Compare commits

...
Sign in to create a new pull request.

2 commits

Author SHA1 Message Date
Cropi
88698a013b Refactor aide.conf 2025-09-08 10:37:47 +02:00
Cropi
5b3470d676 aide.conf: update custom rules 2025-08-07 10:34:39 +02:00

298
aide.conf
View file

@ -111,157 +111,228 @@ report_url=stdout
# Use 'aide --version' to list the default compound groups. # Use 'aide --version' to list the default compound groups.
# You can create custom rules like this. # You can create custom rules like this.
# With MHASH... # Note: Removed deprecated/removed hashsums (tiger, haval, crc32, crc32b, whirlpool, md5, sha1, rmd160, gost)
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 # ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32+crc32b (old with deprecated/removed)
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512
# Everything but access time (Ie. all changes) # Everything but access time (Ie. all changes) - updated with modern hashsums
EVERYTHING = R+ALLXTRAHASHES EVERYTHING = R+ALLXTRAHASHES
# Sane, with multiple hashes # Base + sha512 (strong)
# NORMAL = R+rmd160+sha256+whirlpool NORMAL = R+sha512
NORMAL = FIPSR+sha512
# For directories, don't bother doing hashes CONTENT = ftype+sha256
DIR = p+i+n+u+g+acl+selinux+xattrs
# Access control only # For directories, don't bother doing hashes - added file type and link name
PERMS = p+i+u+g+acl+selinux DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs
# Access control only - added file type and link name
PERMS = ftype+p+i+l+u+g+acl+selinux
# Logfile are special, in that they often change # Logfile are special, in that they often change
LOG = > LOG = >
# Just do sha256 and sha512 hashes
LSPP = FIPSR+sha512
# Some files get updated automatically, so the inode/ctime/mtime change # Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes # but we want to know when the data inside them changes - updated with modern hash
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256
# Next decide what directories/files you want in the database. # Next decide what directories/files you want in the database.
/boot NORMAL /boot/ NORMAL
/bin NORMAL /bin/ NORMAL
/sbin NORMAL /sbin/ NORMAL
/lib NORMAL /lib/ NORMAL
/lib64 NORMAL /lib64/ NORMAL
/opt NORMAL # Monitor /opt selectively to avoid noise from auto-updating applications
/usr NORMAL /opt/ CONTENT
/root NORMAL /usr/ NORMAL
# These are too volatile # These are too volatile
!/usr/src !/usr/src
!/usr/tmp !/usr/tmp
/root NORMAL
# Admins dot files constantly change, just check perms
/root/\..* PERMS
# Check only permissions, inode, user and group for /etc, but # Check only permissions, inode, user and group for /etc, but
# cover some important files closely. # cover some important files closely.
/etc PERMS /etc PERMS
!/etc/mtab !/etc/mtab
# Ignore backup files # Ignore backup files
!/etc/.*~ !/etc/.*~
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/etc/security/opasswd NORMAL
/etc/hosts.allow NORMAL # trusted databases
/etc/hosts.deny NORMAL /etc/hosts$ NORMAL
/etc/host.conf$ NORMAL
/etc/hostname$ NORMAL
/etc/issue$ NORMAL
/etc/issue.net$ NORMAL
/etc/protocols$ NORMAL
/etc/services$ NORMAL
/etc/localtime$ NORMAL
/etc/alternatives/ NORMAL
/etc/mime.types$ NORMAL
/etc/terminfo/ NORMAL
/etc/exports$ NORMAL
/etc/fstab$ NORMAL
/etc/passwd$ NORMAL
/etc/group$ NORMAL
/etc/gshadow$ NORMAL
/etc/shadow$ NORMAL
/etc/security/opasswd$ NORMAL
/etc/skel/ NORMAL
/etc/sudoers NORMAL # networking
/etc/skel NORMAL /etc/hosts.allow$ NORMAL
/etc/hosts.deny$ NORMAL
/etc/firewalld/ NORMAL
/etc/NetworkManager/ NORMAL
/etc/networks$ NORMAL
/etc/dhcp/ NORMAL
/etc/wpa_supplicant/ NORMAL
/etc/resolv.conf$ DATAONLY
/etc/nscd.conf$ NORMAL
/etc/logrotate.d NORMAL # logins and accounts
/etc/login.defs$ NORMAL
/etc/resolv.conf DATAONLY /etc/libuser.conf$ NORMAL
/var/log/faillog$ PERMS
/etc/nscd.conf NORMAL /var/log/lastlog$ PERMS
/etc/securetty NORMAL /var/run/faillock/ PERMS
/etc/pam.d/ NORMAL
/etc/security$ NORMAL
/etc/securetty$ NORMAL
/etc/polkit-1/ NORMAL
/etc/sudo.conf$ NORMAL
/etc/sudoers$ NORMAL
/etc/sudoers.d/ NORMAL
# Shell/X starting files # Shell/X starting files
/etc/profile NORMAL /etc/profile$ NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL /etc/profile.d/ NORMAL
/etc/bashrc$ NORMAL
/etc/bash_completion.d/ NORMAL
/etc/zprofile$ NORMAL
/etc/zshrc$ NORMAL
/etc/zlogin$ NORMAL
/etc/zlogout$ NORMAL
/etc/X11/ NORMAL /etc/X11/ NORMAL
/etc/shells$ NORMAL
# Pkg manager # Pkg manager
/etc/yum.conf NORMAL /etc/yum.conf$ NORMAL
/etc/yumex.conf NORMAL
/etc/yumex.profiles.conf NORMAL
/etc/yum/ NORMAL /etc/yum/ NORMAL
/etc/yum.repos.d/ NORMAL /etc/yum.repos.d/ NORMAL
/var/log LOG /etc/audit/ NORMAL
/var/run/utmp LOG /etc/audisp/ NORMAL
/etc/libaudit.conf$ NORMAL
/etc/aide.conf$ NORMAL
# System logs
/etc/rsyslog.conf$ NORMAL
/etc/rsyslog.d/ NORMAL
/etc/logrotate.conf$ NORMAL
/etc/logrotate.d/ NORMAL
/var/log/ LOG+ANF+ARF
/var/run/utmp$ LOG
# secrets
/etc/pkcs11/ NORMAL
/etc/pki/ NORMAL
/etc/ssl/ NORMAL
/etc/certmonger/ NORMAL
# init system
/etc/systemd/ NORMAL
/etc/sysconfig/ NORMAL
/etc/rc.d/ NORMAL
/etc/tmpfiles.d/ NORMAL
/etc/machine-id$ NORMAL
# boot config
/etc/grub.d/ NORMAL
/etc/grub2.cfg$ NORMAL
/etc/dracut.conf$ NORMAL
/etc/dracut.conf.d/ NORMAL
# glibc linker
/etc/ld.so.cache$ NORMAL
/etc/ld.so.conf$ NORMAL
/etc/ld.so.conf.d/ NORMAL
# kernel config
/etc/sysctl.conf$ NORMAL
/etc/sysctl.d/ NORMAL
/etc/modprobe.d/ NORMAL
/etc/modules-load.d/ NORMAL
/etc/depmod.d/ NORMAL
/etc/udev/ NORMAL
/etc/crypttab$ NORMAL
#### Daemons ####
# cron jobs
/var/spool/at/ CONTENT
/etc/at.allow$ CONTENT
/etc/at.deny$ CONTENT
/etc/cron.allow$ NORMAL
/etc/cron.deny$ NORMAL
/etc/cron.d/ NORMAL
/etc/cron.daily/ NORMAL
/etc/cron.hourly/ NORMAL
/etc/cron.monthly/ NORMAL
/etc/cron.weekly/ NORMAL
/etc/crontab$ NORMAL
/var/spool/cron/root/ CONTENT
/etc/anacrontab$ NORMAL
# time keeping
/etc/ntp.conf$ NORMAL
/etc/ntp/ NORMAL
/etc/chrony.conf$ NORMAL
/etc/chrony.keys$ NORMAL
# mail
/etc/aliases$ NORMAL
/etc/aliases.db$ NORMAL
/etc/postfix/ NORMAL
/etc/mail.rc$ NORMAL
/etc/mailcap$ NORMAL
# ssh
/etc/ssh/sshd_config$ NORMAL
/etc/ssh/ssh_config$ NORMAL
# stunnel
/etc/stunnel/ NORMAL
# ftp
/etc/vsftpd.conf$ CONTENT
/etc/vsftpd/ CONTENT
# printing
/etc/cups/ NORMAL
/etc/cupshelpers/ NORMAL
/etc/avahi/ NORMAL
# web server
/etc/httpd/ NORMAL
# dns
/etc/named/ NORMAL
/etc/named.conf$ NORMAL
/etc/named.iscdlv.key$ NORMAL
/etc/named.rfc1912.zones$ NORMAL
/etc/named.root.key$ NORMAL
# xinetd
/etc/xinetd.d/ NORMAL
# This gets new/removes-old filenames daily # This gets new/removes-old filenames daily
!/var/log/sa !/var/log/sa
# As we are checking it, we've truncated yesterdays size to zero. # As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log !/var/log/aide.log
# LSPP rules...
# AIDE produces an audit record, so this becomes perpetual motion.
# /var/log/audit/ LSPP
/etc/audit/ LSPP
/etc/libaudit.conf LSPP
/usr/sbin/stunnel LSPP
/var/spool/at LSPP
/etc/at.allow LSPP
/etc/at.deny LSPP
/etc/cron.allow LSPP
/etc/cron.deny LSPP
/etc/cron.d/ LSPP
/etc/cron.daily/ LSPP
/etc/cron.hourly/ LSPP
/etc/cron.monthly/ LSPP
/etc/cron.weekly/ LSPP
/etc/crontab LSPP
/var/spool/cron/root LSPP
/etc/login.defs LSPP
/etc/securetty LSPP
/var/log/faillog LSPP
/var/log/lastlog LSPP
/etc/hosts LSPP
/etc/sysconfig LSPP
/etc/inittab LSPP
/etc/grub/ LSPP
/etc/rc.d LSPP
/etc/ld.so.conf LSPP
/etc/localtime LSPP
/etc/sysctl.conf LSPP
/etc/modprobe.conf LSPP
/etc/pam.d LSPP
/etc/security LSPP
/etc/aliases LSPP
/etc/postfix LSPP
/etc/ssh/sshd_config LSPP
/etc/ssh/ssh_config LSPP
/etc/stunnel LSPP
/etc/vsftpd.ftpusers LSPP
/etc/vsftpd LSPP
/etc/issue LSPP
/etc/issue.net LSPP
/etc/cups LSPP
# With AIDE's default verbosity level of 5, these would give lots of # With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version. # warnings upon tree traversal. It might change with future version.
# #
@ -269,7 +340,4 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
#=/home DIR #=/home DIR
# Ditto /var/log/sa reason... # Ditto /var/log/sa reason...
!/var/log/and-httpd !/var/log/httpd/
# Admins dot files constantly change, just check perms
/root/\..* PERMS