# Example configuration file for AIDE. @@define DBDIR /var/lib/aide @@define LOGDIR /var/log/aide # The location of the database to be read. database=file:@@{DBDIR}/aide.db.gz # The location of the database to be written. #database_out=sql:host:port:database:login_name:passwd:table #database_out=file:aide.db.new database_out=file:@@{DBDIR}/aide.db.new.gz # Whether to gzip the output to database gzip_dbout=yes # Default. verbose=5 report_url=file:@@{LOGDIR}/aide.log report_url=stdout #report_url=stderr #NOT IMPLEMENTED report_url=mailto:root@foo.com #NOT IMPLEMENTED report_url=syslog:LOG_AUTH # These are the default rules. # #p: permissions #i: inode: #n: number of links #u: user #g: group #s: size #b: block count #m: mtime #a: atime #c: ctime #S: check for growing size #acl: Access Control Lists #selinux SELinux security context #xattrs: Extended file attributes #md5: md5 checksum #sha1: sha1 checksum #sha256: sha256 checksum #sha512: sha512 checksum #rmd160: rmd160 checksum #tiger: tiger checksum #haval: haval checksum (MHASH only) #gost: gost checksum (MHASH only) #crc32: crc32 checksum (MHASH only) #whirlpool: whirlpool checksum (MHASH only) #R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5 #L: p+i+n+u+g+acl+selinux+xattrs #E: Empty group #>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs # You can create custom rules like this. # With MHASH... # ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger # Everything but access time (Ie. all changes) EVERYTHING = R+ALLXTRAHASHES # Sane # NORMAL = R+sha512 NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512 # For directories, don't bother doing hashes DIR = p+i+n+u+g+acl+selinux+xattrs # Access control only PERMS = p+u+g+acl+selinux+xattrs # Logfile are special, in that they often change LOG = p+u+g+n+S+acl+selinux+xattrs # Content + file type. CONTENT = sha512+ftype # Extended content + file type + access. CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs # Some files get updated automatically, so the inode/ctime/mtime change # but we want to know when the data inside them changes DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512 # Next decide what directories/files you want in the database. /boot/ CONTENT_EX /opt/ CONTENT # Admins dot files constantly change, just check perms /root/\..* PERMS # Otherwise get all of /root. /root/ CONTENT_EX # These are too volatile !/usr/src/ !/usr/tmp/ # Otherwise get all of /usr. /usr/ CONTENT_EX # trusted databases /etc/hosts$ CONTENT_EX /etc/host.conf$ CONTENT_EX /etc/hostname$ CONTENT_EX /etc/issue$ CONTENT_EX /etc/issue.net$ CONTENT_EX /etc/protocols$ CONTENT_EX /etc/services$ CONTENT_EX /etc/localtime$ CONTENT_EX /etc/alternatives/ CONTENT_EX /etc/sysconfig/ CONTENT_EX /etc/mime.types$ CONTENT_EX /etc/terminfo/ CONTENT_EX /etc/exports$ CONTENT_EX /etc/fstab$ CONTENT_EX /etc/passwd$ CONTENT_EX /etc/group$ CONTENT_EX /etc/gshadow$ CONTENT_EX /etc/shadow$ CONTENT_EX /etc/subgid$ CONTENT_EX /etc/subuid$ CONTENT_EX /etc/security/opasswd$ CONTENT_EX /etc/skel/ CONTENT_EX /etc/subuid$ CONTENT_EX /etc/subgid$ CONTENT_EX /etc/sssd/ CONTENT_EX /etc/machine-id$ CONTENT_EX /etc/swid/ CONTENT_EX /etc/system-release-cpe$ CONTENT_EX /etc/shells$ CONTENT_EX /etc/tmux.conf$ CONTENT_EX /etc/xattr.conf$ CONTENT_EX # networking /etc/hosts.allow$ CONTENT_EX /etc/hosts.deny$ CONTENT_EX /etc/firewalld/ CONTENT_EX !/etc/NetworkManager/system-connections/ /etc/NetworkManager/ CONTENT_EX /etc/networks$ CONTENT_EX /etc/dhcp/ CONTENT_EX /etc/wpa_supplicant/ CONTENT_EX /etc/resolv.conf$ DATAONLY /etc/nscd.conf$ CONTENT_EX # logins and accounts /etc/login.defs$ CONTENT_EX /etc/libuser.conf$ CONTENT_EX /var/log/faillog$ PERMS /var/log/lastlog$ PERMS /var/run/faillock/ PERMS /etc/pam.d/ CONTENT_EX /etc/security/ CONTENT_EX /etc/securetty$ CONTENT_EX /etc/polkit-1/ CONTENT_EX /etc/sudo.conf$ CONTENT_EX /etc/sudoers$ CONTENT_EX /etc/sudoers.d/ CONTENT_EX # Shell/X startup files /etc/profile$ CONTENT_EX /etc/profile.d/ CONTENT_EX /etc/bashrc$ CONTENT_EX /etc/bash_completion.d/ CONTENT_EX /etc/zprofile$ CONTENT_EX /etc/zshrc$ CONTENT_EX /etc/zlogin$ CONTENT_EX /etc/zlogout$ CONTENT_EX /etc/X11/ CONTENT_EX # Pkg manager /etc/dnf/ CONTENT_EX /etc/yum.conf$ CONTENT_EX /etc/yum/ CONTENT_EX /etc/yum.repos.d/ CONTENT_EX # This gets new/removes-old filenames daily !/var/log/sa # As we are checking it, we've truncated yesterdays size to zero. !/var/log/aide.log # auditing # AIDE produces an audit record, so this becomes perpetual motion. /var/log/audit/ PERMS /etc/audit/ CONTENT_EX /etc/libaudit.conf$ CONTENT_EX /etc/aide.conf$ CONTENT_EX # System logs /etc/rsyslog.conf$ CONTENT_EX /etc/rsyslog.d/ CONTENT_EX /etc/logrotate.conf$ CONTENT_EX /etc/logrotate.d/ CONTENT_EX /etc/systemd/journald.conf$ CONTENT_EX /var/log/ LOG+ANF+ARF /var/run/utmp/ LOG # secrets /etc/pkcs11/ CONTENT_EX /etc/pki/ CONTENT_EX /etc/crypto-policies/ CONTENT_EX /etc/certmonger/ CONTENT_EX /var/lib/systemd/random-seed$ PERMS # init system /etc/systemd/ CONTENT_EX /etc/rc.d/ CONTENT_EX /etc/tmpfiles.d/ CONTENT_EX # boot config /etc/default/ CONTENT_EX /etc/grub.d/ CONTENT_EX /etc/dracut.conf$ CONTENT_EX /etc/dracut.conf.d/ CONTENT_EX # glibc linker /etc/ld.so.cache$ CONTENT_EX /etc/ld.so.conf$ CONTENT_EX /etc/ld.so.conf.d/ CONTENT_EX /etc/ld.so.preload$ CONTENT_EX # kernel config /etc/sysctl.conf$ CONTENT_EX /etc/sysctl.d/ CONTENT_EX /etc/modprobe.d/ CONTENT_EX /etc/modules-load.d/ CONTENT_EX /etc/depmod.d/ CONTENT_EX /etc/udev/ CONTENT_EX /etc/crypttab$ CONTENT_EX #### Daemons #### # cron jobs /var/spool/at/ CONTENT /etc/at.allow$ CONTENT /etc/at.deny$ CONTENT /var/spool/anacron/ CONTENT /etc/anacrontab$ CONTENT_EX /etc/cron.allow$ CONTENT_EX /etc/cron.deny$ CONTENT_EX /etc/cron.d/ CONTENT_EX /etc/cron.daily/ CONTENT_EX /etc/cron.hourly/ CONTENT_EX /etc/cron.monthly/ CONTENT_EX /etc/cron.weekly/ CONTENT_EX /etc/crontab$ CONTENT_EX /var/spool/cron/root/ CONTENT # time keeping /etc/chrony.conf$ CONTENT_EX /etc/chrony.keys$ CONTENT_EX # mail /etc/aliases$ CONTENT_EX /etc/aliases.db$ CONTENT_EX /etc/postfix/ CONTENT_EX # ssh /etc/ssh/sshd_config$ CONTENT_EX /etc/ssh/ssh_config$ CONTENT_EX # stunnel /etc/stunnel/ CONTENT_EX # printing /etc/cups/ CONTENT_EX /etc/cupshelpers/ CONTENT_EX /etc/avahi/ CONTENT_EX # web server /etc/httpd/ CONTENT_EX # dns /etc/named/ CONTENT_EX /etc/named.conf$ CONTENT_EX /etc/named.iscdlv.key$ CONTENT_EX /etc/named.rfc1912.zones$ CONTENT_EX /etc/named.root.key$ CONTENT_EX # xinetd /etc/xinetd.conf$ CONTENT_EX /etc/xinetd.d/ CONTENT_EX # IPsec /etc/ipsec.conf$ CONTENT_EX /etc/ipsec.secrets$ CONTENT_EX /etc/ipsec.d/ CONTENT_EX # USB guard /etc/usbguard/ CONTENT_EX # Ignore some files !/etc/mtab$ !/etc/.*~ # Now everything else /etc/ PERMS # With AIDE's default verbosity level of 5, these would give lots of # warnings upon tree traversal. It might change with future version. # #=/lost\+found DIR #=/home DIR # Ditto /var/log/sa reason... !/var/log/and-httpd # Admins dot files constantly change, just check perms /root/\..* PERMS !/root/.xauth*