Simple file comparison with aide

It’s sometimes useful to know what’s happening on your server when you install a new package or run an update. There are many solutions for this, but a simple one is aide, which is available on most Linux distributions. Aide is a simple intrusion detection program that creates a database of your system to check the integrity of its files. In this blog post, we show you an easy-to-use guide to comparing the changes on your system, for example after an installation or update. This is useful for analysing a package on a test system before it is used on a prod system. You should take a snapshot of your server so that you can repeat the steps for further analyses.

Installation and Configuration of aide

First step, install the package.

After that, you can change the existing configuration or create your own. You can define your own rules from options and apply them to a directory or filesystem. The available options and other configuration parameters are listed on this page. For a simple comparison of a system, you can just take this short config, which contains the most useful rule options.

p = permission, n = number of links, u = user, g = group, s = size, m = mtime, c = ctime, xattrs = extended file attributes, md5 = md5 checksum, sha1 = sha1 checksum

To check your configuration, run the following command.

Initialisation

Before you start your custom installation or update, you have to create an initial database as a reference for your system. This step can take some time, depending on the options selected in your configuration.

After the database has been initialised, a success message is printed with the path to your defined database.

Custom Part (Installation / Update) 

Now you can start the installation, update, or other steps you would like to compare.

Comparison

After your installation or update, you have two options to compare the changes. For a quick comparison, just compare the current state of the system with the initialised database. If you’re on a system that is used by other people and has a lot of other tasks running on it, you should initialise another database to compare with. It’s also better to create a new database if you would like to have a history, so you can compare other installation versions of the package and see which part of the package changed in which version.
We recommend saving the output in a file because, depending on your custom part, there will be a lot of information.

Solution #1 – quick comparison:

Solution #2 – create a new database:

After the creation of the new database, just compare these two databases. They must be defined in the config file with database=file:<path> and database_new=file:<path>.
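The whole procedure with two databases (Solution #2), as an added example that is not the post's own commands. The working directory, the file names, the rule name "Compare" and the script name aide-compare.sh are assumptions; run it as root so aide can read every file.

```shell
#!/bin/sh
# Added example: before/after comparison with two AIDE databases.
# Usage (script name is hypothetical):
#   sh aide-compare.sh before /etc /usr   # then install or update
#   sh aide-compare.sh after
WORK="${WORK:-/var/tmp/aide-compare}"      # assumed working directory

# Write a minimal config: one rule built from the options listed above,
# applied to every directory passed as an argument.
write_conf() {
    mkdir -p "$WORK"
    {
        echo "database=file:$WORK/before.db"
        echo "database_out=file:$WORK/out.db"
        echo "database_new=file:$WORK/after.db"
        echo "Compare = p+n+u+g+s+m+c+xattrs+md5+sha1"
        for dir in "$@"; do echo "$dir Compare"; done
        # Exclude the working directory so the databases are not reported.
        echo "!$WORK"
    } > "$WORK/aide.conf"
}

# Build a database (written to database_out) and keep it as before.db or after.db.
snapshot() {
    aide --config="$WORK/aide.conf" --init || return 1
    mv "$WORK/out.db" "$WORK/$1.db"
}

# Compare before.db (database) with after.db (database_new).
# aide exits non-zero when it finds differences, so the status is
# passed back to the caller instead of being treated as a failure.
compare() {
    aide --config="$WORK/aide.conf" --compare > "$WORK/report.txt" 2>&1
}

case "${1:-}" in
    before) shift
            write_conf "$@" &&
            aide --config="$WORK/aide.conf" --config-check &&
            snapshot before ;;
    after)  snapshot after && {
                compare
                echo "aide exit status $?, report in $WORK/report.txt"
            } ;;
esac
```

AIDE also offers sha256 and sha512 as rule options where md5 and sha1 are not acceptable. When the baseline is used for integrity monitoring rather than package analysis, keep before.db somewhere the monitored system cannot write to.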

Output

Here’s a sample output of a comparison between two databases. You’ll get a summary and the details with the differences.

All removed, changed and added entries will be listed.

In the details you see the changes to a file (size, mtime, ctime).

Conclusion

With aide you’ve got a simple-to-use tool for file comparisons. It can also be used for other things and is worth a look. The steps above were tested on a Debian 8 system; if you follow these instructions on a RHEL / Fedora server, the configuration and commands can be a little different, so you should check the man page for further help. If you have other solutions or hints for a comparison, feel free to share your thoughts in the comments.

One Comment

  • Ivan

    I’ve used aide for several years as a way to prove file integrity for PCI DSS systems, much simpler than samhain (http://www.la-samhna.de/samhain) even though samhain has very nice features.
