Setting up AIDE on CentOS 6

Last Updated: Wed, Jul 15, 2015
CentOS Security Server Apps
Archived content

This article is outdated and may not work correctly for current operating systems or software.

After you've secured your server with routine tasks like changing your SSH port and setting firewall rules, you're mostly safe. There is still a chance, though, that an attacker gains access to your server. When this happens, your next line of defense is learning when files on your server are modified. With AIDE, you're notified when certain files on your server are modified.

This article will teach you how to install AIDE to better protect your server on CentOS 6.

Step 1: Installing AIDE

Installing the software is quite simple. Just run the following command as the root user:

yum install -y aide

That's all you need to do for installation.

Step 2: Configuring AIDE

This is the harder part. In order for AIDE to work, we need to compile a database of folders/files that we want notifications about. We will use the AIDE defaults. Setting up monitoring on specific folders/files is outside the scope of this tutorial. Refer to AIDE documentation if you need that type of configuration.

First, we need to initialize AIDE. Run the following command as root:

aide --init

That will create the database for the first time. Then, run these commands as root:

cd /var/lib/aide

mv aide.db.new.gz aide.db.gz

Unfortunately, this step is required as AIDE will not work without it.

We need to have AIDE inspect our files for the first time as well, so execute these commands as root:

aide --check

aide --update

Go back to the /var/lib/aide directory, and you should find another new database. Remove the old one (the file without "new" in its name) by running:

rm aide.db.gz

Move over the new database:

mv aide.db.new.gz aide.db.gz

Since the default configuration already covers most of our files, we should be fine using it. All that's left is to have AIDE send you an email if there are any unauthorized changes. For this article, we'll use nano as our text editor.

nano /etc/crontab

Find the line MAILTO=root and change root to your email address. Then, run:

crontab -e

Add this line to the file:

0 1 * * * /usr/sbin/aide --check

This will make AIDE check and send you an email once per day if it detects that a file has been modified.
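An added example, not part of the original article, that scripts the steps above for the daily cron job: it performs the database rotation (mv aide.db.new.gz aide.db.gz), records a checksum of the active database so a tampered aide.db.gz is noticed before the check runs, and prints the report only when AIDE finds differences. The /usr/sbin/aide and /var/lib/aide paths come from the article; the aide.db.gz.sha256 file name, the AIDE_BIN/AIDE_DIR/RUN_AIDE_CHECK variables, the /root/aide-check.sh script path and the "AIDE found differences" report line matched by grep are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): a wrapper for the daily cron job.
# Assumptions: AIDE as shipped with CentOS 6, binary /usr/sbin/aide, database in
# /var/lib/aide, a reference checksum kept in aide.db.gz.sha256 (root-only), and
# the "AIDE found differences" line that AIDE prints when the check finds changes.
AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"
AIDE_DIR="${AIDE_DIR:-/var/lib/aide}"

# The rotation step from the article ("mv aide.db.new.gz aide.db.gz"), followed by
# recording a checksum of the now-active database. Keep a copy of the .sha256 file
# off the host: an attacker who can rewrite aide.db.gz can hide their changes.
aide_rotate_db() {
    if [ ! -f "$AIDE_DIR/aide.db.new.gz" ]; then
        echo "no new database in $AIDE_DIR to rotate (run aide --init or --update first)" >&2
        return 1
    fi
    mv "$AIDE_DIR/aide.db.new.gz" "$AIDE_DIR/aide.db.gz" || return 1
    (cd "$AIDE_DIR" && sha256sum aide.db.gz > aide.db.gz.sha256 && chmod 600 aide.db.gz.sha256)
}

# Succeeds only if the active database still matches the recorded checksum.
aide_db_intact() {
    [ -f "$AIDE_DIR/aide.db.gz.sha256" ] || return 1
    (cd "$AIDE_DIR" && sha256sum -c --status aide.db.gz.sha256)
}

# Run the check. Prints the report only when AIDE found differences, so a cron
# mail means "something changed" rather than "the job ran". Returns 2 if the
# database itself was tampered with, otherwise AIDE's own exit status.
aide_check_report() {
    if ! aide_db_intact; then
        echo "ALERT: $AIDE_DIR/aide.db.gz does not match its recorded checksum" >&2
        return 2
    fi
    status=0
    report=$("$AIDE_BIN" --check 2>&1) || status=$?
    if printf '%s\n' "$report" | grep -q 'AIDE found differences'; then
        printf '%s\n' "$report"
    fi
    return $status
}

# Cron line (in place of the article's "0 1 * * * /usr/sbin/aide --check"):
#   0 1 * * * RUN_AIDE_CHECK=1 /bin/sh /root/aide-check.sh
if [ "${RUN_AIDE_CHECK:-0}" = "1" ]; then
    aide_check_report
fi
```

After an intentional change (a package update, a deploy to the web directory), run aide --update and then aide_rotate_db so the checksum on file matches the new database.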

Conclusion

This covers most cases; however, you must update the database every time you modify system files or anything in your web directory. If an attacker places malware on your system, AIDE will tell you where it is, and you'll be able to disinfect your system.
