From 5b3470d6766d5c4e4efc9cd3d7e7197f7915771d Mon Sep 17 00:00:00 2001 From: Cropi Date: Thu, 7 Aug 2025 10:32:01 +0200 Subject: [PATCH 01/16] aide.conf: update custom rules --- aide.conf | 112 ++++++++++++++++++++++++++---------------------------- 1 file changed, 54 insertions(+), 58 deletions(-) diff --git a/aide.conf b/aide.conf index 2deaa1b..773a80a 100644 --- a/aide.conf +++ b/aide.conf 
@@ -111,31 +111,27 @@ report_url=stdout # Use 'aide --version' to list the default compound groups. # You can create custom rules like this. -# With MHASH... -# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 -ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger -# Everything but access time (Ie. all changes) +# Note: Removed deprecated/removed hashsums (tiger, haval, crc32, crc32b, whirlpool, md5, sha1, rmd160, gost) +# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32+crc32b (old with deprecated/removed) +ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512 +# Everything but access time (Ie. all changes) - updated with modern hashsums EVERYTHING = R+ALLXTRAHASHES -# Sane, with multiple hashes -# NORMAL = R+rmd160+sha256+whirlpool -NORMAL = FIPSR+sha512 +# Base + extended attributes + selinux + acl + file capabilities with multiple modern hashes +NORMAL = R+xattrs+selinux+acl+e2fsattrs+caps+sha512+sha3_512 -# For directories, don't bother doing hashes -DIR = p+i+n+u+g+acl+selinux+xattrs +# For directories, don't bother doing hashes - added file type and link name +DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs -# Access control only -PERMS = p+i+u+g+acl+selinux +# Access control only - added file type and link name +PERMS = ftype+p+i+l+u+g+acl+selinux # Logfile are special, in that they often change LOG = > -# Just do sha256 and sha512 hashes -LSPP = FIPSR+sha512 - # Some files get updated automatically, so the inode/ctime/mtime change -# but we want to know when the data inside them changes -DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 +# but we want to know when the data inside them changes - updated with modern hash +DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256 # Next decide what directories/files you want in the database. @@ -147,6 +143,7 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 /opt NORMAL /usr NORMAL /root NORMAL + # These are too volatile !/usr/src !/usr/tmp 
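Review bot: `DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256` names the checksum `sha_256`, which is not the spelling used anywhere else in this hunk (`ALLXTRAHASHES` and the removed `DATAONLY` line both say `sha256`), so this is presumably a typo that AIDE will reject at config parse time — run `aide --config-check` before shipping. Fix: `DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256`. The `sha3_*`/`stribog*` names added to `ALLXTRAHASHES` and the `sha3_512` in `NORMAL` are only valid if this AIDE build was compiled with those algorithms; the file already advises `aide --version`, so a one-line comment recording that the list was checked against the Fedora build would keep the next editor from trusting it blindly.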
@@ -205,62 +202,61 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 # As we are checking it, we've truncated yesterdays size to zero. !/var/log/aide.log -# LSPP rules... # AIDE produces an audit record, so this becomes perpetual motion. -# /var/log/audit/ LSPP -/etc/audit/ LSPP -/etc/libaudit.conf LSPP -/usr/sbin/stunnel LSPP -/var/spool/at LSPP -/etc/at.allow LSPP -/etc/at.deny LSPP -/etc/cron.allow LSPP -/etc/cron.deny LSPP -/etc/cron.d/ LSPP -/etc/cron.daily/ LSPP -/etc/cron.hourly/ LSPP -/etc/cron.monthly/ LSPP -/etc/cron.weekly/ LSPP -/etc/crontab LSPP -/var/spool/cron/root LSPP +# /var/log/audit/ NORMAL +/etc/audit/ NORMAL +/etc/libaudit.conf NORMAL +/usr/sbin/stunnel NORMAL +/var/spool/at NORMAL +/etc/at.allow NORMAL +/etc/at.deny NORMAL +/etc/cron.allow NORMAL +/etc/cron.deny NORMAL +/etc/cron.d/ NORMAL +/etc/cron.daily/ NORMAL +/etc/cron.hourly/ NORMAL +/etc/cron.monthly/ NORMAL +/etc/cron.weekly/ NORMAL +/etc/crontab NORMAL +/var/spool/cron/root NORMAL -/etc/login.defs LSPP -/etc/securetty LSPP -/var/log/faillog LSPP -/var/log/lastlog LSPP +/etc/login.defs NORMAL +/etc/securetty NORMAL +/var/log/faillog NORMAL +/var/log/lastlog NORMAL -/etc/hosts LSPP -/etc/sysconfig LSPP +/etc/hosts NORMAL +/etc/sysconfig NORMAL -/etc/inittab LSPP -/etc/grub/ LSPP -/etc/rc.d LSPP +/etc/inittab NORMAL +/etc/grub/ NORMAL +/etc/rc.d NORMAL -/etc/ld.so.conf LSPP +/etc/ld.so.conf NORMAL -/etc/localtime LSPP +/etc/localtime NORMAL -/etc/sysctl.conf LSPP +/etc/sysctl.conf NORMAL -/etc/modprobe.conf LSPP +/etc/modprobe.conf NORMAL -/etc/pam.d LSPP -/etc/security LSPP -/etc/aliases LSPP -/etc/postfix LSPP +/etc/pam.d NORMAL +/etc/security NORMAL +/etc/aliases NORMAL +/etc/postfix NORMAL -/etc/ssh/sshd_config LSPP -/etc/ssh/ssh_config LSPP +/etc/ssh/sshd_config NORMAL +/etc/ssh/ssh_config NORMAL -/etc/stunnel LSPP +/etc/stunnel NORMAL -/etc/vsftpd.ftpusers LSPP -/etc/vsftpd LSPP +/etc/vsftpd.ftpusers NORMAL +/etc/vsftpd NORMAL -/etc/issue LSPP -/etc/issue.net LSPP +/etc/issue 
NORMAL +/etc/issue.net NORMAL -/etc/cups LSPP +/etc/cups NORMAL # With AIDE's default verbosity level of 5, these would give lots of # warnings upon tree traversal. It might change with future version. From 7aad76e824e38aa8e4ce3ed520f3ce841e69d1af Mon Sep 17 00:00:00 2001 From: Cropi Date: Wed, 20 Aug 2025 08:33:36 +0200 Subject: [PATCH 02/16] Rebase to 0.19.2 Resolves: rhbz#2389391 Resolves: rhbz#2389389 CVE-2025-54389 CVE-2025-54409 --- .gitignore | 2 ++ aide.spec | 2 +- sources | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 3d07290..ce1812d 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,5 @@ aide-0.14.tar.gz.asc /aide-0.18.8.tar.gz.asc /aide-0.19.1.tar.gz /aide-0.19.1.tar.gz.asc +/aide-0.19.2.tar.gz +/aide-0.19.2.tar.gz.asc diff --git a/aide.spec b/aide.spec index 9bd36bf..7b1c7a4 100644 --- a/aide.spec +++ b/aide.spec @@ -1,6 +1,6 @@ Summary: Intrusion detection environment Name: aide -Version: 0.19.1 +Version: 0.19.2 Release: %autorelease URL: https://github.com/aide/aide License: GPL-2.0-or-later diff --git a/sources b/sources index d46f6aa..0b47fd8 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (aide-0.19.1.tar.gz) = 5f345458acdc79072b8293ea19a6846f2f7ab2eca36729ff1dc6fe06595a40f46af5aac57c8b02b4d144a4ad649b2a1d7f8e3bb216f0fa3d48a7023abf0029b1 -SHA512 (aide-0.19.1.tar.gz.asc) = d5bb3b8ec7dec229a01ae2e2588cc64caf9eaf2e9a71593c2d43662eb25f0afca9d955de7eeba13ca10dbe09f5b66e3b653ab018aa4c16f0531c368335b5e6de +SHA512 (aide-0.19.2.tar.gz) = 08506c2302e34794fa08a27caaa1e714ba736d46351c577234f2c3d2623ea82b243b3318061a369a46d6961a782f42fbb8edd42d1d4de6949e7fc30c87865830 +SHA512 (aide-0.19.2.tar.gz.asc) = ebc04f22a49ec6b378dca4930574edcd46919281297bc1d5e09f5839a6fab3a38762462b7d852a82b7045313f9c24208bfff49a561d8afd04e9116be7096169a From 88698a013b48979013c3daab447fae179331835b Mon Sep 17 00:00:00 2001 
From: Cropi Date: Mon, 8 Sep 2025 10:37:47 +0200 Subject: [PATCH 03/16] Refactor aide.conf --- aide.conf | 252 +++++++++++++++++++++++++++++++++++------------------- 1 file changed, 162 insertions(+), 90 deletions(-) diff --git a/aide.conf b/aide.conf index 773a80a..7090a46 100644 --- a/aide.conf +++ b/aide.conf @@ -117,8 +117,10 @@ ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512 # Everything but access time (Ie. all changes) - updated with modern hashsums EVERYTHING = R+ALLXTRAHASHES -# Base + extended attributes + selinux + acl + file capabilities with multiple modern hashes -NORMAL = R+xattrs+selinux+acl+e2fsattrs+caps+sha512+sha3_512 +# Base + sha512 (strong) +NORMAL = R+sha512 + +CONTENT = ftype+sha256 # For directories, don't bother doing hashes - added file type and link name DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs 
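Review bot: `NORMAL = R+sha512` drops the explicit `xattrs+selinux+acl+e2fsattrs+caps` the removed line carried, so whether those attributes are still compared on everything under `/usr`, `/bin` and `/etc` now rests entirely on what the `R` compound group expands to on this AIDE build; if `R` lacks `caps`, a file capability planted on a binary (`setcap cap_setuid+ep`) is no longer reported. Check the expansion with `aide --version`, as the file's own comment suggests, and if anything is missing make it explicit: `NORMAL = R+xattrs+selinux+acl+e2fsattrs+caps+sha512`. `CONTENT = ftype+sha256` is added without a comment although it omits mode and ownership entirely; a line such as `# Content only: mode/owner deliberately not tracked` above it would make that trade-off visible where it is defined.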
@@ -135,128 +137,201 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256 # Next decide what directories/files you want in the database. -/boot NORMAL -/bin NORMAL -/sbin NORMAL -/lib NORMAL -/lib64 NORMAL -/opt NORMAL -/usr NORMAL -/root NORMAL - +/boot/ NORMAL +/bin/ NORMAL +/sbin/ NORMAL +/lib/ NORMAL +/lib64/ NORMAL +# Monitor /opt selectively to avoid noise from auto-updating applications +/opt/ CONTENT +/usr/ NORMAL # These are too volatile !/usr/src !/usr/tmp +/root NORMAL +# Admins dot files constantly change, just check perms +/root/\..* PERMS + # Check only permissions, inode, user and group for /etc, but # cover some important files closely. /etc PERMS !/etc/mtab # Ignore backup files !/etc/.*~ -/etc/exports NORMAL -/etc/fstab NORMAL -/etc/passwd NORMAL -/etc/group NORMAL -/etc/gshadow NORMAL -/etc/shadow NORMAL -/etc/security/opasswd NORMAL -/etc/hosts.allow NORMAL -/etc/hosts.deny NORMAL +# trusted databases +/etc/hosts$ NORMAL +/etc/host.conf$ NORMAL +/etc/hostname$ NORMAL +/etc/issue$ NORMAL +/etc/issue.net$ NORMAL +/etc/protocols$ NORMAL +/etc/services$ NORMAL +/etc/localtime$ NORMAL +/etc/alternatives/ NORMAL +/etc/mime.types$ NORMAL +/etc/terminfo/ NORMAL +/etc/exports$ NORMAL +/etc/fstab$ NORMAL +/etc/passwd$ NORMAL +/etc/group$ NORMAL +/etc/gshadow$ NORMAL +/etc/shadow$ NORMAL +/etc/security/opasswd$ NORMAL +/etc/skel/ NORMAL -/etc/sudoers NORMAL -/etc/skel NORMAL +# networking +/etc/hosts.allow$ NORMAL +/etc/hosts.deny$ NORMAL +/etc/firewalld/ NORMAL +/etc/NetworkManager/ NORMAL +/etc/networks$ NORMAL +/etc/dhcp/ NORMAL +/etc/wpa_supplicant/ NORMAL +/etc/resolv.conf$ DATAONLY +/etc/nscd.conf$ NORMAL -/etc/logrotate.d NORMAL - -/etc/resolv.conf DATAONLY - -/etc/nscd.conf NORMAL -/etc/securetty NORMAL +# logins and accounts +/etc/login.defs$ NORMAL +/etc/libuser.conf$ NORMAL +/var/log/faillog$ PERMS +/var/log/lastlog$ PERMS +/var/run/faillock/ PERMS +/etc/pam.d/ NORMAL +/etc/security$ NORMAL +/etc/securetty$ NORMAL +/etc/polkit-1/ NORMAL 
+/etc/sudo.conf$ NORMAL +/etc/sudoers$ NORMAL +/etc/sudoers.d/ NORMAL # Shell/X starting files -/etc/profile NORMAL -/etc/bashrc NORMAL -/etc/bash_completion.d/ NORMAL -/etc/login.defs NORMAL -/etc/zprofile NORMAL -/etc/zshrc NORMAL -/etc/zlogin NORMAL -/etc/zlogout NORMAL +/etc/profile$ NORMAL /etc/profile.d/ NORMAL +/etc/bashrc$ NORMAL +/etc/bash_completion.d/ NORMAL +/etc/zprofile$ NORMAL +/etc/zshrc$ NORMAL +/etc/zlogin$ NORMAL +/etc/zlogout$ NORMAL /etc/X11/ NORMAL +/etc/shells$ NORMAL # Pkg manager -/etc/yum.conf NORMAL -/etc/yumex.conf NORMAL -/etc/yumex.profiles.conf NORMAL +/etc/yum.conf$ NORMAL /etc/yum/ NORMAL /etc/yum.repos.d/ NORMAL -/var/log LOG -/var/run/utmp LOG - -# This gets new/removes-old filenames daily -!/var/log/sa -# As we are checking it, we've truncated yesterdays size to zero. -!/var/log/aide.log - -# AIDE produces an audit record, so this becomes perpetual motion. -# /var/log/audit/ NORMAL /etc/audit/ NORMAL -/etc/libaudit.conf NORMAL -/usr/sbin/stunnel NORMAL -/var/spool/at NORMAL -/etc/at.allow NORMAL -/etc/at.deny NORMAL -/etc/cron.allow NORMAL -/etc/cron.deny NORMAL +/etc/audisp/ NORMAL +/etc/libaudit.conf$ NORMAL +/etc/aide.conf$ NORMAL + +# System logs +/etc/rsyslog.conf$ NORMAL +/etc/rsyslog.d/ NORMAL +/etc/logrotate.conf$ NORMAL +/etc/logrotate.d/ NORMAL +/var/log/ LOG+ANF+ARF +/var/run/utmp$ LOG + +# secrets +/etc/pkcs11/ NORMAL +/etc/pki/ NORMAL +/etc/ssl/ NORMAL +/etc/certmonger/ NORMAL + +# init system +/etc/systemd/ NORMAL +/etc/sysconfig/ NORMAL +/etc/rc.d/ NORMAL +/etc/tmpfiles.d/ NORMAL +/etc/machine-id$ NORMAL + +# boot config +/etc/grub.d/ NORMAL +/etc/grub2.cfg$ NORMAL +/etc/dracut.conf$ NORMAL +/etc/dracut.conf.d/ NORMAL + +# glibc linker +/etc/ld.so.cache$ NORMAL +/etc/ld.so.conf$ NORMAL +/etc/ld.so.conf.d/ NORMAL + +# kernel config +/etc/sysctl.conf$ NORMAL +/etc/sysctl.d/ NORMAL +/etc/modprobe.d/ NORMAL +/etc/modules-load.d/ NORMAL +/etc/depmod.d/ NORMAL +/etc/udev/ NORMAL +/etc/crypttab$ NORMAL + +#### Daemons 
#### + +# cron jobs +/var/spool/at/ CONTENT +/etc/at.allow$ CONTENT +/etc/at.deny$ CONTENT +/etc/cron.allow$ NORMAL +/etc/cron.deny$ NORMAL /etc/cron.d/ NORMAL /etc/cron.daily/ NORMAL /etc/cron.hourly/ NORMAL /etc/cron.monthly/ NORMAL /etc/cron.weekly/ NORMAL -/etc/crontab NORMAL -/var/spool/cron/root NORMAL +/etc/crontab$ NORMAL +/var/spool/cron/root/ CONTENT +/etc/anacrontab$ NORMAL -/etc/login.defs NORMAL -/etc/securetty NORMAL -/var/log/faillog NORMAL -/var/log/lastlog NORMAL +# time keeping +/etc/ntp.conf$ NORMAL +/etc/ntp/ NORMAL +/etc/chrony.conf$ NORMAL +/etc/chrony.keys$ NORMAL -/etc/hosts NORMAL -/etc/sysconfig NORMAL +# mail +/etc/aliases$ NORMAL +/etc/aliases.db$ NORMAL +/etc/postfix/ NORMAL +/etc/mail.rc$ NORMAL +/etc/mailcap$ NORMAL -/etc/inittab NORMAL -/etc/grub/ NORMAL -/etc/rc.d NORMAL +# ssh +/etc/ssh/sshd_config$ NORMAL +/etc/ssh/ssh_config$ NORMAL -/etc/ld.so.conf NORMAL +# stunnel +/etc/stunnel/ NORMAL -/etc/localtime NORMAL +# ftp +/etc/vsftpd.conf$ CONTENT +/etc/vsftpd/ CONTENT -/etc/sysctl.conf NORMAL +# printing +/etc/cups/ NORMAL +/etc/cupshelpers/ NORMAL +/etc/avahi/ NORMAL -/etc/modprobe.conf NORMAL +# web server +/etc/httpd/ NORMAL -/etc/pam.d NORMAL -/etc/security NORMAL -/etc/aliases NORMAL -/etc/postfix NORMAL +# dns +/etc/named/ NORMAL +/etc/named.conf$ NORMAL +/etc/named.iscdlv.key$ NORMAL +/etc/named.rfc1912.zones$ NORMAL +/etc/named.root.key$ NORMAL -/etc/ssh/sshd_config NORMAL -/etc/ssh/ssh_config NORMAL +# xinetd +/etc/xinetd.d/ NORMAL -/etc/stunnel NORMAL - -/etc/vsftpd.ftpusers NORMAL -/etc/vsftpd NORMAL - -/etc/issue NORMAL -/etc/issue.net NORMAL - -/etc/cups NORMAL +# This gets new/removes-old filenames daily +!/var/log/sa +# As we are checking it, we've truncated yesterdays size to zero. +!/var/log/aide.log # With AIDE's default verbosity level of 5, these would give lots of # warnings upon tree traversal. It might change with future version. 
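Review bot: `/var/spool/cron/root/ CONTENT` ends in a slash, but on Fedora `/var/spool/cron/root` is root's crontab file, not a directory, so a regex that requires a following `/` never matches it, and because no other rule covers `/var/spool/cron`, root's crontab — a standard persistence location — drops out of the database; use `/var/spool/cron/root$ CONTENT`, or `/var/spool/cron NORMAL` to cover every user's crontab. `/etc/security$ NORMAL` has the opposite problem: the `$` anchors it to the directory entry alone, so `limits.conf`, `access.conf`, `pwquality.conf` and the rest under it lose content hashing and fall through to `/etc PERMS`; the removed `/etc/security NORMAL` (no `$`) was right. Note also that `/etc PERMS` sits above every per-file `/etc/... NORMAL` rule in this hunk, so which of them wins for a given path depends on the match order of this AIDE release; verify with `aide --config-check` and a dry-run init (`--dry-init`) before relying on the layout.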
@@ -265,7 +340,4 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256 #=/home DIR # Ditto /var/log/sa reason... -!/var/log/and-httpd - -# Admins dot files constantly change, just check perms -/root/\..* PERMS +!/var/log/httpd/ \ No newline at end of file From 920124928552faeaef5846b87f8f9dd5423b1011 Mon Sep 17 00:00:00 2001 From: Cropi Date: Thu, 7 Aug 2025 10:32:01 +0200 Subject: [PATCH 04/16] Refactor aide.conf --- aide.conf | 310 ++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 198 insertions(+), 112 deletions(-) diff --git a/aide.conf b/aide.conf index 2deaa1b..5953f6d 100644 --- a/aide.conf +++ b/aide.conf 
@@ -111,31 +111,29 @@ report_url=stdout # Use 'aide --version' to list the default compound groups. # You can create custom rules like this. -# With MHASH... -# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 -ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger -# Everything but access time (Ie. all changes) +# Note: Removed deprecated/removed hashsums (tiger, haval, crc32, crc32b, whirlpool, md5, sha1, rmd160, gost) +ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512 +# Everything but access time (Ie. all changes) - updated with modern hashsums EVERYTHING = R+ALLXTRAHASHES -# Sane, with multiple hashes -# NORMAL = R+rmd160+sha256+whirlpool -NORMAL = FIPSR+sha512 +# Base + sha512 (strong) +NORMAL = R+sha512 -# For directories, don't bother doing hashes -DIR = p+i+n+u+g+acl+selinux+xattrs +# Content only - added file type and strong hash +CONTENT = ftype+sha512 -# Access control only -PERMS = p+i+u+g+acl+selinux +# For directories, don't bother doing hashes - added file type and link name +DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs + +# Access control only - added file type and link name +PERMS = ftype+p+i+l+u+g+acl+selinux # Logfile are special, in that they often change LOG = > -# Just do sha256 and sha512 hashes -LSPP = FIPSR+sha512 - # Some files get updated automatically, so the inode/ctime/mtime change -# but we want to know when the data inside them changes -DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 +# but we want to know when the data inside them changes - updated with modern hash +DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 # Next decide what directories/files you want in the database. 
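Review bot: `CONTENT = ftype+sha512` carries no `p`, `u` or `g`, so for every path it is attached to — `/opt`, `/var/spool/at`, `/etc/at.allow`, `/etc/at.deny`, `/var/spool/cron/root`, `/etc/vsftpd` — a chmod to world-writable or a chown to an unprivileged user is not reported while the content hash is; for access-control files like `at.allow` the mode and owner are precisely what an attacker needs to change. Mode and ownership are stable even on self-updating software, so `CONTENT = ftype+p+u+g+sha512` costs no noise; alternatively keep `NORMAL` for the at/cron/vsftpd entries and reserve `CONTENT` for `/opt`. The comment `# Content only - added file type and strong hash` should state what is deliberately left out so the omission reads as a decision rather than an oversight.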
@@ -144,124 +142,215 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 /sbin NORMAL /lib NORMAL /lib64 NORMAL -/opt NORMAL +# Monitor /opt selectively to avoid noise from auto-updating applications +/opt CONTENT /usr NORMAL -/root NORMAL # These are too volatile !/usr/src !/usr/tmp +/root NORMAL +# Admins dot files constantly change, just check perms +/root/\..* PERMS +!/root/.xauth* + # Check only permissions, inode, user and group for /etc, but # cover some important files closely. /etc PERMS !/etc/mtab # Ignore backup files !/etc/.*~ -/etc/exports NORMAL -/etc/fstab NORMAL -/etc/passwd NORMAL -/etc/group NORMAL -/etc/gshadow NORMAL -/etc/shadow NORMAL -/etc/security/opasswd NORMAL -/etc/hosts.allow NORMAL -/etc/hosts.deny NORMAL +# trusted databases +/etc/hosts$ NORMAL +/etc/host.conf$ NORMAL +/etc/hostname$ NORMAL +/etc/issue$ NORMAL +/etc/issue.net$ NORMAL +/etc/protocols$ NORMAL +/etc/services$ NORMAL +/etc/localtime$ NORMAL +/etc/alternatives NORMAL +/etc/mime.types$ NORMAL +/etc/terminfo NORMAL +/etc/exports$ NORMAL +/etc/fstab$ NORMAL +/etc/passwd$ NORMAL +/etc/group$ NORMAL +/etc/gshadow$ NORMAL +/etc/shadow$ NORMAL +/etc/subgid$ NORMAL +/etc/subuid$ NORMAL +/etc/skel NORMAL +/etc/sssd NORMAL +/etc/swid NORMAL +/etc/system-release-cpe$ NORMAL +/etc/tmux.conf$ NORMAL +/etc/xattr.conf$ NORMAL -/etc/sudoers NORMAL -/etc/skel NORMAL +# networking +/etc/firewalld NORMAL +!/etc/NetworkManager/system-connections +/etc/NetworkManager NORMAL +/etc/networks$ NORMAL +/etc/dhcp NORMAL +/etc/wpa_supplicant NORMAL +/etc/resolv.conf$ DATAONLY +/etc/nscd.conf$ NORMAL -/etc/logrotate.d NORMAL - -/etc/resolv.conf DATAONLY - -/etc/nscd.conf NORMAL -/etc/securetty NORMAL +# logins and accounts +/etc/login.defs$ NORMAL +/etc/libuser.conf$ NORMAL +/var/log/faillog$ PERMS +/var/log/lastlog$ PERMS +/var/run/faillock PERMS +/etc/pam.d NORMAL +/etc/security NORMAL +/etc/securetty$ NORMAL +/etc/polkit-1 NORMAL +/etc/sudo.conf$ NORMAL +/etc/sudoers$ NORMAL +/etc/sudoers.d NORMAL # 
Shell/X starting files -/etc/profile NORMAL -/etc/bashrc NORMAL -/etc/bash_completion.d/ NORMAL -/etc/login.defs NORMAL -/etc/zprofile NORMAL -/etc/zshrc NORMAL -/etc/zlogin NORMAL -/etc/zlogout NORMAL -/etc/profile.d/ NORMAL -/etc/X11/ NORMAL +/etc/profile$ NORMAL +/etc/profile.d NORMAL +/etc/bashrc$ NORMAL +/etc/bash_completion.d NORMAL +/etc/zprofile$ NORMAL +/etc/zshrc$ NORMAL +/etc/zlogin$ NORMAL +/etc/zlogout$ NORMAL +/etc/X11 NORMAL +/etc/shells$ NORMAL # Pkg manager -/etc/yum.conf NORMAL -/etc/yumex.conf NORMAL -/etc/yumex.profiles.conf NORMAL -/etc/yum/ NORMAL -/etc/yum.repos.d/ NORMAL +/etc/dnf NORMAL +/etc/yum.repos.d NORMAL -/var/log LOG +# auditing +# AIDE produces an audit record, so this becomes perpetual motion. +/var/log/audit PERMS +/etc/audit NORMAL +/etc/libaudit.conf$ NORMAL +/etc/aide.conf$ NORMAL + +# System logs +/etc/rsyslog.conf$ NORMAL +/etc/rsyslog.d NORMAL +/etc/logrotate.conf$ NORMAL +/etc/logrotate.d NORMAL +/etc/systemd/journald.conf$ NORMAL +/var/log LOG+ANF+ARF /var/run/utmp LOG + +# secrets +/etc/pkcs11 NORMAL +/etc/pki NORMAL +/etc/ssl NORMAL +/etc/certmonger NORMAL +/var/lib/systemd/random-seed$ PERMS + +# init system +/etc/systemd NORMAL +/etc/sysconfig NORMAL +/etc/rc.d NORMAL +/etc/tmpfiles.d NORMAL +/etc/machine-id$ NORMAL + +# boot config +/etc/default NORMAL +/etc/grub.d NORMAL +/etc/grub2.cfg$ NORMAL +/etc/dracut.conf$ NORMAL +/etc/dracut.conf.d NORMAL + +# glibc linker +/etc/ld.so.cache$ NORMAL +/etc/ld.so.conf$ NORMAL +/etc/ld.so.conf.d NORMAL +/etc/ld.so.preload$ NORMAL + +# kernel config +/etc/sysctl.conf$ NORMAL +/etc/sysctl.d NORMAL +/etc/modprobe.d NORMAL +/etc/modules-load.d NORMAL +/etc/depmod.d NORMAL +/etc/udev NORMAL +/etc/crypttab$ NORMAL + +#### Daemons #### + +# cron jobs +/var/spool/at CONTENT +/etc/at.allow$ CONTENT +/etc/at.deny$ CONTENT +/etc/anacrontab$ NORMAL +/etc/cron.allow$ NORMAL +/etc/cron.deny$ NORMAL +/etc/cron.d NORMAL +/etc/cron.daily NORMAL +/etc/cron.hourly NORMAL +/etc/cron.monthly NORMAL 
+/etc/cron.weekly NORMAL +/etc/crontab$ NORMAL +/var/spool/cron/root CONTENT + +# time keeping +/etc/ntp.conf$ NORMAL +/etc/ntp NORMAL +/etc/chrony.conf$ NORMAL +/etc/chrony.keys$ NORMAL + +# mail +/etc/aliases$ NORMAL +/etc/aliases.db$ NORMAL +/etc/postfix NORMAL + +# ssh +/etc/ssh/sshd_config$ NORMAL +/etc/ssh/ssh_config$ NORMAL + +# stunnel +/etc/stunnel NORMAL + +# ftp +/etc/vsftpd CONTENT + +# printing +/etc/cups NORMAL +/etc/cupshelpers NORMAL +/etc/avahi NORMAL + +# web server +/etc/httpd NORMAL + +# dns +/etc/named NORMAL +/etc/named.conf$ NORMAL +/etc/named.iscdlv.key$ NORMAL +/etc/named.rfc1912.zones$ NORMAL +/etc/named.root.key$ NORMAL + +# xinetd +/etc/xinetd.conf$ NORMAL +/etc/xinetd.d NORMAL + +# IPsec +/etc/ipsec.conf$ NORMAL +/etc/ipsec.secrets$ NORMAL +/etc/ipsec.d NORMAL + +# USBGuard +/etc/usbguard NORMAL + # This gets new/removes-old filenames daily !/var/log/sa # As we are checking it, we've truncated yesterdays size to zero. !/var/log/aide.log -# LSPP rules... -# AIDE produces an audit record, so this becomes perpetual motion. 
-# /var/log/audit/ LSPP -/etc/audit/ LSPP -/etc/libaudit.conf LSPP -/usr/sbin/stunnel LSPP -/var/spool/at LSPP -/etc/at.allow LSPP -/etc/at.deny LSPP -/etc/cron.allow LSPP -/etc/cron.deny LSPP -/etc/cron.d/ LSPP -/etc/cron.daily/ LSPP -/etc/cron.hourly/ LSPP -/etc/cron.monthly/ LSPP -/etc/cron.weekly/ LSPP -/etc/crontab LSPP -/var/spool/cron/root LSPP - -/etc/login.defs LSPP -/etc/securetty LSPP -/var/log/faillog LSPP -/var/log/lastlog LSPP - -/etc/hosts LSPP -/etc/sysconfig LSPP - -/etc/inittab LSPP -/etc/grub/ LSPP -/etc/rc.d LSPP - -/etc/ld.so.conf LSPP - -/etc/localtime LSPP - -/etc/sysctl.conf LSPP - -/etc/modprobe.conf LSPP - -/etc/pam.d LSPP -/etc/security LSPP -/etc/aliases LSPP -/etc/postfix LSPP - -/etc/ssh/sshd_config LSPP -/etc/ssh/ssh_config LSPP - -/etc/stunnel LSPP - -/etc/vsftpd.ftpusers LSPP -/etc/vsftpd LSPP - -/etc/issue LSPP -/etc/issue.net LSPP - -/etc/cups LSPP - # With AIDE's default verbosity level of 5, these would give lots of # warnings upon tree traversal. It might change with future version. # @@ -269,7 +358,4 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 #=/home DIR # Ditto /var/log/sa reason... -!/var/log/and-httpd - -# Admins dot files constantly change, just check perms -/root/\..* PERMS +!/var/log/httpd \ No newline at end of file From 8a1c97dba18c69ab61d4de8bacc5c915a65aab0c Mon Sep 17 00:00:00 2001 From: Cropi Date: Wed, 17 Sep 2025 11:26:30 +0200 Subject: [PATCH 05/16] Replace ntp with chrony config files --- aide.conf | 2 -- 1 file changed, 2 deletions(-) diff --git a/aide.conf b/aide.conf index 5953f6d..799961f 100644 --- a/aide.conf +++ b/aide.conf @@ -299,8 +299,6 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 /var/spool/cron/root CONTENT # time keeping -/etc/ntp.conf$ NORMAL -/etc/ntp NORMAL /etc/chrony.conf$ NORMAL /etc/chrony.keys$ NORMAL From 9566357ccc7dbebd709f0005b241bfaae1e5024f Mon Sep 17 00:00:00 2001 
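Review bot: `!/etc/NetworkManager/system-connections` removes the directory from the database altogether, yet those keyfiles carry Wi-Fi PSKs and VPN secrets and are only safe because they are root-owned `0600`, so a profile made world-readable, or a new attacker-added connection profile, is never reported. If content churn is the motive, use a metadata-only rule instead of an exclusion, e.g. `/etc/NetworkManager/system-connections PERMS` placed so it takes precedence over `/etc/NetworkManager NORMAL`. A second gap: only `/etc/ssh/sshd_config$` and `ssh_config$` get NORMAL, so `/etc/ssh/sshd_config.d/*.conf` (where current Fedora ships its sshd settings) and the `ssh_host_*_key` files fall back to `/etc PERMS`, which in this hunk has neither size, mtime nor checksum — an in-place edit of a drop-in or a swapped host key produces no report. `/etc/ssh NORMAL` closes both holes in one line.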
From: Cropi Date: Wed, 17 Sep 2025 11:29:15 +0200 Subject: [PATCH 06/16] Remove deprecated config file /etc/nscd.conf https://fedoraproject.org/wiki/Changes/RemoveNSCD --- aide.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/aide.conf b/aide.conf index 799961f..e698ac6 100644 --- a/aide.conf +++ b/aide.conf @@ -196,7 +196,6 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 /etc/dhcp NORMAL /etc/wpa_supplicant NORMAL /etc/resolv.conf$ DATAONLY -/etc/nscd.conf$ NORMAL # logins and accounts /etc/login.defs$ NORMAL From d25ee9c7642ff575917aedbc5f977fdeff047ac8 Mon Sep 17 00:00:00 2001 From: Cropi Date: Mon, 22 Sep 2025 16:19:04 +0200 Subject: [PATCH 07/16] Adjust /var/log/journal monitoring in default config file By default, log files are expected to grow but persistent journal files are not handled correctly. The persistent journal is stored in /var/log/journal, hence fall into LOG rule.Unfortunately since some version of Fedora, the journal files get an extended attribute user.crtime_usec which updates when the file rotates. Make sure to leave this out from the report. --- aide.conf | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/aide.conf b/aide.conf index e698ac6..da4cbb5 100644 --- a/aide.conf +++ b/aide.conf @@ -128,8 +128,10 @@ DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs # Access control only - added file type and link name PERMS = ftype+p+i+l+u+g+acl+selinux -# Logfile are special, in that they often change -LOG = > +# Logfiles are special, in that they often change +# Don't track inodes (-i) since log rotation creates new files with different inodes +# Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques +LOG = >+ANF+ARF-i # Some files get updated automatically, so the inode/ctime/mtime change # but we want to know when the data inside them changes - updated with modern hash 
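Review bot: `ARF` on the rule that covers all of `/var/log` means a log file that vanishes is never reported, and deleting `/var/log/secure` or `/var/log/wtmp` is the textbook anti-forensic step an integrity checker exists to catch; `ANF` likewise hides files that appear, which is how an attacker-created file in a log subdirectory would otherwise surface. Rotation produces predictably named files, so excuse only those: keep `LOG = >-i` and add a narrower entry, positioned to take precedence over the `/var/log` line, e.g. `/var/log/.*[-.][0-9]+(\.(gz|xz|zst))?$ LOG+ANF+ARF`, so the day's active files are still required to exist. The `-i` drop and its comment are fine as written.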
@@ -234,13 +236,18 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 /etc/libaudit.conf$ NORMAL /etc/aide.conf$ NORMAL -# System logs +# System logs with proper logrotate handling /etc/rsyslog.conf$ NORMAL /etc/rsyslog.d NORMAL /etc/logrotate.conf$ NORMAL /etc/logrotate.d NORMAL /etc/systemd/journald.conf$ NORMAL -/var/log LOG+ANF+ARF + +# Log directory +/var/log LOG +# Journal files - exclude xattrs due to systemd journal's user.crtime_usec extended attribute changes +/var/log/journal LOG-xattrs + /var/run/utmp LOG From c9baefb29993343e1dc03a55663aac2f518d902f Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 23 Sep 2025 08:46:09 +0200 Subject: [PATCH 08/16] Add .rpmlintrc file --- aide.rpmlintrc | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 aide.rpmlintrc diff --git a/aide.rpmlintrc b/aide.rpmlintrc new file mode 100644 index 0000000..67d2667 --- /dev/null +++ b/aide.rpmlintrc @@ -0,0 +1,15 @@ +# RPMlint configuration for aide package +# These warnings are expected and intentional for security reasons + +# AIDE log directory has restricted permissions (700) for security +# Log files may contain sensitive security information +addFilter("aide.* non-standard-dir-perm /var/log/aide 700") + +# AIDE configuration file has restricted permissions (600) for security +# Configuration reveals what files/directories are monitored +addFilter("aide.* non-readable /etc/aide.conf 600") + +# FSF address in COPYING file is outdated - this is an upstream issue +# The license text contains the old FSF address format +addFilter("aide.* incorrect-fsf-address /usr/share/licenses/aide/COPYING") + From 32855bb23585027061c8b289466e796eb662ce82 Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 23 Sep 2025 11:08:10 +0200 Subject: [PATCH 09/16] Update LOG in config file --- aide.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/aide.conf b/aide.conf index da4cbb5..bf7e66b 100644 --- a/aide.conf +++ b/aide.conf 
@@ -130,8 +130,9 @@ PERMS = ftype+p+i+l+u+g+acl+selinux # Logfiles are special, in that they often change # Don't track inodes (-i) since log rotation creates new files with different inodes +# Don't track size (-s) since log rotation causes size decreases that we don't care about # Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques -LOG = >+ANF+ARF-i +LOG = >+ANF+ARF-i-s # Some files get updated automatically, so the inode/ctime/mtime change # but we want to know when the data inside them changes - updated with modern hash From 2ed6802a1a5f0554427a3e18d0f1cf453b310041 Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 23 Sep 2025 11:51:37 +0200 Subject: [PATCH 10/16] Do not include mtime/ctime in regular files --- aide.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aide.conf b/aide.conf index bf7e66b..c8ed75d 100644 --- a/aide.conf +++ b/aide.conf @@ -117,7 +117,7 @@ ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512 EVERYTHING = R+ALLXTRAHASHES # Base + sha512 (strong) -NORMAL = R+sha512 +NORMAL = R+sha512-m-c # Content only - added file type and strong hash CONTENT = ftype+sha512 From 5634fe32368d43da2a5aec91fa7691cae1048e05 Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 23 Sep 2025 12:17:43 +0200 Subject: [PATCH 11/16] Adjust ordering of /root files --- aide.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aide.conf b/aide.conf index c8ed75d..5ea17ef 100644 --- a/aide.conf +++ b/aide.conf @@ -152,10 +152,10 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 !/usr/src !/usr/tmp -/root NORMAL # Admins dot files constantly change, just check perms /root/\..* PERMS !/root/.xauth* +/root NORMAL # Check only permissions, inode, user and group for /etc, but # cover some important files closely. From 307529a5874a6219b5b513d32eeac5c7d919aea1 Mon Sep 17 00:00:00 2001 
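Review bot: Removing `s` from the growing-log rule discards the signal `>` exists for: rotation (rename plus a fresh file) and malicious truncation (`: > /var/log/secure`, a `wtmp` rewritten to erase sessions) both appear as a size decrease at the same path, and the attribute that tells them apart — the inode, new after rotation, unchanged after truncation — is already ignored by `-i`. With `-i-s` together the two cases are indistinguishable and neither is reported. Prefer `LOG = >+ANF+ARF` and schedule the AIDE database update to run right after the daily logrotate job, so rotation is absorbed into the baseline while a truncation between runs still shows; if the noise is accepted regardless, say so in the comment so a hardening reviewer knows truncation detection was traded away.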
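Review bot: Dropping `c` from `NORMAL` removes the one timestamp that cannot be set through `touch`/`utimes` without changing the system clock, so a file modified and later restored byte-for-byte (or swapped and swapped back) now leaves nothing behind — hash, mode and owner all match the baseline — and a timestomped binary whose `mtime` was reset to the package's value is no longer distinguishable either. The commit carries no rationale; if the motive is quieter reports after `dnf` transactions, those files change content and are reported by the hash anyway, so `m`/`c` add little noise on their own. Suggest `NORMAL = R+sha512-m` at most, or if both must go, a comment above the line such as `# mtime/ctime ignored on purpose: content changes are caught by sha512; timestomping of unchanged files will not be reported`.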
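Review bot: Placing `/root/\..* PERMS` ahead of `/root NORMAL` makes every dotfile and dot-directory under root's home permission-only, including `/root/.ssh/authorized_keys`, `/root/.bashrc` and `/root/.bash_profile`, so a key appended to `authorized_keys` or a command added to `.bashrc` — neither of which changes mode or owner — goes unreported. Those are top persistence targets; carve them out before the catch-all: `/root/.ssh NORMAL`, `/root/.bashrc$ NORMAL`, `/root/.bash_profile$ NORMAL`. Separately, `!/root/.xauth*` only works because AIDE matches prefixes: read as a regex the `*` quantifies the `h` and the `.` is unescaped, so `!/root/\.xauth.*` is the precise form and matches the style of `/root/\..*` on the line above.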
From: Cropi Date: Tue, 23 Sep 2025 14:59:21 +0200 Subject: [PATCH 12/16] Do not monitor acl on /var/log/journal --- aide.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aide.conf b/aide.conf index 5ea17ef..da9d00d 100644 --- a/aide.conf +++ b/aide.conf @@ -247,7 +247,7 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 # Log directory /var/log LOG # Journal files - exclude xattrs due to systemd journal's user.crtime_usec extended attribute changes -/var/log/journal LOG-xattrs +/var/log/journal LOG-xattrs-acl /var/run/utmp LOG From 8479fabb2f09bb8aace92132692fc616aa3e039f Mon Sep 17 00:00:00 2001 From: Cropi Date: Wed, 24 Sep 2025 08:16:59 +0200 Subject: [PATCH 13/16] Accomodate for constantly changing log files Many log files constantly change, especially if those are rotated. Many of those files have changing xattrs, e2fsattrs, caps and acl(s). So let's not monitor them, unless there will be many false positives. --- aide.conf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/aide.conf b/aide.conf index da9d00d..8524225 100644 --- a/aide.conf +++ b/aide.conf 
@@ -128,11 +128,11 @@ DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs # Access control only - added file type and link name PERMS = ftype+p+i+l+u+g+acl+selinux -# Logfiles are special, in that they often change -# Don't track inodes (-i) since log rotation creates new files with different inodes -# Don't track size (-s) since log rotation causes size decreases that we don't care about +# Logfiles are special, in that they often change due to log rotation +# Track only: permissions, file type, user, group, number of links, SELinux context, extended attributes # Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques -LOG = >+ANF+ARF-i-s +# Don't track: size, inodes, timestamps, checksums and some special attributes (these change frequently with log rotation) +LOG = p+ftype+u+g+n+ANF+ARF+selinux+xattrs # Some files get updated automatically, so the inode/ctime/mtime change # but we want to know when the data inside them changes - updated with modern hash @@ -247,7 +247,7 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 # Log directory /var/log LOG # Journal files - exclude xattrs due to systemd journal's user.crtime_usec extended attribute changes -/var/log/journal LOG-xattrs-acl +/var/log/journal LOG-xattrs /var/run/utmp LOG From c4ba6e2926d7a55448a3f619b2a73d7ad6bf220e Mon Sep 17 00:00:00 2001 From: Cropi Date: Thu, 9 Oct 2025 09:42:32 +0200 Subject: [PATCH 14/16] Add explanatory comment for /boot/grub2/grubenv exclusion Document why /boot/grub2/grubenv is excluded from AIDE monitoring. The file's timestamp gets modified continuously due to the "boot_success" implementation, which would cause unnecessary noise in security monitoring reports. Do not monitor link count in /var/log/journal --- aide.conf | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/aide.conf b/aide.conf index 8524225..0ec4c0c 100644 --- a/aide.conf +++ b/aide.conf 
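Review bot: The new `LOG = p+ftype+u+g+n+ANF+ARF+selinux+xattrs` no longer contains `>` or any size attribute, so for everything under `/var/log` only mode, owner, link count and labels are compared: a log emptied with `: > /var/log/secure`, a `wtmp`/`btmp` rewritten to erase a session, or a file replaced by a same-permission stub is reported by nothing, and `ARF` excuses outright deletion on top. That reduces `/var/log` monitoring to "are the logs still 0600 root:root?", which is not what an integrity checker is deployed for. If daily rotation is the noise source, keep growing-size semantics at least for the files that are not rotated that way, e.g. `/var/log/wtmp$ >-i` and `/var/log/btmp$ >-i`, placed so they take precedence over `/var/log LOG`, and extend the comment to say that size and checksums were traded away for rotation silence.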
@@ -246,8 +246,9 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 # Log directory /var/log LOG -# Journal files - exclude xattrs due to systemd journal's user.crtime_usec extended attribute changes -/var/log/journal LOG-xattrs +# Journal files - exclude xattrs and link count due to systemd journal's user.crtime_usec extended attribute changes and new directory creation +/var/log/journal LOG-xattrs-n + /var/run/utmp LOG @@ -363,4 +364,7 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 #=/home DIR # Ditto /var/log/sa reason... -!/var/log/httpd \ No newline at end of file +!/var/log/httpd +# /boot/grub2/grubenv's timestamp is getting modified continuously due to "boot_success" implementation +!/boot/grub2/grubenv + From 9a67d750d4f88a2eebd7f6e944e25f6de0bf2d4b Mon Sep 17 00:00:00 2001 From: Cropi Date: Thu, 16 Oct 2025 09:46:00 +0200 Subject: [PATCH 15/16] Adjust default config to avoid false positives in /etc --- aide.conf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/aide.conf b/aide.conf index 0ec4c0c..56ba1da 100644 --- a/aide.conf +++ b/aide.conf @@ -126,7 +126,7 @@ CONTENT = ftype+sha512 DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs # Access control only - added file type and link name -PERMS = ftype+p+i+l+u+g+acl+selinux +PERMS = ftype+p+u+g+acl+selinux+xattrs # Logfiles are special, in that they often change due to log rotation # Track only: permissions, file type, user, group, number of links, SELinux context, extended attributes @@ -159,7 +159,6 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 # Check only permissions, inode, user and group for /etc, but # cover some important files closely. -/etc PERMS !/etc/mtab # Ignore backup files !/etc/.*~ @@ -352,6 +351,9 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 # USBGuard /etc/usbguard NORMAL +# Now everything else +/etc PERMS + # This gets new/removes-old filenames daily !/var/log/sa # As we are checking it, we've truncated yesterdays size to zero. 
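Review bot: `!/boot/grub2/grubenv` drops the file from the database entirely although the stated problem is only its timestamp churn from `boot_success`; on releases where grubenv still carries `kernelopts` or `next_entry`, this is exactly the file through which `init=/bin/sh` or `selinux=0` can be injected into the boot command line, and even a mode change to world-writable is now invisible. Match the fix to the symptom: keep the entry with the volatile attributes removed, e.g. `/boot/grub2/grubenv$ PERMS`, and have the comment say `# grubenv is rewritten on every boot (boot_success), so only mode/owner are tracked`. Whether grubenv holds kernel options on the targeted Fedora release (recent releases moved them into the BLS entries under `/boot/loader/entries`, I believe) is worth confirming before deciding how much to track.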
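Review bot: `PERMS = ftype+p+u+g+acl+selinux+xattrs` drops `l` together with `i`; losing `i` is well motivated (editors and package tools replace files atomically, creating a new inode), but `l` — the symlink target — is stable and cheap, and since `/etc PERMS` is now the catch-all for every `/etc` symlink without a dedicated rule, re-pointing one of them (for example the `/etc/crypto-policies/back-ends/*.config` links that select the system crypto policy) at an attacker-controlled file produces no report. Keep it: `PERMS = ftype+p+l+u+g+acl+selinux+xattrs`; the unchanged comment `# Access control only - added file type and link name` otherwise claims a link-name check that no longer exists. Moving `/etc PERMS` below the specific rules is the right ordering fix; `# Now everything else` would read better as `# Everything else under /etc: metadata only`.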
From 3b76bcd11a6bf80bfcfb0904ee45de2e3d9e79b6 Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Fri, 16 Jan 2026 03:31:38 +0000
Subject: [PATCH 16/16] Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild