# Example configuration file for AIDE
# See more: man 5 aide.conf

@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
@@define CONTEXT aide

# database_in is the reference baseline that a check compares the file system
# against; database_out is what an init/update run writes. They deliberately
# differ: the freshly written .db.new only becomes the baseline once it has been
# reviewed and renamed to .db.
# NOTE(review): both files live on the monitored host and are root-writable, so
# an attacker who already has root can simply regenerate the baseline. Keep a
# copy of the .db on read-only or offline media and compare against that copy.
database_in=file:@@{DBDIR}/@@{CONTEXT}.db
database_out=file:@@{DBDIR}/@@{CONTEXT}.db.new

# Compress the written database.
# Change this to "no" or remove it to not gzip output
# (only worth doing on systems with few CPU cycles to spare)
gzip_dbout=yes

# Default: warning
#log_level=info

# Default: changed_attributes
#report_level=added_removed_attributes

# The report goes both to a log file and to stdout; several report_url lines
# may be given.
report_url=file:@@{LOGDIR}/@@{CONTEXT}.log
report_url=stdout
#report_url=stderr

# Here are all the things we can check - these are the default rules
#
# List attributes
# ftype: file type
# fstype: file system type (Linux-only)
# p: permissions
# i: inode
# l: link name (symbolic links only)
# n: number of links
# u: user
# g: group
# s: size
# b: block count
# m: mtime (modification time)
# a: atime (access time)
# c: ctime (change time)
# acl: access control list (requires libacl, Linux-only)
# selinux: selinux attributes (requires libselinux, Linux-only)
# xattrs: extended attributes (requires libattr, Linux-only)
# e2fsattrs: file attributes on a Linux file system (requires libcap)
# caps: file capabilities (regular files only)
# S: check for growing size (DEPRECATED)
# I: ignore changed filename
# growing: ignore growing file
# compressed: ignore compressed file
# ANF: allow new files
# ARF: allow removed files
#
# List Checksums
# sha256
# sha512
# sha512_256
# sha3_256
# sha3_512
# stribog256
# stribog512
# md5 (DEPRECATED)
# sha1 (DEPRECATED)
# rmd160 (DEPRECATED)
# gost (DEPRECATED)
#
# Default groups
# R: p+ftype+i+l+n+u+g+s+m+c+sha3_256+X
# L: p+ftype+i+l+n+u+g+X
# >: Growing file p+ftype+l+u+g+i+n+s+growing+X
# H: all compiled in (and not deprecated) hashsums
# X: acl+selinux+xattrs+e2fsattrs+caps (if attributes are compiled in)
# E: Empty group
#
# Defines formerly set here have been moved to /etc/default/aide.
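# Custom rules
#
# Attribute groups used by the selection lines below. The groups covering
# executables and configuration carry ftype+l so a replaced symbolic link
# target (e.g. /bin -> /usr/bin, /etc/alternatives/*) is reported, and X so
# ACL, SELinux, xattr and file-capability changes are reported where AIDE was
# built with those attributes (X expands to nothing otherwise). Without them a
# setfacl on /etc/shadow or a setcap on a binary leaves p/u/g/hash untouched
# and goes unnoticed.
Binlib = p+ftype+i+l+n+u+g+s+b+m+c+sha256+X
ConfFiles = p+ftype+i+l+n+u+g+s+b+m+c+sha256+X
# Logs grow and rotate: ignore growth but still catch truncation, owner,
# permission and inode changes.
Logs = p+i+n+u+g+growing+s
Devices = p+i+n+u+g+s+b+c+sha256
# Used for files AIDE itself rewrites on every run; only mode and ownership
# are meaningful there.
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+ftype+i+l+n+u+g+s+b+m+c+sha256+X

# Next decide what directories/files you want in the database

# Kernel, system map, initrd, bootloader.
# A regular (non "=") selection line so the files inside /boot are checked as
# well as the directory entry itself; compare =/var/log$ below, which needs a
# separate /var/log line for its contents.
/boot Binlib

# Configs
/etc ConfFiles
!/etc/mtab

# Binaries
/bin Binlib
/sbin Binlib
/opt Binlib
/usr/bin Binlib
/usr/sbin Binlib
/usr/libexec Binlib
/usr/local/bin Binlib
/usr/local/sbin Binlib
#/usr/games Binlib

# Libraries
/lib(64)? Binlib
/usr/lib(64)? Binlib
/usr/local/lib(64)? Binlib

# Log files
# Only the /var/log directory entry itself, then AIDE's own logs, then
# everything else under /var/log with the Logs group.
=/var/log$ StaticDir
#!/var/log/ksymoops
/var/log/aide/aide.log(.[0-9])?(.gz)? Databases
/var/log/aide/error.log(.[0-9])?(.gz)? Databases
#/var/log/setuid.changes(.[0-9])?(.gz)? Databases
!/var/log/aide
/var/log Logs

# Devices
!/dev/pts
!/dev/shm
# If you get spurious warnings about being unable to mmap() /dev/cpu/mtrr,
# you may uncomment this to get rid of them. They're harmless but sometimes
# annoying.
#!/dev/cpu/mtrr
#!/dev/xconsole
/dev Devices

# Other miscellaneous files
# Runtime state directories: check the directory entry only.
/var/run$ StaticDir
!/var/run
/run$ StaticDir
!/run

# Test only the directory when dealing with /proc
/proc$ StaticDir
!/proc

# You can look through these examples to get further ideas

# Check crontabs
#/var/spool/anacron/cron.daily Databases
#/var/spool/anacron/cron.monthly Databases
#/var/spool/anacron/cron.weekly Databases
#/var/spool/cron Databases
#/var/spool/cron/crontabs Databases
#/var/spool/fcron Databases

# manpages can be trojaned, especially depending on *roff implementation
#/usr/man ManPages
#/usr/share/man ManPages
#/usr/local/man ManPages

# docs
#/usr/doc ManPages
#/usr/share/doc ManPages

# check users' home directories
#/home Binlib

# check sources for modifications
#/usr/src L
#/usr/local/src L

# Check headers for same
#/usr/include L
#/usr/local/include L

# Include rules from /etc/aide/aide.conf.d
# Files with the x bit set are executed and their output included.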
# Pull in drop-in rule snippets, but only when the directory exists. Only plain
# names matching ^[a-zA-Z0-9_-]+$ are read, which skips dotfiles and anything
# with a dot in the name (editor backups, package-manager leftovers).
# NOTE(review): snippets with the execute bit set are run and their output is
# parsed as configuration, with the privileges of the aide run itself. The
# directory and every file in it must be root-owned and not writable by group
# or others, otherwise a local user could inject selection lines (a "!/" line
# would blind the whole check) or arbitrary commands.
@@if exists /etc/aide/@@{CONTEXT}.conf.d
@@x_include /etc/aide/@@{CONTEXT}.conf.d ^[a-zA-Z0-9_-]+$
@@endif