If you control the development and production servers and you can install aide, it's an excellent way to see changes in a directory tree or file collection.
You can run aide on a set of files and get a database holding file metadata and content hashes. If you make some changes and generate a second database, you can compare them and quickly see a list of modified files.
Feeding this list to rsync can be much faster than syncing two directories over a network -- rsync can get lost in the weeds if you give it a large enough tree.
Get aide-0.19.3.tar.gz and aide-0.19.3.tar.gz.asc from https://github.com/aide/aide/releases/
me% gpg --verify aide-0.19.3.tar.gz.asc
gpg: assuming signed data in 'aide-0.19.3.tar.gz'
gpg: Signature made Sat Jan 31 05:32:02 2026 EST
gpg: using RSA key 5495CDA17C9AC17AB23841A718EE86386022EF57
gpg: Good signature from "Hannes von Haugwitz <hannes@vonhaugwitz.com>" [expired]
gpg: aka "Hannes von Haugwitz <hvhaugwitz@debian.org>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 2BBB D30F AAB2 9B32 53BC FBA6 F694 7DAB 68E7 B931
Subkey fingerprint: 5495 CDA1 7C9A C17A B238 41A7 18EE 8638 6022 EF57
The current public key needed for signature verification is:
pub 4096R/68E7B931 2011-06-28 [expires: 2025-06-27]
uid Hannes von Haugwitz <hannes@vonhaugwitz.com>
If you do not have this key, you can get it from one of the well known PGP key servers. You can check the key with reasonable assurance by running gpg --fingerprint and comparing the output:
me% gpg --fingerprint 2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931
pub rsa4096/0xF6947DAB68E7B931 2011-06-28 [C] [expired: 2023-06-27]
Key fingerprint = 2BBB D30F AAB2 9B32 53BC FBA6 F694 7DAB 68E7 B931
uid [ expired] Hannes von Haugwitz <hannes@vonhaugwitz.com>
uid [ expired] Hannes von Haugwitz <hvhaugwitz@debian.org>
Change to the source directory and do:
dest='/usr/local'
./configure \
--prefix=$dest \
--enable-static \
--enable-year2038 \
--mandir=$dest/man
make
make check [0 tests, but maybe someday that changes...]
sudo make install
This is a basic config file which checks my source directories starting with the letter a.
me% cat /usr/local/etc/aide.conf
# Files and directories to be scanned by aide.

# Location of AIDE database
database_in=file:/var/db/aide/databases/aide.db
database_out=file:/var/db/aide/databases/aide.db.out

# If we want to compare two DBs
database_new=file:/var/db/aide/databases/aide.db.new

# Reports go here
report_url=file:/var/log/aide.log

# --------------------------------------------------------------------
# How to check:
#
# p: permission and file mode bits    a: access timestamp
# i: inode number                     m: modification timestamp
# n: number of links (ref count)      c: inode creation timestamp
# u: user id of owner                 sha1: SHA1 signature
# g: group id of owner
# s: size of file
#
# Scan the files and report any changes in mode bits, inode number,
# reference count, uid, gid, filesize, modification timestamp, and SHA1
# signature. Ignore any changes in the access or creation timestamps.

C=p+i+n+u+g+s+m-md5-tiger+sha1-c-a

# --------------------------------------------------------------------
# What to check -- test directory for comparison.

/usr/local/src/a C

root# mkdir -p /var/db/aide/databases
root# aide -i [Ran very quickly...]
root# chmod 640 /var/log/aide.log
me% ls -l /var/log/aide.log
-rw-r----- 1 root wheel 1117 13-Mar-2026 18:11:34 /var/log/aide.log
me% cat /var/log/aide.log
Start timestamp: 2026-03-13 18:11:29 -0400 (AIDE 0.19.3)
AIDE successfully initialized database.
New AIDE database written to /var/db/aide/databases/aide.db.out
Number of entries: 23515
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/db/aide/databases/aide.db.out
End timestamp: 2026-03-13 18:11:34 -0400 (run time: 0m 5s)
I added a file called LOG to /usr/local/src/a/aide
root# mv /var/db/aide/databases/aide.db.out /var/db/aide/databases/aide.db
root# ls -l /var/db/aide/databases
-rw------- 1 root wheel 3336693 13-Mar-2026 18:11:34 aide.db
After running a new check:
root# aide
me% cat /var/log/aide.log
Start timestamp: 2026-03-13 18:18:51 -0400 (AIDE 0.19.3)
AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 23516
Added entries: 1
Removed entries: 0
Changed entries: 1
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++: /usr/local/src/a/aide/LOG
---------------------------------------------------
Changed entries:
---------------------------------------------------
d > ... m .. : /usr/local/src/a/aide
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /usr/local/src/a/aide
Size : 5 | 6
Mtime : 2026-03-13 17:46:45 -0400 | 2026-03-13 18:18:47 -0400
The attributes of the (uncompressed) database(s):
[...]
End timestamp: 2026-03-13 18:18:53 -0400 (run time: 0m 2s)
Save the old DB, create a new one, and compare them:
root# cd /var/db/aide/databases
root# ls -l
-rw------- 1 root wheel 3638209 14-Mar-2026 05:11:55 aide.db
root# aide -i
root# ls -l
-rw------- 1 root wheel 3638209 14-Mar-2026 05:11:55 aide.db
-rw------- 1 root wheel 3638313 14-Mar-2026 05:23:14 aide.db.out
root# mv aide.db.out aide.db.new
root# ls -l
-rw------- 1 root wheel 3638209 14-Mar-2026 05:11:55 aide.db
-rw------- 1 root wheel 3638313 14-Mar-2026 05:23:14 aide.db.new
root# aide --compare
me% cat /var/log/aide.log
Start timestamp: 2026-03-14 05:23:53 -0400 (AIDE 0.19.3)
AIDE found differences between the two databases!!
Summary:
Total number of entries: 25676
Added entries: 1
Removed entries: 0
Changed entries: 1
---------------------------------------------------
Added entries:
[same as previous output]
End timestamp: 2026-03-14 05:23:54 -0400 (run time: 0m 1s)
If there were no changes, you would see something like this:
Start timestamp: 2026-03-14 05:28:15 -0400 (AIDE 0.19.3)
AIDE found NO differences between the two databases. Looks okay!!
Number of entries: 25676
---------------------------------------------------
The attributes of the (uncompressed) database(s):
[...]
End timestamp: 2026-03-14 05:28:16 -0400 (run time: 0m 1s)
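An added example (not from the original article or the AIDE project): a shell function that pulls the added and changed paths out of a report like the ones above and prints them relative to the scanned tree, which is the form rsync's --files-from option takes. The function names, the sample report and its NOTES, OLD and /etc/motd entries are constructed for illustration.

```shell
#!/bin/sh
# aide_changed_paths REPORT ROOT
# Print every path from the "Added entries" and "Changed entries" sections
# of REPORT that lies under ROOT, relative to ROOT, one per line.
# Removed entries and paths outside ROOT are left out.
aide_changed_paths() {
    awk -v root="${2%/}/" '
        # Section titles stand alone on a line; the Summary counters
        # ("Added entries: 1") carry a number and are not titles.
        /^(Added|Changed) entries:[ \t]*$/ { want = 1; next }
        /^[A-Z][^:]*:[ \t]*$/              { want = 0; next }
        # Entry lines look like "<type><change flags>: /absolute/path".
        want && match($0, /: \//) {
            path = substr($0, RSTART + 2)
            if (index(path, root) == 1)
                print substr(path, length(root) + 1)
        }
    ' "$1"
}

# Constructed sample, modelled on the check report shown above; the NOTES,
# OLD and /etc/motd entries are invented for illustration.
sample_report() {
    cat <<'EOF'
AIDE found differences between database and filesystem!!
Summary:
Added entries: 1
Removed entries: 1
Changed entries: 3
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++: /usr/local/src/a/aide/LOG
---------------------------------------------------
Removed entries:
---------------------------------------------------
f------------: /usr/local/src/a/aide/OLD
---------------------------------------------------
Changed entries:
---------------------------------------------------
d > ... m .. : /usr/local/src/a/aide
f > ... m .. : /usr/local/src/a/apr/NOTES
f > ... m .. : /etc/motd
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /usr/local/src/a/aide
EOF
}
```

Save the output to a file and hand it to rsync with --files-from, using the scanned tree as the source directory. A report with no differences produces an empty list, and removed files are not in the list, so deletions still have to be handled separately.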
You can certainly do the same thing with a Perl, Python, or shell script but you would still have to run the same script on your production system, bring back the results, and compare them to the ones on your dev system.
Aide is useful for checking the integrity of any sensitive files; it's not a bad idea to install it on general principles.
Feel free to send comments.