aide − Advanced Intrusion Detection Environment

aide [parameters] command

AIDE is an intrusion detection system for checking the
integrity of files.

‐‐check, ‐C
     Checks the database for inconsistencies. You must have
     an initialized database to do this. This is also the
     default command. Without any command aide does a check.

‐‐init, ‐i
     Initialize the database. You must initialize a database
     and move it to the appropriate place before you can use
     the −−check command.

‐‐update, ‐u
     Checks the database and updates the database non‐
     interactively.  The input and output databases must be

‐‐compare, ‐E
     Compares two databases. They must be defined in config
     file with database=<url> and database_new=<url>.

‐‐config‐check, ‐D
     Stops after reading in the configuration file. Any
     errors will be reported.  If aide was compiled with the
     "‐‐with‐dbhmackey" option, a hash for the config file
     will be calculated. See the AIDE manual for more

‐‐config=configfile , ‐c configfile
     Configuration is read from file configfile instead of
     "./aide.conf". Use ’‐’ for stdin.

‐‐limit=REGEX , ‐l REGEX
     Limit command to entries matching REGEX. Note that the
     REGEX only matches at the first position.

               Only check and update the database entries
               matching /etc (i.e. the /etc directory) while
               leaving all other entries unchecked and

                    aide ‐‐update ‐‐limit /etc


‐‐before="configparameters" , ‐B "configparameters"
     These configparameters are handled before the reading
     of the configuration file. See aide.conf (5) for more
     details on what to put here.

‐‐after="configparameters" , ‐A "configparameters"
     These configparameters are handled after the reading of
     the configuration file. See aide.conf (5) for more
     details on what to put here.

     Controls how verbose aide is. Value must [0‐255]. The
     default is 5. With no argument Value is set to 20. This
     parameter overrides the value set in a configuration

‐‐report=reporter,‐r reporter
     reporter is a URL which tells aide where to send it’s
     output. See aide.conf (5) section URLS for available

     aide prints out its version number

     Prints out the standard help message.

Normally, the exit status is 0 if no errors occurred. Except
when the ‐‐update command was requested, in which case the
exit status is defined as:

1 * (new files detected?)     +

2 * (removed files detected?) +

4 * (changed files detected?)

     Additionally, the following exit codes are defined for
generic error conditions:

14 Error writing error

15 Invalid argument error

16 Unimplemented function error

17 Invalid configureline error

18 IO error

19 Version mismatch error


Please note that due to mmap issues, aide cannot be
terminated with SIGTERM. Use SIGKILL to terminate.

The checksums in the database and in the output are by
default base64 encoded (see also report_base16 option).  To
decode them you can use the following shell command:

echo <encoded_checksum> | base64 −d | hexdump −v −e ’32/1
"%02x" "\n"’

     Default aide configuration file.

     Default aide database.

     Default aide output database.

There are probably bugs in this release. Please report them
at . Bug fixes are more
than welcome.  Unified diffs are preferred.

All trademarks are the property of their respective owners.
No animals were harmed while making this webpage or this
piece of software. Although some pizza delivery guy’s
feelings were hurt.