From 4750c5ce8a6f1c547f339ff8146e90e0348376b4 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 23 Jul 2025 16:50:19 +0000 Subject: [PATCH 01/22] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From 7b39911f4eb2db77db0fc254927fd64145b42e1c Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 5 Aug 2025 11:23:42 +0200 Subject: [PATCH 02/22] Simplify URL handling --- aide.spec | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/aide.spec b/aide.spec index eda0cff..8efe513 100644 --- a/aide.spec +++ b/aide.spec @@ -1,14 +1,12 @@ -%global forgeurl https://github.com/%{name}/%{name} - Summary: Intrusion detection environment Name: aide Version: 0.18.8 Release: %autorelease -URL: https://aide.github.io/ +URL: https://github.com/aide/aide License: GPL-2.0-or-later -Source0: %{forgeurl}/releases/download/v%{version}/%{name}-%{version}.tar.gz -Source1: %{forgeurl}/releases/download/v%{version}/%{name}-%{version}.tar.gz.asc +Source0: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz +Source1: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz.asc # gpg2 --recv-keys 2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931 # gpg2 --export --export-options export-minimal 2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931 >gpgkey-aide.gpg Source2: gpgkey-aide.gpg From f3c128e1ec4eb9ae7587e205f92220018060201f Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 5 Aug 2025 11:26:43 +0200 Subject: [PATCH 03/22] spec: standardize source file reference syntax Use consistent %{SOURCE#} macro syntax throughout the spec file instead of mixing %{S:#} and %{SOURCE#} formats. This improves readability and follows RPM packaging best practices. --- aide.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/aide.spec b/aide.spec index 8efe513..fdb6bfc 100644 --- a/aide.spec +++ b/aide.spec 
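Review bot: `Source0:` and `Source1:` are now built from `%{url}`, which couples the download location to the `URL:` tag — the removed `https://aide.github.io/` line shows the homepage has differed from the GitHub release page before, so a later "fix the homepage" edit would silently break source fetching. A one-line comment above `URL:` such as `# Source0/Source1 are derived from %{url}; it must stay on the GitHub release page` keeps that dependency visible. Verification of the tarball is unaffected, since the `%{gpgverify}` call in `%prep` (outside this hunk) still checks Source0 against Source1 with the keyring in Source2.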
@@ -42,7 +42,7 @@ checker and intrusion detection program. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -cp -a %{S:4} . +cp -a %{SOURCE4} . %build #autoreconf -ivf @@ -64,8 +64,8 @@ make check %install %make_install bindir=%{_sbindir} -install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{S:3} -install -Dpm0644 %{S:5} %{buildroot}%{_sysconfdir}/logrotate.d/aide +install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{SOURCE3} +install -Dpm0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/logrotate.d/aide mkdir -p %{buildroot}%{_localstatedir}/log/aide mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide From d45509d296037b559dd13f0217ef380a4b93f9c5 Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 5 Aug 2025 11:38:04 +0200 Subject: [PATCH 04/22] Rebase to 0.19.1 --- .gitignore | 2 ++ aide.spec | 2 +- sources | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 465c998..3d07290 100644 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,5 @@ aide-0.14.tar.gz.asc /aide-0.18.6.tar.gz /aide-0.18.8.tar.gz /aide-0.18.8.tar.gz.asc +/aide-0.19.1.tar.gz +/aide-0.19.1.tar.gz.asc diff --git a/aide.spec b/aide.spec index fdb6bfc..1553dba 100644 --- a/aide.spec +++ b/aide.spec @@ -1,6 +1,6 @@ Summary: Intrusion detection environment Name: aide -Version: 0.18.8 +Version: 0.19.1 Release: %autorelease URL: https://github.com/aide/aide License: GPL-2.0-or-later diff --git a/sources b/sources index ca6c59b..d46f6aa 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (aide-0.18.8.tar.gz) = 38763f527cfbc11847eca2fca17eceabc46158624954f0457feb49b885f34e4311f2dbc50b5471f4ff972e9e4e9c9f55c2da8dd8d55c04063a9043ab4829ff05 -SHA512 (aide-0.18.8.tar.gz.asc) = 9eeed86a0484d9f2acfd91c49adae285b34ebc390f65f32d72e9409a5e57456e637036094cb7fd38cb6a1332f6bbb58e4ff704819fd4449ec0d7b2ae01d95cd8 +SHA512 (aide-0.19.1.tar.gz) = 5f345458acdc79072b8293ea19a6846f2f7ab2eca36729ff1dc6fe06595a40f46af5aac57c8b02b4d144a4ad649b2a1d7f8e3bb216f0fa3d48a7023abf0029b1 +SHA512 (aide-0.19.1.tar.gz.asc) = d5bb3b8ec7dec229a01ae2e2588cc64caf9eaf2e9a71593c2d43662eb25f0afca9d955de7eeba13ca10dbe09f5b66e3b653ab018aa4c16f0531c368335b5e6de From 8e0d851b93fe8045dd46d53f6532b5b159d62fcc Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 5 Aug 2025 11:41:14 +0200 Subject: [PATCH 05/22] cry: use nettle instead of gcrypt --- aide.spec | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/aide.spec b/aide.spec index 1553dba..9bd36bf 100644 --- a/aide.spec +++ b/aide.spec @@ -18,7 +18,7 @@ BuildRequires: gcc BuildRequires: make BuildRequires: bison flex BuildRequires: pcre2-devel -BuildRequires: libgpg-error-devel libgcrypt-devel +BuildRequires: libgpg-error-devel nettle-devel BuildRequires: zlib-devel BuildRequires: libcurl-devel BuildRequires: libacl-devel @@ -49,7 +49,8 @@ cp -a %{SOURCE4} . %configure \ --disable-static \ --with-config_file=%{_sysconfdir}/aide.conf \ - --with-gcrypt \ + --without-gcrypt \ + --with-nettle \ --with-zlib \ --with-curl \ --with-posix-acl \ @@ -71,7 +72,7 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide %files %license COPYING -%doc AUTHORS ChangeLog NEWS README contrib/ +%doc AUTHORS ChangeLog NEWS README %doc README.quickstart %{_sbindir}/aide %{_mandir}/man1/*.1* From faf0f7484f747e738fb6dc73b4af6e461c0c832c Mon Sep 17 00:00:00 2001 
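Review bot: `BuildRequires: libgpg-error-devel nettle-devel` keeps libgpg-error-devel even though its only visible consumer, libgcrypt, is dropped on the same line and `--without-gcrypt` is now passed to configure; unless something else in the spec needs it, the line can become `BuildRequires: nettle-devel`. The `%files` hunk also removes `contrib/` from `%doc` without a word in the commit message — presumably it is no longer shipped in the 0.19 tarball — and a sentence in the description would spare the next reader the check. The `--without-gcrypt` / `--with-nettle` pair itself reads fine.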
From: Cropi Date: Thu, 7 Aug 2025 10:28:00 +0200 Subject: [PATCH 06/22] aide.conf: add missing fields to config (added since 0.17) --- aide.conf | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/aide.conf b/aide.conf index 57b15b9..5c978f7 100644 --- a/aide.conf +++ b/aide.conf @@ -14,10 +14,37 @@ database_out=file:@@{DBDIR}/aide.db.new.gz # Whether to gzip the output to database gzip_dbout=yes +# Database attributes to include in report (H = all compiled hashsums, default) +database_attrs=H + +# Add metadata to database (version info, timestamps) +database_add_metadata=yes + +# Warn about unrestricted rules during config check (default: false) +config_check_warn_unrestricted_rules=false + +# Number of workers for parallel processing (default: 1, can use percentage) +num_workers=1 + # Default. log_level=warning report_level=changed_attributes +# Report format (plain or json) +report_format=plain + +# Group files in report by added/removed/changed +report_grouped=yes + +# Summarize changes in report +report_summarize_changes=yes + +# Don't report if no differences found +report_quiet=no + +# Report encoding (base64 is default, base16 available) +report_base16=no + report_url=file:@@{LOGDIR}/aide.log report_url=stdout #report_url=stderr From aa4fd80a6162bb0e14037cbd3ada91dc21e11cda Mon Sep 17 00:00:00 2001 From: Cropi Date: Thu, 7 Aug 2025 10:29:00 +0200 Subject: [PATCH 07/22] aide.conf: correct report_url possible values --- aide.conf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/aide.conf b/aide.conf index 5c978f7..4a0c0b8 100644 --- a/aide.conf +++ b/aide.conf @@ -48,8 +48,7 @@ report_base16=no report_url=file:@@{LOGDIR}/aide.log report_url=stdout #report_url=stderr -#NOT IMPLEMENTED report_url=mailto:root@foo.com -#NOT IMPLEMENTED report_url=syslog:LOG_AUTH +#report_url=syslog:LOG_AUTH # These are the default rules. # From c19980c40c356c14c5bfe0bf1149c93f48449313 Mon Sep 17 00:00:00 2001 
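Review bot: The comment above `report_quiet=no` ("Don't report if no differences found") describes the behaviour of the opposite value, not the one being set; `# Suppress the report when no differences are found (no = always print the report)` matches the line below it. Only four of the nine added options say whether their value is the upstream default, so it is not obvious which lines, if any, are deliberate deviations — annotating all of them the same way, or stating once at the top of the block `# Values below are the upstream defaults unless noted`, would make that clear. Documentation only; the option names and values are left as they are.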
From: Cropi Date: Thu, 7 Aug 2025 10:31:02 +0200 Subject: [PATCH 08/22] aide.conf: update (special) attributes section --- aide.conf | 55 ++++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 40 insertions(+), 15 deletions(-) diff --git a/aide.conf b/aide.conf index 4a0c0b8..2deaa1b 100644 --- a/aide.conf +++ b/aide.conf @@ -52,8 +52,11 @@ report_url=stdout # These are the default rules. # +#ftype: file type +#fstype: file system type (Linux-only) #p: permissions -#i: inode: +#i: inode +#l: link name (symbolic links only) #n: number of links #u: user #g: group 
@@ -62,28 +65,50 @@ report_url=stdout #m: mtime #a: atime #c: ctime -#S: check for growing size #acl: Access Control Lists #selinux SELinux security context #xattrs: Extended file attributes -#md5: md5 checksum -#sha1: sha1 checksum +#e2fsattrs: file attributes on Linux file system +#caps: file capabilities (Linux-only) + +# Hashsums attributes (regular files only) #sha256: sha256 checksum #sha512: sha512 checksum -#rmd160: rmd160 checksum -#tiger: tiger checksum +#sha512_256: SHA-512 checksum truncated to 256 output bits +#sha3_256: SHA3-256 checksum (modern) +#sha3_512: SHA3-512 checksum (modern) +#stribog256: GOST R 34.11-2012, 256 bit +#stribog512: GOST R 34.11-2012, 512 bit -#haval: haval checksum (MHASH only) -#gost: gost checksum (MHASH only) -#crc32: crc32 checksum (MHASH only) -#whirlpool: whirlpool checksum (MHASH only) +# DEPRECATED (will be removed in future versions): +#md5: md5 checksum (deprecated since v0.19) +#sha1: sha1 checksum (deprecated since v0.19) +#rmd160: rmd160 checksum (deprecated since v0.19) +#gost: gost checksum (deprecated since v0.19) -FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256 +# REMOVED in AIDE v0.19: +#S: check for growing size (use 'growing+s' instead) +#tiger: tiger checksum (removed) +#haval: haval checksum (removed) +#crc32: crc32 checksum (removed) +#crc32b: crc32b checksum (removed) +#whirlpool: whirlpool checksum (removed) -#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5 -#L: p+i+n+u+g+acl+selinux+xattrs -#E: Empty group -#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs +# Special attributes for advanced use cases: +#I: ignore changed filename - detects moved files by inode +#growing: ignore growing file size/timestamps for logs +#compressed: ignore compression - compares uncompressed content +#ANF: allow new files - new files ignored in report +#ARF: allow removed files - missing files ignored in report + +# Default groups in AIDE v0.19: +# R = p+ftype+i+l+n+u+g+s+m+c+sha3_256+X +# L = p+ftype+i+l+n+u+g+X +# > = 
Growing file p+ftype+l+u+g+i+n+s+growing+X +# H = all compiled in (and not deprecated) hashsums +# X = acl+selinux+xattrs+e2fsattrs+caps (if compiled in) +# E = Empty group +# Use 'aide --version' to list the default compound groups. # You can create custom rules like this. # With MHASH... From 7aad76e824e38aa8e4ce3ed520f3ce841e69d1af Mon Sep 17 00:00:00 2001 From: Cropi Date: Wed, 20 Aug 2025 08:33:36 +0200 Subject: [PATCH 09/22] Rebase to 0.19.2 Resolves: rhbz#2389391 Resolves: rhbz#2389389 CVE-2025-54389 CVE-2025-54409 --- .gitignore | 2 ++ aide.spec | 2 +- sources | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 3d07290..ce1812d 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,5 @@ aide-0.14.tar.gz.asc /aide-0.18.8.tar.gz.asc /aide-0.19.1.tar.gz /aide-0.19.1.tar.gz.asc +/aide-0.19.2.tar.gz +/aide-0.19.2.tar.gz.asc diff --git a/aide.spec b/aide.spec index 9bd36bf..7b1c7a4 100644 --- a/aide.spec +++ b/aide.spec @@ -1,6 +1,6 @@ Summary: Intrusion detection environment Name: aide -Version: 0.19.1 +Version: 0.19.2 Release: %autorelease URL: https://github.com/aide/aide License: GPL-2.0-or-later diff --git a/sources b/sources index d46f6aa..0b47fd8 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (aide-0.19.1.tar.gz) = 5f345458acdc79072b8293ea19a6846f2f7ab2eca36729ff1dc6fe06595a40f46af5aac57c8b02b4d144a4ad649b2a1d7f8e3bb216f0fa3d48a7023abf0029b1 -SHA512 (aide-0.19.1.tar.gz.asc) = d5bb3b8ec7dec229a01ae2e2588cc64caf9eaf2e9a71593c2d43662eb25f0afca9d955de7eeba13ca10dbe09f5b66e3b653ab018aa4c16f0531c368335b5e6de +SHA512 (aide-0.19.2.tar.gz) = 08506c2302e34794fa08a27caaa1e714ba736d46351c577234f2c3d2623ea82b243b3318061a369a46d6961a782f42fbb8edd42d1d4de6949e7fc30c87865830 +SHA512 (aide-0.19.2.tar.gz.asc) = ebc04f22a49ec6b378dca4930574edcd46919281297bc1d5e09f5839a6fab3a38762462b7d852a82b7045313f9c24208bfff49a561d8afd04e9116be7096169a From 920124928552faeaef5846b87f8f9dd5423b1011 Mon Sep 17 00:00:00 2001 
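Review bot: This hunk deletes `FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256` while the rule section further down (outside this hunk) still reads `NORMAL = FIPSR+sha512` and `LSPP = FIPSR+sha512` — both only go away in patch 10 ("Refactor aide.conf") — so at this point in the series aide.conf references a group that no longer exists and presumably fails to load. Either keep the `FIPSR` line here until its consumers are removed, or move the deletion into patch 10 so every commit leaves a loadable config. The new "Default groups in AIDE v0.19" block quotes `R = p+ftype+i+l+n+u+g+s+m+c+sha3_256+X` as fact; since the comment already points at `aide --version`, it is worth cross-checking the list against that output on the actual build.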
From: Cropi Date: Thu, 7 Aug 2025 10:32:01 +0200 Subject: [PATCH 10/22] Refactor aide.conf --- aide.conf | 310 ++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 198 insertions(+), 112 deletions(-) diff --git a/aide.conf b/aide.conf index 2deaa1b..5953f6d 100644 --- a/aide.conf +++ b/aide.conf 
@@ -111,31 +111,29 @@ report_url=stdout # Use 'aide --version' to list the default compound groups. # You can create custom rules like this. -# With MHASH... -# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 -ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger -# Everything but access time (Ie. all changes) +# Note: Removed deprecated/removed hashsums (tiger, haval, crc32, crc32b, whirlpool, md5, sha1, rmd160, gost) +ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512 +# Everything but access time (Ie. all changes) - updated with modern hashsums EVERYTHING = R+ALLXTRAHASHES -# Sane, with multiple hashes -# NORMAL = R+rmd160+sha256+whirlpool -NORMAL = FIPSR+sha512 +# Base + sha512 (strong) +NORMAL = R+sha512 -# For directories, don't bother doing hashes -DIR = p+i+n+u+g+acl+selinux+xattrs +# Content only - added file type and strong hash +CONTENT = ftype+sha512 -# Access control only -PERMS = p+i+u+g+acl+selinux +# For directories, don't bother doing hashes - added file type and link name +DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs + +# Access control only - added file type and link name +PERMS = ftype+p+i+l+u+g+acl+selinux # Logfile are special, in that they often change LOG = > -# Just do sha256 and sha512 hashes -LSPP = FIPSR+sha512 - # Some files get updated automatically, so the inode/ctime/mtime change -# but we want to know when the data inside them changes -DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 +# but we want to know when the data inside them changes - updated with modern hash +DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 # Next decide what directories/files you want in the database. 
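Review bot: The comment on `DATAONLY` now says "updated with modern hash", but the hashsum is the same `sha256` as in the removed line — only `ftype` and `l` were added — so `# but we want to know when the data inside them changes - added file type and link name` would describe the change actually made (on `EVERYTHING` the same wording is accurate). With `NORMAL = R+sha512` and the header notes above stating that `R` already carries `sha3_256`, every NORMAL file is hashed twice; if that is intended as defence in depth, a short comment saying so stops someone from "optimising" one of them away later. `CONTENT = ftype+sha512` deliberately carries no owner or mode, which is fine for `/opt` but worth bearing in mind wherever the group is reused.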
@@ -144,124 +142,215 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 /sbin NORMAL /lib NORMAL /lib64 NORMAL -/opt NORMAL +# Monitor /opt selectively to avoid noise from auto-updating applications +/opt CONTENT /usr NORMAL -/root NORMAL # These are too volatile !/usr/src !/usr/tmp +/root NORMAL +# Admins dot files constantly change, just check perms +/root/\..* PERMS +!/root/.xauth* + # Check only permissions, inode, user and group for /etc, but # cover some important files closely. /etc PERMS !/etc/mtab # Ignore backup files !/etc/.*~ -/etc/exports NORMAL -/etc/fstab NORMAL -/etc/passwd NORMAL -/etc/group NORMAL -/etc/gshadow NORMAL -/etc/shadow NORMAL -/etc/security/opasswd NORMAL -/etc/hosts.allow NORMAL -/etc/hosts.deny NORMAL +# trusted databases +/etc/hosts$ NORMAL +/etc/host.conf$ NORMAL +/etc/hostname$ NORMAL +/etc/issue$ NORMAL +/etc/issue.net$ NORMAL +/etc/protocols$ NORMAL +/etc/services$ NORMAL +/etc/localtime$ NORMAL +/etc/alternatives NORMAL +/etc/mime.types$ NORMAL +/etc/terminfo NORMAL +/etc/exports$ NORMAL +/etc/fstab$ NORMAL +/etc/passwd$ NORMAL +/etc/group$ NORMAL +/etc/gshadow$ NORMAL +/etc/shadow$ NORMAL +/etc/subgid$ NORMAL +/etc/subuid$ NORMAL +/etc/skel NORMAL +/etc/sssd NORMAL +/etc/swid NORMAL +/etc/system-release-cpe$ NORMAL +/etc/tmux.conf$ NORMAL +/etc/xattr.conf$ NORMAL -/etc/sudoers NORMAL -/etc/skel NORMAL +# networking +/etc/firewalld NORMAL +!/etc/NetworkManager/system-connections +/etc/NetworkManager NORMAL +/etc/networks$ NORMAL +/etc/dhcp NORMAL +/etc/wpa_supplicant NORMAL +/etc/resolv.conf$ DATAONLY +/etc/nscd.conf$ NORMAL -/etc/logrotate.d NORMAL - -/etc/resolv.conf DATAONLY - -/etc/nscd.conf NORMAL -/etc/securetty NORMAL +# logins and accounts +/etc/login.defs$ NORMAL +/etc/libuser.conf$ NORMAL +/var/log/faillog$ PERMS +/var/log/lastlog$ PERMS +/var/run/faillock PERMS +/etc/pam.d NORMAL +/etc/security NORMAL +/etc/securetty$ NORMAL +/etc/polkit-1 NORMAL +/etc/sudo.conf$ NORMAL +/etc/sudoers$ NORMAL +/etc/sudoers.d NORMAL # 
Shell/X starting files -/etc/profile NORMAL -/etc/bashrc NORMAL -/etc/bash_completion.d/ NORMAL -/etc/login.defs NORMAL -/etc/zprofile NORMAL -/etc/zshrc NORMAL -/etc/zlogin NORMAL -/etc/zlogout NORMAL -/etc/profile.d/ NORMAL -/etc/X11/ NORMAL +/etc/profile$ NORMAL +/etc/profile.d NORMAL +/etc/bashrc$ NORMAL +/etc/bash_completion.d NORMAL +/etc/zprofile$ NORMAL +/etc/zshrc$ NORMAL +/etc/zlogin$ NORMAL +/etc/zlogout$ NORMAL +/etc/X11 NORMAL +/etc/shells$ NORMAL # Pkg manager -/etc/yum.conf NORMAL -/etc/yumex.conf NORMAL -/etc/yumex.profiles.conf NORMAL -/etc/yum/ NORMAL -/etc/yum.repos.d/ NORMAL +/etc/dnf NORMAL +/etc/yum.repos.d NORMAL -/var/log LOG +# auditing +# AIDE produces an audit record, so this becomes perpetual motion. +/var/log/audit PERMS +/etc/audit NORMAL +/etc/libaudit.conf$ NORMAL +/etc/aide.conf$ NORMAL + +# System logs +/etc/rsyslog.conf$ NORMAL +/etc/rsyslog.d NORMAL +/etc/logrotate.conf$ NORMAL +/etc/logrotate.d NORMAL +/etc/systemd/journald.conf$ NORMAL +/var/log LOG+ANF+ARF /var/run/utmp LOG + +# secrets +/etc/pkcs11 NORMAL +/etc/pki NORMAL +/etc/ssl NORMAL +/etc/certmonger NORMAL +/var/lib/systemd/random-seed$ PERMS + +# init system +/etc/systemd NORMAL +/etc/sysconfig NORMAL +/etc/rc.d NORMAL +/etc/tmpfiles.d NORMAL +/etc/machine-id$ NORMAL + +# boot config +/etc/default NORMAL +/etc/grub.d NORMAL +/etc/grub2.cfg$ NORMAL +/etc/dracut.conf$ NORMAL +/etc/dracut.conf.d NORMAL + +# glibc linker +/etc/ld.so.cache$ NORMAL +/etc/ld.so.conf$ NORMAL +/etc/ld.so.conf.d NORMAL +/etc/ld.so.preload$ NORMAL + +# kernel config +/etc/sysctl.conf$ NORMAL +/etc/sysctl.d NORMAL +/etc/modprobe.d NORMAL +/etc/modules-load.d NORMAL +/etc/depmod.d NORMAL +/etc/udev NORMAL +/etc/crypttab$ NORMAL + +#### Daemons #### + +# cron jobs +/var/spool/at CONTENT +/etc/at.allow$ CONTENT +/etc/at.deny$ CONTENT +/etc/anacrontab$ NORMAL +/etc/cron.allow$ NORMAL +/etc/cron.deny$ NORMAL +/etc/cron.d NORMAL +/etc/cron.daily NORMAL +/etc/cron.hourly NORMAL +/etc/cron.monthly NORMAL 
+/etc/cron.weekly NORMAL +/etc/crontab$ NORMAL +/var/spool/cron/root CONTENT + +# time keeping +/etc/ntp.conf$ NORMAL +/etc/ntp NORMAL +/etc/chrony.conf$ NORMAL +/etc/chrony.keys$ NORMAL + +# mail +/etc/aliases$ NORMAL +/etc/aliases.db$ NORMAL +/etc/postfix NORMAL + +# ssh +/etc/ssh/sshd_config$ NORMAL +/etc/ssh/ssh_config$ NORMAL + +# stunnel +/etc/stunnel NORMAL + +# ftp +/etc/vsftpd CONTENT + +# printing +/etc/cups NORMAL +/etc/cupshelpers NORMAL +/etc/avahi NORMAL + +# web server +/etc/httpd NORMAL + +# dns +/etc/named NORMAL +/etc/named.conf$ NORMAL +/etc/named.iscdlv.key$ NORMAL +/etc/named.rfc1912.zones$ NORMAL +/etc/named.root.key$ NORMAL + +# xinetd +/etc/xinetd.conf$ NORMAL +/etc/xinetd.d NORMAL + +# IPsec +/etc/ipsec.conf$ NORMAL +/etc/ipsec.secrets$ NORMAL +/etc/ipsec.d NORMAL + +# USBGuard +/etc/usbguard NORMAL + # This gets new/removes-old filenames daily !/var/log/sa # As we are checking it, we've truncated yesterdays size to zero. !/var/log/aide.log -# LSPP rules... -# AIDE produces an audit record, so this becomes perpetual motion. 
-# /var/log/audit/ LSPP -/etc/audit/ LSPP -/etc/libaudit.conf LSPP -/usr/sbin/stunnel LSPP -/var/spool/at LSPP -/etc/at.allow LSPP -/etc/at.deny LSPP -/etc/cron.allow LSPP -/etc/cron.deny LSPP -/etc/cron.d/ LSPP -/etc/cron.daily/ LSPP -/etc/cron.hourly/ LSPP -/etc/cron.monthly/ LSPP -/etc/cron.weekly/ LSPP -/etc/crontab LSPP -/var/spool/cron/root LSPP - -/etc/login.defs LSPP -/etc/securetty LSPP -/var/log/faillog LSPP -/var/log/lastlog LSPP - -/etc/hosts LSPP -/etc/sysconfig LSPP - -/etc/inittab LSPP -/etc/grub/ LSPP -/etc/rc.d LSPP - -/etc/ld.so.conf LSPP - -/etc/localtime LSPP - -/etc/sysctl.conf LSPP - -/etc/modprobe.conf LSPP - -/etc/pam.d LSPP -/etc/security LSPP -/etc/aliases LSPP -/etc/postfix LSPP - -/etc/ssh/sshd_config LSPP -/etc/ssh/ssh_config LSPP - -/etc/stunnel LSPP - -/etc/vsftpd.ftpusers LSPP -/etc/vsftpd LSPP - -/etc/issue LSPP -/etc/issue.net LSPP - -/etc/cups LSPP - # With AIDE's default verbosity level of 5, these would give lots of # warnings upon tree traversal. It might change with future version. # @@ -269,7 +358,4 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 #=/home DIR # Ditto /var/log/sa reason... -!/var/log/and-httpd - -# Admins dot files constantly change, just check perms -/root/\..* PERMS +!/var/log/httpd \ No newline at end of file From 8a1c97dba18c69ab61d4de8bacc5c915a65aab0c Mon Sep 17 00:00:00 2001 From: Cropi Date: Wed, 17 Sep 2025 11:26:30 +0200 Subject: [PATCH 11/22] Replace ntp with chrony config files --- aide.conf | 2 -- 1 file changed, 2 deletions(-) diff --git a/aide.conf b/aide.conf index 5953f6d..799961f 100644 --- a/aide.conf +++ b/aide.conf @@ -299,8 +299,6 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 /var/spool/cron/root CONTENT # time keeping -/etc/ntp.conf$ NORMAL -/etc/ntp NORMAL /etc/chrony.conf$ NORMAL /etc/chrony.keys$ NORMAL From 9566357ccc7dbebd709f0005b241bfaae1e5024f Mon Sep 17 00:00:00 2001 
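Review bot: `/etc/ssh/sshd_config$ NORMAL` and `/etc/ssh/ssh_config$ NORMAL` anchor on the file names, so the `sshd_config.d`/`ssh_config.d` drop-in directories that current Fedora's sshd_config includes fall back to the catch-all `/etc PERMS` and get no content hash; a directory rule `/etc/ssh NORMAL` (which also covers the host keys) closes that gap. `!/etc/NetworkManager/system-connections` switches off all monitoring of the directory holding network credentials — presumably because NetworkManager rewrites the profiles — whereas `/etc/NetworkManager/system-connections PERMS` would keep ownership and mode drift visible without the content noise. `/etc/at.allow$` and `/etc/at.deny$` get `CONTENT` (no mode, owner or group) while `/etc/cron.allow$` and `/etc/cron.deny$` get `NORMAL`; the two pairs serve the same purpose and should use the same group. The file is also left without a trailing newline (`\ No newline at end of file`).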
From: Cropi Date: Wed, 17 Sep 2025 11:29:15 +0200 Subject: [PATCH 12/22] Remove deprecated config file /etc/nscd.conf https://fedoraproject.org/wiki/Changes/RemoveNSCD --- aide.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/aide.conf b/aide.conf index 799961f..e698ac6 100644 --- a/aide.conf +++ b/aide.conf @@ -196,7 +196,6 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 /etc/dhcp NORMAL /etc/wpa_supplicant NORMAL /etc/resolv.conf$ DATAONLY -/etc/nscd.conf$ NORMAL # logins and accounts /etc/login.defs$ NORMAL From d25ee9c7642ff575917aedbc5f977fdeff047ac8 Mon Sep 17 00:00:00 2001 From: Cropi Date: Mon, 22 Sep 2025 16:19:04 +0200 Subject: [PATCH 13/22] Adjust /var/log/journal monitoring in default config file By default, log files are expected to grow but persistent journal files are not handled correctly. The persistent journal is stored in /var/log/journal, hence fall into LOG rule.Unfortunately since some version of Fedora, the journal files get an extended attribute user.crtime_usec which updates when the file rotates. Make sure to leave this out from the report. --- aide.conf | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/aide.conf b/aide.conf index e698ac6..da4cbb5 100644 --- a/aide.conf +++ b/aide.conf @@ -128,8 +128,10 @@ DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs # Access control only - added file type and link name PERMS = ftype+p+i+l+u+g+acl+selinux -# Logfile are special, in that they often change -LOG = > +# Logfiles are special, in that they often change +# Don't track inodes (-i) since log rotation creates new files with different inodes +# Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques +LOG = >+ANF+ARF-i # Some files get updated automatically, so the inode/ctime/mtime change # but we want to know when the data inside them changes - updated with modern hash 
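Review bot: `LOG = >+ANF+ARF-i` puts `ARF` on the group that the second hunk applies to the whole tree via `/var/log LOG`, so a log file that disappears is never reported — that silences rotated-away copies, but equally the live files (e.g. `/var/log/secure`, `/var/log/messages`), whose removal is exactly what an integrity check on logs should surface. Keeping `ARF` off the base group (`LOG = >+ANF-i`) and granting it only to dateext-rotated names, e.g. `/var/log/.*-[0-9]{8}(\.gz)?$ LOG+ARF`, preserves that signal, subject to how AIDE resolves overlapping selection lines. The explanatory comments added above the rule are welcome; the `-i` rationale is clear.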
@@ -234,13 +236,18 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 /etc/libaudit.conf$ NORMAL /etc/aide.conf$ NORMAL -# System logs +# System logs with proper logrotate handling /etc/rsyslog.conf$ NORMAL /etc/rsyslog.d NORMAL /etc/logrotate.conf$ NORMAL /etc/logrotate.d NORMAL /etc/systemd/journald.conf$ NORMAL -/var/log LOG+ANF+ARF + +# Log directory +/var/log LOG +# Journal files - exclude xattrs due to systemd journal's user.crtime_usec extended attribute changes +/var/log/journal LOG-xattrs + /var/run/utmp LOG From c9baefb29993343e1dc03a55663aac2f518d902f Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 23 Sep 2025 08:46:09 +0200 Subject: [PATCH 14/22] Add .rpmlintrc file --- aide.rpmlintrc | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 aide.rpmlintrc diff --git a/aide.rpmlintrc b/aide.rpmlintrc new file mode 100644 index 0000000..67d2667 --- /dev/null +++ b/aide.rpmlintrc @@ -0,0 +1,15 @@ +# RPMlint configuration for aide package +# These warnings are expected and intentional for security reasons + +# AIDE log directory has restricted permissions (700) for security +# Log files may contain sensitive security information +addFilter("aide.* non-standard-dir-perm /var/log/aide 700") + +# AIDE configuration file has restricted permissions (600) for security +# Configuration reveals what files/directories are monitored +addFilter("aide.* non-readable /etc/aide.conf 600") + +# FSF address in COPYING file is outdated - this is an upstream issue +# The license text contains the old FSF address format +addFilter("aide.* incorrect-fsf-address /usr/share/licenses/aide/COPYING") + From 32855bb23585027061c8b289466e796eb662ce82 Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 23 Sep 2025 11:08:10 +0200 Subject: [PATCH 15/22] Update LOG in config file --- aide.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/aide.conf b/aide.conf index da4cbb5..bf7e66b 100644 --- a/aide.conf +++ b/aide.conf 
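Review bot: The three `addFilter("aide.* …")` patterns are unanchored regular expressions, so `aide.*` also matches other packages whose name starts with `aide` and lets `.*` span arbitrary text between the name and the check; if rpmlint applies these with a regex search, as the legacy Python-style rpmlintrc does, anchoring the package name (e.g. `addFilter("^aide[.:].*non-standard-dir-perm /var/log/aide 700")`) keeps each filter tied to the one message it documents. The filters are also not linked to the spec: if the mode of `/var/log/aide` or `/etc/aide.conf` changes later, these lines keep silencing a warning that no longer exists, so a comment naming the `%files` entries they correspond to would help. The FSF-address note already says it is an upstream issue, which is good; once reported, the upstream reference belongs next to it.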
@@ -130,8 +130,9 @@ PERMS = ftype+p+i+l+u+g+acl+selinux # Logfiles are special, in that they often change # Don't track inodes (-i) since log rotation creates new files with different inodes +# Don't track size (-s) since log rotation causes size decreases that we don't care about # Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques -LOG = >+ANF+ARF-i +LOG = >+ANF+ARF-i-s # Some files get updated automatically, so the inode/ctime/mtime change # but we want to know when the data inside them changes - updated with modern hash From 2ed6802a1a5f0554427a3e18d0f1cf453b310041 Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 23 Sep 2025 11:51:37 +0200 Subject: [PATCH 16/22] Do not include mtime/ctime in regular files --- aide.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aide.conf b/aide.conf index bf7e66b..c8ed75d 100644 --- a/aide.conf +++ b/aide.conf @@ -117,7 +117,7 @@ ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512 EVERYTHING = R+ALLXTRAHASHES # Base + sha512 (strong) -NORMAL = R+sha512 +NORMAL = R+sha512-m-c # Content only - added file type and strong hash CONTENT = ftype+sha512 From 5634fe32368d43da2a5aec91fa7691cae1048e05 Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 23 Sep 2025 12:17:43 +0200 Subject: [PATCH 17/22] Adjust ordering of /root files --- aide.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aide.conf b/aide.conf index c8ed75d..5ea17ef 100644 --- a/aide.conf +++ b/aide.conf @@ -152,10 +152,10 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 !/usr/src !/usr/tmp -/root NORMAL # Admins dot files constantly change, just check perms /root/\..* PERMS !/root/.xauth* +/root NORMAL # Check only permissions, inode, user and group for /etc, but # cover some important files closely. From 307529a5874a6219b5b513d32eeac5c7d919aea1 Mon Sep 17 00:00:00 2001 
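Review bot: `NORMAL = R+sha512-m-c` drops ctime as well as mtime for every NORMAL path (binaries under /sbin, /lib and /usr, and the trusted databases in /etc), and neither the commit message nor the unchanged comment `# Base + sha512 (strong)` says why. Removing mtime is defensible — it is set by userspace and churns on package updates — but ctime is maintained by the kernel and is the one timestamp that an in-place metadata change cannot avoid updating, so it is worth keeping (`NORMAL = R+sha512-m`) or at least recording the trade-off in the comment, e.g. `# -m-c: timestamps dropped because package updates touch them without content changes — confirm`. The content hash still catches any data change, so what is lost is only the "touched but unchanged" signal; that should be a conscious choice.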
From: Cropi Date: Tue, 23 Sep 2025 14:59:21 +0200 Subject: [PATCH 18/22] Do not monitor acl on /var/log/journal --- aide.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aide.conf b/aide.conf index 5ea17ef..da9d00d 100644 --- a/aide.conf +++ b/aide.conf @@ -247,7 +247,7 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 # Log directory /var/log LOG # Journal files - exclude xattrs due to systemd journal's user.crtime_usec extended attribute changes -/var/log/journal LOG-xattrs +/var/log/journal LOG-xattrs-acl /var/run/utmp LOG From 8479fabb2f09bb8aace92132692fc616aa3e039f Mon Sep 17 00:00:00 2001 From: Cropi Date: Wed, 24 Sep 2025 08:16:59 +0200 Subject: [PATCH 19/22] Accomodate for constantly changing log files Many log files constantly change, especially if those are rotated. Many of those files have changing xattrs, e2fsattrs, caps and acl(s). So let's not monitor them, unless there will be many false positives. --- aide.conf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/aide.conf b/aide.conf index da9d00d..8524225 100644 --- a/aide.conf +++ b/aide.conf 
@@ -128,11 +128,11 @@ DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs # Access control only - added file type and link name PERMS = ftype+p+i+l+u+g+acl+selinux -# Logfiles are special, in that they often change -# Don't track inodes (-i) since log rotation creates new files with different inodes -# Don't track size (-s) since log rotation causes size decreases that we don't care about +# Logfiles are special, in that they often change due to log rotation +# Track only: permissions, file type, user, group, number of links, SELinux context, extended attributes # Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques -LOG = >+ANF+ARF-i-s +# Don't track: size, inodes, timestamps, checksums and some special attributes (these change frequently with log rotation) +LOG = p+ftype+u+g+n+ANF+ARF+selinux+xattrs # Some files get updated automatically, so the inode/ctime/mtime change # but we want to know when the data inside them changes - updated with modern hash @@ -247,7 +247,7 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 # Log directory /var/log LOG # Journal files - exclude xattrs due to systemd journal's user.crtime_usec extended attribute changes -/var/log/journal LOG-xattrs-acl +/var/log/journal LOG-xattrs /var/run/utmp LOG From c4ba6e2926d7a55448a3f619b2a73d7ad6bf220e Mon Sep 17 00:00:00 2001 From: Cropi Date: Thu, 9 Oct 2025 09:42:32 +0200 Subject: [PATCH 20/22] Add explanatory comment for /boot/grub2/grubenv exclusion Document why /boot/grub2/grubenv is excluded from AIDE monitoring. The file's timestamp gets modified continuously due to the "boot_success" implementation, which would cause unnecessary noise in security monitoring reports. Do not monitor link count in /var/log/journal --- aide.conf | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/aide.conf b/aide.conf index 8524225..0ec4c0c 100644 --- a/aide.conf +++ b/aide.conf 
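Review bot: The new `LOG = p+ftype+u+g+n+ANF+ARF+selinux+xattrs` carries no `s`, no `growing` and no hashsum, so a log file that is emptied or rewritten in place looks identical to an untouched one; together with `ARF` (removal ignored), `/var/log LOG` now reports only owner, mode, label and xattr drift. If the rotation noise came from the rotated copies, keeping `growing+s` on the live files — e.g. `/var/log/(secure|messages|cron)$ LOG+growing+s` — preserves the truncation signal while the general rule stays quiet. The "Track only: …" comment matches the attribute string, which is good, and the second hunk's `/var/log/journal LOG-xattrs` now subtracts an attribute this rule actually adds, so that pair is consistent too.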
@@ -246,8 +246,9 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 # Log directory /var/log LOG -# Journal files - exclude xattrs due to systemd journal's user.crtime_usec extended attribute changes -/var/log/journal LOG-xattrs +# Journal files - exclude xattrs and link count due to systemd journal's user.crtime_usec extended attribute changes and new directory creation +/var/log/journal LOG-xattrs-n + /var/run/utmp LOG @@ -363,4 +364,7 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 #=/home DIR # Ditto /var/log/sa reason... -!/var/log/httpd \ No newline at end of file +!/var/log/httpd +# /boot/grub2/grubenv's timestamp is getting modified continuously due to "boot_success" implementation +!/boot/grub2/grubenv + From 9a67d750d4f88a2eebd7f6e944e25f6de0bf2d4b Mon Sep 17 00:00:00 2001 From: Cropi Date: Thu, 16 Oct 2025 09:46:00 +0200 Subject: [PATCH 21/22] Adjust default config to avoid false positives in /etc --- aide.conf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/aide.conf b/aide.conf index 0ec4c0c..56ba1da 100644 --- a/aide.conf +++ b/aide.conf @@ -126,7 +126,7 @@ CONTENT = ftype+sha512 DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs # Access control only - added file type and link name -PERMS = ftype+p+i+l+u+g+acl+selinux +PERMS = ftype+p+u+g+acl+selinux+xattrs # Logfiles are special, in that they often change due to log rotation # Track only: permissions, file type, user, group, number of links, SELinux context, extended attributes @@ -159,7 +159,6 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 # Check only permissions, inode, user and group for /etc, but # cover some important files closely. -/etc PERMS !/etc/mtab # Ignore backup files !/etc/.*~ @@ -352,6 +351,9 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 # USBGuard /etc/usbguard NORMAL +# Now everything else +/etc PERMS + # This gets new/removes-old filenames daily !/var/log/sa # As we are checking it, we've truncated yesterdays size to zero. 
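Review bot: `!/boot/grub2/grubenv` removes the file from the database entirely, so a change of its owner, mode or SELinux label also goes unreported; the stated problem is the continuously updated timestamp (and presumably the boot_success state written into the file), both of which `/boot/grub2/grubenv$ PERMS` would already ignore while keeping the access-control attributes. Whether /boot has a covering rule at all is outside this hunk, so please confirm the line matters in context. If the `!` is kept, extending the comment with `(content and timestamps change on every boot; access control is not monitored either)` makes the trade-off explicit.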
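Review bot: `PERMS = ftype+p+u+g+acl+selinux+xattrs` drops `i` and `l`, but the context comment above it, `# Access control only - added file type and link name`, still advertises the link name, and the `/etc` block header `# Check only permissions, inode, user and group for /etc` still mentions the inode after both the attribute and the `/etc PERMS` line it described have moved away; both should follow the code, e.g. `# Access control only (file type, mode, owner, group, ACL, SELinux label, xattrs)`. Moving `/etc PERMS` below every specific `/etc/...` rule only has the intended effect under AIDE's precedence rule for overlapping selection lines, so the new `# Now everything else` comment should state which match wins (first or last) before a future tidy-up reorders it back. The commit message explains the false positives only in general terms; naming the attribute that fired would help later readers judge whether dropping `i` and `l` was the right fix.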
From 3b76bcd11a6bf80bfcfb0904ee45de2e3d9e79b6 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 16 Jan 2026 03:31:38 +0000 Subject: [PATCH 22/22] Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild