# /etc/aide.conf

@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide

# The location of the trusted database, /var/lib/aide/reference is a RO NFS
# share
database=file:@@{DBDIR}/reference/aide-@@{HOSTNAME}.db.gz

# The location of a new or updated database
database_out=file:@@{DBDIR}/aide-@@{HOSTNAME}.db.new.gz
gzip_dbout=yes

report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
verbose=5

# Our default check level, most checks are used, and several hashes for
# collision detection. Adding additional hashes will improve this guarantee but
# creation of the database and checking against it will take longer.
NORMAL = R-md5+sha256+whirlpool

# This is for files that get refreshed automatically, but usually the content
# doesn't change. We want to keep our baseline just not care about the
# inode/creation time/modification times.
DATAONLY = NORMAL-i-m-c

# Perform all the standard checks but do not attempt to perform checksums on
# the files.
METAONLY = R-md5

# For dev, device contents, creation time, and modification times don't really
# matter, but the file type, ownership, permissions and extended attributes
# should absolutely be monitored for changes.
#
# This is also useful for log files.
SPECIAL = p+ftype+l+n+u+g+X

# I want the entire root filesystem monitored with a few exceptions (listed
# individually later on).
/                   NORMAL

# Quite a few devices get read and written to.
/dev                SPECIAL

# The resolv.conf file can be frequently rewritten but the content should
# generally not change.
/etc/resolv.conf    DATAONLY

# There is an odd issue with the files in this directory that cause AIDE to
# crash with a floating point error. Everything can be checked but no checksums
# can be performed on the files... Super weird.
/usr/lib/guile/2.2  METAONLY

# I care less about this directory as it's primarily documentation, but still
# monitor somethings about it.
/usr/share          METAONLY

# These cause weird issues with aide as they're always reported changed for
# attributes that shouldn't be monitored.
!/dev/ptmx
!/dev/pts/1
!/dev/tty

# Ignore the current mount list
!/etc/mtab

# We expect user's home directories to change during normal operations.
# Auditing under this directory doesn't make sense.
!/home

# These are all other filesystems and in some cases do not play well with aide
# (proc is always changing and shouldn't be aggressively queried like this).
# These are low risk for attackers as long as additional protections are in
# place (such as noexec on /tmp).
!/proc
!/mnt
!/run
!/sys
!/tmp
!/usr/tmp

# While very important data is stored in /var, it is highly volatile and will
# generally trip up every check unless highly tuned. I recommend adding
# specific files you know to change unfrequently and are sensitive, or
# alterntively very carefully test the following line:
!/var

# This needs to be after the exclusion to be effective, we still want to keep
# track of the attributes of our log files.
/var/log            SPECIAL