# Example configuration file for AIDE
# See more: man 5 aide.conf
#
# Read by aide(1). This format uses full-line '#' comments only.
# The selection lines further down are regular expressions matched
# against absolute paths, and their order is significant - edit lines in
# place rather than reordering them (see aide.conf(5) for the exact
# precedence rules).

# Baseline database that checks are compared against, and the path a
# newly generated database is written to. Both live on the monitored host,
# so the value of a check depends on the baseline itself not being
# modifiable by whatever the check is meant to detect.
# NOTE(review): a read-only or off-host copy of aide.db is the usual
# mitigation - confirm against local policy.
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

# Change this to "no" or remove it to not gzip output
# (only useful on systems with few CPU cycles to spare)
gzip_dbout=yes

# Default: 5
#verbose=5

# Where the report is written. AIDE accepts report_url more than once, so
# both lines below are active: the report goes to the log file and to
# stdout. The commented stderr line is a third alternative, not a default.
report_url=file:/var/log/aide/aide.log
report_url=stdout
#report_url=stderr

# Here are all the things we can check - these are the default rules
#
# p:   permissions
# ftype: file type
# i:   inode
# l:   link name
# n:   number of links
# u:   user
# g:   group
# s:   size
# b:   block count
# m:   mtime (modification time)
# a:   atime (access time)
# c:   ctime (change time)
# S:   check for growing size
# I:   ignore changed filename
# ANF: allow new files
# ARF: allow removed files
# md5: md5 checksum
# sha1: sha1 checksum
# sha256: sha256 checksum
# sha512: sha512 checksum
# rmd160: rmd160 checksum
# tiger: tiger checksum
# crc32:    crc32 checksum
# R:   p+ftype+i+l+n+u+g+s+m+c+md5+X
# L:   p+ftype+i+l+n+u+g+X
# E:   Empty group
# X:   acl+selinux+xattrs+e2fsattrs (if groups are explicitly enabled)
# >:   Growing file p+ftype+l+u+g+i+n+S+X

# Defines formerly set here have been moved to /etc/default/aide.

# Custom rules - named groups of the attribute letters listed above.
# Binlib, ConfFiles and ManPages are identical: inode, ownership, size,
# block count, mtime, ctime and three checksums. sha256 is the checksum to
# rely on for content integrity; md5 (not collision resistant) and rmd160
# are carried alongside it. No rule here checks atime ('a').
Binlib = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160
# Logs: no size, time or checksum, only 'S' (growing size) - a log that
# shrinks is reported, an append-only log is not.
Logs = p+i+n+u+g+S
# Devices: as Binlib but without mtime ('m').
Devices = p+i+n+u+g+s+b+c+md5+sha256+rmd160
# Databases: permissions, link count, owner and group only - no size,
# time or checksum, so content changes to these files are not reported.
Databases = p+n+u+g
# StaticDir: Databases plus inode; used below for directory entries whose
# contents are excluded.
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160

# Next decide what directories/files you want in the database
#
# Selection line forms used below (see aide.conf(5)):
#   /regex rule    regular line: matching paths are checked with 'rule'
#   =/regex rule   equals line: as I read the manual, matching entries are
#                  added without descending into them - confirm for the
#                  installed version
#   !/regex        negative line: matching paths are excluded
# A trailing '$' anchors the regex at the end of the path.

# Kernel, system map, etc.
# NOTE(review): anchored to the /boot entry itself; if '=' lines do not
# descend, the kernel and initrd files under /boot are not covered by
# this line - confirm.
=/boot$ Binlib
# Configs
# Recursive; this also covers this file and /etc/default/aide when they
# live under /etc.
/etc ConfFiles
# presumably excluded because the mount table changes on every mount
!/etc/mtab
# Binaries
/bin Binlib
/sbin Binlib
/usr/bin Binlib
/usr/sbin Binlib
/usr/libexec Binlib
/usr/local/bin Binlib
/usr/local/sbin Binlib
#/usr/games Binlib
# Libraries
# (64)? also matches lib64 variants of each directory.
/lib(64)? Binlib
/usr/lib(64)? Binlib
/usr/local/lib(64)? Binlib
# Log files
=/var/log$ StaticDir
#!/var/log/ksymoops
# NOTE(review): '.' in the two lines below is an unescaped regex
# metacharacter and matches any single character; '\.' (as the md5sums
# example further down uses) would match the literal dot only.
# These lines also overlap with '!/var/log/aide' just below; whether the
# explicit match or the exclusion wins depends on the precedence rules in
# aide.conf(5) - confirm for the installed version.
/var/log/aide/aide.log(.[0-9])?(.gz)? Databases
/var/log/aide/error.log(.[0-9])?(.gz)? Databases
#/var/log/setuid.changes(.[0-9])?(.gz)? Databases
!/var/log/aide
# Everything else under /var/log with the growing-size rule.
/var/log Logs
# Devices
# dynamic pseudo-terminal nodes are excluded
!/dev/pts
# If you get spurious warnings about being unable to mmap() /dev/cpu/mtrr,
# you may uncomment this to get rid of them. They're harmless but sometimes
# annoying.
#!/dev/cpu/mtrr
#!/dev/xconsole
# The rest of /dev with the Devices rule (no mtime, see above).
/dev Devices
# Other miscellaneous files
# Only the /var/run directory entry itself is recorded; its contents are
# excluded by the negative line that follows.
/var/run$ StaticDir
!/var/run
# Test only the directory when dealing with /proc
/proc$ StaticDir
!/proc

# You can look through these examples to get further ideas
# (all of the lines below are disabled)

# MD5 sum files - especially useful with debsums -g
#/var/lib/dpkg/info/([^\.]+).md5sums u+g+s+m+md5+sha1

# Check crontabs
#/var/spool/anacron/cron.daily Databases
#/var/spool/anacron/cron.monthly Databases
#/var/spool/anacron/cron.weekly Databases
#/var/spool/cron Databases
#/var/spool/cron/crontabs Databases

# manpages can be trojaned, especially depending on *roff implementation
#/usr/man ManPages
#/usr/share/man ManPages
#/usr/local/man ManPages

# docs
#/usr/doc ManPages
#/usr/share/doc ManPages

# check users' home directories
#/home Binlib

# check sources for modifications
#/usr/src L
#/usr/local/src L

# Check headers for same
#/usr/include L
#/usr/local/include L