Refactor aide.conf

aide.conf

@@ -111,157 +111,228 @@ report_url=stdout
 # Use 'aide --version' to list the default compound groups.
 
 # You can create custom rules like this.
-# With MHASH...
-# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
-ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
-# Everything but access time (Ie. all changes)
+# Note: Removed deprecated/removed hashsums (tiger, haval, crc32, crc32b, whirlpool, md5, sha1, rmd160, gost)
+# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32+crc32b (old with deprecated/removed)
+ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512
+# Everything but access time (Ie. all changes) - updated with modern hashsums
 EVERYTHING = R+ALLXTRAHASHES
 
-# Sane, with multiple hashes
-# NORMAL = R+rmd160+sha256+whirlpool
-NORMAL = FIPSR+sha512
+# Base + sha512 (strong)
+NORMAL = R+sha512
 
-# For directories, don't bother doing hashes
-DIR = p+i+n+u+g+acl+selinux+xattrs
+CONTENT = ftype+sha256
 
-# Access control only
-PERMS = p+i+u+g+acl+selinux
+# For directories, don't bother doing hashes - added file type and link name
+DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs
+
+# Access control only - added file type and link name
+PERMS = ftype+p+i+l+u+g+acl+selinux
 
 # Logfile are special, in that they often change
 LOG = >
 
-# Just do sha256 and sha512 hashes
-LSPP = FIPSR+sha512
-
 # Some files get updated automatically, so the inode/ctime/mtime change
-# but we want to know when the data inside them changes
-DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
+# but we want to know when the data inside them changes - updated with modern hash
+DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256
 
 # Next decide what directories/files you want in the database.
 
-/boot   NORMAL
-/bin    NORMAL
-/sbin   NORMAL
-/lib    NORMAL
-/lib64  NORMAL
-/opt    NORMAL
-/usr    NORMAL
-/root   NORMAL
+/boot/   NORMAL
+/bin/    NORMAL
+/sbin/   NORMAL
+/lib/    NORMAL
+/lib64/  NORMAL
+# Monitor /opt selectively to avoid noise from auto-updating applications
+/opt/    CONTENT
+/usr/    NORMAL
 # These are too volatile
 !/usr/src
 !/usr/tmp
 
+/root   NORMAL
+# Admins dot files constantly change, just check perms
+/root/\..* PERMS
+
 # Check only permissions, inode, user and group for /etc, but
 # cover some important files closely.
 /etc    PERMS
 !/etc/mtab
 # Ignore backup files
 !/etc/.*~
-/etc/exports  NORMAL
-/etc/fstab    NORMAL
-/etc/passwd   NORMAL
-/etc/group    NORMAL
-/etc/gshadow  NORMAL
-/etc/shadow   NORMAL
-/etc/security/opasswd   NORMAL
 
-/etc/hosts.allow   NORMAL
-/etc/hosts.deny    NORMAL
+# trusted databases
+/etc/hosts$ NORMAL
+/etc/host.conf$ NORMAL
+/etc/hostname$ NORMAL
+/etc/issue$ NORMAL
+/etc/issue.net$ NORMAL
+/etc/protocols$ NORMAL
+/etc/services$ NORMAL
+/etc/localtime$ NORMAL
+/etc/alternatives/ NORMAL
+/etc/mime.types$ NORMAL
+/etc/terminfo/ NORMAL
+/etc/exports$  NORMAL
+/etc/fstab$    NORMAL
+/etc/passwd$   NORMAL
+/etc/group$    NORMAL
+/etc/gshadow$  NORMAL
+/etc/shadow$   NORMAL
+/etc/security/opasswd$   NORMAL
+/etc/skel/ NORMAL
 
-/etc/sudoers NORMAL
-/etc/skel NORMAL
+# networking
+/etc/hosts.allow$   NORMAL
+/etc/hosts.deny$    NORMAL
+/etc/firewalld/ NORMAL
+/etc/NetworkManager/ NORMAL
+/etc/networks$ NORMAL
+/etc/dhcp/ NORMAL
+/etc/wpa_supplicant/ NORMAL
+/etc/resolv.conf$ DATAONLY
+/etc/nscd.conf$ NORMAL
 
-/etc/logrotate.d NORMAL
-
-/etc/resolv.conf DATAONLY
-
-/etc/nscd.conf NORMAL
-/etc/securetty NORMAL
+# logins and accounts
+/etc/login.defs$ NORMAL
+/etc/libuser.conf$ NORMAL
+/var/log/faillog$ PERMS
+/var/log/lastlog$ PERMS
+/var/run/faillock/ PERMS
+/etc/pam.d/ NORMAL
+/etc/security$ NORMAL
+/etc/securetty$ NORMAL
+/etc/polkit-1/ NORMAL
+/etc/sudo.conf$ NORMAL
+/etc/sudoers$ NORMAL
+/etc/sudoers.d/ NORMAL
 
 # Shell/X starting files
-/etc/profile NORMAL
-/etc/bashrc NORMAL
-/etc/bash_completion.d/ NORMAL
-/etc/login.defs NORMAL
-/etc/zprofile NORMAL
-/etc/zshrc NORMAL
-/etc/zlogin NORMAL
-/etc/zlogout NORMAL
+/etc/profile$ NORMAL
 /etc/profile.d/ NORMAL
+/etc/bashrc$ NORMAL
+/etc/bash_completion.d/ NORMAL
+/etc/zprofile$ NORMAL
+/etc/zshrc$ NORMAL
+/etc/zlogin$ NORMAL
+/etc/zlogout$ NORMAL
 /etc/X11/ NORMAL
+/etc/shells$ NORMAL
 
 # Pkg manager
-/etc/yum.conf NORMAL
-/etc/yumex.conf NORMAL
-/etc/yumex.profiles.conf NORMAL
+/etc/yum.conf$ NORMAL
 /etc/yum/ NORMAL
 /etc/yum.repos.d/ NORMAL
 
-/var/log   LOG
-/var/run/utmp LOG
+/etc/audit/ NORMAL
+/etc/audisp/ NORMAL
+/etc/libaudit.conf$ NORMAL
+/etc/aide.conf$  NORMAL
+
+# System logs
+/etc/rsyslog.conf$ NORMAL
+/etc/rsyslog.d/ NORMAL
+/etc/logrotate.conf$ NORMAL
+/etc/logrotate.d/ NORMAL
+/var/log/ LOG+ANF+ARF
+/var/run/utmp$ LOG
+
+# secrets
+/etc/pkcs11/ NORMAL
+/etc/pki/ NORMAL
+/etc/ssl/ NORMAL
+/etc/certmonger/ NORMAL
+
+# init system
+/etc/systemd/ NORMAL
+/etc/sysconfig/ NORMAL
+/etc/rc.d/ NORMAL
+/etc/tmpfiles.d/ NORMAL
+/etc/machine-id$ NORMAL
+
+# boot config
+/etc/grub.d/ NORMAL
+/etc/grub2.cfg$ NORMAL
+/etc/dracut.conf$ NORMAL
+/etc/dracut.conf.d/ NORMAL
+
+# glibc linker
+/etc/ld.so.cache$ NORMAL
+/etc/ld.so.conf$ NORMAL
+/etc/ld.so.conf.d/ NORMAL
+
+# kernel config
+/etc/sysctl.conf$ NORMAL
+/etc/sysctl.d/ NORMAL
+/etc/modprobe.d/ NORMAL
+/etc/modules-load.d/ NORMAL
+/etc/depmod.d/ NORMAL
+/etc/udev/ NORMAL
+/etc/crypttab$ NORMAL
+
+#### Daemons ####
+
+# cron jobs
+/var/spool/at/ CONTENT
+/etc/at.allow$ CONTENT
+/etc/at.deny$ CONTENT
+/etc/cron.allow$ NORMAL
+/etc/cron.deny$ NORMAL
+/etc/cron.d/ NORMAL
+/etc/cron.daily/ NORMAL
+/etc/cron.hourly/ NORMAL
+/etc/cron.monthly/ NORMAL
+/etc/cron.weekly/ NORMAL
+/etc/crontab$ NORMAL
+/var/spool/cron/root/ CONTENT
+/etc/anacrontab$ NORMAL
+
+# time keeping
+/etc/ntp.conf$ NORMAL
+/etc/ntp/ NORMAL
+/etc/chrony.conf$ NORMAL
+/etc/chrony.keys$ NORMAL
+
+# mail
+/etc/aliases$ NORMAL
+/etc/aliases.db$ NORMAL
+/etc/postfix/ NORMAL
+/etc/mail.rc$ NORMAL
+/etc/mailcap$ NORMAL
+
+# ssh
+/etc/ssh/sshd_config$ NORMAL
+/etc/ssh/ssh_config$ NORMAL
+
+# stunnel
+/etc/stunnel/ NORMAL
+
+# ftp
+/etc/vsftpd.conf$ CONTENT
+/etc/vsftpd/ CONTENT
+
+# printing
+/etc/cups/ NORMAL
+/etc/cupshelpers/ NORMAL
+/etc/avahi/ NORMAL
+
+# web server
+/etc/httpd/ NORMAL
+
+# dns
+/etc/named/ NORMAL
+/etc/named.conf$ NORMAL
+/etc/named.iscdlv.key$ NORMAL
+/etc/named.rfc1912.zones$ NORMAL
+/etc/named.root.key$ NORMAL
+
+# xinetd
+/etc/xinetd.d/ NORMAL
 
 # This gets new/removes-old filenames daily
 !/var/log/sa
 # As we are checking it, we've truncated yesterdays size to zero.
 !/var/log/aide.log
 
-# LSPP rules...
-# AIDE produces an audit record, so this becomes perpetual motion.
-# /var/log/audit/ LSPP
-/etc/audit/ LSPP
-/etc/libaudit.conf LSPP
-/usr/sbin/stunnel LSPP
-/var/spool/at LSPP
-/etc/at.allow LSPP
-/etc/at.deny LSPP
-/etc/cron.allow LSPP
-/etc/cron.deny LSPP
-/etc/cron.d/ LSPP
-/etc/cron.daily/ LSPP
-/etc/cron.hourly/ LSPP
-/etc/cron.monthly/ LSPP
-/etc/cron.weekly/ LSPP
-/etc/crontab LSPP
-/var/spool/cron/root LSPP
-
-/etc/login.defs LSPP
-/etc/securetty LSPP
-/var/log/faillog LSPP
-/var/log/lastlog LSPP
-
-/etc/hosts LSPP
-/etc/sysconfig LSPP
-
-/etc/inittab LSPP
-/etc/grub/ LSPP
-/etc/rc.d LSPP
-
-/etc/ld.so.conf LSPP
-
-/etc/localtime LSPP
-
-/etc/sysctl.conf LSPP
-
-/etc/modprobe.conf LSPP
-
-/etc/pam.d LSPP
-/etc/security LSPP
-/etc/aliases LSPP
-/etc/postfix LSPP
-
-/etc/ssh/sshd_config LSPP
-/etc/ssh/ssh_config LSPP
-
-/etc/stunnel LSPP
-
-/etc/vsftpd.ftpusers LSPP
-/etc/vsftpd LSPP
-
-/etc/issue LSPP
-/etc/issue.net LSPP
-
-/etc/cups LSPP
-
 # With AIDE's default verbosity level of 5, these would give lots of
 # warnings upon tree traversal. It might change with future version.
 #
@@ -269,7 +340,4 @@ DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
 #=/home           DIR
 
 # Ditto /var/log/sa reason...
-!/var/log/and-httpd
-
-# Admins dot files constantly change, just check perms
-/root/\..* PERMS
+!/var/log/httpd/