31807d
# Example configuration file for AIDE.
31807d
31807d
@@define DBDIR /var/lib/aide
31807d
@@define LOGDIR /var/log/aide
31807d
31807d
# The location of the database to be read.
31807d
database=file:@@{DBDIR}/aide.db.gz
31807d
31807d
# The location of the database to be written.
31807d
#database_out=sql:host:port:database:login_name:passwd:table
31807d
#database_out=file:aide.db.new
31807d
database_out=file:@@{DBDIR}/aide.db.new.gz
31807d
31807d
# Whether to gzip the output to database
31807d
gzip_dbout=yes
31807d
31807d
# Default.
31807d
verbose=5
31807d
31807d
report_url=file:@@{LOGDIR}/aide.log
31807d
report_url=stdout
31807d
#report_url=stderr
31807d
#NOT IMPLEMENTED report_url=mailto:root@foo.com
31807d
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
31807d
31807d
# These are the default rules.
31807d
#
31807d
#p:      permissions
31807d
#i:      inode:
31807d
#n:      number of links
31807d
#u:      user
31807d
#g:      group
31807d
#s:      size
31807d
#b:      block count
31807d
#m:      mtime
31807d
#a:      atime
31807d
#c:      ctime
31807d
#S:      check for growing size
31807d
#acl:           Access Control Lists
31807d
#selinux        SELinux security context
31807d
#xattrs:        Extended file attributes
31807d
#md5:    md5 checksum
31807d
#sha1:   sha1 checksum
31807d
#sha256:        sha256 checksum
31807d
#sha512:        sha512 checksum
31807d
#rmd160: rmd160 checksum
31807d
#tiger:  tiger checksum
31807d
31807d
#haval:  haval checksum (MHASH only)
31807d
#gost:   gost checksum (MHASH only)
31807d
#crc32:  crc32 checksum (MHASH only)
31807d
#whirlpool:     whirlpool checksum (MHASH only)
31807d
31807d
#R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
31807d
#L:             p+i+n+u+g+acl+selinux+xattrs
31807d
#E:             Empty group
31807d
#>:             Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
31807d
31807d
# You can create custom rules like this.
31807d
# With MHASH...
31807d
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
31807d
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
31807d
# Everything but access time (Ie. all changes)
31807d
EVERYTHING = R+ALLXTRAHASHES
31807d
ca2856
# Sane
ca2856
# NORMAL = R+sha512
ca2856
NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
31807d
31807d
# For directories, don't bother doing hashes
31807d
DIR = p+i+n+u+g+acl+selinux+xattrs
31807d
31807d
# Access control only
ca2856
PERMS = p+u+g+acl+selinux+xattrs
31807d
31807d
# Logfile are special, in that they often change
ca2856
LOG = p+u+g+n+S+acl+selinux+xattrs
ca2856
ca2856
# Content + file type.
ca2856
CONTENT = sha512+ftype
31807d
ca2856
# Extended content + file type + access.
ca2856
CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
31807d
31807d
# Some files get updated automatically, so the inode/ctime/mtime change
31807d
# but we want to know when the data inside them changes
ca2856
DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha512
31807d
31807d
# Next decide what directories/files you want in the database.
31807d
ca2856
/boot        CONTENT_EX
ca2856
/opt/        CONTENT
ca2856
ca2856
# Admins dot files constantly change, just check perms
ca2856
/root/\..* PERMS
ca2856
# Otherwise get all of /root.
ca2856
/root/   CONTENT_EX
ca2856
31807d
# These are too volatile
ca2856
!/usr/src/
ca2856
!/usr/tmp/
ca2856
ca2856
# Otherwise get all of /usr.
ca2856
/usr/    CONTENT_EX
ca2856
ca2856
# trusted databases
ca2856
/etc/hosts$      CONTENT_EX
ca2856
/etc/host.conf$  CONTENT_EX
ca2856
/etc/hostname$   CONTENT_EX
ca2856
/etc/issue$      CONTENT_EX
ca2856
/etc/issue.net$  CONTENT_EX
ca2856
/etc/protocols$  CONTENT_EX
ca2856
/etc/services$   CONTENT_EX
ca2856
/etc/localtime$  CONTENT_EX
ca2856
/etc/alternatives/ CONTENT_EX
ca2856
/etc/sysconfig   CONTENT_EX
ca2856
/etc/mime.types$ CONTENT_EX
ca2856
/etc/terminfo/   CONTENT_EX
ca2856
/etc/exports$    CONTENT_EX
ca2856
/etc/fstab$      CONTENT_EX
ca2856
/etc/passwd$     CONTENT_EX
ca2856
/etc/group$      CONTENT_EX
ca2856
/etc/gshadow$    CONTENT_EX
ca2856
/etc/shadow$     CONTENT_EX
ca2856
/etc/subgid$     CONTENT_EX
ca2856
/etc/subuid$     CONTENT_EX
ca2856
/etc/security/opasswd$ CONTENT_EX
ca2856
/etc/skel/       CONTENT_EX
ca2856
/etc/subuid$     CONTENT_EX
ca2856
/etc/subgid$     CONTENT_EX
ca2856
/etc/sssd/       CONTENT_EX
ca2856
/etc/machine-id$ CONTENT_EX
ca2856
/etc/swid/       CONTENT_EX
ca2856
/etc/system-release-cpe$ CONTENT_EX
ca2856
/etc/shells$     CONTENT_EX
ca2856
/etc/tmux.conf$  CONTENT_EX
ca2856
/etc/xattr.conf$ CONTENT_EX
ca2856
ca2856
ca2856
# networking
ca2856
/etc/hosts.allow$   CONTENT_EX
ca2856
/etc/hosts.deny$    CONTENT_EX
ca2856
/etc/firewalld/ CONTENT_EX
ca2856
!/etc/NetworkManager/system-connections/
ca2856
/etc/NetworkManager/ CONTENT_EX
ca2856
/etc/networks$ CONTENT_EX
ca2856
/etc/dhcp/ CONTENT_EX
ca2856
/etc/wpa_supplicant/ CONTENT_EX
ca2856
/etc/resolv.conf$ DATAONLY
ca2856
/etc/nscd.conf$ CONTENT_EX
ca2856
ca2856
# logins and accounts
ca2856
/etc/login.defs$ CONTENT_EX
ca2856
/etc/libuser.conf$ CONTENT_EX
ca2856
/var/log/faillog$ PERMS
ca2856
/var/log/lastlog$ PERMS
ca2856
/var/run/faillock/ PERMS
ca2856
/etc/pam.d/ CONTENT_EX
ca2856
/etc/security/ CONTENT_EX
ca2856
/etc/securetty$ CONTENT_EX
ca2856
/etc/polkit-1/ CONTENT_EX
ca2856
/etc/sudo.conf$ CONTENT_EX
ca2856
/etc/sudoers CONTENT_EX
ca2856
/etc/sudoers.d/ CONTENT_EX
ca2856
ca2856
# Shell/X startup files
ca2856
/etc/profile$ CONTENT_EX
ca2856
/etc/profile.d/ CONTENT_EX
ca2856
/etc/bashrc$ CONTENT_EX
ca2856
/etc/bash_completion.d/ CONTENT_EX
ca2856
/etc/zprofile$ CONTENT_EX
ca2856
/etc/zshrc$ CONTENT_EX
ca2856
/etc/zlogin$ CONTENT_EX
ca2856
/etc/zlogout$ CONTENT_EX
ca2856
/etc/X11/ CONTENT_EX
31807d
31807d
# Pkg manager
ca2856
/etc/dnf/ CONTENT_EX
ca2856
/etc/yum.conf$ CONTENT_EX
ca2856
/etc/yum/ CONTENT_EX
ca2856
/etc/yum.repos.d/ CONTENT_EX
31807d
31807d
# This gets new/removes-old filenames daily
31807d
!/var/log/sa
31807d
# As we are checking it, we've truncated yesterdays size to zero.
31807d
!/var/log/aide.log
31807d
ca2856
# auditing
31807d
# AIDE produces an audit record, so this becomes perpetual motion.
ca2856
/var/log/audit/ PERMS
ca2856
/etc/audit/ CONTENT_EX
ca2856
/etc/libaudit.conf$ CONTENT_EX
ca2856
/etc/aide.conf$  CONTENT_EX
ca2856
ca2856
# System logs
ca2856
/etc/rsyslog.conf$ CONTENT_EX
ca2856
/etc/rsyslog.d/ CONTENT_EX
ca2856
/etc/logrotate.conf$ CONTENT_EX
ca2856
/etc/logrotate.d/ CONTENT_EX
ca2856
/etc/systemd/journald.conf$ CONTENT_EX
ca2856
/var/log/ LOG+ANF+ARF
ca2856
/var/run/utmp LOG
31807d
ca2856
# secrets
ca2856
/etc/pkcs11/ CONTENT_EX
ca2856
/etc/pki/ CONTENT_EX
ca2856
/etc/crypto-policies/ CONTENT_EX
ca2856
/etc/certmonger/ CONTENT_EX
ca2856
/var/lib/systemd/random-seed$ PERMS
ca2856
ca2856
# init system
ca2856
/etc/systemd/ CONTENT_EX
ca2856
/etc/rc.d/ CONTENT_EX
ca2856
/etc/tmpfiles.d/ CONTENT_EX
ca2856
ca2856
# boot config
ca2856
/etc/default/ CONTENT_EX
ca2856
/etc/grub.d/ CONTENT_EX
ca2856
/etc/dracut.conf CONTENT_EX
ca2856
/etc/dracut.conf.d/ CONTENT_EX
ca2856
ca2856
# glibc linker
ca2856
/etc/ld.so.cache$ CONTENT_EX
ca2856
/etc/ld.so.conf$ CONTENT_EX
ca2856
/etc/ld.so.conf.d/ CONTENT_EX
ca2856
/etc/ld.so.preload$ CONTENT_EX
ca2856
ca2856
# kernel config
ca2856
/etc/sysctl.conf CONTENT_EX
ca2856
/etc/sysctl.d/ CONTENT_EX
ca2856
/etc/modprobe.d/ CONTENT_EX
ca2856
/etc/modules-load.d/ CONTENT_EX
ca2856
/etc/depmod.d/ CONTENT_EX
ca2856
/etc/udev/ CONTENT_EX
ca2856
/etc/crypttab$ CONTENT_EX
ca2856
ca2856
#### Daemons ####
ca2856
ca2856
# cron jobs
ca2856
/var/spool/at/ CONTENT
ca2856
/etc/at.allow$ CONTENT
ca2856
/etc/at.deny$ CONTENT
ca2856
/var/spool/anacron CONTENT
ca2856
/etc/anacrontab$ CONTENT_EX
ca2856
/etc/cron.allow$ CONTENT_EX
ca2856
/etc/cron.deny$ CONTENT_EX
ca2856
/etc/cron.d/ CONTENT_EX
ca2856
/etc/cron.daily/ CONTENT_EX
ca2856
/etc/cron.hourly/ CONTENT_EX
ca2856
/etc/cron.monthly/ CONTENT_EX
ca2856
/etc/cron.weekly/ CONTENT_EX
ca2856
/etc/crontab$ CONTENT_EX
ca2856
/var/spool/cron/root/ CONTENT
ca2856
ca2856
# time keeping
ca2856
/etc/chrony.conf CONTENT_EX
ca2856
/etc/chrony.keys$ CONTENT_EX
ca2856
ca2856
# mail
ca2856
/etc/aliases$ CONTENT_EX
ca2856
/etc/aliases.db$ CONTENT_EX
ca2856
/etc/postfix/ CONTENT_EX
ca2856
ca2856
# ssh
ca2856
/etc/ssh/sshd_config CONTENT_EX
ca2856
/etc/ssh/ssh_config CONTENT_EX
ca2856
ca2856
# stunnel
ca2856
/etc/stunnel/ CONTENT_EX
ca2856
ca2856
# printing
ca2856
/etc/cups/ CONTENT_EX
ca2856
/etc/cupshelpers/ CONTENT_EX
ca2856
/etc/avahi/ CONTENT_EX
ca2856
ca2856
# web server
ca2856
/etc/httpd/ CONTENT_EX
ca2856
ca2856
# dns
ca2856
/etc/named/ CONTENT_EX
ca2856
/etc/named.conf$ CONTENT_EX
ca2856
/etc/named.iscdlv.key$ CONTENT_EX
ca2856
/etc/named.rfc1912.zones$ CONTENT_EX
ca2856
/etc/named.root.key$ CONTENT_EX
ca2856
ca2856
# xinetd
ca2856
/etc/xinetd.conf$ CONTENT_EX
ca2856
/etc/xinetd.d/ CONTENT_EX
ca2856
ca2856
# IPsec
ca2856
/etc/ipsec.conf CONTENT_EX
ca2856
/etc/ipsec.secrets CONTENT_EX
ca2856
/etc/ipsec.d/ CONTENT_EX
ca2856
ca2856
# USB guard
ca2856
/etc/usbguard/ CONTENT_EX
ca2856
ca2856
# Ignore some files
ca2856
!/etc/mtab$
ca2856
!/etc/.*~
31807d
ca2856
# Now everything else
ca2856
/etc/    PERMS
31807d
31807d
31807d
# With AIDE's default verbosity level of 5, these would give lots of
31807d
# warnings upon tree traversal. It might change with future version.
31807d
#
31807d
#=/lost\+found    DIR
31807d
#=/home           DIR
31807d
31807d
# Ditto /var/log/sa reason...
31807d
!/var/log/and-httpd
31807d
31807d
# Admins dot files constantly change, just check perms
31807d
/root/\..* PERMS
ca2856
!/root/.xauth*