During an incident-response investigation you learn that a previously trusted RHEL server may have been tampered with. A cryptographic database of the server's original filesystem state was created with the --init option shortly after deployment. Which utility will let you compare the current files on disk against that baseline and report any unauthorized changes?
The correct utility is AIDE. Advanced Intrusion Detection Environment builds a database of file attributes (hash, size, mtime, permissions, etc.) during initialization, and later runs of aide --check compare the live filesystem to that baseline, producing a report of everything that has changed. This makes it ideal for detecting indicators of compromise such as modified binaries or configuration files.
rkhunter is a rootkit scanner that looks for known signatures and suspicious artifacts, but it does not rely on a pre-saved baseline of every file. fail2ban parses log files and dynamically updates firewall rules to block abusive IP addresses; it does not perform file-integrity checks. auditctl loads kernel audit rules and controls what auditd logs; by itself it neither stores nor compares baselines. Therefore, only AIDE satisfies the requirement to verify the current state of the filesystem against the previously generated cryptographic snapshot.
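To make the init/check workflow concrete, here is an added example (not code from the original page or from the AIDE project) that implements the same idea in miniature: snapshot hash, size, mtime and mode for every regular file under a root, then diff the live tree against that snapshot and report added, removed and changed files. The directory layout, file contents and the simulated tampering in demo() are constructed for illustration.

```python
# Added example: a minimal baseline/check in the spirit of
# `aide --init` / `aide --check`. Not AIDE itself; same principle.
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

TRACKED = ("sha256", "size", "mtime", "mode")  # attributes compared per file


def _record(path: Path) -> dict:
    """Collect the per-file attributes the baseline stores."""
    st = path.lstat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size, "mtime": int(st.st_mtime),
            "mode": oct(stat.S_IMODE(st.st_mode))}


def _scan(root: str) -> dict:
    """Walk root and record every regular (non-symlink) file, keyed by relative path."""
    return {p.relative_to(root).as_posix(): _record(p)
            for p in sorted(Path(root).rglob("*")) if p.is_file() and not p.is_symlink()}


def init_baseline(root: str, db_path: str) -> int:
    """Like `aide --init`: write the snapshot database and return the file count."""
    db = _scan(root)
    Path(db_path).write_text(json.dumps(db, indent=1))
    return len(db)


def check_baseline(root: str, db_path: str) -> dict:
    """Like `aide --check`: report files added, removed, or changed since the baseline."""
    old, new = json.loads(Path(db_path).read_text()), _scan(root)
    changed = {n: [k for k in TRACKED if old[n][k] != new[n][k]] for n in old.keys() & new.keys()}
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": {n: d for n, d in changed.items() if d}}


def demo() -> dict:
    """Constructed scenario: baseline a tree, then alter it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root, db = os.path.join(tmp, "root"), os.path.join(tmp, "aide.db")
        os.makedirs(os.path.join(root, "bin"))
        Path(root, "bin", "ls").write_bytes(b"original ls binary")   # constructed content
        Path(root, "sshd_config").write_text("PermitRootLogin no\n")  # constructed content
        init_baseline(root, db)
        Path(root, "bin", "ls").write_bytes(b"replaced")   # simulated modified binary
        Path(root, "sshd_config").unlink()                 # simulated removed config
        Path(root, "bin", "nc").write_bytes(b"new file")   # simulated added file
        return check_baseline(root, db)
```

Running demo() yields a report listing bin/nc as added, sshd_config as removed, and bin/ls as changed in sha256 and size, which is the kind of finding an aide --check report surfaces during an investigation.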
CompTIA Linux+ XK0-006 (V8)
Security