From 5b3470d6766d5c4e4efc9cd3d7e7197f7915771d Mon Sep 17 00:00:00 2001
From: Cropi
Date: Thu, 7 Aug 2025 10:32:01 +0200
Subject: [PATCH 1/2] aide.conf: update custom rules
---
 aide.conf | 112 ++++++++++++++++++++++++++++----------------------------
 1 file changed, 54 insertions(+), 58 deletions(-)
diff --git a/aide.conf b/aide.conf
index 2deaa1b..773a80a 100644
--- a/aide.conf
+++ b/aide.conf
@@ -111,31 +111,27 @@ report_url=stdout
 # Use 'aide --version' to list the default compound groups.
 # You can create custom rules like this.
-# With MHASH...
-# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
-ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
-# Everything but access time (Ie. all changes)
+# Note: Removed deprecated/removed hashsums (tiger, haval, crc32, crc32b, whirlpool, md5, sha1, rmd160, gost)
+# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32+crc32b (old with deprecated/removed)
+ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512
+# Everything but access time (Ie. all changes) - updated with modern hashsums
 EVERYTHING = R+ALLXTRAHASHES
-# Sane, with multiple hashes
-# NORMAL = R+rmd160+sha256+whirlpool
-NORMAL = FIPSR+sha512
+# Base + extended attributes + selinux + acl + file capabilities with multiple modern hashes
+NORMAL = R+xattrs+selinux+acl+e2fsattrs+caps+sha512+sha3_512
-# For directories, don't bother doing hashes
-DIR = p+i+n+u+g+acl+selinux+xattrs
+# For directories, don't bother doing hashes - added file type and link name
+DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs
-# Access control only
-PERMS = p+i+u+g+acl+selinux
+# Access control only - added file type and link name
+PERMS = ftype+p+i+l+u+g+acl+selinux
 # Logfile are special, in that they often change
 LOG = >
-# Just do sha256 and sha512 hashes
-LSPP = FIPSR+sha512
-
 # Some files get updated automatically, so the inode/ctime/mtime change
-# but we want to know when the data inside them changes
-DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
+# but we want to know when the data inside them changes - updated with modern hash
+DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256
 # Next decide what directories/files you want in the database.
@@ -147,6 +143,7 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
 /opt NORMAL
 /usr NORMAL
 /root NORMAL
+
 # These are too volatile
 !/usr/src
 !/usr/tmp
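Review bot: `DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256` spells the hash attribute `sha_256`, while the same hunk writes `sha256` in ALLXTRAHASHES, and the typo survives into the second patch (its hunk headers still show `sha_256`). As far as I can tell AIDE treats an unknown token in a rule as an undefined group and refuses the whole config, so every run with this file would fail rather than silently skip the hash; change the line to `DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256`. The comment above ALLXTRAHASHES lists md5, sha1 and rmd160 among the "deprecated/removed" hashsums; if the target AIDE build still provides them, it would be clearer to say they were dropped from this group by choice rather than removed upstream.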
@@ -205,62 +202,61 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
 # As we are checking it, we've truncated yesterdays size to zero.
 !/var/log/aide.log
-# LSPP rules...
 # AIDE produces an audit record, so this becomes perpetual motion.
-# /var/log/audit/ LSPP
-/etc/audit/ LSPP
-/etc/libaudit.conf LSPP
-/usr/sbin/stunnel LSPP
-/var/spool/at LSPP
-/etc/at.allow LSPP
-/etc/at.deny LSPP
-/etc/cron.allow LSPP
-/etc/cron.deny LSPP
-/etc/cron.d/ LSPP
-/etc/cron.daily/ LSPP
-/etc/cron.hourly/ LSPP
-/etc/cron.monthly/ LSPP
-/etc/cron.weekly/ LSPP
-/etc/crontab LSPP
-/var/spool/cron/root LSPP
+# /var/log/audit/ NORMAL
+/etc/audit/ NORMAL
+/etc/libaudit.conf NORMAL
+/usr/sbin/stunnel NORMAL
+/var/spool/at NORMAL
+/etc/at.allow NORMAL
+/etc/at.deny NORMAL
+/etc/cron.allow NORMAL
+/etc/cron.deny NORMAL
+/etc/cron.d/ NORMAL
+/etc/cron.daily/ NORMAL
+/etc/cron.hourly/ NORMAL
+/etc/cron.monthly/ NORMAL
+/etc/cron.weekly/ NORMAL
+/etc/crontab NORMAL
+/var/spool/cron/root NORMAL
-/etc/login.defs LSPP
-/etc/securetty LSPP
-/var/log/faillog LSPP
-/var/log/lastlog LSPP
+/etc/login.defs NORMAL
+/etc/securetty NORMAL
+/var/log/faillog NORMAL
+/var/log/lastlog NORMAL
-/etc/hosts LSPP
-/etc/sysconfig LSPP
+/etc/hosts NORMAL
+/etc/sysconfig NORMAL
-/etc/inittab LSPP
-/etc/grub/ LSPP
-/etc/rc.d LSPP
+/etc/inittab NORMAL
+/etc/grub/ NORMAL
+/etc/rc.d NORMAL
-/etc/ld.so.conf LSPP
+/etc/ld.so.conf NORMAL
-/etc/localtime LSPP
+/etc/localtime NORMAL
-/etc/sysctl.conf LSPP
+/etc/sysctl.conf NORMAL
-/etc/modprobe.conf LSPP
+/etc/modprobe.conf NORMAL
-/etc/pam.d LSPP
-/etc/security LSPP
-/etc/aliases LSPP
-/etc/postfix LSPP
+/etc/pam.d NORMAL
+/etc/security NORMAL
+/etc/aliases NORMAL
+/etc/postfix NORMAL
-/etc/ssh/sshd_config LSPP
-/etc/ssh/ssh_config LSPP
+/etc/ssh/sshd_config NORMAL
+/etc/ssh/ssh_config NORMAL
-/etc/stunnel LSPP
+/etc/stunnel NORMAL
-/etc/vsftpd.ftpusers LSPP
-/etc/vsftpd LSPP
+/etc/vsftpd.ftpusers NORMAL
+/etc/vsftpd NORMAL
-/etc/issue LSPP
-/etc/issue.net LSPP
+/etc/issue NORMAL
+/etc/issue.net NORMAL
-/etc/cups LSPP
+/etc/cups NORMAL
 # With AIDE's default verbosity level of 5, these would give lots of
 # warnings upon tree traversal. It might change with future version.
From 88698a013b48979013c3daab447fae179331835b Mon Sep 17 00:00:00 2001
From: Cropi
Date: Mon, 8 Sep 2025 10:37:47 +0200
Subject: [PATCH 2/2] Refactor aide.conf
---
 aide.conf | 252 +++++++++++++++++++++++++++++++++++------------------
 1 file changed, 162 insertions(+), 90 deletions(-)
diff --git a/aide.conf b/aide.conf
index 773a80a..7090a46 100644
--- a/aide.conf
+++ b/aide.conf
@@ -117,8 +117,10 @@ ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512
 # Everything but access time (Ie. all changes) - updated with modern hashsums
 EVERYTHING = R+ALLXTRAHASHES
-# Base + extended attributes + selinux + acl + file capabilities with multiple modern hashes
-NORMAL = R+xattrs+selinux+acl+e2fsattrs+caps+sha512+sha3_512
+# Base + sha512 (strong)
+NORMAL = R+sha512
+
+CONTENT = ftype+sha256
 # For directories, don't bother doing hashes - added file type and link name
 DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs
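Review bot: `CONTENT = ftype+sha256` is the only group definition in this block without a comment, and because it carries no `p`, `u` or `g`, a mode or ownership change on anything selected with it (e.g. /opt or /etc/at.allow in the next hunk) produces no report at all. If that is intended, state it above the line, e.g. `# Content-only check: file type + sha256; ignores permissions, ownership and timestamps (for auto-updating trees)`; otherwise `CONTENT = ftype+p+u+g+sha256` keeps the noise down while still catching ownership changes. The new NORMAL also silently drops `caps`, `e2fsattrs` and `sha3_512` that the previous definition carried; losing `caps` in particular means a file-capability change on a binary under /bin, /sbin or /usr is no longer reported, which is worth either restating in the comment or keeping as `NORMAL = R+sha512+caps` if the build supports it.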
@@ -135,128 +137,201 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256
 # Next decide what directories/files you want in the database.
-/boot NORMAL
-/bin NORMAL
-/sbin NORMAL
-/lib NORMAL
-/lib64 NORMAL
-/opt NORMAL
-/usr NORMAL
-/root NORMAL
-
+/boot/ NORMAL
+/bin/ NORMAL
+/sbin/ NORMAL
+/lib/ NORMAL
+/lib64/ NORMAL
+# Monitor /opt selectively to avoid noise from auto-updating applications
+/opt/ CONTENT
+/usr/ NORMAL
 # These are too volatile
 !/usr/src
 !/usr/tmp
+/root NORMAL
+# Admins dot files constantly change, just check perms
+/root/\..* PERMS
+
 # Check only permissions, inode, user and group for /etc, but
 # cover some important files closely.
 /etc PERMS
 !/etc/mtab
 # Ignore backup files
 !/etc/.*~
-/etc/exports NORMAL
-/etc/fstab NORMAL
-/etc/passwd NORMAL
-/etc/group NORMAL
-/etc/gshadow NORMAL
-/etc/shadow NORMAL
-/etc/security/opasswd NORMAL
-/etc/hosts.allow NORMAL
-/etc/hosts.deny NORMAL
+# trusted databases
+/etc/hosts$ NORMAL
+/etc/host.conf$ NORMAL
+/etc/hostname$ NORMAL
+/etc/issue$ NORMAL
+/etc/issue.net$ NORMAL
+/etc/protocols$ NORMAL
+/etc/services$ NORMAL
+/etc/localtime$ NORMAL
+/etc/alternatives/ NORMAL
+/etc/mime.types$ NORMAL
+/etc/terminfo/ NORMAL
+/etc/exports$ NORMAL
+/etc/fstab$ NORMAL
+/etc/passwd$ NORMAL
+/etc/group$ NORMAL
+/etc/gshadow$ NORMAL
+/etc/shadow$ NORMAL
+/etc/security/opasswd$ NORMAL
+/etc/skel/ NORMAL
-/etc/sudoers NORMAL
-/etc/skel NORMAL
+# networking
+/etc/hosts.allow$ NORMAL
+/etc/hosts.deny$ NORMAL
+/etc/firewalld/ NORMAL
+/etc/NetworkManager/ NORMAL
+/etc/networks$ NORMAL
+/etc/dhcp/ NORMAL
+/etc/wpa_supplicant/ NORMAL
+/etc/resolv.conf$ DATAONLY
+/etc/nscd.conf$ NORMAL
-/etc/logrotate.d NORMAL
-
-/etc/resolv.conf DATAONLY
-
-/etc/nscd.conf NORMAL
-/etc/securetty NORMAL
+# logins and accounts
+/etc/login.defs$ NORMAL
+/etc/libuser.conf$ NORMAL
+/var/log/faillog$ PERMS
+/var/log/lastlog$ PERMS
+/var/run/faillock/ PERMS
+/etc/pam.d/ NORMAL
+/etc/security$ NORMAL
+/etc/securetty$ NORMAL
+/etc/polkit-1/ NORMAL
+/etc/sudo.conf$ NORMAL
+/etc/sudoers$ NORMAL
+/etc/sudoers.d/ NORMAL
 # Shell/X starting files
-/etc/profile NORMAL
-/etc/bashrc NORMAL
-/etc/bash_completion.d/ NORMAL
-/etc/login.defs NORMAL
-/etc/zprofile NORMAL
-/etc/zshrc NORMAL
-/etc/zlogin NORMAL
-/etc/zlogout NORMAL
+/etc/profile$ NORMAL
 /etc/profile.d/ NORMAL
+/etc/bashrc$ NORMAL
+/etc/bash_completion.d/ NORMAL
+/etc/zprofile$ NORMAL
+/etc/zshrc$ NORMAL
+/etc/zlogin$ NORMAL
+/etc/zlogout$ NORMAL
 /etc/X11/ NORMAL
+/etc/shells$ NORMAL
 # Pkg manager
-/etc/yum.conf NORMAL
-/etc/yumex.conf NORMAL
-/etc/yumex.profiles.conf NORMAL
+/etc/yum.conf$ NORMAL
 /etc/yum/ NORMAL
 /etc/yum.repos.d/ NORMAL
-/var/log LOG
-/var/run/utmp LOG
-
-# This gets new/removes-old filenames daily
-!/var/log/sa
-# As we are checking it, we've truncated yesterdays size to zero.
-!/var/log/aide.log
-
-# AIDE produces an audit record, so this becomes perpetual motion.
-# /var/log/audit/ NORMAL
 /etc/audit/ NORMAL
-/etc/libaudit.conf NORMAL
-/usr/sbin/stunnel NORMAL
-/var/spool/at NORMAL
-/etc/at.allow NORMAL
-/etc/at.deny NORMAL
-/etc/cron.allow NORMAL
-/etc/cron.deny NORMAL
+/etc/audisp/ NORMAL
+/etc/libaudit.conf$ NORMAL
+/etc/aide.conf$ NORMAL
+
+# System logs
+/etc/rsyslog.conf$ NORMAL
+/etc/rsyslog.d/ NORMAL
+/etc/logrotate.conf$ NORMAL
+/etc/logrotate.d/ NORMAL
+/var/log/ LOG+ANF+ARF
+/var/run/utmp$ LOG
+
+# secrets
+/etc/pkcs11/ NORMAL
+/etc/pki/ NORMAL
+/etc/ssl/ NORMAL
+/etc/certmonger/ NORMAL
+
+# init system
+/etc/systemd/ NORMAL
+/etc/sysconfig/ NORMAL
+/etc/rc.d/ NORMAL
+/etc/tmpfiles.d/ NORMAL
+/etc/machine-id$ NORMAL
+
+# boot config
+/etc/grub.d/ NORMAL
+/etc/grub2.cfg$ NORMAL
+/etc/dracut.conf$ NORMAL
+/etc/dracut.conf.d/ NORMAL
+
+# glibc linker
+/etc/ld.so.cache$ NORMAL
+/etc/ld.so.conf$ NORMAL
+/etc/ld.so.conf.d/ NORMAL
+
+# kernel config
+/etc/sysctl.conf$ NORMAL
+/etc/sysctl.d/ NORMAL
+/etc/modprobe.d/ NORMAL
+/etc/modules-load.d/ NORMAL
+/etc/depmod.d/ NORMAL
+/etc/udev/ NORMAL
+/etc/crypttab$ NORMAL
+
+#### Daemons ####
+
+# cron jobs
+/var/spool/at/ CONTENT
+/etc/at.allow$ CONTENT
+/etc/at.deny$ CONTENT
+/etc/cron.allow$ NORMAL
+/etc/cron.deny$ NORMAL
 /etc/cron.d/ NORMAL
 /etc/cron.daily/ NORMAL
 /etc/cron.hourly/ NORMAL
 /etc/cron.monthly/ NORMAL
 /etc/cron.weekly/ NORMAL
-/etc/crontab NORMAL
-/var/spool/cron/root NORMAL
+/etc/crontab$ NORMAL
+/var/spool/cron/root/ CONTENT
+/etc/anacrontab$ NORMAL
-/etc/login.defs NORMAL
-/etc/securetty NORMAL
-/var/log/faillog NORMAL
-/var/log/lastlog NORMAL
+# time keeping
+/etc/ntp.conf$ NORMAL
+/etc/ntp/ NORMAL
+/etc/chrony.conf$ NORMAL
+/etc/chrony.keys$ NORMAL
-/etc/hosts NORMAL
-/etc/sysconfig NORMAL
+# mail
+/etc/aliases$ NORMAL
+/etc/aliases.db$ NORMAL
+/etc/postfix/ NORMAL
+/etc/mail.rc$ NORMAL
+/etc/mailcap$ NORMAL
-/etc/inittab NORMAL
-/etc/grub/ NORMAL
-/etc/rc.d NORMAL
+# ssh
+/etc/ssh/sshd_config$ NORMAL
+/etc/ssh/ssh_config$ NORMAL
-/etc/ld.so.conf NORMAL
+# stunnel
+/etc/stunnel/ NORMAL
-/etc/localtime NORMAL
+# ftp
+/etc/vsftpd.conf$ CONTENT
+/etc/vsftpd/ CONTENT
-/etc/sysctl.conf NORMAL
+# printing
+/etc/cups/ NORMAL
+/etc/cupshelpers/ NORMAL
+/etc/avahi/ NORMAL
-/etc/modprobe.conf NORMAL
+# web server
+/etc/httpd/ NORMAL
-/etc/pam.d NORMAL
-/etc/security NORMAL
-/etc/aliases NORMAL
-/etc/postfix NORMAL
+# dns
+/etc/named/ NORMAL
+/etc/named.conf$ NORMAL
+/etc/named.iscdlv.key$ NORMAL
+/etc/named.rfc1912.zones$ NORMAL
+/etc/named.root.key$ NORMAL
-/etc/ssh/sshd_config NORMAL
-/etc/ssh/ssh_config NORMAL
+# xinetd
+/etc/xinetd.d/ NORMAL
-/etc/stunnel NORMAL
-
-/etc/vsftpd.ftpusers NORMAL
-/etc/vsftpd NORMAL
-
-/etc/issue NORMAL
-/etc/issue.net NORMAL
-
-/etc/cups NORMAL
+# This gets new/removes-old filenames daily
+!/var/log/sa
+# As we are checking it, we've truncated yesterdays size to zero.
+!/var/log/aide.log
 # With AIDE's default verbosity level of 5, these would give lots of
 # warnings upon tree traversal. It might change with future version.
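Review bot: `+/var/spool/cron/root/ CONTENT` ends in a slash, but on the RHEL-family systems this file targets root's crontab is a regular file at /var/spool/cron/root, and an AIDE selection regex is matched as a prefix of the path, so a pattern ending in `root/` never matches that file; the removed `/var/spool/cron/root NORMAL` did, so root's crontab silently leaves the database. Use `/var/spool/cron/root$ CONTENT`, or `/var/spool/cron/ CONTENT` to cover every user's crontab. `+/etc/security$ NORMAL` has the opposite problem: /etc/security is a directory and the `$` anchor restricts the match to the directory entry itself, so limits.conf, access.conf and the rest fall back to `/etc PERMS` and lose the content hash the old `/etc/security NORMAL` gave them; `/etc/security/ NORMAL` keeps that intent (opasswd already has its own line). Both readings come from the rule syntax rather than a run, so confirm with `aide --config-check` and a test database before merging.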
@@ -265,7 +340,4 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256
 #=/home DIR
 # Ditto /var/log/sa reason...
-!/var/log/and-httpd
-
-# Admins dot files constantly change, just check perms
-/root/\..* PERMS
+!/var/log/httpd/
\ No newline at end of file
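Review bot: `+!/var/log/httpd/` is written without a terminating newline (`\ No newline at end of file`), so the next edit to the file will show a spurious change on this line; end the file with a newline. The kept comment `# Ditto /var/log/sa reason...` justifies the exclusion by daily file churn, but the previous hunk now selects `/var/log/ LOG+ANF+ARF`, which as I read ANF/ARF already suppresses new- and removed-file reports, so excluding the whole web-server log directory additionally hides truncation of the logs that are present, which is what the `>` rule behind LOG exists to catch. If the exclusion is still wanted, a comment stating the remaining reason (e.g. rotation creating new inodes) would stop the next reader from deleting it.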