conf, AIDE's configuration file. The AIDE database stores various file attributes including: permissions, inode number, user, group, file size, mtime and ctime, atime, growing size, number of links and link name. AIDE also creates a cryptographic checksum or hash of each file using one or a combination of the following message digests algorithms: sha1, sha256, sha512, md5, rmd160, tiger (gost and whirlpool can be compiled in if mhash support is available). Additionally, the extended attributes acl, xattr and selinux can be used when explicitly enabled during compile time.

Typically, a system administrator will create an AIDE database on a new system before it is brought onto the network. This first AIDE database is a snapshot of the system in its normal state and the yardstick by which all subsequent updates and changes will be measured. The database should contain information about key system binaries, libraries, header files, all files that are expected to remain the same over time. The database probably should not contain information about files which change frequently like log files, mail spools, proc filesystems, user's home directories, or temporary directories.

After a break-in, an administrator may begin by examining the system using system tools like ls, ps, netstat, and who --- the very tools most likely to be trojaned. Imagine that ls has been doctored to not show any file named "sniffedpackets.log" and that ps and netstat have been rewritten to not show any information for a process named "sniffdaemond". Even an administrator who had previously printed out on paper the dates and sizes of these key system files cannot be certain by comparison that they have not been modified in some way. File dates and sizes can be manipulated; some better root-kits make this trivial.

While it is possible to manipulate file dates and sizes, it is much more difficult to manipulate a single cryptographic checksum like md5, and exponentially more difficult to manipulate each of the entire arrays of checksums that AIDE supports. By rerunning AIDE after a break-in, a system administrator can quickly identify changes to key files and have a fairly high degree of confidence as to the accuracy of these findings.

To know about the courses CLICK HERE..!!

Contact US CLICK HERE..!!


  1. I really enjoy simply reading all of your weblogs. Simply wanted to inform you that you have people like me who appreciate your work. Definitely a great post. Hats off to you! The information that you have provided is very helpful.