|
 |
c40f54 |
# Example configuration file for AIDE.
|
|
|
c40f54 |
|
|
|
c40f54 |
@@define DBDIR /var/lib/aide
|
|
|
c40f54 |
@@define LOGDIR /var/log/aide
|
|
|
c40f54 |
|
|
|
c40f54 |
# The location of the database to be read.
|
|
|
c40f54 |
database=file:@@{DBDIR}/aide.db.gz
|
|
|
c40f54 |
|
|
|
c40f54 |
# The location of the database to be written.
|
|
|
c40f54 |
#database_out=sql:host:port:database:login_name:passwd:table
|
|
|
c40f54 |
#database_out=file:aide.db.new
|
|
|
c40f54 |
database_out=file:@@{DBDIR}/aide.db.new.gz
|
|
|
c40f54 |
|
|
|
c40f54 |
# Whether to gzip the output to database
|
|
|
c40f54 |
gzip_dbout=yes
|
|
|
c40f54 |
|
|
|
c40f54 |
# Default.
|
|
|
c40f54 |
verbose=5
|
|
|
c40f54 |
|
|
|
c40f54 |
report_url=file:@@{LOGDIR}/aide.log
|
|
|
c40f54 |
report_url=stdout
|
|
|
c40f54 |
#report_url=stderr
|
|
|
c40f54 |
#NOT IMPLEMENTED report_url=mailto:root@foo.com
|
|
|
c40f54 |
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
|
|
|
c40f54 |
|
|
|
c40f54 |
# These are the default rules.
|
|
|
c40f54 |
#
|
|
|
c40f54 |
#p: permissions
|
|
|
c40f54 |
#i: inode:
|
|
|
c40f54 |
#n: number of links
|
|
|
c40f54 |
#u: user
|
|
|
c40f54 |
#g: group
|
|
|
c40f54 |
#s: size
|
|
|
c40f54 |
#b: block count
|
|
|
c40f54 |
#m: mtime
|
|
|
c40f54 |
#a: atime
|
|
|
c40f54 |
#c: ctime
|
|
|
c40f54 |
#S: check for growing size
|
|
|
c40f54 |
#acl: Access Control Lists
|
|
|
c40f54 |
#selinux SELinux security context
|
|
|
c40f54 |
#xattrs: Extended file attributes
|
|
|
c40f54 |
#md5: md5 checksum
|
|
|
c40f54 |
#sha1: sha1 checksum
|
|
|
c40f54 |
#sha256: sha256 checksum
|
|
|
c40f54 |
#sha512: sha512 checksum
|
|
|
c40f54 |
#rmd160: rmd160 checksum
|
|
|
c40f54 |
#tiger: tiger checksum
|
|
|
c40f54 |
|
|
|
c40f54 |
#haval: haval checksum (MHASH only)
|
|
|
c40f54 |
#gost: gost checksum (MHASH only)
|
|
|
c40f54 |
#crc32: crc32 checksum (MHASH only)
|
|
|
c40f54 |
#whirlpool: whirlpool checksum (MHASH only)
|
|
|
c40f54 |
|
|
|
c40f54 |
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
|
|
|
c40f54 |
|
|
|
c40f54 |
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
|
|
|
c40f54 |
#L: p+i+n+u+g+acl+selinux+xattrs
|
|
|
c40f54 |
#E: Empty group
|
|
|
c40f54 |
#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
|
|
|
c40f54 |
|
|
|
c40f54 |
# You can create custom rules like this.
|
|
|
c40f54 |
# With MHASH...
|
|
|
c40f54 |
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
|
|
|
c40f54 |
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
|
|
|
c40f54 |
# Everything but access time (Ie. all changes)
|
|
|
c40f54 |
EVERYTHING = R+ALLXTRAHASHES
|
|
|
c40f54 |
|
|
|
c40f54 |
# Sane, with multiple hashes
|
|
|
c40f54 |
# NORMAL = R+rmd160+sha256+whirlpool
|
|
|
c40f54 |
NORMAL = FIPSR+sha512
|
|
|
c40f54 |
|
|
|
c40f54 |
# For directories, don't bother doing hashes
|
|
|
c40f54 |
DIR = p+i+n+u+g+acl+selinux+xattrs
|
|
|
c40f54 |
|
|
|
c40f54 |
# Access control only
|
|
|
c40f54 |
PERMS = p+i+u+g+acl+selinux
|
|
|
c40f54 |
|
|
|
c40f54 |
# Logfile are special, in that they often change
|
|
|
c40f54 |
LOG = >
|
|
|
c40f54 |
|
|
|
c40f54 |
# Just do sha256 and sha512 hashes
|
|
|
c40f54 |
LSPP = FIPSR+sha512
|
|
|
c40f54 |
|
|
|
c40f54 |
# Some files get updated automatically, so the inode/ctime/mtime change
|
|
|
c40f54 |
# but we want to know when the data inside them changes
|
|
|
c40f54 |
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
|
|
|
c40f54 |
|
|
|
c40f54 |
# Next decide what directories/files you want in the database.
|
|
|
c40f54 |
|
|
|
c40f54 |
/boot NORMAL
|
|
|
c40f54 |
/bin NORMAL
|
|
|
c40f54 |
/sbin NORMAL
|
|
|
c40f54 |
/lib NORMAL
|
|
|
c40f54 |
/lib64 NORMAL
|
|
|
c40f54 |
/opt NORMAL
|
|
|
c40f54 |
/usr NORMAL
|
|
|
c40f54 |
/root NORMAL
|
|
|
c40f54 |
# These are too volatile
|
|
|
c40f54 |
!/usr/src
|
|
|
c40f54 |
!/usr/tmp
|
|
|
c40f54 |
|
|
|
c40f54 |
# Check only permissions, inode, user and group for /etc, but
|
|
|
c40f54 |
# cover some important files closely.
|
|
|
c40f54 |
/etc PERMS
|
|
|
c40f54 |
!/etc/mtab
|
|
|
c40f54 |
# Ignore backup files
|
|
|
c40f54 |
!/etc/.*~
|
|
|
c40f54 |
/etc/exports NORMAL
|
|
|
c40f54 |
/etc/fstab NORMAL
|
|
|
c40f54 |
/etc/passwd NORMAL
|
|
|
c40f54 |
/etc/group NORMAL
|
|
|
c40f54 |
/etc/gshadow NORMAL
|
|
|
c40f54 |
/etc/shadow NORMAL
|
|
|
c40f54 |
/etc/security/opasswd NORMAL
|
|
|
c40f54 |
|
|
|
c40f54 |
/etc/hosts.allow NORMAL
|
|
|
c40f54 |
/etc/hosts.deny NORMAL
|
|
|
c40f54 |
|
|
|
c40f54 |
/etc/sudoers NORMAL
|
|
|
c40f54 |
/etc/skel NORMAL
|
|
|
c40f54 |
|
|
|
c40f54 |
/etc/logrotate.d NORMAL
|
|
|
c40f54 |
|
|
|
c40f54 |
/etc/resolv.conf DATAONLY
|
|
|
c40f54 |
|
|
|
c40f54 |
/etc/nscd.conf NORMAL
|
|
|
c40f54 |
/etc/securetty NORMAL
|
|
|
c40f54 |
|
|
|
c40f54 |
# Shell/X starting files
|
|
|
c40f54 |
/etc/profile NORMAL
|
|
|
c40f54 |
/etc/bashrc NORMAL
|
|
|
c40f54 |
/etc/bash_completion.d/ NORMAL
|
|
|
c40f54 |
/etc/login.defs NORMAL
|
|
|
c40f54 |
/etc/zprofile NORMAL
|
|
|
c40f54 |
/etc/zshrc NORMAL
|
|
|
c40f54 |
/etc/zlogin NORMAL
|
|
|
c40f54 |
/etc/zlogout NORMAL
|
|
|
c40f54 |
/etc/profile.d/ NORMAL
|
|
|
c40f54 |
/etc/X11/ NORMAL
|
|
|
c40f54 |
|
|
|
c40f54 |
# Pkg manager
|
|
|
c40f54 |
/etc/yum.conf NORMAL
|
|
|
c40f54 |
/etc/yumex.conf NORMAL
|
|
|
c40f54 |
/etc/yumex.profiles.conf NORMAL
|
|
|
c40f54 |
/etc/yum/ NORMAL
|
|
|
c40f54 |
/etc/yum.repos.d/ NORMAL
|
|
|
c40f54 |
|
|
|
c40f54 |
/var/log LOG
|
|
|
c40f54 |
/var/run/utmp LOG
|
|
|
c40f54 |
|
|
|
c40f54 |
# This gets new/removes-old filenames daily
|
|
|
c40f54 |
!/var/log/sa
|
|
|
c40f54 |
# As we are checking it, we've truncated yesterdays size to zero.
|
|
|
c40f54 |
!/var/log/aide.log
|
|
|
c40f54 |
|
|
|
c40f54 |
# LSPP rules...
|
|
|
c40f54 |
# AIDE produces an audit record, so this becomes perpetual motion.
|
|
|
c40f54 |
# /var/log/audit/ LSPP
|
|
|
c40f54 |
/etc/audit/ LSPP
|
|
|
c40f54 |
/etc/libaudit.conf LSPP
|
|
|
c40f54 |
/usr/sbin/stunnel LSPP
|
|
|
c40f54 |
/var/spool/at LSPP
|
|
|
c40f54 |
/etc/at.allow LSPP
|
|
|
c40f54 |
/etc/at.deny LSPP
|
|
|
c40f54 |
/etc/cron.allow LSPP
|
|
|
c40f54 |
/etc/cron.deny LSPP
|
|
|
c40f54 |
/etc/cron.d/ LSPP
|
|
|
c40f54 |
/etc/cron.daily/ LSPP
|
|
|
c40f54 |
/etc/cron.hourly/ LSPP
|
|
|
c40f54 |
/etc/cron.monthly/ LSPP
|
|
|
c40f54 |
/etc/cron.weekly/ LSPP
|
|
|
c40f54 |
/etc/crontab LSPP
|
|
|
c40f54 |
/var/spool/cron/root LSPP
|
|
|
c40f54 |
|
|
|
c40f54 |
/etc/login.defs LSPP
|
|
|
c40f54 |
/etc/securetty LSPP
|
|
|
c40f54 |
/var/log/faillog LSPP
|
|
|
c40f54 |
/var/log/lastlog LSPP
|
|
|
c40f54 |
|
|
|
c40f54 |
/etc/hosts LSPP
|
|
|
c40f54 |
/etc/sysconfig LSPP
|
|
|
c40f54 |
|
|
|
c40f54 |
/etc/inittab LSPP
|
|
|
c40f54 |
/etc/grub/ LSPP
|
|
|
c40f54 |
/etc/rc.d LSPP
|
|
|
c40f54 |
|
|
|
c40f54 |
/etc/ld.so.conf LSPP
|
|
|
c40f54 |
|
|
|
c40f54 |
/etc/localtime LSPP
|
|
|
c40f54 |
|
|
|
c40f54 |
/etc/sysctl.conf LSPP
|
|
|
c40f54 |
|
|
|
c40f54 |
/etc/modprobe.conf LSPP
|
|
|
c40f54 |
|
|
|
c40f54 |
/etc/pam.d LSPP
|
|
|
c40f54 |
/etc/security LSPP
|
|
|
c40f54 |
/etc/aliases LSPP
|
|
|
c40f54 |
/etc/postfix LSPP
|
|
|
c40f54 |
|
|
|
c40f54 |
/etc/ssh/sshd_config LSPP
|
|
|
c40f54 |
/etc/ssh/ssh_config LSPP
|
|
|
c40f54 |
|
|
|
c40f54 |
/etc/stunnel LSPP
|
|
|
c40f54 |
|
|
|
c40f54 |
/etc/vsftpd.ftpusers LSPP
|
|
|
c40f54 |
/etc/vsftpd LSPP
|
|
|
c40f54 |
|
|
|
c40f54 |
/etc/issue LSPP
|
|
|
c40f54 |
/etc/issue.net LSPP
|
|
|
c40f54 |
|
|
|
c40f54 |
/etc/cups LSPP
|
|
|
c40f54 |
|
|
|
c40f54 |
# With AIDE's default verbosity level of 5, these would give lots of
|
|
|
c40f54 |
# warnings upon tree traversal. It might change with future version.
|
|
|
c40f54 |
#
|
|
|
c40f54 |
#=/lost\+found DIR
|
|
|
c40f54 |
#=/home DIR
|
|
|
c40f54 |
|
|
|
c40f54 |
# Ditto /var/log/sa reason...
|
|
|
c40f54 |
!/var/log/and-httpd
|
|
|
c40f54 |
|
|
|
c40f54 |
# Admins dot files constantly change, just check perms
|
|
|
c40f54 |
/root/\..* PERMS
|