6ac4f1
# Example configuration file for AIDE.
6ac4f1
6ac4f1
@@define DBDIR /var/lib/aide
6ac4f1
@@define LOGDIR /var/log/aide
6ac4f1
6ac4f1
# The location of the database to be read.
6ac4f1
database=file:@@{DBDIR}/aide.db.gz
6ac4f1
6ac4f1
# The location of the database to be written.
6ac4f1
#database_out=sql:host:port:database:login_name:passwd:table
6ac4f1
#database_out=file:aide.db.new
6ac4f1
database_out=file:@@{DBDIR}/aide.db.new.gz
6ac4f1
6ac4f1
# Whether to gzip the output to database
6ac4f1
gzip_dbout=yes
6ac4f1
6ac4f1
# Default.
6ac4f1
verbose=5
6ac4f1
6ac4f1
report_url=file:@@{LOGDIR}/aide.log
6ac4f1
report_url=stdout
6ac4f1
#report_url=stderr
6ac4f1
#NOT IMPLEMENTED report_url=mailto:root@foo.com
6ac4f1
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
6ac4f1
6ac4f1
# These are the default rules.
6ac4f1
#
6ac4f1
#p:      permissions
6ac4f1
#i:      inode:
6ac4f1
#n:      number of links
6ac4f1
#u:      user
6ac4f1
#g:      group
6ac4f1
#s:      size
6ac4f1
#b:      block count
6ac4f1
#m:      mtime
6ac4f1
#a:      atime
6ac4f1
#c:      ctime
6ac4f1
#S:      check for growing size
6ac4f1
#acl:           Access Control Lists
6ac4f1
#selinux        SELinux security context
6ac4f1
#xattrs:        Extended file attributes
6ac4f1
#md5:    md5 checksum
6ac4f1
#sha1:   sha1 checksum
6ac4f1
#sha256:        sha256 checksum
6ac4f1
#sha512:        sha512 checksum
6ac4f1
#rmd160: rmd160 checksum
6ac4f1
#tiger:  tiger checksum
6ac4f1
6ac4f1
#haval:  haval checksum (MHASH only)
6ac4f1
#gost:   gost checksum (MHASH only)
6ac4f1
#crc32:  crc32 checksum (MHASH only)
6ac4f1
#whirlpool:     whirlpool checksum (MHASH only)
6ac4f1
6ac4f1
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
6ac4f1
6ac4f1
#R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
6ac4f1
#L:             p+i+n+u+g+acl+selinux+xattrs
6ac4f1
#E:             Empty group
6ac4f1
#>:             Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
6ac4f1
6ac4f1
# You can create custom rules like this.
6ac4f1
# With MHASH...
6ac4f1
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
6ac4f1
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
6ac4f1
# Everything but access time (Ie. all changes)
6ac4f1
EVERYTHING = R+ALLXTRAHASHES
6ac4f1
6ac4f1
# Sane, with multiple hashes
6ac4f1
# NORMAL = R+rmd160+sha256+whirlpool
6ac4f1
NORMAL = FIPSR+sha512
6ac4f1
6ac4f1
# For directories, don't bother doing hashes
6ac4f1
DIR = p+i+n+u+g+acl+selinux+xattrs
6ac4f1
6ac4f1
# Access control only
6ac4f1
PERMS = p+i+u+g+acl+selinux
6ac4f1
6ac4f1
# Logfile are special, in that they often change
6ac4f1
LOG = >
6ac4f1
6ac4f1
# Just do sha256 and sha512 hashes
6ac4f1
LSPP = FIPSR+sha512
6ac4f1
6ac4f1
# Some files get updated automatically, so the inode/ctime/mtime change
6ac4f1
# but we want to know when the data inside them changes
6ac4f1
DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
6ac4f1
6ac4f1
# Next decide what directories/files you want in the database.
6ac4f1
6ac4f1
/boot   NORMAL
6ac4f1
/bin    NORMAL
6ac4f1
/sbin   NORMAL
6ac4f1
/lib    NORMAL
6ac4f1
/lib64  NORMAL
6ac4f1
/opt    NORMAL
6ac4f1
/usr    NORMAL
6ac4f1
/root   NORMAL
6ac4f1
# These are too volatile
6ac4f1
!/usr/src
6ac4f1
!/usr/tmp
6ac4f1
6ac4f1
# Check only permissions, inode, user and group for /etc, but
6ac4f1
# cover some important files closely.
6ac4f1
/etc    PERMS
6ac4f1
!/etc/mtab
6ac4f1
# Ignore backup files
6ac4f1
!/etc/.*~
6ac4f1
/etc/exports  NORMAL
6ac4f1
/etc/fstab    NORMAL
6ac4f1
/etc/passwd   NORMAL
6ac4f1
/etc/group    NORMAL
6ac4f1
/etc/gshadow  NORMAL
6ac4f1
/etc/shadow   NORMAL
6ac4f1
/etc/security/opasswd   NORMAL
6ac4f1
6ac4f1
/etc/hosts.allow   NORMAL
6ac4f1
/etc/hosts.deny    NORMAL
6ac4f1
6ac4f1
/etc/sudoers NORMAL
6ac4f1
/etc/skel NORMAL
6ac4f1
6ac4f1
/etc/logrotate.d NORMAL
6ac4f1
6ac4f1
/etc/resolv.conf DATAONLY
6ac4f1
6ac4f1
/etc/nscd.conf NORMAL
6ac4f1
/etc/securetty NORMAL
6ac4f1
6ac4f1
# Shell/X starting files
6ac4f1
/etc/profile NORMAL
6ac4f1
/etc/bashrc NORMAL
6ac4f1
/etc/bash_completion.d/ NORMAL
6ac4f1
/etc/login.defs NORMAL
6ac4f1
/etc/zprofile NORMAL
6ac4f1
/etc/zshrc NORMAL
6ac4f1
/etc/zlogin NORMAL
6ac4f1
/etc/zlogout NORMAL
6ac4f1
/etc/profile.d/ NORMAL
6ac4f1
/etc/X11/ NORMAL
6ac4f1
6ac4f1
# Pkg manager
6ac4f1
/etc/yum.conf NORMAL
6ac4f1
/etc/yumex.conf NORMAL
6ac4f1
/etc/yumex.profiles.conf NORMAL
6ac4f1
/etc/yum/ NORMAL
6ac4f1
/etc/yum.repos.d/ NORMAL
6ac4f1
6ac4f1
/var/log   LOG
6ac4f1
/var/run/utmp LOG
6ac4f1
6ac4f1
# This gets new/removes-old filenames daily
6ac4f1
!/var/log/sa
6ac4f1
# As we are checking it, we've truncated yesterdays size to zero.
6ac4f1
!/var/log/aide.log
6ac4f1
6ac4f1
# LSPP rules...
6ac4f1
# AIDE produces an audit record, so this becomes perpetual motion.
6ac4f1
# /var/log/audit/ LSPP
6ac4f1
/etc/audit/ LSPP
6ac4f1
/etc/libaudit.conf LSPP
6ac4f1
/usr/sbin/stunnel LSPP
6ac4f1
/var/spool/at LSPP
6ac4f1
/etc/at.allow LSPP
6ac4f1
/etc/at.deny LSPP
6ac4f1
/etc/cron.allow LSPP
6ac4f1
/etc/cron.deny LSPP
6ac4f1
/etc/cron.d/ LSPP
6ac4f1
/etc/cron.daily/ LSPP
6ac4f1
/etc/cron.hourly/ LSPP
6ac4f1
/etc/cron.monthly/ LSPP
6ac4f1
/etc/cron.weekly/ LSPP
6ac4f1
/etc/crontab LSPP
6ac4f1
/var/spool/cron/root LSPP
6ac4f1
6ac4f1
/etc/login.defs LSPP
6ac4f1
/etc/securetty LSPP
6ac4f1
/var/log/faillog LSPP
6ac4f1
/var/log/lastlog LSPP
6ac4f1
6ac4f1
/etc/hosts LSPP
6ac4f1
/etc/sysconfig LSPP
6ac4f1
6ac4f1
/etc/inittab LSPP
6ac4f1
/etc/grub/ LSPP
6ac4f1
/etc/rc.d LSPP
6ac4f1
6ac4f1
/etc/ld.so.conf LSPP
6ac4f1
6ac4f1
/etc/localtime LSPP
6ac4f1
6ac4f1
/etc/sysctl.conf LSPP
6ac4f1
6ac4f1
/etc/modprobe.conf LSPP
6ac4f1
6ac4f1
/etc/pam.d LSPP
6ac4f1
/etc/security LSPP
6ac4f1
/etc/aliases LSPP
6ac4f1
/etc/postfix LSPP
6ac4f1
6ac4f1
/etc/ssh/sshd_config LSPP
6ac4f1
/etc/ssh/ssh_config LSPP
6ac4f1
6ac4f1
/etc/stunnel LSPP
6ac4f1
6ac4f1
/etc/vsftpd.ftpusers LSPP
6ac4f1
/etc/vsftpd LSPP
6ac4f1
6ac4f1
/etc/issue LSPP
6ac4f1
/etc/issue.net LSPP
6ac4f1
6ac4f1
/etc/cups LSPP
6ac4f1
6ac4f1
# With AIDE's default verbosity level of 5, these would give lots of
6ac4f1
# warnings upon tree traversal. It might change with future version.
6ac4f1
#
6ac4f1
#=/lost\+found    DIR
6ac4f1
#=/home           DIR
6ac4f1
6ac4f1
# Ditto /var/log/sa reason...
6ac4f1
!/var/log/and-httpd
6ac4f1
6ac4f1
# Admins dot files constantly change, just check perms
6ac4f1
/root/\..* PERMS