Refactor aide.conf

aide.conf: update custom rules
2025-09-08 10:37:47 +02:00 · 2025-08-07 10:34:39 +02:00
1 changed files with 183 additions and 115 deletions
--- a/aide.conf
+++ b/aide.conf
@ -111,157 +111,228 @@ report_url=stdout
 # Use 'aide --version' to list the default compound groups.
 # You can create custom rules like this.
-# With MHASH...
+# Note: Removed deprecated/removed hashsums (tiger, haval, crc32, crc32b, whirlpool, md5, sha1, rmd160, gost)
-# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
+# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32+crc32b (old with deprecated/removed)
-ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
+ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512
-# Everything but access time (Ie. all changes)
+# Everything but access time (Ie. all changes) - updated with modern hashsums
 EVERYTHING = R+ALLXTRAHASHES
-# Sane, with multiple hashes
+# Base + sha512 (strong)
-# NORMAL = R+rmd160+sha256+whirlpool
+NORMAL = R+sha512
 NORMAL = FIPSR+sha512
-# For directories, don't bother doing hashes
+CONTENT = ftype+sha256
 DIR = p+i+n+u+g+acl+selinux+xattrs
-# Access control only
+# For directories, don't bother doing hashes - added file type and link name
-PERMS = p+i+u+g+acl+selinux
+DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs
 # Access control only - added file type and link name
 PERMS = ftype+p+i+l+u+g+acl+selinux
 # Logfile are special, in that they often change
 LOG = >
 # Just do sha256 and sha512 hashes
 LSPP = FIPSR+sha512
 # Some files get updated automatically, so the inode/ctime/mtime change
-# but we want to know when the data inside them changes
+# but we want to know when the data inside them changes - updated with modern hash
-DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
+DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256
 # Next decide what directories/files you want in the database.
-/boot   NORMAL
+/boot/   NORMAL
-/bin    NORMAL
+/bin/    NORMAL
-/sbin   NORMAL
+/sbin/   NORMAL
-/lib    NORMAL
+/lib/    NORMAL
-/lib64  NORMAL
+/lib64/  NORMAL
-/opt    NORMAL
+# Monitor /opt selectively to avoid noise from auto-updating applications
-/usr    NORMAL
+/opt/    CONTENT
-/root   NORMAL
+/usr/    NORMAL
 # These are too volatile
 !/usr/src
 !/usr/tmp
 /root   NORMAL
 # Admins dot files constantly change, just check perms
 /root/\..* PERMS
 # Check only permissions, inode, user and group for /etc, but
 # cover some important files closely.
 /etc    PERMS
 !/etc/mtab
 # Ignore backup files
 !/etc/.*~
 /etc/exports  NORMAL
 /etc/fstab    NORMAL
 /etc/passwd   NORMAL
 /etc/group    NORMAL
 /etc/gshadow  NORMAL
 /etc/shadow   NORMAL
 /etc/security/opasswd   NORMAL
-/etc/hosts.allow   NORMAL
+# trusted databases
-/etc/hosts.deny    NORMAL
+/etc/hosts$ NORMAL
 /etc/host.conf$ NORMAL
 /etc/hostname$ NORMAL
 /etc/issue$ NORMAL
 /etc/issue.net$ NORMAL
 /etc/protocols$ NORMAL
 /etc/services$ NORMAL
 /etc/localtime$ NORMAL
 /etc/alternatives/ NORMAL
 /etc/mime.types$ NORMAL
 /etc/terminfo/ NORMAL
 /etc/exports$  NORMAL
 /etc/fstab$    NORMAL
 /etc/passwd$   NORMAL
 /etc/group$    NORMAL
 /etc/gshadow$  NORMAL
 /etc/shadow$   NORMAL
 /etc/security/opasswd$   NORMAL
 /etc/skel/ NORMAL
-/etc/sudoers NORMAL
+# networking
-/etc/skel NORMAL
+/etc/hosts.allow$   NORMAL
 /etc/hosts.deny$    NORMAL
 /etc/firewalld/ NORMAL
 /etc/NetworkManager/ NORMAL
 /etc/networks$ NORMAL
 /etc/dhcp/ NORMAL
 /etc/wpa_supplicant/ NORMAL
 /etc/resolv.conf$ DATAONLY
 /etc/nscd.conf$ NORMAL
-/etc/logrotate.d NORMAL
+# logins and accounts
-
+/etc/login.defs$ NORMAL
-/etc/resolv.conf DATAONLY
+/etc/libuser.conf$ NORMAL
-
+/var/log/faillog$ PERMS
-/etc/nscd.conf NORMAL
+/var/log/lastlog$ PERMS
-/etc/securetty NORMAL
+/var/run/faillock/ PERMS
 /etc/pam.d/ NORMAL
 /etc/security$ NORMAL
 /etc/securetty$ NORMAL
 /etc/polkit-1/ NORMAL
 /etc/sudo.conf$ NORMAL
 /etc/sudoers$ NORMAL
 /etc/sudoers.d/ NORMAL
 # Shell/X starting files
-/etc/profile NORMAL
+/etc/profile$ NORMAL
 /etc/bashrc NORMAL
 /etc/bash_completion.d/ NORMAL
 /etc/login.defs NORMAL
 /etc/zprofile NORMAL
 /etc/zshrc NORMAL
 /etc/zlogin NORMAL
 /etc/zlogout NORMAL
 /etc/profile.d/ NORMAL
 /etc/bashrc$ NORMAL
 /etc/bash_completion.d/ NORMAL
 /etc/zprofile$ NORMAL
 /etc/zshrc$ NORMAL
 /etc/zlogin$ NORMAL
 /etc/zlogout$ NORMAL
 /etc/X11/ NORMAL
 /etc/shells$ NORMAL
 # Pkg manager
-/etc/yum.conf NORMAL
+/etc/yum.conf$ NORMAL
 /etc/yumex.conf NORMAL
 /etc/yumex.profiles.conf NORMAL
 /etc/yum/ NORMAL
 /etc/yum.repos.d/ NORMAL
-/var/log   LOG
+/etc/audit/ NORMAL
-/var/run/utmp LOG
+/etc/audisp/ NORMAL
 /etc/libaudit.conf$ NORMAL
 /etc/aide.conf$  NORMAL
 # System logs
 /etc/rsyslog.conf$ NORMAL
 /etc/rsyslog.d/ NORMAL
 /etc/logrotate.conf$ NORMAL
 /etc/logrotate.d/ NORMAL
 /var/log/ LOG+ANF+ARF
 /var/run/utmp$ LOG
 # secrets
 /etc/pkcs11/ NORMAL
 /etc/pki/ NORMAL
 /etc/ssl/ NORMAL
 /etc/certmonger/ NORMAL
 # init system
 /etc/systemd/ NORMAL
 /etc/sysconfig/ NORMAL
 /etc/rc.d/ NORMAL
 /etc/tmpfiles.d/ NORMAL
 /etc/machine-id$ NORMAL
 # boot config
 /etc/grub.d/ NORMAL
 /etc/grub2.cfg$ NORMAL
 /etc/dracut.conf$ NORMAL
 /etc/dracut.conf.d/ NORMAL
 # glibc linker
 /etc/ld.so.cache$ NORMAL
 /etc/ld.so.conf$ NORMAL
 /etc/ld.so.conf.d/ NORMAL
 # kernel config
 /etc/sysctl.conf$ NORMAL
 /etc/sysctl.d/ NORMAL
 /etc/modprobe.d/ NORMAL
 /etc/modules-load.d/ NORMAL
 /etc/depmod.d/ NORMAL
 /etc/udev/ NORMAL
 /etc/crypttab$ NORMAL
 #### Daemons ####
 # cron jobs
 /var/spool/at/ CONTENT
 /etc/at.allow$ CONTENT
 /etc/at.deny$ CONTENT
 /etc/cron.allow$ NORMAL
 /etc/cron.deny$ NORMAL
 /etc/cron.d/ NORMAL
 /etc/cron.daily/ NORMAL
 /etc/cron.hourly/ NORMAL
 /etc/cron.monthly/ NORMAL
 /etc/cron.weekly/ NORMAL
 /etc/crontab$ NORMAL
 /var/spool/cron/root/ CONTENT
 /etc/anacrontab$ NORMAL
 # time keeping
 /etc/ntp.conf$ NORMAL
 /etc/ntp/ NORMAL
 /etc/chrony.conf$ NORMAL
 /etc/chrony.keys$ NORMAL
 # mail
 /etc/aliases$ NORMAL
 /etc/aliases.db$ NORMAL
 /etc/postfix/ NORMAL
 /etc/mail.rc$ NORMAL
 /etc/mailcap$ NORMAL
 # ssh
 /etc/ssh/sshd_config$ NORMAL
 /etc/ssh/ssh_config$ NORMAL
 # stunnel
 /etc/stunnel/ NORMAL
 # ftp
 /etc/vsftpd.conf$ CONTENT
 /etc/vsftpd/ CONTENT
 # printing
 /etc/cups/ NORMAL
 /etc/cupshelpers/ NORMAL
 /etc/avahi/ NORMAL
 # web server
 /etc/httpd/ NORMAL
 # dns
 /etc/named/ NORMAL
 /etc/named.conf$ NORMAL
 /etc/named.iscdlv.key$ NORMAL
 /etc/named.rfc1912.zones$ NORMAL
 /etc/named.root.key$ NORMAL
 # xinetd
 /etc/xinetd.d/ NORMAL
 # This gets new/removes-old filenames daily
 !/var/log/sa
 # As we are checking it, we've truncated yesterdays size to zero.
 !/var/log/aide.log
 # LSPP rules...
 # AIDE produces an audit record, so this becomes perpetual motion.
 # /var/log/audit/ LSPP
 /etc/audit/ LSPP
 /etc/libaudit.conf LSPP
 /usr/sbin/stunnel LSPP
 /var/spool/at LSPP
 /etc/at.allow LSPP
 /etc/at.deny LSPP
 /etc/cron.allow LSPP
 /etc/cron.deny LSPP
 /etc/cron.d/ LSPP
 /etc/cron.daily/ LSPP
 /etc/cron.hourly/ LSPP
 /etc/cron.monthly/ LSPP
 /etc/cron.weekly/ LSPP
 /etc/crontab LSPP
 /var/spool/cron/root LSPP
 /etc/login.defs LSPP
 /etc/securetty LSPP
 /var/log/faillog LSPP
 /var/log/lastlog LSPP
 /etc/hosts LSPP
 /etc/sysconfig LSPP
 /etc/inittab LSPP
 /etc/grub/ LSPP
 /etc/rc.d LSPP
 /etc/ld.so.conf LSPP
 /etc/localtime LSPP
 /etc/sysctl.conf LSPP
 /etc/modprobe.conf LSPP
 /etc/pam.d LSPP
 /etc/security LSPP
 /etc/aliases LSPP
 /etc/postfix LSPP
 /etc/ssh/sshd_config LSPP
 /etc/ssh/ssh_config LSPP
 /etc/stunnel LSPP
 /etc/vsftpd.ftpusers LSPP
 /etc/vsftpd LSPP
 /etc/issue LSPP
 /etc/issue.net LSPP
 /etc/cups LSPP
 # With AIDE's default verbosity level of 5, these would give lots of
 # warnings upon tree traversal. It might change with future version.
 #
@ -269,7 +340,4 @@ DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
 #=/home           DIR
 # Ditto /var/log/sa reason...
-!/var/log/and-httpd
+!/var/log/httpd/
 # Admins dot files constantly change, just check perms
 /root/\..* PERMS
Author	SHA1	Message	Date
Cropi	88698a013b	Refactor aide.conf	2025-09-08 10:37:47 +02:00
Cropi	5b3470d676	aide.conf: update custom rules	2025-08-07 10:34:39 +02:00