
aide-0.15.1-5.mga5.src.rpm

#
# AIDE 0.11
#
# example configuration file for Mandriva
#
# This configuration file checks the integrity of the AIDE package
#
# Default values for the parameters are in comments before the
# corresponding line.
#
# Layout of this file: "@@define" lines declare macros that are expanded
# with @@{NAME}; "key=value" lines set AIDE options; "NAME=attr+attr" lines
# define rule groups; every remaining line is a selection rule (see the
# MAIN CONFIGURATION section for the rule syntax).
#

# Path macros.  Every other path is built on TOPDIR, so changing it alone
# relocates the whole layout (binary, config, database and log directory).
@@define TOPDIR		/
@@define BINDIR 	@@{TOPDIR}usr/sbin
@@define CONFDIR	@@{TOPDIR}etc
@@define DBDIR		@@{TOPDIR}var/lib/aide
@@define LOGDIR		@@{TOPDIR}var/log

# The location of the database to be read.
# This baseline is the trust anchor for every report: if it can be altered
# by whoever altered the files it describes, a clean report proves nothing.
# Keep a read-only copy off-host (or on read-only media) to compare against.
database=file:@@{DBDIR}/aide.db

# The location of the database to be written.
# It deliberately differs from "database" above, so a run never overwrites
# the baseline in place; promoting aide.db.new to aide.db is done outside
# this file, after the new database has been reviewed.
# The sql: form below embeds login_name and passwd in this file; if it is
# ever enabled, this config file must not be readable by other users.
#database_out=sql:host:port:database:login_name:passwd:table
database_out=file:@@{DBDIR}/aide.db.new

# For compare, you need to specify the database files to compare;
# compare uses database and database_new
#database_new=file:@@{DBDIR}/aide.db.new

# Whether to gzip the database output
gzip_dbout=no

# Where the report goes.  report_url may be given more than once: both
# uncommented lines below are active, so each run reports to stdout AND to
# @@{LOGDIR}/aide.log.  Note that the log file itself is only covered by the
# "/var/log/.*  LOG" rule further down (permissions and ownership, no size
# or content check), so copy reports off-host if they are to be relied on.
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#report_url=syslog:LOG_LOCAL1
report_url=file:@@{LOGDIR}/aide.log

#
# Default Groups:
#
#p:     	permissions
#i:		inode
#n:		number of links
#u:		user
#g:		group
#s:		size
#b:		block count
#m:		mtime
#a:		atime
#c:		ctime (not compatible with 'I')
#S:		check for growing size
#md5:		md5 checksum
#sha1:		sha1 checksum
#rmd160:	rmd160 checksum
#tiger:		tiger checksum
#R:		p+i+n+u+g+s+m+c+md5
#L:		p+i+n+u+g
#E:		Empty group
#>:		Growing logfile p+u+g+i+n+S
#I:		Ignore changed filename (not compatible with 'c')
#ANF:		Allow new files
#ARF:		Allow removed files
#
# The following are available if you have mhash support enabled.
#
#haval:		haval checksum
#gost:		gost checksum
#crc32:		crc32 checksum

##################################################################
# RULE DEFINITIONS
##################################################################

# ignore_list is a special rule definition
# the attributes listed in it are not displayed in the
# final report
# (ignore_list is not set in this file)

#
# NOTE: this default configuration file avoids relying on md5 checks,
# because md5 is fairly trivial to spoof now, and puts its trust in the
# other checksums instead.  Be aware, though, that the "R" group used by
# HighSec and All expands to p+i+n+u+g+s+m+c+md5 (see the group list
# above), so those two rules still compute md5 alongside sha1/rmd160;
# only BIN, CONF and Norm leave md5 out entirely.
#

# HighSec: everything in R, plus atime and every other checksum.
# haval and crc32 exist only in builds with mhash support (see the group
# list above); a build without it will presumably reject this line, so
# confirm mhash support before relying on HighSec.
# The "a" (atime) attribute changes whenever a file is merely read, so
# expect atime-only differences unless the filesystem is mounted noatime.
HighSec=R+a+sha1+rmd160+tiger+haval+crc32
# All: like HighSec, but restricted to the always-available checksums.
All=R+a+sha1+rmd160
# Norm: size, link count, block count and content only.  It carries no
# p, u or g, so permission and ownership changes on files under this rule
# (/var/spool/cron below) are NOT reported.
Norm=s+n+b+sha1+rmd160

# Essential system binaries should be monitored on all attributes, with a
# high level of certainty.  We keep only SHA-1 and rmd160 for now.
# SHA-1 is no longer considered collision-resistant; if the installed build
# offers stronger digests (sha256/sha512 are not in the 0.11 group list
# above -- check the running version), add them here and to CONF.
BIN=p+i+n+u+g+s+m+sha1+rmd160

# System logs should be allowed to change, and even to switch inode numbers.
# The inode modification is because of Red Hat's automatic log cycling.
# Only permissions, link count and ownership are checked: a truncated or
# rewritten log is not reported (the ">" growing-logfile group, which adds
# the S size check, is not used here).
LOG=p+n+u+g

# Device files should simply maintain ownership, permissions and such.
# It doesn't make sense to monitor contents.  We also ignore inode
# mod (c) because this changes every reboot.
# (Same attribute set as LOG.)
DEV=p+n+u+g

# Essential system config files (/etc/fstab, /etc/hosts.allow) should
# be watched very closely.  Unlike BIN this includes c (ctime), which
# cannot be set back with utime() the way mtime can, so a content change
# with a restored mtime is still noticed.
CONF=p+i+n+u+g+s+m+c+sha1+rmd160

# Most directories need to allow for new files to be added, so we
# won't watch size, mod time, changes to the inode, or compute sigs.
# (Creating a subdirectory still bumps the link count n and is reported.)
DIR=p+i+n+u+g


##################################################################
# MAIN CONFIGURATION
##################################################################

# Selection rule syntax used below: a leading "=" matches the entry itself
# without recursing into it, a leading "!" excludes everything it matches,
# and "GROUP-x" removes attribute x from a group (e.g. BIN-m-c, DIR-n).

# Monitor the root directory itself, but don't recurse into it.

=/			DIR

# Monitor essential system binaries: libraries and programs.

/bin/.*			BIN
/lib/.*			BIN
/sbin/.*		BIN
/usr/bin/.*		BIN
/usr/lib/.*		BIN
/usr/sbin/.*		BIN
/usr/local/bin/.*	BIN
/usr/local/lib/.*	BIN
/usr/local/sbin/.*	BIN

# Monitor the /boot directory, where the kernel et al. is stored.
# System.map changes inode and mod time on every reboot, so ignore
# these.
# Both "/boot/.*" and the more specific "/boot/System.map" line match
# System.map; which one applies depends on AIDE's rule precedence, so
# confirm on a test run that System.map really ends up with BIN-m-c.
# The same overlap exists between "/etc/.*" and "/etc/mtab" below.

/boot/.*		BIN
/boot/System.map	BIN-m-c

# Monitor /dev, the devices directory, but not /dev/pts/* which can
# change on each login, nor /dev/shm which is for temporary storage

/dev/.*			DEV
!/dev/pts/.*
!/dev/shm/.*

# Granularly, watch the system's config files...

/etc/.*			CONF

# mtab holds current mounted volume information.  Usually, we should
# treat this as a log, since it must change.

/etc/mtab		LOG

# Directories that likely will change often but don't need much special
# care and allow for new sub-directories and files to be created
# None of these recurse ("="), so the contents of home directories,
# removable media and /tmp are outside the scope of this configuration.

=/home			DIR
=/lost+found		DIR
=/mnt			DIR
=/media			DIR
=/proc			DIR-n
=/tmp			DIR

# watch /root closely; you can make exclusions to certain files that
# change often, like /root/.viminfo, etc.

/root/.*		BIN-m
!/root/.viminfo
!/root/.gnupg/random_seed

# /var is difficult, as it contains logs, mail queues, and mailboxes, to
# name a few types of files.
#   1) The log directory is hard to watch, because of the log cycling.
#   2) The spool/cron should be watched.  We can watch very closely if we
#      are willing to disallow cron.
#   3) The spool/mail directory should only be watched for permissions, but
#      not for content, since mail files will be added with new users.
# Note that /var/spool/cron uses Norm, which checks content but not
# permissions or ownership (see RULE DEFINITIONS).

=/var			DIR
/var/log/.*		LOG
=/var/spool		LOG
/var/spool/cron		Norm
/var/mail		LOG
/var/spool/exim		LOG
!/var/spool/exim/input
!/var/spool/exim/msglog
=/var/tmp		DIR
!/var/lock
=/var/log/service	LOG
# enable this if you don't care about being notified of changed log files which
# can happen quite rapidly for busy services
#!/var/log/service/.*

# Check the aide binary, database and config files for everything
# HighSec includes atime, and this config file is read on every run, so
# atime-only changes on aide.conf are to be expected unless the mount is
# noatime.

@@{CONFDIR}/aide.conf	HighSec
@@{BINDIR}/aide		HighSec
# these are disabled by default because they are generated *after* AIDE runs so will
# always show up in the report as changed
# Consequently this configuration cannot detect tampering with aide.db
# itself; that is what the off-host copy recommended next to "database"
# at the top of this file is for.
#@@{DBDIR}/aide.db	HighSec
#@@{DBDIR}/aide.db.sig	HighSec
#@@{DBDIR}/reports/.*	HighSec