# /etc/aide.conf @@define DBDIR /var/lib/aide @@define LOGDIR /var/log/aide # The location of the trusted database, /var/lib/aide/reference is a RO NFS # share database=file:@@{DBDIR}/reference/aide-@@{HOSTNAME}.db.gz # The location of a new or updated database database_out=file:@@{DBDIR}/aide-@@{HOSTNAME}.db.new.gz gzip_dbout=yes report_url=file:@@{LOGDIR}/aide.log report_url=stdout verbose=5 # Our default check level, most checks are used, and several hashes for # collision detection. Adding additional hashes will improve this guarantee but # creation of the database and checking against it will take longer. NORMAL = R-md5+sha256+whirlpool # This is for files that get refreshed automatically, but usually the content # doesn't change. We want to keep our baseline just not care about the # inode/creation time/modification times. DATAONLY = NORMAL-i-m-c # Perform all the standard checks but do not attempt to perform checksums on # the files. METAONLY = R-md5 # For dev, device contents, creation time, and modification times don't really # matter, but the file type, ownership, permissions and extended attributes # should absolutely be monitored for changes. # # This is also useful for log files. SPECIAL = p+ftype+l+n+u+g+X # I want the entire root filesystem monitored with a few exceptions (listed # individually later on). / NORMAL # Quite a few devices get read and written to. /dev SPECIAL # The resolv.conf file can be frequently rewritten but the content should # generally not change. /etc/resolv.conf DATAONLY # There is an odd issue with the files in this directory that cause AIDE to # crash with a floating point error. Everything can be checked but no checksums # can be performed on the files... Super weird. /usr/lib/guile/2.2 METAONLY # I care less about this directory as it's primarily documentation, but still # monitor somethings about it. /usr/share METAONLY # These cause weird issues with aide as they're always reported changed for # attributes that shouldn't be monitored. !/dev/ptmx !/dev/pts/1 !/dev/tty # Ignore the current mount list !/etc/mtab # We expect user's home directories to change during normal operations. # Auditing under this directory doesn't make sense. !/home # These are all other filesystems and in some cases do not play well with aide # (proc is always changing and shouldn't be aggressively queried like this). # These are low risk for attackers as long as additional protections are in # place (such as noexec on /tmp). !/proc !/mnt !/run !/sys !/tmp !/usr/tmp # While very important data is stored in /var, it is highly volatile and will # generally trip up every check unless highly tuned. I recommend adding # specific files you know to change unfrequently and are sensitive, or # alterntively very carefully test the following line: !/var # This needs to be after the exclusion to be effective, we still want to keep # track of the attributes of our log files. /var/log SPECIAL