|
 |
1bceaa |
# Example configuration file for AIDE.
|
|
|
1bceaa |
|
|
|
1bceaa |
@@define DBDIR /var/lib/aide
|
|
|
1bceaa |
@@define LOGDIR /var/log/aide
|
|
|
1bceaa |
|
|
|
1bceaa |
# The location of the database to be read.
|
|
|
1bceaa |
database=file:@@{DBDIR}/aide.db.gz
|
|
|
1bceaa |
|
|
|
1bceaa |
# The location of the database to be written.
|
|
|
1bceaa |
#database_out=sql:host:port:database:login_name:passwd:table
|
|
|
1bceaa |
#database_out=file:aide.db.new
|
|
|
1bceaa |
database_out=file:@@{DBDIR}/aide.db.new.gz
|
|
|
1bceaa |
|
|
|
1bceaa |
# Whether to gzip the output to database.
|
|
|
1bceaa |
gzip_dbout=yes
|
|
|
1bceaa |
|
|
|
1bceaa |
# Default.
|
|
|
1bceaa |
verbose=5
|
|
|
1bceaa |
|
|
|
1bceaa |
report_url=file:@@{LOGDIR}/aide.log
|
|
|
1bceaa |
report_url=stdout
|
|
|
1bceaa |
#report_url=stderr
|
|
|
1bceaa |
#NOT IMPLEMENTED report_url=mailto:root@foo.com
|
|
|
1bceaa |
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
|
|
|
1bceaa |
|
|
|
1bceaa |
# These are the default rules.
|
|
|
1bceaa |
#
|
|
|
1bceaa |
#p: permissions
|
|
|
1bceaa |
#i: inode:
|
|
|
1bceaa |
#n: number of links
|
|
|
1bceaa |
#u: user
|
|
|
1bceaa |
#g: group
|
|
|
1bceaa |
#s: size
|
|
|
1bceaa |
#b: block count
|
|
|
1bceaa |
#m: mtime
|
|
|
1bceaa |
#a: atime
|
|
|
1bceaa |
#c: ctime
|
|
|
1bceaa |
#S: check for growing size
|
|
|
1bceaa |
#acl: Access Control Lists
|
|
|
1bceaa |
#selinux SELinux security context
|
|
|
1bceaa |
#xattrs: Extended file attributes
|
|
|
1bceaa |
#md5: md5 checksum
|
|
|
1bceaa |
#sha1: sha1 checksum
|
|
|
1bceaa |
#sha256: sha256 checksum
|
|
|
1bceaa |
#sha512: sha512 checksum
|
|
|
1bceaa |
#rmd160: rmd160 checksum
|
|
|
1bceaa |
#tiger: tiger checksum
|
|
|
1bceaa |
|
|
|
1bceaa |
#haval: haval checksum (MHASH only)
|
|
|
1bceaa |
#gost: gost checksum (MHASH only)
|
|
|
1bceaa |
#crc32: crc32 checksum (MHASH only)
|
|
|
1bceaa |
#whirlpool: whirlpool checksum (MHASH only)
|
|
|
1bceaa |
|
|
|
1bceaa |
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
|
|
|
1bceaa |
|
|
|
1bceaa |
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
|
|
|
1bceaa |
#L: p+i+n+u+g+acl+selinux+xattrs
|
|
|
1bceaa |
#E: Empty group
|
|
|
1bceaa |
#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
|
|
|
1bceaa |
|
|
|
1bceaa |
# You can create custom rules like this.
|
|
|
1bceaa |
# With MHASH...
|
|
|
1bceaa |
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
|
|
|
1bceaa |
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
|
|
|
1bceaa |
|
|
|
1bceaa |
# Everything but access time (Ie. all changes)
|
|
|
1bceaa |
EVERYTHING = R+ALLXTRAHASHES
|
|
|
1bceaa |
|
|
|
1bceaa |
# Sane, with one good hash.
|
|
|
1bceaa |
# NORMAL = sha256
|
|
|
1bceaa |
NORMAL = sha256
|
|
|
1bceaa |
|
|
|
1bceaa |
# For directories, don't bother doing hashes.
|
|
|
1bceaa |
DIR = p+i+n+u+g+acl+selinux+xattrs
|
|
|
1bceaa |
|
|
|
1bceaa |
# Access control only.
|
|
|
1bceaa |
PERMS = p+u+g+acl+selinux+xattrs
|
|
|
1bceaa |
|
|
|
1bceaa |
# Access + inode changes + file type.
|
|
|
1bceaa |
STATIC = p+u+g+acl+selinux+xattrs+i+n+b+c+ftype
|
|
|
1bceaa |
|
|
|
1bceaa |
# Logfiles only check access w/o xattrs.
|
|
|
1bceaa |
LOG = p+u+g+n+acl+selinux+ftype
|
|
|
1bceaa |
|
|
|
1bceaa |
# Content + file type.
|
|
|
1bceaa |
CONTENT = sha256+ftype
|
|
|
1bceaa |
|
|
|
1bceaa |
# Extended content + file type + access.
|
|
|
1bceaa |
CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs
|
|
|
1bceaa |
|
|
|
1bceaa |
# Some files get updated automatically, so the inode/ctime/mtime change
|
|
|
1bceaa |
# but we want to know when the data inside them changes.
|
|
|
1bceaa |
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
|
|
|
1bceaa |
|
|
|
1bceaa |
# Next decide what directories/files you want in the database. Aide
|
|
|
1bceaa |
# uses a first match system. Put file specific instructions before generic
|
|
|
1bceaa |
# matches. e.g. Put file matches before directories.
|
|
|
1bceaa |
|
|
|
1bceaa |
/boot/ CONTENT_EX
|
|
|
1bceaa |
/bin/ CONTENT_EX
|
|
|
1bceaa |
/sbin/ CONTENT_EX
|
|
|
1bceaa |
/lib/ CONTENT_EX
|
|
|
1bceaa |
/lib64/ CONTENT_EX
|
|
|
1bceaa |
/opt/ CONTENT
|
|
|
1bceaa |
|
|
|
1bceaa |
# Admin's dot files constantly change, just check perms.
|
|
|
1bceaa |
/root/\..* PERMS
|
|
|
1bceaa |
# Otherwise get all of /root.
|
|
|
1bceaa |
/root/ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# These are too volatile.
|
|
|
1bceaa |
!/usr/src/
|
|
|
1bceaa |
!/usr/tmp/
|
|
|
1bceaa |
# Otherwise get all of /usr.
|
|
|
1bceaa |
/usr/ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# Check only permissions, user, group, seliunx for /etc, but
|
|
|
1bceaa |
# cover some important files closely.
|
|
|
1bceaa |
!/etc/mtab$
|
|
|
1bceaa |
|
|
|
1bceaa |
# Ignore backup files
|
|
|
1bceaa |
!/etc/.*~
|
|
|
1bceaa |
|
|
|
1bceaa |
# trusted databases
|
|
|
1bceaa |
/etc/hosts$ CONTENT_EX
|
|
|
1bceaa |
/etc/host.conf$ CONTENT_EX
|
|
|
1bceaa |
/etc/hostname$ CONTENT_EX
|
|
|
1bceaa |
/etc/issue$ CONTENT_EX
|
|
|
1bceaa |
/etc/issue.net$ CONTENT_EX
|
|
|
1bceaa |
/etc/protocols$ CONTENT_EX
|
|
|
1bceaa |
/etc/services$ CONTENT_EX
|
|
|
1bceaa |
/etc/localtime$ CONTENT_EX
|
|
|
1bceaa |
/etc/alternatives/ CONTENT_EX
|
|
|
1bceaa |
/etc/mime.types$ CONTENT_EX
|
|
|
1bceaa |
/etc/terminfo/ CONTENT_EX
|
|
|
1bceaa |
/etc/exports$ CONTENT_EX
|
|
|
1bceaa |
/etc/fstab$ CONTENT_EX
|
|
|
1bceaa |
/etc/passwd$ CONTENT_EX
|
|
|
1bceaa |
/etc/group$ CONTENT_EX
|
|
|
1bceaa |
/etc/gshadow$ CONTENT_EX
|
|
|
1bceaa |
/etc/shadow$ CONTENT_EX
|
|
|
1bceaa |
/etc/security/opasswd$ CONTENT_EX
|
|
|
1bceaa |
/etc/skel/ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# networking
|
|
|
1bceaa |
/etc/hosts.allow$ CONTENT_EX
|
|
|
1bceaa |
/etc/hosts.deny$ CONTENT_EX
|
|
|
1bceaa |
/etc/firewalld/ CONTENT_EX
|
|
|
1bceaa |
/etc/NetworkManager/ CONTENT_EX
|
|
|
1bceaa |
/etc/networks$ CONTENT_EX
|
|
|
1bceaa |
/etc/dhcp/ CONTENT_EX
|
|
|
1bceaa |
/etc/wpa_supplicant/ CONTENT_EX
|
|
|
1bceaa |
/etc/resolv.conf$ DATAONLY
|
|
|
1bceaa |
/etc/nscd.conf$ NORMAL
|
|
|
1bceaa |
|
|
|
1bceaa |
# logins and accounts
|
|
|
1bceaa |
/etc/login.defs$ CONTENT_EX
|
|
|
1bceaa |
/etc/libuser.conf$ CONTENT_EX
|
|
|
1bceaa |
/var/log/faillog$ PERMS
|
|
|
1bceaa |
/var/log/lastlog$ PERMS
|
|
|
1bceaa |
/var/run/faillock/ PERMS
|
|
|
1bceaa |
/etc/pam.d/ CONTENT_EX
|
|
|
1bceaa |
/etc/security$ CONTENT_EX
|
|
|
1bceaa |
/etc/securetty$ CONTENT_EX
|
|
|
1bceaa |
/etc/polkit-1/ CONTENT_EX
|
|
|
1bceaa |
/etc/sudo.conf$ CONTENT_EX
|
|
|
1bceaa |
/etc/sudoers$ CONTENT_EX
|
|
|
1bceaa |
/etc/sudoers.d/ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# Shell/X starting files
|
|
|
1bceaa |
/etc/profile$ CONTENT_EX
|
|
|
1bceaa |
/etc/profile.d/ CONTENT_EX
|
|
|
1bceaa |
/etc/bashrc$ CONTENT_EX
|
|
|
1bceaa |
/etc/bash_completion.d/ CONTENT_EX
|
|
|
1bceaa |
/etc/zprofile$ CONTENT_EX
|
|
|
1bceaa |
/etc/zshrc$ CONTENT_EX
|
|
|
1bceaa |
/etc/zlogin$ CONTENT_EX
|
|
|
1bceaa |
/etc/zlogout$ CONTENT_EX
|
|
|
1bceaa |
/etc/X11/ CONTENT_EX
|
|
|
1bceaa |
/etc/shells$ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# Pkg manager
|
|
|
1bceaa |
/etc/yum.conf$ CONTENT_EX
|
|
|
1bceaa |
/etc/yumex.conf$ CONTENT_EX
|
|
|
1bceaa |
/etc/yumex.profiles.conf$ CONTENT_EX
|
|
|
1bceaa |
/etc/yum/ CONTENT_EX
|
|
|
1bceaa |
/etc/yum.repos.d/ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# This gets new/removes-old filenames daily.
|
|
|
1bceaa |
!/var/log/sa/
|
|
|
1bceaa |
# As we are checking it, we've truncated yesterdays size to zero.
|
|
|
1bceaa |
!/var/log/aide.log
|
|
|
1bceaa |
|
|
|
1bceaa |
# auditing
|
|
|
1bceaa |
# AIDE produces an audit record, so this becomes perpetual motion.
|
|
|
1bceaa |
# /var/log/audit/ PERMS+ANF+ARF
|
|
|
1bceaa |
/etc/audit/ CONTENT_EX
|
|
|
1bceaa |
/etc/audisp/ CONTENT_EX
|
|
|
1bceaa |
/etc/libaudit.conf$ CONTENT_EX
|
|
|
1bceaa |
/etc/aide.conf$ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# System logs
|
|
|
1bceaa |
/etc/rsyslog.conf$ CONTENT_EX
|
|
|
1bceaa |
/etc/rsyslog.d/ CONTENT_EX
|
|
|
1bceaa |
/etc/logrotate.conf$ CONTENT_EX
|
|
|
1bceaa |
/etc/logrotate.d/ CONTENT_EX
|
|
|
1bceaa |
/var/log/ LOG+ANF+ARF
|
|
|
1bceaa |
/var/run/utmp$ LOG
|
|
|
1bceaa |
|
|
|
1bceaa |
# secrets
|
|
|
1bceaa |
/etc/pkcs11/ CONTENT_EX
|
|
|
1bceaa |
/etc/pki/ CONTENT_EX
|
|
|
1bceaa |
/etc/ssl/ CONTENT_EX
|
|
|
1bceaa |
/etc/certmonger/ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# init system
|
|
|
1bceaa |
/etc/systemd/ CONTENT_EX
|
|
|
1bceaa |
/etc/sysconfig/ CONTENT_EX
|
|
|
1bceaa |
/etc/rc.d/ CONTENT_EX
|
|
|
1bceaa |
/etc/tmpfiles.d/ CONTENT_EX
|
|
|
1bceaa |
/etc/machine-id$ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# boot config
|
|
|
1bceaa |
/etc/grub.d/ CONTENT_EX
|
|
|
1bceaa |
/etc/grub2.cfg$ CONTENT_EX
|
|
|
1bceaa |
/etc/dracut.conf$ CONTENT_EX
|
|
|
1bceaa |
/etc/dracut.conf.d/ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# glibc linker
|
|
|
1bceaa |
/etc/ld.so.cache$ CONTENT_EX
|
|
|
1bceaa |
/etc/ld.so.conf$ CONTENT_EX
|
|
|
1bceaa |
/etc/ld.so.conf.d/ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# kernel config
|
|
|
1bceaa |
/etc/sysctl.conf$ CONTENT_EX
|
|
|
1bceaa |
/etc/sysctl.d/ CONTENT_EX
|
|
|
1bceaa |
/etc/modprobe.d/ CONTENT_EX
|
|
|
1bceaa |
/etc/modules-load.d/ CONTENT_EX
|
|
|
1bceaa |
/etc/depmod.d/ CONTENT_EX
|
|
|
1bceaa |
/etc/udev/ CONTENT_EX
|
|
|
1bceaa |
/etc/crypttab$ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
#### Daemons ####
|
|
|
1bceaa |
|
|
|
1bceaa |
# cron jobs
|
|
|
1bceaa |
/var/spool/at/ CONTENT
|
|
|
1bceaa |
/etc/at.allow$ CONTENT
|
|
|
1bceaa |
/etc/at.deny$ CONTENT
|
|
|
1bceaa |
/etc/cron.allow$ CONTENT_EX
|
|
|
1bceaa |
/etc/cron.deny$ CONTENT_EX
|
|
|
1bceaa |
/etc/cron.d/ CONTENT_EX
|
|
|
1bceaa |
/etc/cron.daily/ CONTENT_EX
|
|
|
1bceaa |
/etc/cron.hourly/ CONTENT_EX
|
|
|
1bceaa |
/etc/cron.monthly/ CONTENT_EX
|
|
|
1bceaa |
/etc/cron.weekly/ CONTENT_EX
|
|
|
1bceaa |
/etc/crontab$ CONTENT_EX
|
|
|
1bceaa |
/var/spool/cron/root/ CONTENT
|
|
|
1bceaa |
/etc/anacrontab$ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# time keeping
|
|
|
1bceaa |
/etc/ntp.conf$ CONTENT_EX
|
|
|
1bceaa |
/etc/ntp/ CONTENT_EX
|
|
|
1bceaa |
/etc/chrony.conf$ CONTENT_EX
|
|
|
1bceaa |
/etc/chrony.keys$ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# mail
|
|
|
1bceaa |
/etc/aliases$ CONTENT_EX
|
|
|
1bceaa |
/etc/aliases.db$ CONTENT_EX
|
|
|
1bceaa |
/etc/postfix/ CONTENT_EX
|
|
|
1bceaa |
/etc/mail.rc$ CONTENT_EX
|
|
|
1bceaa |
/etc/mailcap$ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# ssh
|
|
|
1bceaa |
/etc/ssh/sshd_config$ CONTENT_EX
|
|
|
1bceaa |
/etc/ssh/ssh_config$ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# stunnel
|
|
|
1bceaa |
/etc/stunnel/ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# ftp
|
|
|
1bceaa |
/etc/vsftpd.conf$ CONTENT
|
|
|
1bceaa |
/etc/vsftpd/ CONTENT
|
|
|
1bceaa |
|
|
|
1bceaa |
# printing
|
|
|
1bceaa |
/etc/cups/ CONTENT_EX
|
|
|
1bceaa |
/etc/cupshelpers/ CONTENT_EX
|
|
|
1bceaa |
/etc/avahi/ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# web server
|
|
|
1bceaa |
/etc/httpd/ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# dns
|
|
|
1bceaa |
/etc/named/ CONTENT_EX
|
|
|
1bceaa |
/etc/named.conf$ CONTENT_EX
|
|
|
1bceaa |
/etc/named.iscdlv.key$ CONTENT_EX
|
|
|
1bceaa |
/etc/named.rfc1912.zones$ CONTENT_EX
|
|
|
1bceaa |
/etc/named.root.key$ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# xinetd
|
|
|
1bceaa |
/etc/xinetd.d/ CONTENT_EX
|
|
|
1bceaa |
|
|
|
1bceaa |
# Now everything else in /etc.
|
|
|
1bceaa |
/etc/ PERMS
|
|
|
1bceaa |
|
|
|
1bceaa |
# With AIDE's default verbosity level of 5, these would give lots of
|
|
|
1bceaa |
# warnings upon tree traversal. It might change with future version.
|
|
|
1bceaa |
#
|
|
|
1bceaa |
#=/lost\+found DIR
|
|
|
1bceaa |
#=/home DIR
|
|
|
1bceaa |
|
|
|
1bceaa |
# Ditto /var/log/sa/ same reason...
|
|
|
1bceaa |
!/var/log/httpd/
|