diff --git a/aide.conf b/aide.conf
index 2deaa1b..7090a46 100644
--- a/aide.conf
+++ b/aide.conf
@@ -111,157 +111,228 @@ report_url=stdout
 # Use 'aide --version' to list the default compound groups.
 # You can create custom rules like this.
-# With MHASH...
-# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
-ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
-# Everything but access time (Ie. all changes)
+# Note: Removed deprecated/removed hashsums (tiger, haval, crc32, crc32b, whirlpool, md5, sha1, rmd160, gost)
+# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32+crc32b (old with deprecated/removed)
+ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512
+# Everything but access time (Ie. all changes) - updated with modern hashsums
 EVERYTHING = R+ALLXTRAHASHES
-# Sane, with multiple hashes
-# NORMAL = R+rmd160+sha256+whirlpool
-NORMAL = FIPSR+sha512
+# Base + sha512 (strong)
+NORMAL = R+sha512
-# For directories, don't bother doing hashes
-DIR = p+i+n+u+g+acl+selinux+xattrs
+CONTENT = ftype+sha256
-# Access control only
-PERMS = p+i+u+g+acl+selinux
+# For directories, don't bother doing hashes - added file type and link name
+DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs
+
+# Access control only - added file type and link name
+PERMS = ftype+p+i+l+u+g+acl+selinux
 # Logfile are special, in that they often change
 LOG = >
-# Just do sha256 and sha512 hashes
-LSPP = FIPSR+sha512
-
 # Some files get updated automatically, so the inode/ctime/mtime change
-# but we want to know when the data inside them changes
-DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
+# but we want to know when the data inside them changes - updated with modern hash
+DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256
 # Next decide what directories/files you want in the database.
-/boot NORMAL
-/bin NORMAL
-/sbin NORMAL
-/lib NORMAL
-/lib64 NORMAL
-/opt NORMAL
-/usr NORMAL
-/root NORMAL
+/boot/ NORMAL
+/bin/ NORMAL
+/sbin/ NORMAL
+/lib/ NORMAL
+/lib64/ NORMAL
+# Monitor /opt selectively to avoid noise from auto-updating applications
+/opt/ CONTENT
+/usr/ NORMAL
 # These are too volatile
 !/usr/src
 !/usr/tmp
+/root NORMAL
+# Admins dot files constantly change, just check perms
+/root/\..* PERMS
+
 # Check only permissions, inode, user and group for /etc, but
 # cover some important files closely.
 /etc PERMS
 !/etc/mtab
 # Ignore backup files
 !/etc/.*~
-/etc/exports NORMAL
-/etc/fstab NORMAL
-/etc/passwd NORMAL
-/etc/group NORMAL
-/etc/gshadow NORMAL
-/etc/shadow NORMAL
-/etc/security/opasswd NORMAL
-/etc/hosts.allow NORMAL
-/etc/hosts.deny NORMAL
+# trusted databases
+/etc/hosts$ NORMAL
+/etc/host.conf$ NORMAL
+/etc/hostname$ NORMAL
+/etc/issue$ NORMAL
+/etc/issue.net$ NORMAL
+/etc/protocols$ NORMAL
+/etc/services$ NORMAL
+/etc/localtime$ NORMAL
+/etc/alternatives/ NORMAL
+/etc/mime.types$ NORMAL
+/etc/terminfo/ NORMAL
+/etc/exports$ NORMAL
+/etc/fstab$ NORMAL
+/etc/passwd$ NORMAL
+/etc/group$ NORMAL
+/etc/gshadow$ NORMAL
+/etc/shadow$ NORMAL
+/etc/security/opasswd$ NORMAL
+/etc/skel/ NORMAL
-/etc/sudoers NORMAL
-/etc/skel NORMAL
+# networking
+/etc/hosts.allow$ NORMAL
+/etc/hosts.deny$ NORMAL
+/etc/firewalld/ NORMAL
+/etc/NetworkManager/ NORMAL
+/etc/networks$ NORMAL
+/etc/dhcp/ NORMAL
+/etc/wpa_supplicant/ NORMAL
+/etc/resolv.conf$ DATAONLY
+/etc/nscd.conf$ NORMAL
-/etc/logrotate.d NORMAL
-
-/etc/resolv.conf DATAONLY
-
-/etc/nscd.conf NORMAL
-/etc/securetty NORMAL
+# logins and accounts
+/etc/login.defs$ NORMAL
+/etc/libuser.conf$ NORMAL
+/var/log/faillog$ PERMS
+/var/log/lastlog$ PERMS
+/var/run/faillock/ PERMS
+/etc/pam.d/ NORMAL
+/etc/security$ NORMAL
+/etc/securetty$ NORMAL
+/etc/polkit-1/ NORMAL
+/etc/sudo.conf$ NORMAL
+/etc/sudoers$ NORMAL
+/etc/sudoers.d/ NORMAL
 # Shell/X starting files
-/etc/profile NORMAL
-/etc/bashrc NORMAL
-/etc/bash_completion.d/ NORMAL
-/etc/login.defs NORMAL
-/etc/zprofile NORMAL
-/etc/zshrc NORMAL
-/etc/zlogin NORMAL
-/etc/zlogout NORMAL
+/etc/profile$ NORMAL
 /etc/profile.d/ NORMAL
+/etc/bashrc$ NORMAL
+/etc/bash_completion.d/ NORMAL
+/etc/zprofile$ NORMAL
+/etc/zshrc$ NORMAL
+/etc/zlogin$ NORMAL
+/etc/zlogout$ NORMAL
 /etc/X11/ NORMAL
+/etc/shells$ NORMAL
 # Pkg manager
-/etc/yum.conf NORMAL
-/etc/yumex.conf NORMAL
-/etc/yumex.profiles.conf NORMAL
+/etc/yum.conf$ NORMAL
 /etc/yum/ NORMAL
 /etc/yum.repos.d/ NORMAL
-/var/log LOG
-/var/run/utmp LOG
+/etc/audit/ NORMAL
+/etc/audisp/ NORMAL
+/etc/libaudit.conf$ NORMAL
+/etc/aide.conf$ NORMAL
+
+# System logs
+/etc/rsyslog.conf$ NORMAL
+/etc/rsyslog.d/ NORMAL
+/etc/logrotate.conf$ NORMAL
+/etc/logrotate.d/ NORMAL
+/var/log/ LOG+ANF+ARF
+/var/run/utmp$ LOG
+
+# secrets
+/etc/pkcs11/ NORMAL
+/etc/pki/ NORMAL
+/etc/ssl/ NORMAL
+/etc/certmonger/ NORMAL
+
+# init system
+/etc/systemd/ NORMAL
+/etc/sysconfig/ NORMAL
+/etc/rc.d/ NORMAL
+/etc/tmpfiles.d/ NORMAL
+/etc/machine-id$ NORMAL
+
+# boot config
+/etc/grub.d/ NORMAL
+/etc/grub2.cfg$ NORMAL
+/etc/dracut.conf$ NORMAL
+/etc/dracut.conf.d/ NORMAL
+
+# glibc linker
+/etc/ld.so.cache$ NORMAL
+/etc/ld.so.conf$ NORMAL
+/etc/ld.so.conf.d/ NORMAL
+
+# kernel config
+/etc/sysctl.conf$ NORMAL
+/etc/sysctl.d/ NORMAL
+/etc/modprobe.d/ NORMAL
+/etc/modules-load.d/ NORMAL
+/etc/depmod.d/ NORMAL
+/etc/udev/ NORMAL
+/etc/crypttab$ NORMAL
+
+#### Daemons ####
+
+# cron jobs
+/var/spool/at/ CONTENT
+/etc/at.allow$ CONTENT
+/etc/at.deny$ CONTENT
+/etc/cron.allow$ NORMAL
+/etc/cron.deny$ NORMAL
+/etc/cron.d/ NORMAL
+/etc/cron.daily/ NORMAL
+/etc/cron.hourly/ NORMAL
+/etc/cron.monthly/ NORMAL
+/etc/cron.weekly/ NORMAL
+/etc/crontab$ NORMAL
+/var/spool/cron/root/ CONTENT
+/etc/anacrontab$ NORMAL
+
+# time keeping
+/etc/ntp.conf$ NORMAL
+/etc/ntp/ NORMAL
+/etc/chrony.conf$ NORMAL
+/etc/chrony.keys$ NORMAL
+
+# mail
+/etc/aliases$ NORMAL
+/etc/aliases.db$ NORMAL
+/etc/postfix/ NORMAL
+/etc/mail.rc$ NORMAL
+/etc/mailcap$ NORMAL
+
+# ssh
+/etc/ssh/sshd_config$ NORMAL
+/etc/ssh/ssh_config$ NORMAL
+
+# stunnel
+/etc/stunnel/ NORMAL
+
+# ftp
+/etc/vsftpd.conf$ CONTENT
+/etc/vsftpd/ CONTENT
+
+# printing
+/etc/cups/ NORMAL
+/etc/cupshelpers/ NORMAL
+/etc/avahi/ NORMAL
+
+# web server
+/etc/httpd/ NORMAL
+
+# dns
+/etc/named/ NORMAL
+/etc/named.conf$ NORMAL
+/etc/named.iscdlv.key$ NORMAL
+/etc/named.rfc1912.zones$ NORMAL
+/etc/named.root.key$ NORMAL
+
+# xinetd
+/etc/xinetd.d/ NORMAL
 # This gets new/removes-old filenames daily
 !/var/log/sa
 # As we are checking it, we've truncated yesterdays size to zero.
 !/var/log/aide.log
-# LSPP rules...
-# AIDE produces an audit record, so this becomes perpetual motion.
-# /var/log/audit/ LSPP
-/etc/audit/ LSPP
-/etc/libaudit.conf LSPP
-/usr/sbin/stunnel LSPP
-/var/spool/at LSPP
-/etc/at.allow LSPP
-/etc/at.deny LSPP
-/etc/cron.allow LSPP
-/etc/cron.deny LSPP
-/etc/cron.d/ LSPP
-/etc/cron.daily/ LSPP
-/etc/cron.hourly/ LSPP
-/etc/cron.monthly/ LSPP
-/etc/cron.weekly/ LSPP
-/etc/crontab LSPP
-/var/spool/cron/root LSPP
-
-/etc/login.defs LSPP
-/etc/securetty LSPP
-/var/log/faillog LSPP
-/var/log/lastlog LSPP
-
-/etc/hosts LSPP
-/etc/sysconfig LSPP
-
-/etc/inittab LSPP
-/etc/grub/ LSPP
-/etc/rc.d LSPP
-
-/etc/ld.so.conf LSPP
-
-/etc/localtime LSPP
-
-/etc/sysctl.conf LSPP
-
-/etc/modprobe.conf LSPP
-
-/etc/pam.d LSPP
-/etc/security LSPP
-/etc/aliases LSPP
-/etc/postfix LSPP
-
-/etc/ssh/sshd_config LSPP
-/etc/ssh/ssh_config LSPP
-
-/etc/stunnel LSPP
-
-/etc/vsftpd.ftpusers LSPP
-/etc/vsftpd LSPP
-
-/etc/issue LSPP
-/etc/issue.net LSPP
-
-/etc/cups LSPP
-
 # With AIDE's default verbosity level of 5, these would give lots of
 # warnings upon tree traversal. It might change with future version.
 #
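Review bot: `DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256` names a hash attribute `sha_256` that AIDE does not define; everywhere else in this hunk the group is spelled `sha256` (`CONTENT = ftype+sha256`, `ALLXTRAHASHES = sha256+...`), so the line should read `DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256` or AIDE is likely to reject the configuration when it is loaded. Separately, `/etc/security$ NORMAL` is anchored on the directory entry itself, so the files below it (limits.conf, access.conf and friends) now fall back to the unanchored `/etc PERMS` rule with no content hash, a coverage regression from the removed `/etc/security LSPP` prefix rule; `/etc/security/ NORMAL` keeps the previous scope, consistent with the neighbouring `/etc/pam.d/ NORMAL`. `/opt/ CONTENT` records only file type and sha256, so a mode or ownership change on a binary under /opt (for example a newly set setuid bit) is no longer reported; if that trade-off is not intended, `CONTENT = ftype+p+u+g+sha256` keeps the noise reduction while still catching permission changes. Lastly, only `/etc/ssh/sshd_config$` and `/etc/ssh/ssh_config$` are hashed, leaving the `/etc/ssh/sshd_config.d/` drop-in directory and the host keys under `/etc/ssh/` on `/etc PERMS`; `/etc/ssh/ NORMAL` would cover the whole directory.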
@@ -269,7 +340,4 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
 #=/home DIR
 
 # Ditto /var/log/sa reason...
-!/var/log/and-httpd
-
-# Admins dot files constantly change, just check perms
-/root/\..* PERMS
+!/var/log/httpd/
\ No newline at end of file
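Review bot: `!/var/log/httpd/` excludes the entire Apache log tree from the database, while the rule it replaces targeted `and-httpd`, a different daemon whose daily filename churn is the reason given in the `# Ditto /var/log/sa reason...` comment that is kept above it; httpd logs managed by logrotate do not normally churn that way, and the `/var/log/ LOG+ANF+ARF` rule introduced earlier in this commit already tolerates growth and rotation. If web-server logs are meant to stay in scope for tamper detection, drop the exclusion; if the exclusion is deliberate, reword the comment so the stated reason matches the new path. The file also now ends without a trailing newline (`\ No newline at end of file`); terminate `!/var/log/httpd/` with one.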