AIDE – Lightweight Linux Host Intrusion Detection
The article introduces AIDE (Advanced Intrusion Detection Environment), a lightweight Linux host intrusion detection tool. It scans the filesystem and maintains a snapshot of file metadata (permissions, checksums and so on) so that unauthorised changes can be detected quickly. It suits environments with high security requirements, supports cryptographic hashes and rule-based configuration, and needs no background service or network connection. 2025-5-26 01:0:0 Author: www.darknet.org.uk

When it comes to host-based intrusion detection on Linux, not everything has to be eBPF, cloud-native, or backed by a dashboard with a 12-step install guide.


Sometimes, what you need is fast, simple, and hardened.

AIDE (Advanced Intrusion Detection Environment) is that tool.

Initially designed in the early 2000s and still actively maintained, AIDE remains one of the most trusted file integrity checkers on hardened Linux systems. It’s used in everything from air-gapped environments and critical infrastructure to high-assurance audit contexts where noise is not an option.

What Is AIDE?

AIDE is a host-based intrusion detection system (HIDS) that scans your filesystem and maintains a snapshot of its metadata: file permissions, checksums, timestamps, ownership, and size.

When run, it compares the system’s current state against its known-good database and reports any changes.

It’s minimal, non-resident (no daemon by default), and often used in combination with cron jobs or scheduled tasks to detect:

  • Unauthorised changes to config files
  • Rootkits or hidden binary replacements
  • Unexpected modifications in system directories

Core Features

  • Fast local file integrity checking
  • Cryptographic hash support: SHA1, SHA256, SHA512, etc.
  • Templated rule-based configuration
  • Portable and simple to audit
  • Outputs plaintext diffs or custom reports
  • Doesn’t require an agent or network connection

Basic Installation

On Debian/Ubuntu:

On Red Hat/CentOS:

Build from source (if needed):

git clone https://github.com/aide/aide.git
cd aide
./configure && make && sudo make install
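A worked example of the snapshot-then-compare cycle described above, added here and not taken from the article or the AIDE project. It writes a minimal aide.conf for a scratch directory (the rule names, the watched path and the database locations are constructed for the demo), promotes the --init output to the live baseline, edits one file and decodes the exit status of --check. The package-manager install lines appear as comments; AIDE ships as the package named aide on Debian-family and RHEL-family distributions.

```shell
#!/bin/sh
# Added example, not from the darknet.org.uk article or the AIDE project.
# Install (distribution packages):  Debian/Ubuntu: sudo apt install aide
#                                   RHEL/CentOS/Fedora: sudo dnf install aide
set -eu

# Write a self-contained aide.conf that watches $1 and keeps its database in $2.
# Attribute letters: p=permissions i=inode n=link count u=uid g=gid s=size
# m=mtime c=ctime, plus the sha256 checksum. database_in/database_out are the
# AIDE 0.17+ option names; older releases spell the input one "database=".
write_aide_conf() {
    watched="$1"; dbdir="$2"; conf="$3"
    cat > "$conf" <<EOF
database_in=file:$dbdir/aide.db
database_out=file:$dbdir/aide.db.new
gzip_dbout=no

# Rule groups: a name on the left, '+'-joined attributes on the right.
NORMAL = p+i+n+u+g+s+m+c+sha256
LOGS   = p+u+g

# Selection lines: a path regex (anchored at the start) and the rule to apply;
# a leading '!' excludes the subtree.
$watched NORMAL
!$watched/cache
EOF
}

# Translate aide's exit status into a one-line summary. Per aide(1): bit 1 =
# new files, bit 2 = removed files, bit 4 = changed files; 14 and above are
# aide's own errors (write, argument, config, I/O, version mismatch).
aide_status_text() {
    code="$1"
    if [ "$code" -eq 0 ]; then echo "clean"; return 0; fi
    if [ "$code" -ge 14 ]; then echo "error($code)"; return 0; fi
    out=""
    [ $((code & 1)) -ne 0 ] && out="${out}new "
    [ $((code & 2)) -ne 0 ] && out="${out}removed "
    [ $((code & 4)) -ne 0 ] && out="${out}changed "
    echo "${out% }"
}

main() {
    work=$(mktemp -d)                                  # constructed scratch tree
    mkdir -p "$work/tree/cache" "$work/db"
    echo "listen=127.0.0.1" > "$work/tree/app.conf"    # constructed sample file
    write_aide_conf "$work/tree" "$work/db" "$work/aide.conf"
    echo "--- generated $work/aide.conf ---"; cat "$work/aide.conf"
    if ! command -v aide >/dev/null 2>&1; then
        echo "aide not installed; skipping live init/check" >&2
        return 0
    fi
    # --init writes database_out. Promoting it to database_in is a deliberate
    # manual step: a check run must never be able to bless its own results.
    aide --config="$work/aide.conf" --init
    mv "$work/db/aide.db.new" "$work/db/aide.db"
    echo "listen=0.0.0.0" > "$work/tree/app.conf"      # simulate an unauthorised edit
    set +e; aide --config="$work/aide.conf" --check; rc=$?; set -e
    # A single modified file (no new or removed ones) yields exit 4, "changed".
    echo "aide --check exit $rc: $(aide_status_text "$rc")"
}
main
```

After reviewing and approving a reported change, the usual sequence is `aide --check`, then `aide --update` (which writes a fresh database_out), then the same manual promotion of aide.db.new to aide.db; keeping that promotion out of any automated job is what preserves the baseline as an independent point of trust.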

Hardened Use Cases

  • Run AIDE via cron daily and email the results
  • Store baseline hashes in an external location or an immutable store
  • Pair with auditd or a log monitoring system for broader HIDS coverage
  • Use in offline or classified environments with strict change control
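The first two use cases above (a daily cron run that mails its results, and a baseline kept in an external or immutable store) combined into one wrapper script. This is an added example, not from the article or the AIDE project. The config and database paths, the read-only mount that holds the baseline hash, the recipient address and the use of a mailx-style `mail -s` command are assumptions; adjust them to the host.

```shell
#!/bin/sh
# Added example, not from the darknet.org.uk article or the AIDE project.
# Cron-driven integrity check that (1) refuses to run against a baseline
# database whose sha256 no longer matches the copy recorded off-box,
# (2) runs aide --check, and (3) mails the report, clean or not.
# Suggested crontab line (assumed path):  0 3 * * * root /usr/local/sbin/aide-check.sh check
set -eu

AIDE_CONF="${AIDE_CONF:-/etc/aide/aide.conf}"          # Debian layout; RHEL uses /etc/aide.conf
AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db}"
# Hash of the trusted baseline, written once after --init and kept on storage
# the host cannot rewrite (read-only mount, WORM bucket, offline media).
BASELINE_SUM="${BASELINE_SUM:-/mnt/readonly/aide.db.sha256}"
MAIL_TO="${MAIL_TO:-security@example.invalid}"          # placeholder recipient

# Record the baseline hash. Run this right after 'aide --init' and the manual
# promotion of aide.db.new to aide.db, and again after every approved --update.
record_baseline() {
    sha256sum "$1" | awk '{print $1}' > "$2"
}

# Return 0 only if the database at $1 still matches the hash file at $2.
# A mismatch means the baseline itself was replaced or edited, which is what
# an intruder with root would do to hide changes, so the mismatch is an alert
# in its own right and the check must not proceed on that database.
verify_baseline() {
    db="$1"; sumfile="$2"
    [ -r "$sumfile" ] || { echo "baseline hash file $sumfile missing" >&2; return 2; }
    expected=$(cat "$sumfile")
    actual=$(sha256sum "$db" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Run the check and mail the report. aide(1) exit codes 1-7 mean findings,
# 14 and above mean aide itself failed. A clean run is mailed as well, so a
# job that silently stops running is noticed by the absence of mail.
run_check_and_mail() {
    report=$(mktemp)
    if ! verify_baseline "$AIDE_DB" "$BASELINE_SUM"; then
        printf 'AIDE baseline %s does not match %s; refusing to run check\n' \
            "$AIDE_DB" "$BASELINE_SUM" > "$report"
        subject="AIDE BASELINE MISMATCH on $(hostname)"
    else
        set +e
        aide --config="$AIDE_CONF" --check > "$report" 2>&1
        rc=$?
        set -e
        case $rc in
            0)     subject="AIDE clean on $(hostname)" ;;
            [1-7]) subject="AIDE CHANGES (exit $rc) on $(hostname)" ;;
            *)     subject="AIDE ERROR (exit $rc) on $(hostname)" ;;
        esac
    fi
    mail -s "$subject" "$MAIL_TO" < "$report"    # assumes mailx/bsd-mailx
    rm -f "$report"
}

case "${1:-}" in
    record) record_baseline "$AIDE_DB" "$BASELINE_SUM" ;;
    check)  run_check_and_mail ;;
    *)      echo "usage: $0 {record|check}" >&2 ;;
esac
```

The hash file, not the database, is what lives off-box: the database can stay local for speed, because any edit to it is caught before the check runs. For the auditd pairing mentioned above, a watch rule on the database and config paths gives an independent record of who touched them.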

Final Thoughts

If you’re looking for a simple, fast, and reliable file integrity checker that doesn’t require a backend, a dashboard, or a dozen dependencies, AIDE is still a top-tier choice, especially for:

  • Servers with a tight attack surface
  • Hardened security baselines
  • Legacy or air-gapped systems

It’s not flashy. It’s not new. But it gets the job done—and in some environments, that matters.

You can download AIDE or read more here: https://github.com/aide/aide

Source: https://www.darknet.org.uk/2025/05/aide-lightweight-linux-host-intrusion-detection/