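# Example configuration file for AIDE
# See more: man 5 aide.conf
#
# Layout: one directive or rule per line, `#` full-line comments.
# The file was collapsed onto two physical lines; restored here so the
# leading `#` no longer comments out every directive on the first line.

# Reference database read for --check, and the database written by
# --init / --update. Keep the reference copy somewhere the monitored
# host cannot rewrite it (read-only media or an off-host copy), since
# a database writable by an attacker can simply be re-baselined.
database_in=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

# Change this to "no" or remove it to not gzip output
# (only useful on systems with few CPU cycles to spare)
gzip_dbout=yes

# Default: warning
#log_level=info

# Default: changed_attributes
#report_level=added_removed_attributes

# AIDE accepts several report_url lines; the report goes to each of them.
report_url=file:/var/log/aide/aide.log
report_url=stdout
#report_url=stderr

# Here are all the things we can check - these are the default rules
#
# p: permissions
# ftype: file type
# i: inode
# l: link name
# n: number of links
# u: user
# g: group
# s: size
# b: block count
# m: mtime (modification time)
# a: atime (access time)
# c: ctime (change time)
# S: check for growing size
# I: ignore changed filename
# ANF: allow new files
# ARF: allow removed files
# md5: md5 checksum
# sha1: sha1 checksum
# sha256: sha256 checksum
# sha512: sha512 checksum
# rmd160: rmd160 checksum
# tiger: tiger checksum
# crc32: crc32 checksum
# R: p+ftype+i+l+n+u+g+s+m+c+md5+X
# L: p+ftype+i+l+n+u+g+X
# E: Empty group
# X: acl+selinux+xattrs+e2fsattrs (if groups are explicitly enabled)
# >: Growing file p+ftype+l+u+g+i+n+S+X

# Defines formerly set here have been moved to /etc/default/aide.

# Custom rules
# Each rule is a `+`-joined set of the attribute names listed above.
# Of the three checksums in Binlib/ConfFiles/Devices/ManPages, sha256 is
# the one to rely on for integrity; md5 and rmd160 are kept alongside it
# for compatibility with older reports and tooling.
Binlib = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160
# No checksum, and S (growing size) instead of s: log files are expected
# to grow, so only shrinking or metadata changes are reported.
Logs = p+i+n+u+g+S
Devices = p+i+n+u+g+s+b+c+md5+sha256+rmd160
# Ownership and permissions only; used for files AIDE itself rewrites.
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160

# Next decide what directories/files you want in the database
# Lines are regular expressions anchored at the start of the path:
#   /path rule   - select /path and everything below it
#   =/path$ rule - select exactly /path (no recursion)
#   !/path       - exclude /path and everything below it

# Kernel, system map, etc.
=/boot$ Binlib

# Configs
/etc ConfFiles
!/etc/mtab

# Binaries
/bin Binlib
/sbin Binlib
/usr/bin Binlib
/usr/sbin Binlib
/usr/libexec Binlib
/usr/local/bin Binlib
/usr/local/sbin Binlib
#/usr/games Binlib

# Libraries
/lib(64)? Binlib
/usr/lib(64)? Binlib
/usr/local/lib(64)? Binlib

# Log files
=/var/log$ StaticDir
#!/var/log/ksymoops
# Dots in the log-file names are escaped: an unescaped `.` is a regex
# wildcard and would also match e.g. "aide_logX".
/var/log/aide/aide\.log(\.[0-9])?(\.gz)? Databases
/var/log/aide/error\.log(\.[0-9])?(\.gz)? Databases
#/var/log/setuid\.changes(\.[0-9])?(\.gz)? Databases
!/var/log/aide
/var/log Logs

# Devices
!/dev/pts
# If you get spurious warnings about being unable to mmap() /dev/cpu/mtrr,
# you may uncomment this to get rid of them. They're harmless but sometimes
# annoying.
#!/dev/cpu/mtrr
#!/dev/xconsole
/dev Devices

# Other miscellaneous files
/var/run$ StaticDir
!/var/run

# Test only the directory when dealing with /proc
/proc$ StaticDir
!/proc

# You can look through these examples to get further ideas

# MD5 sum files - especially useful with debsums -g
#/var/lib/dpkg/info/([^\.]+)\.md5sums u+g+s+m+md5+sha1

# Check crontabs
#/var/spool/anacron/cron.daily Databases
#/var/spool/anacron/cron.monthly Databases
#/var/spool/anacron/cron.weekly Databases
#/var/spool/cron Databases
#/var/spool/cron/crontabs Databases

# manpages can be trojaned, especially depending on *roff implementation
#/usr/man ManPages
#/usr/share/man ManPages
#/usr/local/man ManPages

# docs
#/usr/doc ManPages
#/usr/share/doc ManPages

# check users' home directories
#/home Binlib

# check sources for modifications
#/usr/src L
#/usr/local/src L

# Check headers for same
#/usr/include L
#/usr/local/include L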