| # Example configuration file for AIDE |
| # See more: man 5 aide.conf |
| |
| database=file:/var/lib/aide/aide.db |
| database_out=file:/var/lib/aide/aide.db.new |
| |
| # Change this to "no" or remove it to not gzip output |
| # (only useful on systems with few CPU cycles to spare) |
| gzip_dbout=yes |
| |
| # Default: 5 |
| #verbose=5 |
| |
| report_url=file:/var/log/aide/aide.log |
| report_url=stdout |
| #report_url=stderr |
| |
| # Here are all the things we can check - these are the default rules |
| # |
| # p: permissions |
| # ftype: file type |
| # i: inode |
| # l: link name |
| # n: number of links |
| # u: user |
| # g: group |
| # s: size |
| # b: block count |
| # m: mtime (modification time) |
| # a: atime (access time) |
| # c: ctime (change time) |
| # S: check for growing size |
| # I: ignore changed filename |
| # ANF: allow new files |
| # ARF: allow removed files |
| # md5: md5 checksum |
| # sha1: sha1 checksum |
| # sha256: sha256 checksum |
| # sha512: sha512 checksum |
| # rmd160: rmd160 checksum |
| # tiger: tiger checksum |
| # crc32: crc32 checksum |
| # R: p+ftype+i+l+n+u+g+s+m+c+md5+X |
| # L: p+ftype+i+l+n+u+g+X |
| # E: Empty group |
| # X: acl+selinux+xattrs+e2fsattrs (if groups are explicitly enabled) |
| # >: Growing file p+ftype+l+u+g+i+n+S+X |
| |
| # Defines formerly set here have been moved to /etc/default/aide. |
| |
| # Custom rules |
| Binlib = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160 |
| ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160 |
| Logs = p+i+n+u+g+S |
| Devices = p+i+n+u+g+s+b+c+md5+sha256+rmd160 |
| Databases = p+n+u+g |
| StaticDir = p+i+n+u+g |
| ManPages = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160 |
| |
| # Next decide what directories/files you want in the database |
| |
| # Kernel, system map, etc. |
| =/boot$ Binlib |
| # Configs |
| /etc ConfFiles |
| !/etc/mtab |
| # Binaries |
| /bin Binlib |
| /sbin Binlib |
| /usr/bin Binlib |
| /usr/sbin Binlib |
| /usr/libexec Binlib |
| /usr/local/bin Binlib |
| /usr/local/sbin Binlib |
| #/usr/games Binlib |
| # Libraries |
| /lib(64)? Binlib |
| /usr/lib(64)? Binlib |
| /usr/local/lib(64)? Binlib |
| # Log files |
| =/var/log$ StaticDir |
| #!/var/log/ksymoops |
| /var/log/aide/aide.log(.[0-9])?(.gz)? Databases |
| /var/log/aide/error.log(.[0-9])?(.gz)? Databases |
| #/var/log/setuid.changes(.[0-9])?(.gz)? Databases |
| !/var/log/aide |
| /var/log Logs |
| # Devices |
| !/dev/pts |
| # If you get spurious warnings about being unable to mmap() /dev/cpu/mtrr, |
| # you may uncomment this to get rid of them. They're harmless but sometimes |
| # annoying. |
| #!/dev/cpu/mtrr |
| #!/dev/xconsole |
| /dev Devices |
| # Other miscellaneous files |
| /var/run$ StaticDir |
| !/var/run |
| # Test only the directory when dealing with /proc |
| /proc$ StaticDir |
| !/proc |
| |
| # You can look through these examples to get further ideas |
| |
| # MD5 sum files - especially useful with debsums -g |
| #/var/lib/dpkg/info/([^\.]+).md5sums u+g+s+m+md5+sha1 |
| |
| # Check crontabs |
| #/var/spool/anacron/cron.daily Databases |
| #/var/spool/anacron/cron.monthly Databases |
| #/var/spool/anacron/cron.weekly Databases |
| #/var/spool/cron Databases |
| #/var/spool/cron/crontabs Databases |
| |
| # manpages can be trojaned, especially depending on *roff implementation |
| #/usr/man ManPages |
| #/usr/share/man ManPages |
| #/usr/local/man ManPages |
| |
| # docs |
| #/usr/doc ManPages |
| #/usr/share/doc ManPages |
| |
| # check users' home directories |
| #/home Binlib |
| |
| # check sources for modifications |
| #/usr/src L |
| #/usr/local/src L |
| |
| # Check headers for same |
| #/usr/include L |
| #/usr/local/include L |