aide.conf: update custom rules
This commit is contained in:
parent
c19980c40c
commit
5b3470d676
1 changed files with 54 additions and 58 deletions
112
aide.conf
112
aide.conf
@ -111,31 +111,27 @@ report_url=stdout
# Use 'aide --version' to list the default compound groups.
# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
# Note: Removed deprecated/removed hashsums (tiger, haval, crc32, crc32b, whirlpool, md5, sha1, rmd160, gost)
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32+crc32b (old with deprecated/removed)
ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512
# Everything but access time (Ie. all changes) - updated with modern hashsums
EVERYTHING = R+ALLXTRAHASHES
# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = FIPSR+sha512
# Base + extended attributes + selinux + acl + file capabilities with multiple modern hashes
NORMAL = R+xattrs+selinux+acl+e2fsattrs+caps+sha512+sha3_512
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs
# For directories, don't bother doing hashes - added file type and link name
DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs
# Access control only
PERMS = p+i+u+g+acl+selinux
# Access control only - added file type and link name
PERMS = ftype+p+i+l+u+g+acl+selinux
# Logfile are special, in that they often change
LOG = >
# Just do sha256 and sha512 hashes
LSPP = FIPSR+sha512
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
# but we want to know when the data inside them changes - updated with modern hash
DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256
# Next decide what directories/files you want in the database.
@ -147,6 +143,7 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
/opt NORMAL
/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp
@ -205,62 +202,61 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
# As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log
# LSPP rules...
# AIDE produces an audit record, so this becomes perpetual motion.
# /var/log/audit/ LSPP
/etc/audit/ LSPP
/etc/libaudit.conf LSPP
/usr/sbin/stunnel LSPP
/var/spool/at LSPP
/etc/at.allow LSPP
/etc/at.deny LSPP
/etc/cron.allow LSPP
/etc/cron.deny LSPP
/etc/cron.d/ LSPP
/etc/cron.daily/ LSPP
/etc/cron.hourly/ LSPP
/etc/cron.monthly/ LSPP
/etc/cron.weekly/ LSPP
/etc/crontab LSPP
/var/spool/cron/root LSPP
# /var/log/audit/ NORMAL
/etc/audit/ NORMAL
/etc/libaudit.conf NORMAL
/usr/sbin/stunnel NORMAL
/var/spool/at NORMAL
/etc/at.allow NORMAL
/etc/at.deny NORMAL
/etc/cron.allow NORMAL
/etc/cron.deny NORMAL
/etc/cron.d/ NORMAL
/etc/cron.daily/ NORMAL
/etc/cron.hourly/ NORMAL
/etc/cron.monthly/ NORMAL
/etc/cron.weekly/ NORMAL
/etc/crontab NORMAL
/var/spool/cron/root NORMAL
/etc/login.defs LSPP
/etc/securetty LSPP
/var/log/faillog LSPP
/var/log/lastlog LSPP
/etc/login.defs NORMAL
/etc/securetty NORMAL
/var/log/faillog NORMAL
/var/log/lastlog NORMAL
/etc/hosts LSPP
/etc/sysconfig LSPP
/etc/hosts NORMAL
/etc/sysconfig NORMAL
/etc/inittab LSPP
/etc/grub/ LSPP
/etc/rc.d LSPP
/etc/inittab NORMAL
/etc/grub/ NORMAL
/etc/rc.d NORMAL
/etc/ld.so.conf LSPP
/etc/ld.so.conf NORMAL
/etc/localtime LSPP
/etc/localtime NORMAL
/etc/sysctl.conf LSPP
/etc/sysctl.conf NORMAL
/etc/modprobe.conf LSPP
/etc/modprobe.conf NORMAL
/etc/pam.d LSPP
/etc/security LSPP
/etc/aliases LSPP
/etc/postfix LSPP
/etc/pam.d NORMAL
/etc/security NORMAL
/etc/aliases NORMAL
/etc/postfix NORMAL
/etc/ssh/sshd_config LSPP
/etc/ssh/ssh_config LSPP
/etc/ssh/sshd_config NORMAL
/etc/ssh/ssh_config NORMAL
/etc/stunnel LSPP
/etc/stunnel NORMAL
/etc/vsftpd.ftpusers LSPP
/etc/vsftpd LSPP
/etc/vsftpd.ftpusers NORMAL
/etc/vsftpd NORMAL
/etc/issue LSPP
/etc/issue.net LSPP
/etc/issue NORMAL
/etc/issue.net NORMAL
/etc/cups LSPP
/etc/cups NORMAL
# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
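Review bot: The new `DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256` in the first hunk spells the hash attribute `sha_256`, while every other rule in the same hunk (and the line it replaces) uses `sha256`; `sha_256` is not an AIDE attribute name, so the config will most likely be rejected at parse time, or at best DATAONLY ends up with no content hash, which defeats the "know when the data inside them changes" intent stated in the comment above it. Change it to `DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256`. Separately, after the third hunk renames every `LSPP` entry to `NORMAL`, the `LSPP = FIPSR+sha512` definition is left unreferenced; either drop it or add a one-line comment above it noting it is kept only for local overrides, so the next reader does not assume files are still checked under it.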