Before you can run AIDE checks on your system, the first thing you have to do is to rename the database. By default, this is done with the command:
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
After any configuration change, you always have to reinitialize the AIDE database and subsequently move the newly generated database. It is also a good idea to make a backup of this database.
Checking whether anything on the system has changed is simple: run the command aide --check. If the output is empty, nothing has changed. If AIDE found changes, it prints a summary like the following:
aide --check
AIDE found differences between database and filesystem!!
Summary:
Total number of files: 1992
Added files: 0
Removed files: 0
Changed files: 1
To learn about the actual changes, increase the verbose level of the check with the parameter -V. For the previous example, this could look like the following:
aide --check -V
AIDE found differences between database and filesystem!!
Start timestamp: 2009-02-18 15:14:10
Summary:
Total number of files: 1992
Added files: 0
Removed files: 0
Changed files: 1
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /etc/passwd
--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /etc/passwd
Mtime : 2009-02-18 15:11:02 , 2009-02-18 15:11:47
Ctime : 2009-02-18 15:11:02 , 2009-02-18 15:11:47
In this example, the file /etc/passwd was touched to demonstrate the effect.
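The procedure above (move the newly generated database into place while keeping a backup, then read the counts and paths out of the check output) as an added shell example; it is not from the AIDE manual. The database directory argument and the report text fed to the parsers are assumptions, and aide itself is not invoked, so the helpers can be exercised on any host.

```shell
#!/bin/sh
# Added example, not part of the AIDE documentation. Paths and sample
# reports are constructed assumptions.

# Rotate the freshly generated database into place, keeping a timestamped
# backup of the previous one. $1 = database directory (default /var/lib/aide).
refresh_aide_db() {
    dir="${1:-/var/lib/aide}"
    if [ ! -f "$dir/aide.db.new" ]; then
        echo "no $dir/aide.db.new found; run 'aide --init' first" >&2
        return 1
    fi
    if [ -f "$dir/aide.db" ]; then
        cp -p "$dir/aide.db" "$dir/aide.db.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    mv "$dir/aide.db.new" "$dir/aide.db"
}

# Read an 'aide --check' report on stdin and print "added removed changed"
# counts taken from its Summary block. An empty report (no differences)
# yields "0 0 0", which makes the function usable as a cron-job threshold.
aide_summary_counts() {
    awk '
        /^Added files:/   { a = $NF }
        /^Removed files:/ { r = $NF }
        /^Changed files:/ && $NF ~ /^[0-9]+$/ { c = $NF }   # skip section header
        END { printf "%d %d %d\n", a, r, c }
    '
}

# From a verbose (-V) report on stdin, print the per-file lines
# ("added: /path", "removed: /path", "changed: /path") so an alert can
# name the affected files instead of only reporting a count.
aide_changed_paths() {
    awk '$1 ~ /^(added|removed|changed):$/ { print $1, $2 }'
}
```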