# Aide Notes

[Check Integrity of File and Directory Using "AIDE" in Linux](https://www.tecmint.com/check-integrity-of-file-and-directory-using-aide-in-linux/)

AIDE is used to check file hashes (and other attributes) against a stored baseline database.

# Basic Usage

```
# Initialize the very first DB. It is written to the database_out path,
# /var/lib/aide/aide.db.new.gz by default, and must be moved to the
# database_in path (aide.db.gz by default) before a check can use it.
aide --init

# Check the current file system against the DB
aide --check

# Update the DB based on the file system (writes a new aide.db.new.gz)
aide --update

# Show extra debugging
aide --verbose=255
```

# Best Practices

1. Create a database against which future checks are performed: `aide --init`.
2. Move the database to read-only media. The config file and the AIDE binary should also be moved to read-only media. This read-only media should only be accessible during the scan.
3. Check the current files against the read-only init DB: `aide --check`.
4. Make adjustments to the config file if needed and update the AIDE DB with `aide --update`. This will create a new DB, which should be placed on the read-only media along with the new config file.

# Splunk

[Splunk and AIDE -- How do I ignore the first line of an AIDE log file?](https://community.splunk.com/t5/Getting-Data-In/Splunk-and-AIDE-How-do-I-ignore-the-first-line-of-an-AIDE-log/m-p/307082)

## Add context to the log file

[Splunk: Best Practice - Enriched log paths](https://www.oldlogsnewtricks.com/post/best-practice-enriched-log-paths)

Cron entry that records the AIDE package version, a checksum of the config file and the run time in the log file name:

```
# Run at 14 minutes past every hour. In a crontab, % must be escaped as \%.
# md5sum's output is cut down to the hash alone so the file name contains
# neither spaces nor the embedded path /etc/aide.conf.
14 * * * * /sbin/aide --check >> /var/log/aide_$(rpm -qa aide)_$(md5sum /etc/aide.conf | cut -d' ' -f1)_aide-$(date +\%s).log
```

Simpler form with only an epoch timestamp in the file name:

```
aide --check >> /var/log/aide/aide-$(date +%s).log
```

## Prep Aide logs for Splunk

[AIDE-Handler aide_Runv3](https://github.com/jls3tech/AIDE-Handler/blob/master/aide_Runv3.sh)

```
# Keep only the added/changed/removed entry lines, drop the colons and turn
# spaces into commas so each line becomes a comma-separated record for Splunk
grep 'changed\|added\|removed' /var/log/aide/aide-1600126273.log | sed -r 's/://g; s/ /,/g' >> /var/log/aide/splunk-log
```

## Splunk Search

`index=os sourcetype=aide`
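The grep/sed pipeline in "Prep Aide logs for Splunk" only matches the `added: /path` style lines of older AIDE releases and also loses the report's structure. The parser below is an added example, not code from these notes or from AIDE-Handler; it turns both report styles (the `added: /path` lines of AIDE 0.15 and the attribute-flag lines of AIDE 0.16) into key=value records, and the banner line that the Splunk question asks how to skip falls out naturally. The sample reports are constructed and modelled on those formats, not real captures.

```python
import re

# Constructed samples (not real captures) modelled on the two report formats:
# AIDE 0.15 prints "added: /path" lines, 0.16 prints attribute flags instead.
# In both, the first line is the banner the Splunk question asks how to skip.
SAMPLE_016 = """\
AIDE 0.16 found differences between database and filesystem!!
Start timestamp: 2020-09-14 23:31:13
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /usr/local/bin/unexpected
---------------------------------------------------
Changed entries:
---------------------------------------------------
f   ...    .C... : /etc/passwd
"""
SAMPLE_015 = """\
AIDE found differences between database and filesystem!!
Added files:
added: /usr/local/bin/unexpected
Changed files:
changed: /etc/ssh/sshd_config
Removed files:
removed: /etc/cron.d/backup
"""

SECTION_RE = re.compile(r"^(Added|Removed|Changed) (?:entries|files):$")
# 0.15 entry: "changed: /path"; 0.16 entry: type letter + attribute flags, ": ", path.
ENTRY_015_RE = re.compile(r"^(added|removed|changed): (/.*)$")
ENTRY_016_RE = re.compile(r"^([fdl][^:]*?)\s*:\s+(/.*)$")

def parse_aide_report(text):
    """Return one {'action', 'flags', 'path'} record per added/removed/changed entry."""
    # Banner, timestamp and separator lines match neither entry pattern, so they
    # drop out without any special handling of "the first line".
    action, records = None, []
    for line in text.splitlines():
        if sec := SECTION_RE.match(line):
            action = sec.group(1).lower()
        elif old := ENTRY_015_RE.match(line):
            records.append({"action": old.group(1), "flags": "", "path": old.group(2)})
        elif action and (new := ENTRY_016_RE.match(line)):
            records.append({"action": action, "flags": new.group(1), "path": new.group(2)})
    return records

def to_splunk_kv(records):
    """Render records as key=value lines, which Splunk extracts as fields automatically."""
    return [f'action={r["action"]} flags="{r["flags"]}" path="{r["path"]}"' for r in records]
```

Feed the rendered lines to the `splunk-log` file in place of the sed output and the `action` and `path` fields become searchable directly, e.g. `index=os sourcetype=aide action=changed`.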