Step 1: Installing AIDE
Installing the software is quite simple. Just run the following command as the root user:
yum install -y aide
That’s all you need to do for installation.
Step 2: Configuring AIDE
This is the harder part. In order for AIDE to work, we need to compile a database of folders/files that we want notifications about. We will use the AIDE defaults. Setting up monitoring on specific folders/files is outside the scope of this tutorial. Refer to AIDE documentation if you need that type of configuration.
First, we need to initialize AIDE. Run the following command as root:
That will create the database for the first time. Then, run these commands as root:
cd /var/lib/aide
mv aide.db.new.gz aide.db.gz
Unfortunately, this step is required as AIDE will not work without it.
We need to have AIDE inspect our files for the first time as well, so execute these commands as root:
aide --check
aide --update
Go back to the /var/lib/aide directory, and you should find another new database. Remove the first one without the new part in the file name, by running:
Move over the new database:
mv aide.db.new.gz aide.db.gz
Since the default configuration already covers most of our files, we should be fine using it. All that’s left is to have AIDE send you an email if there are any unauthorized changes. For this article, we’ll be using nano as our text editor.
Find the section with MAILTO=root and change root to your email address. Then, run:
Add this to the file:
0 1 * * * /usr/sbin/aide --check
This will make AIDE check and send you an email once per day if it detects that a file has been modified.
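As an added example (not part of the original tutorial), the check, update and database-rotation steps above can be wrapped in one script that also decodes AIDE's exit status. It assumes the tutorial's /var/lib/aide paths; the aide.db.gz.prev file name and the --check/--accept script arguments are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example (not from the original tutorial).
# DB_DIR and the aide.db*.gz names follow the tutorial; aide.db.gz.prev is a
# name assumed here for the kept-back copy of the old baseline.
DB_DIR=${DB_DIR:-/var/lib/aide}

# Translate the exit status of `aide --check` / `aide --update` into words.
# 0 = no differences; 1-7 = bitmask (1 added, 2 removed, 4 changed);
# 14-19 = AIDE errors. Anything above 7 is reported as an error here.
aide_status_text() {
    code=$1
    if [ "$code" -eq 0 ]; then echo "no differences"; return 0; fi
    if [ "$code" -gt 7 ]; then echo "aide error (status $code)"; return 0; fi
    out=""
    if [ $((code & 1)) -ne 0 ]; then out="$out added"; fi
    if [ $((code & 2)) -ne 0 ]; then out="$out removed"; fi
    if [ $((code & 4)) -ne 0 ]; then out="$out changed"; fi
    echo "files:$out"
}

# Make aide.db.new.gz the active baseline. Unlike the tutorial's rm + mv,
# the previous baseline is kept so an accepted change can still be audited.
promote_db() {
    dir=$1
    if [ ! -f "$dir/aide.db.new.gz" ]; then
        echo "no new database in $dir" >&2
        return 1
    fi
    if [ -f "$dir/aide.db.gz" ]; then
        mv "$dir/aide.db.gz" "$dir/aide.db.gz.prev"
    fi
    mv "$dir/aide.db.new.gz" "$dir/aide.db.gz"
}

# Usage (as root): script --check   report only, suitable for cron
#                  script --accept  report, then accept the current state
case "${1:-}" in
    --check)
        rc=0; aide --check || rc=$?
        aide_status_text "$rc" ;;
    --accept)
        rc=0; aide --update || rc=$?
        aide_status_text "$rc"
        if [ "$rc" -le 7 ]; then promote_db "$DB_DIR"; fi ;;
esac
```

Running with --accept makes the current file state the new baseline, so read the report before using it.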