# AIDE conf database=file:/var/lib/aide/aide.db database_out=file:/var/lib/aide/aide.db.new # Change this to "no" or remove it to not gzip output # (only useful on systems with few CPU cycles to spare) gzip_dbout=yes # Here are all the things we can check - these are the default rules # #p: permissions #i: inode #n: number of links #u: user #g: group #s: size #b: block count #m: mtime #a: atime #c: ctime #S: check for growing size #md5: md5 checksum #sha1: sha1 checksum #rmd160: rmd160 checksum #tiger: tiger checksum #R: p+i+n+u+g+s+m+c+md5 #L: p+i+n+u+g #E: Empty group #>: Growing logfile p+u+g+i+n+S #haval: haval checksum #gost: gost checksum #crc32: crc32 checksum # Defines formerly set here have been moved to /etc/default/aide. # Custom rules Binlib = p+i+n+u+g+s+b+m+c+md5+sha1 ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1 Logs = p+i+n+u+g+S Devices = p+i+n+u+g+s+b+c+md5+sha1 Databases = p+n+u+g StaticDir = p+i+n+u+g ManPages = p+i+n+u+g+s+b+m+c+md5+sha1 # Next decide what directories/files you want in the database # Kernel, system map, etc. =/boot$ Binlib # Binaries /bin Binlib /sbin Binlib /usr/bin Binlib /usr/sbin Binlib /usr/local/bin Binlib /usr/local/sbin Binlib #/usr/games Binlib # Libraries /lib Binlib /usr/lib Binlib /usr/local/lib Binlib # Log files =/var/log$ StaticDir #!/var/log/ksymoops /var/log/aide/aide.log(.[0-9])?(.gz)? Databases /var/log/aide/error.log(.[0-9])?(.gz)? Databases #/var/log/setuid.changes(.[0-9])?(.gz)? Databases !/var/log/aide /var/log Logs # Devices !/dev/pts # If you get spurious warnings about being unable to mmap() /dev/cpu/mtrr, # you may uncomment this to get rid of them. They're harmless but sometimes # annoying. #!/dev/cpu/mtrr #!/dev/xconsole /dev Devices # Other miscellaneous files /var/run$ StaticDir !/var/run # Test only the directory when dealing with /proc /proc$ StaticDir !/proc # You can look through these examples to get further ideas # MD5 sum files - especially useful with debsums -g #/var/lib/dpkg/info/([^\.]+).md5sums u+g+s+m+md5+sha1 # Check crontabs #/var/spool/anacron/cron.daily Databases #/var/spool/anacron/cron.monthly Databases #/var/spool/anacron/cron.weekly Databases #/var/spool/cron Databases #/var/spool/cron/crontabs Databases # manpages can be trojaned, especially depending on *roff implementation #/usr/man ManPages #/usr/share/man ManPages #/usr/local/man ManPages # docs #/usr/doc ManPages #/usr/share/doc ManPages # check users' home directories #/home Binlib # check sources for modifications #/usr/src L #/usr/local/src L # Check headers for same #/usr/include L #/usr/local/include L