How to Configure AIDE (File Integrity Monitoring) on Fedora

Install AIDE, initialize the database, and enable the systemd timer to monitor file integrity on Fedora.

You deploy a web server, lock down SSH, install your application, and go to sleep. Three days later, a compromised dependency injects a reverse shell into a binary, or a misconfigured script overwrites /etc/passwd. You need to know immediately, not when the audit trail is gone. AIDE gives you that baseline. You record the state of the system once, and AIDE watches for any drift. It does not prevent changes. It tells you exactly what changed, when it changed, and where.

What is actually happening

AIDE works by taking a cryptographic snapshot of your files. It records permissions, ownership, timestamps, and hashes for every file you tell it to watch. When you run a check later, it compares the current state against that snapshot. If a file changed, AIDE reports it.

AIDE is not real-time monitoring. It is a periodic check. Think of it like a security guard who walks the floor every night with a clipboard. The guard does not see the break-in happen. The guard sees the broken window the next morning and marks it on the report. The value comes from the consistency of the check and the cryptographic proof that the file content has been altered.

Install and initialize the database

Install the package and generate the baseline. This process scans the filesystem, which can take several minutes depending on disk speed and file count. Run this on a fresh system or immediately after your final configuration is locked in.

sudo dnf install -y aide
# Install the AIDE package and dependencies. The -y flag auto-confirms the transaction.

sudo aide --init
# Generate the initial database. This scans the filesystem and writes hashes to aide.db.new.

The initialization writes to a temporary file named aide.db.new. AIDE refuses to run checks against a file named .new to prevent accidental overwrites of the active database. You must rename the file to activate it.

sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Rename the new database to the active name. AIDE requires the file to be named aide.db to run checks.

Update the database after every package upgrade. AIDE cannot distinguish between a hacker and a dnf update. If you skip this step, your next check will report thousands of false positives.

Configure the timer

Fedora ships AIDE with a systemd timer. The timer runs the check automatically and logs the result to the journal. Enable the timer to start monitoring.

sudo systemctl enable --now aide.timer
# Enable the systemd timer to run checks automatically. The --now flag starts the timer immediately.

systemctl status aide.timer
# Verify the timer is active and check the scheduled next run time.

The default timer runs daily. You can adjust the interval if your risk profile requires more frequent checks. Config files in /etc/ are user-modified. Files in /usr/lib/ ship with the package. Edit /etc/. Never edit /usr/lib/.

sudo systemctl edit aide.timer
# Create an override directory and open the editor for the timer unit.

Add the following to the override file to change the schedule. The OnCalendar directive uses systemd calendar event syntax.

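[Timer]
# Clear the schedule inherited from the packaged unit first. OnCalendar entries in an
# override are added to the existing list, so without this reset the daily run stays active.
OnCalendar=
# Run every 6 hours instead of daily. Adjust based on your risk tolerance.
OnCalendar=*-*-* 00/6:00:00

# Add a random delay up to 5 minutes to prevent thundering herd effects on large fleets.
RandomizedDelaySec=300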

Reload the daemon after editing the override.

sudo systemctl daemon-reload
# Reload systemd to pick up the new timer configuration.

Check the journal, not the email. AIDE writes to the systemd journal by default on Fedora. Use journalctl -u aide.service to filter output. The journalctl -xe command reads better than journalctl alone because the x flag adds explanatory text and the e flag jumps to the end.

Verify the configuration

Run a manual check to confirm the database is working and the configuration is valid. This forces an immediate comparison against the baseline.

sudo aide --check
# Run a manual check against the database. This forces an immediate comparison.

A clean system returns a summary with no differences.

AIDE found no differences. Everything is secure.

If you see AIDE found differences between checked and saved data, review the output. AIDE lists the file path, the attribute that changed, and the old versus new values.

/var/log/lastlog:
  Changed: mtime
  Removed: mtime=2024-01-15 10:00:00
  Added: mtime=2024-01-15 10:05:00

Check the timer status to ensure automated checks are scheduled.

systemctl status aide.timer
# Check the timer state and the scheduled next run time.

Run aide --check manually after any major system change. Update the database immediately after you make the change, or AIDE will scream about your own work.

Common pitfalls and error handling

AIDE will report changes that are expected. Log files rotate, temporary files appear, and package updates modify binaries. You must tune the configuration to ignore volatile paths. The default configuration excludes /proc, /sys, /dev, and /run. You can add custom exclusions in /etc/aide.conf.

# /etc/aide.conf
# Exclude volatile directories. AIDE skips these by default, but you can add custom exclusions.
# The ! operator negates the rule.
!/var/log/journal
!/tmp

Excluding journal logs prevents false positives from log rotation. The ! operator tells AIDE to ignore the path entirely.

If you see Error: AIDE database file /var/lib/aide/aide.db is not found, you likely ran --init but did not move the file. AIDE creates aide.db.new and waits for you to rename it. Run the mv command to fix this.

If the check takes too long, reduce the scope. AIDE supports rules that define which attributes to check. The default rule Normal checks permissions, inode, symlinks, user, group, size, blocks, mtime, ctime, and sha256 hash. You can create a lighter rule for directories that change frequently.

# /etc/aide.conf
# Define a lighter rule that skips hash checking. Useful for large directories where metadata matters more than content.
Quick = p+i+l+u+g+s+b+m+c

Use the Quick rule in your path definitions to speed up checks.

# /etc/aide.conf
# Apply the Quick rule to the home directory. This checks metadata but skips expensive hash calculations.
/home Quick

Never run aide --update blindly. Read the diff first. If AIDE reports a change in /usr/bin/sudo, verify the change is legitimate before updating the database. An attacker could modify the database to hide their tracks. Always verify the file hash manually if you suspect compromise.
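
One way to act on both warnings above (refresh the baseline after upgrades, and do not trust a database an attacker may have rewritten), as an added example that is not part of the original article or of AIDE. The function names and the seal file are hypothetical; the database paths in the usage comment are the ones this article uses.

```shell
#!/bin/sh
# Added example: seal a reviewed AIDE baseline with a SHA-256 digest and refuse
# to check against, or replace, a baseline that no longer matches its seal.
# seal_baseline, verify_baseline and promote_baseline are hypothetical helpers.
# Keep the seal where the monitored host cannot normally write (another machine,
# or media mounted writable only while sealing); a seal stored beside the
# database only catches careless edits.

digest_of() { sha256sum "$1" | awk '{print $1}'; }

# seal_baseline <db> <seal>: record the digest of a baseline you have reviewed.
seal_baseline() {
    [ -r "$1" ] || { echo "baseline not readable: $1" >&2; return 2; }
    digest_of "$1" > "$2.tmp" && chmod 0400 "$2.tmp" && mv -f "$2.tmp" "$2"
}

# verify_baseline <db> <seal>: 0 = intact, 1 = modified, 2 = db or seal missing.
verify_baseline() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "missing baseline or seal" >&2; return 2; }
    [ "$(digest_of "$1")" = "$(cat "$2")" ] && return 0
    echo "BASELINE MODIFIED SINCE SEAL: $1" >&2
    return 1
}

# promote_baseline <new-db> <db> <seal>: activate a database written by
# `aide --update`, but only if the baseline that produced the report is intact.
promote_baseline() {
    verify_baseline "$2" "$3" || return $?
    [ -s "$1" ] || { echo "new database missing or empty: $1" >&2; return 2; }
    mv -f "$1" "$2" && seal_baseline "$2" "$3"
}

# Sequence after a dnf upgrade (the seal location is an assumption):
#   verify_baseline /var/lib/aide/aide.db /media/aide-seal/aide.db.sha256 && aide --update
#   ...read the report and confirm every change belongs to the upgrade...
#   promote_baseline /var/lib/aide/aide.db.new /var/lib/aide/aide.db \
#       /media/aide-seal/aide.db.sha256
```

A non-zero return from verify_baseline means the report that follows cannot be trusted, so investigate the database itself before looking at any file differences.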

When to use AIDE versus alternatives

Use AIDE when you need a lightweight, local file integrity checker that runs periodically and requires no network traffic.

Use OSSEC when you need real-time monitoring, log analysis, and rootkit detection across multiple hosts.

Use Wazuh when you are managing a fleet of servers and want a centralized dashboard with compliance reporting.

Stay on AIDE when your compliance requirement is just "detect file changes" and you do not want to maintain a remote collector.

Trust the package manager. Manual file edits drift, snapshots stay. Keep your baseline fresh and your checks regular.
