diff --git a/aide.conf b/aide.conf index 6818526..8524225 100644 --- a/aide.conf +++ b/aide.conf @@ -14,20 +14,49 @@ database_out=file:@@{DBDIR}/aide.db.new.gz # Whether to gzip the output to database gzip_dbout=yes +# Database attributes to include in report (H = all compiled hashsums, default) +database_attrs=H + +# Add metadata to database (version info, timestamps) +database_add_metadata=yes + +# Warn about unrestricted rules during config check (default: false) +config_check_warn_unrestricted_rules=false + +# Number of workers for parallel processing (default: 1, can use percentage) +num_workers=1 + # Default. log_level=warning report_level=changed_attributes +# Report format (plain or json) +report_format=plain + +# Group files in report by added/removed/changed +report_grouped=yes + +# Summarize changes in report +report_summarize_changes=yes + +# Don't report if no differences found +report_quiet=no + +# Report encoding (base64 is default, base16 available) +report_base16=no + report_url=file:@@{LOGDIR}/aide.log report_url=stdout #report_url=stderr -#NOT IMPLEMENTED report_url=mailto:root@foo.com -#NOT IMPLEMENTED report_url=syslog:LOG_AUTH +#report_url=syslog:LOG_AUTH # These are the default rules. # +#ftype: file type +#fstype: file system type (Linux-only) #p: permissions -#i: inode: +#i: inode +#l: link name (symbolic links only) #n: number of links #u: user #g: group @@ -36,55 +65,78 @@ report_url=stdout #m: mtime #a: atime #c: ctime -#S: check for growing size #acl: Access Control Lists #selinux SELinux security context #xattrs: Extended file attributes -#md5: md5 checksum -#sha1: sha1 checksum +#e2fsattrs: file attributes on Linux file system +#caps: file capabilities (Linux-only) + +# Hashsums attributes (regular files only) #sha256: sha256 checksum #sha512: sha512 checksum -#rmd160: rmd160 checksum -#tiger: tiger checksum +#sha512_256: SHA-512 checksum truncated to 256 output bits +#sha3_256: SHA3-256 checksum (modern) +#sha3_512: SHA3-512 checksum (modern) +#stribog256: GOST R 34.11-2012, 256 bit +#stribog512: GOST R 34.11-2012, 512 bit -#haval: haval checksum (MHASH only) -#gost: gost checksum (MHASH only) -#crc32: crc32 checksum (MHASH only) -#whirlpool: whirlpool checksum (MHASH only) +# DEPRECATED (will be removed in future versions): +#md5: md5 checksum (deprecated since v0.19) +#sha1: sha1 checksum (deprecated since v0.19) +#rmd160: rmd160 checksum (deprecated since v0.19) +#gost: gost checksum (deprecated since v0.19) -FIPSR = p+i+n+u+g+s+acl+selinux+xattrs+sha256 +# REMOVED in AIDE v0.19: +#S: check for growing size (use 'growing+s' instead) +#tiger: tiger checksum (removed) +#haval: haval checksum (removed) +#crc32: crc32 checksum (removed) +#crc32b: crc32b checksum (removed) +#whirlpool: whirlpool checksum (removed) -#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5 -#L: p+i+n+u+g+acl+selinux+xattrs -#E: Empty group -#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs +# Special attributes for advanced use cases: +#I: ignore changed filename - detects moved files by inode +#growing: ignore growing file size/timestamps for logs +#compressed: ignore compression - compares uncompressed content +#ANF: allow new files - new files ignored in report +#ARF: allow removed files - missing files ignored in report + +# Default groups in AIDE v0.19: +# R = p+ftype+i+l+n+u+g+s+m+c+sha3_256+X +# L = p+ftype+i+l+n+u+g+X +# > = Growing file p+ftype+l+u+g+i+n+s+growing+X +# H = all compiled in (and not deprecated) hashsums +# X = acl+selinux+xattrs+e2fsattrs+caps (if compiled in) +# E = Empty group +# Use 'aide --version' to list the default compound groups. # You can create custom rules like this. -# With MHASH... -# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 -ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger -# Everything but access time (Ie. all changes) +# Note: Removed deprecated/removed hashsums (tiger, haval, crc32, crc32b, whirlpool, md5, sha1, rmd160, gost) +ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512 +# Everything but access time (Ie. all changes) - updated with modern hashsums EVERYTHING = R+ALLXTRAHASHES -# Sane, with multiple hashes -# NORMAL = R+rmd160+sha256+whirlpool -NORMAL = FIPSR+sha512 +# Base + sha512 (strong) +NORMAL = R+sha512-m-c -# For directories, don't bother doing hashes -DIR = p+i+n+u+g+acl+selinux+xattrs +# Content only - added file type and strong hash +CONTENT = ftype+sha512 -# Access control only -PERMS = p+i+u+g+acl+selinux +# For directories, don't bother doing hashes - added file type and link name +DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs -# Logfile are special, in that they often change -LOG = > +# Access control only - added file type and link name +PERMS = ftype+p+i+l+u+g+acl+selinux -# Just do sha256 and sha512 hashes -LSPP = FIPSR+sha512 +# Logfiles are special, in that they often change due to log rotation +# Track only: permissions, file type, user, group, number of links, SELinux context, extended attributes +# Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques +# Don't track: size, inodes, timestamps, checksums and some special attributes (these change frequently with log rotation) +LOG = p+ftype+u+g+n+ANF+ARF+selinux+xattrs # Some files get updated automatically, so the inode/ctime/mtime change -# but we want to know when the data inside them changes -DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 +# but we want to know when the data inside them changes - updated with modern hash +DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 # Next decide what directories/files you want in the database. @@ -93,124 +145,217 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 /sbin NORMAL /lib NORMAL /lib64 NORMAL -/opt NORMAL +# Monitor /opt selectively to avoid noise from auto-updating applications +/opt CONTENT /usr NORMAL -/root NORMAL # These are too volatile !/usr/src !/usr/tmp +# Admins dot files constantly change, just check perms +/root/\..* PERMS +!/root/.xauth* +/root NORMAL + # Check only permissions, inode, user and group for /etc, but # cover some important files closely. /etc PERMS !/etc/mtab # Ignore backup files !/etc/.*~ -/etc/exports NORMAL -/etc/fstab NORMAL -/etc/passwd NORMAL -/etc/group NORMAL -/etc/gshadow NORMAL -/etc/shadow NORMAL -/etc/security/opasswd NORMAL -/etc/hosts.allow NORMAL -/etc/hosts.deny NORMAL +# trusted databases +/etc/hosts$ NORMAL +/etc/host.conf$ NORMAL +/etc/hostname$ NORMAL +/etc/issue$ NORMAL +/etc/issue.net$ NORMAL +/etc/protocols$ NORMAL +/etc/services$ NORMAL +/etc/localtime$ NORMAL +/etc/alternatives NORMAL +/etc/mime.types$ NORMAL +/etc/terminfo NORMAL +/etc/exports$ NORMAL +/etc/fstab$ NORMAL +/etc/passwd$ NORMAL +/etc/group$ NORMAL +/etc/gshadow$ NORMAL +/etc/shadow$ NORMAL +/etc/subgid$ NORMAL +/etc/subuid$ NORMAL +/etc/skel NORMAL +/etc/sssd NORMAL +/etc/swid NORMAL +/etc/system-release-cpe$ NORMAL +/etc/tmux.conf$ NORMAL +/etc/xattr.conf$ NORMAL -/etc/sudoers NORMAL -/etc/skel NORMAL +# networking +/etc/firewalld NORMAL +!/etc/NetworkManager/system-connections +/etc/NetworkManager NORMAL +/etc/networks$ NORMAL +/etc/dhcp NORMAL +/etc/wpa_supplicant NORMAL +/etc/resolv.conf$ DATAONLY -/etc/logrotate.d NORMAL - -/etc/resolv.conf DATAONLY - -/etc/nscd.conf NORMAL -/etc/securetty NORMAL +# logins and accounts +/etc/login.defs$ NORMAL +/etc/libuser.conf$ NORMAL +/var/log/faillog$ PERMS +/var/log/lastlog$ PERMS +/var/run/faillock PERMS +/etc/pam.d NORMAL +/etc/security NORMAL +/etc/securetty$ NORMAL +/etc/polkit-1 NORMAL +/etc/sudo.conf$ NORMAL +/etc/sudoers$ NORMAL +/etc/sudoers.d NORMAL # Shell/X starting files -/etc/profile NORMAL -/etc/bashrc NORMAL -/etc/bash_completion.d/ NORMAL -/etc/login.defs NORMAL -/etc/zprofile NORMAL -/etc/zshrc NORMAL -/etc/zlogin NORMAL -/etc/zlogout NORMAL -/etc/profile.d/ NORMAL -/etc/X11/ NORMAL +/etc/profile$ NORMAL +/etc/profile.d NORMAL +/etc/bashrc$ NORMAL +/etc/bash_completion.d NORMAL +/etc/zprofile$ NORMAL +/etc/zshrc$ NORMAL +/etc/zlogin$ NORMAL +/etc/zlogout$ NORMAL +/etc/X11 NORMAL +/etc/shells$ NORMAL # Pkg manager -/etc/yum.conf NORMAL -/etc/yumex.conf NORMAL -/etc/yumex.profiles.conf NORMAL -/etc/yum/ NORMAL -/etc/yum.repos.d/ NORMAL +/etc/dnf NORMAL +/etc/yum.repos.d NORMAL + +# auditing +# AIDE produces an audit record, so this becomes perpetual motion. +/var/log/audit PERMS +/etc/audit NORMAL +/etc/libaudit.conf$ NORMAL +/etc/aide.conf$ NORMAL + +# System logs with proper logrotate handling +/etc/rsyslog.conf$ NORMAL +/etc/rsyslog.d NORMAL +/etc/logrotate.conf$ NORMAL +/etc/logrotate.d NORMAL +/etc/systemd/journald.conf$ NORMAL + +# Log directory +/var/log LOG +# Journal files - exclude xattrs due to systemd journal's user.crtime_usec extended attribute changes +/var/log/journal LOG-xattrs -/var/log LOG /var/run/utmp LOG + +# secrets +/etc/pkcs11 NORMAL +/etc/pki NORMAL +/etc/ssl NORMAL +/etc/certmonger NORMAL +/var/lib/systemd/random-seed$ PERMS + +# init system +/etc/systemd NORMAL +/etc/sysconfig NORMAL +/etc/rc.d NORMAL +/etc/tmpfiles.d NORMAL +/etc/machine-id$ NORMAL + +# boot config +/etc/default NORMAL +/etc/grub.d NORMAL +/etc/grub2.cfg$ NORMAL +/etc/dracut.conf$ NORMAL +/etc/dracut.conf.d NORMAL + +# glibc linker +/etc/ld.so.cache$ NORMAL +/etc/ld.so.conf$ NORMAL +/etc/ld.so.conf.d NORMAL +/etc/ld.so.preload$ NORMAL + +# kernel config +/etc/sysctl.conf$ NORMAL +/etc/sysctl.d NORMAL +/etc/modprobe.d NORMAL +/etc/modules-load.d NORMAL +/etc/depmod.d NORMAL +/etc/udev NORMAL +/etc/crypttab$ NORMAL + +#### Daemons #### + +# cron jobs +/var/spool/at CONTENT +/etc/at.allow$ CONTENT +/etc/at.deny$ CONTENT +/etc/anacrontab$ NORMAL +/etc/cron.allow$ NORMAL +/etc/cron.deny$ NORMAL +/etc/cron.d NORMAL +/etc/cron.daily NORMAL +/etc/cron.hourly NORMAL +/etc/cron.monthly NORMAL +/etc/cron.weekly NORMAL +/etc/crontab$ NORMAL +/var/spool/cron/root CONTENT + +# time keeping +/etc/chrony.conf$ NORMAL +/etc/chrony.keys$ NORMAL + +# mail +/etc/aliases$ NORMAL +/etc/aliases.db$ NORMAL +/etc/postfix NORMAL + +# ssh +/etc/ssh/sshd_config$ NORMAL +/etc/ssh/ssh_config$ NORMAL + +# stunnel +/etc/stunnel NORMAL + +# ftp +/etc/vsftpd CONTENT + +# printing +/etc/cups NORMAL +/etc/cupshelpers NORMAL +/etc/avahi NORMAL + +# web server +/etc/httpd NORMAL + +# dns +/etc/named NORMAL +/etc/named.conf$ NORMAL +/etc/named.iscdlv.key$ NORMAL +/etc/named.rfc1912.zones$ NORMAL +/etc/named.root.key$ NORMAL + +# xinetd +/etc/xinetd.conf$ NORMAL +/etc/xinetd.d NORMAL + +# IPsec +/etc/ipsec.conf$ NORMAL +/etc/ipsec.secrets$ NORMAL +/etc/ipsec.d NORMAL + +# USBGuard +/etc/usbguard NORMAL + # This gets new/removes-old filenames daily !/var/log/sa # As we are checking it, we've truncated yesterdays size to zero. !/var/log/aide.log -# LSPP rules... -# AIDE produces an audit record, so this becomes perpetual motion. -# /var/log/audit/ LSPP -/etc/audit/ LSPP -/etc/libaudit.conf LSPP -/usr/sbin/stunnel LSPP -/var/spool/at LSPP -/etc/at.allow LSPP -/etc/at.deny LSPP -/etc/cron.allow LSPP -/etc/cron.deny LSPP -/etc/cron.d/ LSPP -/etc/cron.daily/ LSPP -/etc/cron.hourly/ LSPP -/etc/cron.monthly/ LSPP -/etc/cron.weekly/ LSPP -/etc/crontab LSPP -/var/spool/cron/root LSPP - -/etc/login.defs LSPP -/etc/securetty LSPP -/var/log/faillog LSPP -/var/log/lastlog LSPP - -/etc/hosts LSPP -/etc/sysconfig LSPP - -/etc/inittab LSPP -/etc/grub/ LSPP -/etc/rc.d LSPP - -/etc/ld.so.conf LSPP - -/etc/localtime LSPP - -/etc/sysctl.conf LSPP - -/etc/modprobe.conf LSPP - -/etc/pam.d LSPP -/etc/security LSPP -/etc/aliases LSPP -/etc/postfix LSPP - -/etc/ssh/sshd_config LSPP -/etc/ssh/ssh_config LSPP - -/etc/stunnel LSPP - -/etc/vsftpd.ftpusers LSPP -/etc/vsftpd LSPP - -/etc/issue LSPP -/etc/issue.net LSPP - -/etc/cups LSPP - # With AIDE's default verbosity level of 5, these would give lots of # warnings upon tree traversal. It might change with future version. # @@ -218,8 +363,4 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 #=/home DIR # Ditto /var/log/sa reason... -!/boot/grub2/grubenv -!/var/log/and-httpd - -# Admins dot files constantly change, just check perms -/root/\..* PERMS +!/var/log/httpd \ No newline at end of file diff --git a/aide.spec b/aide.spec index 4154b0b..87eb404 100644 --- a/aide.spec +++ b/aide.spec @@ -1,7 +1,7 @@ Summary: Intrusion detection environment Name: aide Version: 0.19.2 -Release: 1%{?dist} +Release: 2%{?dist} URL: https://github.com/aide/aide License: GPL-2.0-or-later Source0: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz @@ -79,6 +79,12 @@ install -Dpm0644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/aide.conf %{_tmpfilesdir}/aide.conf %changelog +* Thu Sep 25 2025 Attila Lakatos - 0.19.2-2 +- Modernize aide config file +Resolves: RHEL-39970 +- No path reference ends with '/' +Resolves: RHEL-39959 + * Tue Aug 05 2025 Attila Lakatos - 0.19.2-1 - rebase to 0.19.2 Resolves: RHEL-110572