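# Example configuration file for AIDE.
#
# Layout: macro definitions, database/report locations, the attribute and
# digest reference, named rule groups, and finally the selection lines that
# decide which paths are recorded and with which rule group.

@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide

# The location of the database to be read.
# This is the baseline that checks are compared against. It is stored on the
# host being monitored, so anyone who can write to DBDIR can also rewrite the
# baseline. Keep a copy (or its checksum) on read-only or off-host storage and
# compare against it before trusting a clean report.
database=file:@@{DBDIR}/aide.db.gz

# The location of the database to be written.
# A newly generated database lands here and is not used for checks until it
# is moved over the `database` path above.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz

# Whether to gzip the output to database
gzip_dbout=yes

# Default.
verbose=5

# Reports go both to a log file and to stdout. The log file sits on the
# monitored host; forward it elsewhere if the report must survive tampering.
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr

#
# Here are all the attributes we can check
#p:      permissions
#i:      inode
#n:      number of links
#l:      link name
#u:      user
#g:      group
#s:      size
###b:    block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#I:      ignore changed filename
#ANF:    allow new files
#ARF:    allow removed files
#
# Here are all the digests we can use
#md5:       md5 checksum
#sha1:      sha1 checksum
#sha256:    sha256 checksum
#sha512:    sha512 checksum
#rmd160:    rmd160 checksum
#tiger:     tiger checksum
#haval:     haval checksum
#crc32:     crc32 checksum
#gost:      gost checksum
#whirlpool: whirlpool checksum

# These are the default rules
#R:  p+i+l+n+u+g+s+m+c+md5
#L:  p+i+l+n+u+g
#E:  Empty group
#>:  Growing logfile p+l+u+g+i+n+S

# You can create custom rules - my home made rule definition goes like this
#ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha256+sha512

# Everything but access time (i.e. all changes)
EVERYTHING = R+ALLXTRAHASHES

# Sane, with multiple hashes
# R (as listed above) contributes md5, which is not collision-resistant on its
# own; the sha256 and rmd160 added here are what make a content match
# trustworthy.
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = R+rmd160+sha256

# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+xattrs

# Access control only
# No size, timestamp or digest is recorded, so a path checked with PERMS can
# have its content changed without any report.
PERMS = p+i+u+g+acl

# Logfiles are special, in that they often change
LOG = >

# The full R attribute set plus a sha256 hash (R already includes md5)
LSPP = R+sha256

# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger

# Note: EVERYTHING, DIR, LOG and LSPP are defined above but no selection line
# below refers to them.

# Next decide what directories/files you want in the database.
# Each selection line is a regular expression matched from the start of the
# path. Without a trailing `$` it also matches longer paths that begin the
# same way, which is what makes `/bin NORMAL` cover the whole tree.

/boot   NORMAL
/bin    NORMAL
/sbin   NORMAL
/lib    NORMAL
/lib64  NORMAL
/opt    NORMAL
/usr    NORMAL
/root   NORMAL

# These are too volatile
!/usr/src
!/usr/tmp

# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
# Anything under /etc that is not listed with NORMAL or DATAONLY below is
# covered by PERMS only, so edits to its content go unreported. Add a line
# for every further file whose content matters on this host.
/etc    PERMS

# Anchored with `$` so that only /etc/mtab itself is skipped, not every path
# that merely starts with that name.
!/etc/mtab$

# Ignore backup files
# Anchored with `$`: only paths ending in `~` are skipped. Unanchored, the
# pattern would exclude every path under /etc that contains a `~` anywhere,
# leaving those files outside the database entirely.
!/etc/.*~$

/etc/exports  NORMAL
/etc/fstab    NORMAL
/etc/passwd   NORMAL
/etc/group    NORMAL
/etc/gshadow  NORMAL
/etc/shadow   NORMAL
/etc/security/opasswd   NORMAL

/etc/hosts.allow   NORMAL
/etc/hosts.deny    NORMAL

/etc/sudoers NORMAL
/etc/skel NORMAL

/etc/logrotate.d NORMAL

/etc/resolv.conf DATAONLY

/etc/nscd.conf NORMAL
/etc/securetty NORMAL

# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL

# Ignore logs
# No selection line in this file includes /var, so these exclusions only take
# effect once a /var rule is added (or if one exists in a part of the
# configuration not shown here). Before adding one, review the blanket
# /var/spool exclusion: on many systems the spool tree also holds
# scheduled-job files that are worth monitoring -- confirm for your
# distribution.
!/var/lib/pacman/.*
!/var/cache/.*
!/var/log/.*
!/var/run/.*
!/var/spool/.*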