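# BEGIN ANSIBLE MANAGED - DO NOT EDIT BLOCK
# Ansible managed configuration file, do not modify manually!
#
# aide.conf - configuration for the AIDE file integrity checker.
# Only full-line '#' comments are used here; keep it that way, since a
# trailing comment on a selection line would be read as part of the rule.
#
# ┌──────────────────────────────────────────────────────────────────────┐
# │ Contents of configuration file aide.conf                             │
# ├──────────────────────────────────────────────────────────────────────┤
# │                                                                      │
# ├──┬───── 1. VARIABLES                                                 │
# │  ├───── 1.1 DATABASE                                                 │
# │  └───── 1.2 REPORT                                                   │
# │                                                                      │
# ├──┬───── 2. RULES                                                     │
# │  ├───── 2.1 LIST OF ATTRIBUTES                                       │
# │  ├───── 2.2 LIST OF CHECKSUMS                                        │
# │  └───── 2.3 AVAILABLE RULES                                          │
# │                                                                      │
# ├──┬───── 3. PATHS                                                     │
# │  ├──┬── 3.1 EXCLUDED                                                 │
# │  │  ├── 3.1.1 ETC                                                    │
# │  │  ├── 3.1.2 USR                                                    │
# │  │  ├── 3.1.3 VAR                                                    │
# │  │  └── 3.1.4 OTHERS                                                 │
# │  └──┬── 3.2 INCLUDED                                                 │
# │     ├── 3.2.1 ETC                                                    │
# │     ├── 3.2.2 USR                                                    │
# │     ├── 3.2.3 VAR                                                    │
# │     └── 3.2.4 OTHERS                                                 │
# │                                                                      │
# └──────────────────────────────────────────────────────────────────────┘
#

## 1. VARIABLES

## 1.1 DATABASE
@@define DBDIR /var/lib/aide
# LOGDIR is defined for templating convenience; no directive in this file
# currently references it.
@@define LOGDIR /var/log/aide

# The location of the database to be read (the trusted baseline).
# NOTE(review): the baseline is fetched over plain HTTP from another host and
# nothing in this file authenticates or integrity-checks what comes back. A
# tampered baseline hides tampered files, so the result of a check is only as
# trustworthy as that server and transport. Prefer a write-protected local
# copy, or at least an authenticated transport to a trusted server, and verify
# the database's checksum out of band before each check.
database_in = http://10.0.0.40/local/pml010074.aide-database

# The location of the database to be written (by --init / --update).
database_out = file:@@{DBDIR}/pml010074.aide-database

# Whether to gzip the output database.
gzip_dbout = no

## 1.2 REPORT
# Log only warnings and above from AIDE itself.
log_level = warning
# Include the changed attributes of each entry in the report.
report_level = changed_attributes
# Send the report to syslog, facility LOG_AUTH.
report_url = syslog:LOG_AUTH

## 2. RULES

## 2.1 LIST OF ATTRIBUTES
# These are the attributes a rule may check.
# p: permissions
# i: inode
# l: link name
# n: number of links
# u: user
# g: group
# s: size
# b: block count
# m: mtime
# a: atime
# c: ctime
# S: check for growing size
# acl: Access Control Lists
# selinux: SELinux security context
# (must be enabled at compilation time)
# xattrs: Extended file attributes

## 2.2 LIST OF CHECKSUMS
# md5: md5 checksum
# sha1: sha1 checksum
# sha256: sha256 checksum
# sha512: sha512 checksum
# rmd160: rmd160 checksum
# tiger: tiger checksum
# haval: haval checksum (MHASH only)
# gost: gost checksum (MHASH only)
# crc32: crc32 checksum (MHASH only)
# whirlpool: whirlpool checksum (MHASH only)

## 2.3 AVAILABLE RULES
# Built-in groups as listed in older aide.conf examples:
# R: p+i+l+n+u+g+s+m+c+md5
# L: p+i+l+n+u+g
# E: Empty group
# >: Growing logfile p+l+u+g+i+n+S
# Built-in compound groups as listed in newer AIDE documentation:
# R: l+p+u+g+s+c+m+i+n+md5+acl+xattrs+ftype+e2fsattrs
# L: l+p+u+g+i+n+acl+xattrs+ftype+e2fsattrs
# >: l+p+u+g+s+i+n+acl+xattrs+ftype+e2fsattrs+growing
# H: md5+sha1+rmd160+tiger+crc32+gost+sha256+sha512+whirlpool
#    +stribog256+stribog512
# X: acl+xattrs+e2fsattrs
# The exact contents of R/L/> depend on the installed AIDE version, which is
# why the custom rules below spell out their attributes instead of relying on
# those defaults.

# Custom rule definitions.
# Alternative considered (not used):
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger

# Everything but access time (i.e. all changes)
EVERYTHING = R+sha256+sha512

# Sane default for files whose content should not change.
# Alternatives considered (not used):
# NORMAL = R+rmd160+sha256+whirlpool
# NORMAL = R+sha256+sha512
NORMAL = p+i+l+n+u+g+s+m+c+sha256

# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+xattrs

# Access control only
PERMS = p+i+u+g+acl

# Logfiles are special, in that they often change (append-only growth)
LOG = >

# sha256 plus ACLs and xattrs; LSPP additionally hashes with sha512
FIPSR = p+i+n+u+g+s+m+c+acl+xattrs+sha256
LSPP = FIPSR+sha512

# Union of FIPSR and NORMAL (adds the link-name attribute). Used for entries
# that previously carried both rules on duplicate selection lines, so that
# neither set of attributes is silently dropped.
FIPSRL = FIPSR+l

# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+xattrs+sha256

## 3. PATHS
#
# Here we define which directories and files we want to view or not view
# when monitoring with AIDE.
#

## 3.1 EXCLUDED

## 3.1.1 ETC
# Ignore backup files
!/etc/.*~
# Ignore mtab
!/etc/mtab

## 3.1.2 USR
# These are too volatile
!/usr/src
!/usr/tmp

## 3.1.3 VAR
# Ignore package cache, caches, logs, runtime state and spools.
# NOTE(review): '!/var/log/.*' and '!/var/spool/.*' also cover the specific
# /var/log and /var/spool entries selected in 3.2.3. AIDE appears to let a
# matching '!' line take precedence over selection lines, which would make
# those entries inert; confirm by checking whether they appear in the
# generated database, and narrow these excludes if they should be monitored.
!/var/lib/pacman/.*
!/var/cache/.*
!/var/log/.*
!/var/run/.*
!/var/spool/.*

## 3.1.4 OTHERS
# Ignore cups
# NOTE(review): /etc/cups is also selected with FIPSR in 3.2.1. Only one of
# the two lines can be effective; decide whether cups is meant to be
# monitored and remove the other.
!/etc/cups
# Ignore everything under /root (cache, history and backup files).
# NOTE(review): this also drops /root/.ssh and the root shell rc files from
# monitoring; consider narrowing the exclusion to the cache directories meant
# here so changes to those files are still reported.
!/root/.*

## 3.2 INCLUDED

## 3.2.1 ETC
# Check only permissions, inode, user and group for /etc, but cover some
# important files closely.
/etc PERMS
/etc/aliases FIPSR
/etc/at.allow FIPSR
/etc/at.deny FIPSR
/etc/audit/ FIPSR
/etc/bash_completion.d/ NORMAL
/etc/bashrc NORMAL
/etc/cron.allow FIPSR
/etc/cron.daily/ FIPSR
/etc/cron.deny FIPSR
/etc/cron.d/ FIPSR
/etc/cron.hourly/ FIPSR
/etc/cron.monthly/ FIPSR
/etc/crontab FIPSR
/etc/cron.weekly/ FIPSR
# See the conflicting exclude in 3.1.4.
/etc/cups FIPSR
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/group NORMAL
/etc/grub/ FIPSR
/etc/gshadow NORMAL
/etc/hosts.allow NORMAL
/etc/hosts.deny NORMAL
/etc/hosts FIPSR
/etc/inittab FIPSR
/etc/issue FIPSR
/etc/issue.net FIPSR
/etc/ld.so.conf FIPSR
/etc/libaudit.conf FIPSR
/etc/localtime FIPSR
/etc/login.defs FIPSRL
/etc/logrotate.d NORMAL
/etc/modprobe.conf FIPSR
/etc/nscd.conf NORMAL
/etc/pam.d FIPSR
/etc/passwd NORMAL
/etc/postfix FIPSR
/etc/profile.d/ NORMAL
/etc/profile NORMAL
/etc/rc.d FIPSR
/etc/resolv.conf DATAONLY
/etc/securetty FIPSRL
/etc/security FIPSR
/etc/security/opasswd NORMAL
/etc/shadow NORMAL
/etc/skel NORMAL
/etc/ssh/ssh_config FIPSR
/etc/ssh/sshd_config FIPSR
/etc/stunnel FIPSR
/etc/sudoers NORMAL
/etc/sysconfig FIPSR
/etc/sysctl.conf FIPSR
/etc/vsftpd.ftpusers FIPSR
/etc/vsftpd FIPSR
/etc/X11/ NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL

## 3.2.2 USR
/usr NORMAL
/usr/sbin/stunnel FIPSR

## 3.2.3 VAR
# See the note on the blanket /var excludes in 3.1.3.
/var/log/faillog FIPSR
/var/log/lastlog FIPSR
/var/spool/at FIPSR
/var/spool/cron/root FIPSR

## 3.2.4 OTHERS
/boot NORMAL
/bin NORMAL
/lib NORMAL
/lib64 NORMAL
/opt NORMAL
/root NORMAL

# Host based OTHERS
# local user scripts
/usr/local/bin/ FIPSR
# local scripts with root rights
/usr/local/sbin/ FIPSR
#
# END ANSIBLE MANAGED - DO NOT EDIT BLOCK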