# # AIDE 0.11 # # example configuration file for Mandriva # # This configuration file checks the integrity of the AIDE package # # Default values for the parameters are in comments before the # corresponding line. # @@define TOPDIR / @@define BINDIR @@{TOPDIR}usr/sbin @@define CONFDIR @@{TOPDIR}etc @@define DBDIR @@{TOPDIR}var/lib/aide @@define LOGDIR @@{TOPDIR}var/log # The location of the database to be read. database=file:@@{DBDIR}/aide.db # The location of the database to be written. #database_out=sql:host:port:database:login_name:passwd:table database_out=file:@@{DBDIR}/aide.db.new # For compare, you need to specify the database files to compare; # compare uses database and database_new #database_new=file:@@{DBDIR}/aide.db.new # Whether to gzip the database output gzip_dbout=no report_url=stdout #report_url=stderr #NOT IMPLEMENTED report_url=mailto:root@foo.com #report_url=syslog:LOG_LOCAL1 report_url=file:@@{LOGDIR}/aide.log # # Default Groups: # #p: permissions #i: inode #n: number of links #u: user #g: group #s: size #b: block count #m: mtime #a: atime #c: ctime (not compatible with 'I') #S: check for growing size #md5: md5 checksum #sha1: sha1 checksum #rmd160: rmd160 checksum #tiger: tiger checksum #R: p+i+n+u+g+s+m+c+md5 #L: p+i+n+u+g #E: Empty group #>: Growing logfile p+u+g+i+n+S #I: Ignore changed filename (not compatible with 'c') #ANF: Allow new files #ARF: Allow removed files # # The following are available if you have mhash support enabled. # #haval: haval checksum #gost: gost checksum #crc32: crc32 checksum ################################################################## # RULE DEFINITIONS ################################################################## # ignore_list is a special rule definition # the attributes listed in it are not displayed in the # final report # # NOTE: this default configuration file does not use md5 checks # due to the fact that md5 is fairly trivial to spoof now, so # rely on more "important" checksums # HighSec=R+a+sha1+rmd160+tiger+haval+crc32 All=R+a+sha1+rmd160 Norm=s+n+b+sha1+rmd160 # Essential system binaries should be monitored on all attributes, with a # high level of certainty. We keep only SHA-1 and rmd160 for now. BIN=p+i+n+u+g+s+m+sha1+rmd160 # System logs should be allowed to change, and even to switch inode numbers. # The inode modification is because of Red Hat's automatic log cycling. LOG=p+n+u+g # Device files should simply maintain ownership, permissions and such. # It doesn't make sense to monitor contents. We also ignore inode # mod (c) because this changes every reboot. DEV=p+n+u+g # Essential system config files (/etc/fstab, /etc/hosts.allow) should # be watched very closely. CONF=p+i+n+u+g+s+m+c+sha1+rmd160 # Most directories need to allow for new files to be added, so we # won't watch size, mod time, changes to the inode, or compute sigs. DIR=p+i+n+u+g ################################################################## # MAIN CONFIGURATION ################################################################## # Monitor the root directory itself, but don't recurse into it. =/ DIR # Monitor essential system binaries: libraries and programs. /bin/.* BIN /lib/.* BIN /sbin/.* BIN /usr/bin/.* BIN /usr/lib/.* BIN /usr/sbin/.* BIN /usr/local/bin/.* BIN /usr/local/lib/.* BIN /usr/local/sbin/.* BIN # Monitor the /boot directory, where the kernel et al. is stored. # System.map changes inode and mod time on every reboot, so ignore # these. /boot/.* BIN /boot/System.map BIN-m-c # Monitor /dev, the devices directory, but not /dev/pts/* which can # change on each login, nor /dev/shm which is for temporary storage /dev/.* DEV !/dev/pts/.* !/dev/shm/.* # Granularly, watch the system's config files... /etc/.* CONF # mtab holds current mounted volume information. Usually, we should # treat this as a log, since it must change. /etc/mtab LOG # Directories that likely will change often but don't need much special # care and allow for new sub-directories and files to be created =/home DIR =/lost+found DIR =/mnt DIR =/media DIR =/proc DIR-n =/tmp DIR # watch /root closely; you can make exclusions to certain files that # change often, like /root/.viminfo, etc. /root/.* BIN-m !/root/.viminfo !/root/.gnupg/random_seed # /var is difficult, as it contains logs, mail queues, and mailboxes, to # name a few type of files. # 1) The log directory is hard to watch, because of the log cycling. # 2) The spool/cron should be watched. We can watch very closely if we # are willing to disallow cron. # 3) The spool/mail directory should only be watched for permissions, but # not for content, since mail files will be added with new users. =/var DIR /var/log/.* LOG =/var/spool LOG /var/spool/cron Norm /var/mail LOG /var/spool/exim LOG !/var/spool/exim/input !/var/spool/exim/msglog =/var/tmp DIR !/var/lock =/var/log/service LOG # enable this if you don't care about being notified of changed log files which # can happen quite rapidly for busy services #!/var/log/service/.* # Check the aide binary, database and config files for everything @@{CONFDIR}/aide.conf HighSec @@{BINDIR}/aide HighSec # these are disabled by default because they are generated *after* AIDE runs so will # always show up in the report as changed #@@{DBDIR}/aide.db HighSec #@@{DBDIR}/aide.db.sig HighSec #@@{DBDIR}/reports/.* HighSec