aide-monitor: Context-Aware Integrity Monitoring for Debian Systems

aide-monitor

Context-aware integrity monitoring for Debian systems, built on top of AIDE.

AIDE · Debian 13 · systemd · Pi-hole · Privoxy

Only alert when something actually matters.

Why aide-monitor?

AIDE is powerful, but on a living Debian system it quickly becomes noisy. Normal package upgrades, expected runtime state, and recurring operational churn can drown out the one change you actually care about. aide-monitor solves that by adding context, package verification, and a lightweight learning layer on top of AIDE.

💡 Key idea: AIDE continues to detect filesystem changes, while aide-monitor decides which of those changes are normal, noteworthy, or genuinely suspicious.

Core features

📦 Apt-aware

Correlates file changes with recent package activity so normal upgrades do not become false alarms.

🔍 Package verification

Uses package ownership and verification checks to distinguish trusted package-managed changes from unexpected drift.

🧠 Learning mode

Suppresses recurring low-risk churn over the first days, so the system becomes quieter and more useful over time.
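To make the three features above concrete, here is an added Python example (not the project's own code) that triages a constructed AIDE "Changed entries" section against constructed /var/log/dpkg.log lines. The `owners` mapping and the `verify_failed` set stand in for the answers `dpkg -S` and `dpkg -V` would give on a real host; the 36-hour window and the three-run churn threshold are assumed tuning values; the watched-location prefixes follow the paths the operational model singles out (/etc, boot files, cron, systemd units, /usr/local). All function and constant names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Locations the README tells operators to always watch (assumed prefix list).
SENSITIVE_PREFIXES = ("/etc/", "/boot/", "/var/spool/cron/", "/usr/local/",
                      "/lib/systemd/", "/usr/lib/systemd/")
UPGRADE_WINDOW = timedelta(hours=36)  # assumption: what counts as "recent" apt activity
CHURN_THRESHOLD = 3                   # assumption: earlier runs before recurring churn is muted
DPKG_LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (install|upgrade) (\S+) ")


def recent_package_activity(dpkg_log, now):
    """Map package -> latest install/upgrade time inside UPGRADE_WINDOW (dpkg.log format)."""
    recent = {}
    for line in dpkg_log.splitlines():
        m = DPKG_LOG_RE.match(line)
        if not m:
            continue  # "status installed", "startup ..." and other lines are not activity
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        pkg = m.group(3).split(":")[0]  # drop the ":arm64" architecture suffix
        if now - when <= UPGRADE_WINDOW and when > recent.get(pkg, datetime.min):
            recent[pkg] = when
    return recent


def changed_paths(aide_report):
    """Paths under AIDE's 'Changed entries:' heading; entries are assumed to end in ': /path'."""
    paths, in_changed = [], False
    for line in aide_report.splitlines():
        if line.endswith("entries:"):
            in_changed = line.startswith("Changed")  # skip Added/Removed sections here
        elif in_changed and ": /" in line:
            paths.append(line.rsplit(": ", 1)[1].strip())
    return paths


def classify(path, owners, recent, verify_failed, history):
    """Return (verdict, reason). owners mimics `dpkg -S`; verify_failed mimics `dpkg -V` hits."""
    pkg = owners.get(path)
    sensitive = path.startswith(SENSITIVE_PREFIXES)
    if pkg is not None:
        if path in verify_failed:
            return "alert", f"owned by {pkg} but dpkg -V reports a content mismatch"
        if pkg in recent:
            return "expected", f"{pkg} upgraded at {recent[pkg]:%Y-%m-%d %H:%M}"
        if sensitive:
            return "review", f"content matches {pkg} but no recent apt activity explains it"
        return "verified", f"content matches {pkg}"
    if sensitive:
        return "alert", "unmanaged change in a watched location"
    if history[path] >= CHURN_THRESHOLD:
        return "suppressed", f"recurring churn, changed in {history[path]} earlier runs"
    return "review", "unmanaged change outside watched locations"


def triage(aide_report, dpkg_log, owners, verify_failed, history, now):
    """Classify every changed path, then record this run in the learning history."""
    recent = recent_package_activity(dpkg_log, now)
    verdicts = {p: classify(p, owners, recent, verify_failed, history)
                for p in changed_paths(aide_report)}
    history.update(verdicts.keys())  # Counter: one more sighting per path
    return verdicts


# --- constructed sample inputs, not output captured from a real system ---
SAMPLE_NOW = datetime(2025, 6, 2, 6, 30)
SAMPLE_DPKG_LOG = """\
2025-05-20 03:10:00 upgrade privoxy:arm64 3.0.34-1 3.0.34-2
2025-06-01 06:25:10 upgrade libssl3t64:arm64 3.5.0-1 3.5.1-1
2025-06-01 06:25:11 upgrade openssl:arm64 3.5.0-1 3.5.1-1
2025-06-01 06:25:12 status installed openssl:arm64 3.5.1-1
"""
SAMPLE_AIDE_REPORT = """\
Changed entries:
---------------
f   ...    .C... : /usr/bin/openssl
f   ...    .C... : /usr/lib/aarch64-linux-gnu/libssl.so.3
f   ...    .C... : /etc/privoxy/config
f   ...    .C... : /etc/cron.d/backup
d   ...    mc... : /var/lib/pihole
f   ...    .C... : /usr/bin/sudo
"""
SAMPLE_OWNERS = {  # stand-in for `dpkg -S <path>` answers
    "/usr/bin/openssl": "openssl",
    "/usr/lib/aarch64-linux-gnu/libssl.so.3": "libssl3t64",
    "/etc/privoxy/config": "privoxy",
    "/usr/bin/sudo": "sudo",
}
SAMPLE_VERIFY_FAILED = {"/usr/bin/sudo"}        # stand-in for paths `dpkg -V` flagged
SAMPLE_HISTORY = Counter({"/var/lib/pihole": 4})  # seen changing in 4 earlier runs


def demo():
    return triage(SAMPLE_AIDE_REPORT, SAMPLE_DPKG_LOG, SAMPLE_OWNERS,
                  SAMPLE_VERIFY_FAILED, Counter(SAMPLE_HISTORY), SAMPLE_NOW)


if __name__ == "__main__":
    for path, (verdict, reason) in demo().items():
        print(f"{verdict:<10} {path}  ({reason})")
```

Run directly, it prints one verdict per path: the two OpenSSL files come out as expected (explained by the upgrade the day before), the unmanaged cron entry and the sudo binary whose contents no longer match its package come out as alerts, the Pi-hole state directory is suppressed as learned churn, and the Privoxy config lands in review. In a real deployment the owners and verify_failed inputs would be filled from `dpkg -S` and `dpkg -V`, and the history counter persisted between timer runs, which is where the learning lives. One caveat worth keeping in mind: `dpkg -V` only compares file contents against the package's recorded md5sums, so a clean result says nothing about permission or ownership changes, which is why the example still returns "review" for a package-owned file in a watched location when no recent apt activity explains the change.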

How it works

The architecture diagram (image not included in this text version) shows the full flow from raw AIDE detection to filtered operator alerts.

Quick start

chmod +x install-aide-monitor.sh
sudo ./install-aide-monitor.sh --dry-run
sudo ./install-aide-monitor.sh

Once installed, the system runs automatically through a systemd timer.

Operational model

In normal operation, there is very little to do. The system stores full reports, writes a concise summary, and only emits alerts when a change cannot be confidently explained. That means most days you do not read AIDE output at all.

⚠️ Always pay attention to unexpected changes in /etc, boot files, cron, systemd units, and local scripts under /usr/local.

Typical workflow

  • Check the timer: systemctl status aide-monitor.timer
  • View recent alerts: journalctl -t aide-alert -n 20
  • Inspect the latest summary: less /var/log/aide/latest.summary
  • Refresh the baseline after intentional local changes: sudo /usr/local/sbin/aide-monitor-refresh

Design philosophy

aide-monitor deliberately stays lightweight. There are no agents, no dashboards, and no external infrastructure. Instead, it combines AIDE, systemd, apt/dpkg metadata, and package verification into a small, auditable system that fits naturally on a Debian Raspberry Pi.

Keep it simple.
Keep it observable.
Only alert on what matters.