AIDE Ubuntu Installation


AIDE is an open-source tool that allows administrators to monitor for any changes made to files and directories on a system. In this guide, we’ll be going over how to set it up and test it on Ubuntu 18.04 or 16.04.


Before you can follow the guide below, you’re going to need either Ubuntu 18.04 or 16.04 on a compatible server and of course have AIDE itself ready to install.

Installing AIDE Package

Update package repositories before continuing:

apt update -y

Install the AIDE package using the apt command:

apt install aide -y

Updating AIDE Configuration


^ This is where you would set up mailed reports and Cronjob-specific configuration options.


^ This is where you set the directories and files that AIDE will monitor.

We'll be editing:


for now but feel free to look around in


if you're interested in configuring any of the things listed in the file.

AIDE Definitions



file includes all the definitions and rules (in that order) that are in each of the files in the /etc/aide/aide.conf.d/ directory.

By default, the file will contain only the definitions that will be used when stating how files/directories should be watched.

An example definition looks like this:

OwnerMode = p+u+g+ftype

This specific definition would monitor the files for changes in the permissions, the owner/group of the file, and the file type. You can see what each of the specific letters in this definition does by looking at the man page for AIDE:

You can even combine several of these definitions into a single definition. This is one of the ones that I made:

OwnerSize = OwnerMode+s+b

With this definition, AIDE would monitor for all changes that the


definition is already looking out for along with changes in the file size. Since this group definition is custom-made, you can do the same and make whatever definition or group definition that would fulfill your needs!
Now, these definitions wouldn't be of any use until we tell AIDE to use them when monitoring files and directories.

AIDE Rules

As I mentioned before, all of the rules by default will be in each of the files in the



The rules listed in these files won't show up in


until you run the



So before we run that command, we'll want to pick and choose whichever rules we'll want to apply to our system.

As an example, we'll set up AIDE to monitor the directories that the web service, Apache2, installs on the system.


In the /etc/aide/aide.conf.d/ directory, we have a few files that match this description:




contains a few rules covering the log files that Apache2 creates. However, for our example, we also want AIDE to watch the configuration directories to make sure nobody is changing the files on the system.

Before we configure the Apache2 files directly, let's move the rest of the files out of the way so AIDE will only add rules that will fulfill our needs:

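mkdir -p /etc/aide/unused-config-files
# Move every entry whose name neither contains "apache2" nor ends in "aide" (case-insensitive).
# find is used instead of parsing "ls -a", which would also hand "." and ".." to mv.
find /etc/aide/aide.conf.d -mindepth 1 -maxdepth 1 ! -iname '*apache2*' ! -iname '*aide' -exec mv -t /etc/aide/unused-config-files/ {} +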

With these commands, we'll create a directory and move all files that do not specifically reference the Apache2 service or AIDE into that directory.

Now onto editing the contents of the Apache2 files. Within


we can find:

@@define APACHE2_LOGS (access|error|suexec)
@@define APACHE2_LOGS (access|error)
/var/log/apache2/@@{APACHE2_LOGS}\.log$ Log
/var/log/apache2/@@{APACHE2_LOGS}\.log\.1$ LowLog
/var/log/apache2/@@{APACHE2_LOGS}\.log\.2\.gz$ LoSerMemberLog
/var/log/apache2/@@{APACHE2_LOGS}\.log\.([3-9]|[1-4][0-9]|5[0-1])\.gz$ SerMemberLog
/var/log/apache2/@@{APACHE2_LOGS}\.log\.52\.gz$ HiSerMemberLog

/@@{RUN}/apache2\.pid$ VarFile
/@@{RUN}/apache2/ssl_scache$ VarFile
/var/log/apache2$ VarDir
/@@{RUN}/apache2$ VarDirInode

So let's break down this file first before we add our own rule to it.

The first 5 lines of the file use the @@ symbols and go over setting a variable that can be used within all other AIDE configuration files. You can view the documentation for these specific macros (as they are called) here:

We can see that the if/else condition first checks to see if the


variable is set, which is all the file 30_aide_apache2 does. So, as long as that file stays enabled, the file we're editing will not have any problems.

You'll see within the if/else statements the use of


which is how you set the variables. Within the file, it sets the variable


to be both




whenever it is called.

So applying what we know, this variable is used to have AIDE look at both the




files with the log-specific definitions, which can be found in


A few of the next lines after those use


which is created by the 10-aide-run config file and simply translates to run.

So with all of the contents of the file explained, let's add our own rule to the bottom of the file.

@@define SITES (sites-available|sites-enabled)
/etc/apache2/@@{SITES} Checksums

First, we define


to resolve to both




Both of these values come from the directories that Apache2 creates to sort out which configuration files are enabled or are simply just available.

Then, we use this newly-created variable when specifying the Apache2 configuration directory so that it knows where to look. If we wanted to exclude the directory, we would put ! in front of the directory and leave out the group definition like this:


Since we're wanting to monitor the directory for changes within the files, we'll add


definition onto the end.
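The rule above, worked through as an added example (not part of the original guide or of AIDE itself): the function expands the @@define macros as described and reports which rule groups select a given path. It assumes AIDE's documented behaviour of anchoring each rule's regular expression at the start of the path only; the function name and the test paths are constructed for illustration.

```shell
#!/bin/sh
# Constructed input: one log rule from the Apache2 file plus the SITES rule.
RULES='@@define APACHE2_LOGS (access|error)
/var/log/apache2/@@{APACHE2_LOGS}\.log$ Log
@@define SITES (sites-available|sites-enabled)
/etc/apache2/@@{SITES} Checksums'

# matching_groups PATH
# Prints the group of every rule whose expanded regex selects PATH,
# or "none" when no rule selects it.
matching_groups() {
    printf '%s\n' "$RULES" | awk -v path="$1" '
        # Remember each macro: @@define NAME VALUE
        $1 == "@@define" { val[$2] = $3; next }
        # Rule line: REGEX GROUP
        NF >= 2 {
            regex = $1
            # Replace every @@{NAME} reference with its defined value.
            for (name in val) {
                ref = "@@{" name "}"
                while ((i = index(regex, ref)) > 0)
                    regex = substr(regex, 1, i - 1) val[name] \
                            substr(regex, i + length(ref))
            }
            # Assumption: the regex is anchored at the start only, so the
            # end of the path is free unless the rule itself ends in $.
            if (path ~ ("^" regex)) { print $2; found = 1 }
        }
        END { if (!found) print "none" }'
}

# Show the effect on a few constructed paths.
for p in /etc/apache2/sites-enabled/aide.conf \
         /etc/apache2/sites-enabled-old/x.conf \
         /etc/apache2/apache2.conf \
         /var/log/apache2/access.log.bak; do
    printf '%s -> %s\n' "$p" "$(matching_groups "$p")"
done
```

Because the SITES rule has no trailing `$`, it also selects a sibling directory such as `/etc/apache2/sites-enabled-old`, while the `$`-anchored log rule does not select `access.log.bak`.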

Now that we've created our rules, we can move on to initializing the database.

For these rules files, you can just create a file, place the rules in it, and name it whatever you want as long as the file is within the


directory. You can also add the rules to the


directory but only use this for testing as all changes get overwritten when you run the



Initializing the Database

Now that we have the rules that we want AIDE to use, we can initialize the database


Applying changes

Update AIDE configuration by running this command:


Now update the default configuration file with the one that we just generated by running this command:

cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf

Now we should be able to see the rules we added in the Apache2 AIDE config file in


If you want to make any changes to the configuration after you've set up everything, you can just add the rules wherever you think is best and then re-initialize the database to overwrite the baseline configuration.

Testing AIDE

Now that we have the database set up and the rules monitoring the files that we want to be checking, we can test AIDE by making changes to the Apache2 directories.

touch /etc/apache2/sites-enabled/aide.conf

Now run the aide.wrapper command with the -C option to see that AIDE saw us create this new file!

root@aide-test:/etc/aide/aide.conf.d# aide.wrapper -C
Start timestamp: 2021-01-25 22:05:22 +0000 (AIDE 0.16)
AIDE found differences between database and filesystem!!
Verbose level: 6

Total number of entries: 156
Added entries: 1
Removed entries: 0
Changed entries: 0

Added entries:

f++++++++++++++++: /etc/apache2/sites-enabled/aide.conf

The attributes of the (uncompressed) database(s):

RMD160 : uu/nZvqD/lwLoqIBU+Q5NkfBs2E=
SHA256 : riBO2TjNW41EnuJ3iTXBFlGWzEcNA2k/
SHA512 : PWjqwCgvzSEXSuXeMwYaAM5oEEaN8vTx
CRC32 : Q8gEfQ==
HAVAL : OrNFTv7qMAdtGS+1zDc0InnK8tVv4kg3
GOST : Cg8R3BLhocvxsvweTBTdR6wHy9L07Jxd

End timestamp: 2021-01-25 22:05:22 +0000 (run time: 0m 0s)

Now, we can use AIDE to monitor any files or directories we want!
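To act on a check like the one above from a scheduled job, the report can be reduced to one line per affected file plus the summary counts. The following is an added example, not part of the original guide or of AIDE; the function name and the embedded sample report (built from the output shown above) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: summary and entry lines from the aide.wrapper -C run above.
SAMPLE_REPORT='AIDE found differences between database and filesystem!!

Total number of entries: 156
Added entries: 1
Removed entries: 0
Changed entries: 0

Added entries:

f++++++++++++++++: /etc/apache2/sites-enabled/aide.conf

The attributes of the (uncompressed) database(s):'

# summarize_report: read an AIDE check report on stdin and print
#   "<added|removed|changed> <path>" for every listed file, then one
#   "summary added=N removed=N changed=N" line.
summarize_report() {
    awk '
        # Summary counters, e.g. "Added entries: 1" (three fields).
        $2 == "entries:" && NF == 3 { count[tolower($1)] = $3; next }
        # Section headers, e.g. "Added entries:" (two fields).
        $2 == "entries:" && NF == 2 { section = tolower($1); next }
        # Any other heading ending in a colon closes the current section.
        /:$/ { section = ""; next }
        # Entry lines look like "<flags>: /path"; keep only the path.
        section != "" && /:[ \t]*\// {
            sub(/^[^:]*:[ \t]*/, "")
            print section, $0
        }
        END {
            printf "summary added=%d removed=%d changed=%d\n",
                   count["added"], count["removed"], count["changed"]
        }'
}

# Stand-alone demonstration on the sample report.
printf '%s\n' "$SAMPLE_REPORT" | summarize_report
```

On a live system the same function can be fed directly, for example `aide.wrapper -C | summarize_report`, and the output forwarded to mail or a log collector.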


AIDE can be used for a variety of applications including monitoring file configuration changes, filesystem changes, and more. It can even be used as a tool to keep any cyber attacks from modifying the system in any way. However, even if they did, it’s easy to identify what files they altered, and how.

Overall, AIDE is a great tool to use for general admin integrations for your systems! If you run into any trouble though, don’t hesitate to reach out to the Awnix team for help!
