• supported message digest algorithms: md5, sha1, rmd160, tiger, crc32, sha256, sha512, whirlpool (additionally with libmhash: gost, haval, crc32b)
• supported file attributes: File type, Permissions, Inode, Uid, Gid, Link name, Size, Block count, Number of links, Mtime, Ctime and Atime
• support for Posix ACL, SELinux, XAttrs and Extended file system attributes if support is compiled in
• plain text configuration files and database for simplicity
• powerful regular expression support to selectively include or exclude files and directories to be monitored
• gzip database compression if zlib support is compiled in
• stand alone static binary for easy client/server monitoring configurations
• and many more...

The current stable version of AIDE is 0.17.4, but you need to download it here.

If you don't want to, you can install from Debians repository and get Version: 0.17.3-4+deb11u1.

How to install via a terminal window from Debian's repository:

sudo apt-get install aide

Press Enter.

Other supported distributions:

• Debian: sudo apt install aide
• Ubuntu: sudo apt install aide
• LMDE5:  sudo apt install aide
• FreeBSD: pkg install aide
• Gentoo: emerge aide
• Homebrew: brew install aide
• MacPorts: port install aide
• NixOS: nix-env -iA nixos.aide
• OpenBSD: pkg_add aide
• openSUSE: zypper install aide
• Red Hat | CentOS | Fedora: yum install aide

Run this command:

sudo aide -v

Press Enter.

Result:

user@computer:~$ aide -v
Aide 0.17.3

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_CAPABILITIES
WITH_E2FSATTRS
WITH_ZLIB
WITH_MHASH
WITH_AUDIT

Default config values:
config file: <none>
database_in: <none>
database_out: <none>

Available hashsum groups:
md5: yes
sha1: yes
sha256: yes
sha512: yes
rmd160: yes
tiger: yes
crc32: yes
crc32b: yes
haval: yes
whirlpool: yes
gost: yes
stribog256: no
stribog512: no

Default compound groups:
R: l+p+u+g+s+c+m+i+n+md5+acl+selinux+xattrs+ftype+e2fsattrs+caps
L: l+p+u+g+i+n+acl+selinux+xattrs+ftype+e2fsattrs+caps
>: l+p+u+g+i+n+acl+S+selinux+xattrs+ftype+e2fsattrs+caps
H: md5+sha1+rmd160+tiger+crc32+haval+gost+crc32b+sha256+sha512+whirlpool
X: acl+selinux+xattrs+e2fsattrs+caps

You should open the configuration using your favorite editor:

sudo gedit /etc/aide.conf

Press Enter.

It has directives that define the database location, report location, default rules, the directories/files to be included in the database.

You should research recommended settings:

PERMS = p+u+g+acl+selinux+xattrs

The PERMS rule is used for access control only, it will detect any changes to file or directories based on file/directory permissions, user, group, access control and permissions.

To check file content and file type:

CONTENT = sha256+ftype

An extended version of the previous rule, that checks extended content, file type and access:

CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs

DATAONLY rule below will detect any changes in data inside all files/directories:

DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256

Now that you have defined rules, you can specify the file and directories to watch. The following definition will check permissions for all files in root directory.

/root/\..*  PERMS

Check all files in the /root directory for any changes.

/root/   CONTENT_EX

Will help you detect any changes in data inside all files/directory under /etc/

To detect any changes in data inside all files/directory under /etc/:

/etc/   DATAONLY

Use AIDE to Check File and Directory Integrity in Linux:

sudo aide --init

Now rename the database to /var/lib/aide/aide.db.gz before proceeding.

sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

I recommended you move the database to a secure location.

Once the database is created, you can check the integrity of the files and directories:

sudo aide --check

It will comprare the snapshot in the database to the files/directories found on your system disk. If it finds changes,that you might not expect, it generates a report which you can then review.