Using Advanced Intrusion Detection Environment

Advanced Intrusion Detection Environment (AIDE) is an application that detects changes to selected files on a system and reports them, so that you can maintain a known-good file integrity baseline and detect unauthorized changes and potential rootkits.

This tool is installed as follows:

sudo dnf install -y aide

When AIDE is installed, you can change the configuration in /etc/aide.conf. The configuration file is used to decide which files and directories are monitored by AIDE and also how logging and output are handled.

AIDE stores its record of the system's current state in a database file under /var/lib/aide/ (/var/lib/aide/aide.db, or aide.db.gz when compressed as in the commands below). If you keep a copy of this database at an external location, you can restore it as a known safe state before you perform an audit; a check run against a database that has been modified on the host itself proves nothing. If the file does not yet exist, create one from the current system state by running:

sudo aide --init
sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

When you have created a database, you can check file integrity at any time by running:

sudo aide --check

If no differences are found, AIDE reports:

AIDE found NO differences between database and filesystem. Looks okay!!

If you configure this tool to run as an automated cron job, you get regular reports of changes to system configuration and state, which can help with early intrusion detection.
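The steps above collected into a script that cron can run, as an added example (not AIDE's own code): it refuses to trust a live database that differs from the externally stored copy, restores that copy, then runs the check and recognises the no-differences message. The AIDE_* variables, the /root/aide-baseline and /var/log/aide paths, and the AIDE_AUDIT_RUN gate are assumptions of this example.

```shell
#!/bin/sh
# Added example: cron-style wrapper for the aide --init / --check workflow above.
# The AIDE_* names and the baseline/report paths are this script's assumptions.
AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db.gz}"
AIDE_DB_NEW="${AIDE_DB_NEW:-/var/lib/aide/aide.db.new.gz}"
# Known-good copy kept off the host or on read-only media, as the text suggests.
AIDE_BASELINE="${AIDE_BASELINE:-/root/aide-baseline/aide.db.gz}"
AIDE_REPORT="${AIDE_REPORT:-/var/log/aide/last-check.txt}"

# Print the SHA-256 of a file (first field of sha256sum output).
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 if the live database is byte-for-byte identical to the stored copy.
# A check run against a database an intruder has rewritten proves nothing.
baseline_matches() {
    [ -f "$1" ] && [ -f "$2" ] || return 1
    [ "$(file_sha256 "$1")" = "$(file_sha256 "$2")" ]
}

# Return 0 only if the report carries AIDE's "no differences" line quoted above.
report_is_clean() {
    grep -q 'AIDE found NO differences between database and filesystem' "$1"
}

# First run: build the database, promote it, and stash the external copy.
init_baseline() {
    aide --init && cp "$AIDE_DB_NEW" "$AIDE_DB" &&
        mkdir -p "$(dirname "$AIDE_BASELINE")" && cp "$AIDE_DB" "$AIDE_BASELINE"
}

# Routine audit: restore the baseline if the live database drifted, then check.
run_audit() {
    if ! baseline_matches "$AIDE_DB" "$AIDE_BASELINE"; then
        echo "live database differs from stored baseline; restoring it" >&2
        cp "$AIDE_BASELINE" "$AIDE_DB"
    fi
    aide --check >"$AIDE_REPORT" 2>&1
    if report_is_clean "$AIDE_REPORT"; then
        echo "integrity check passed"
    else
        echo "integrity check reported differences; see $AIDE_REPORT" >&2
        return 1
    fi
}

# Act only when AIDE_AUDIT_RUN=1 (e.g. from cron); otherwise just define functions.
if [ "${AIDE_AUDIT_RUN:-0}" = 1 ]; then run_audit "$@"; fi
```

Run init_baseline once by hand after installation, then set AIDE_AUDIT_RUN=1 in the crontab entry that invokes the script.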

See the aide(1) and aide.conf(5) manual pages for more information.