Let us edit aide.conf after copying it to our AIDE top-level directory:
[bala@localhost AIDE]$ cp aide-0.15.1/doc/aide.conf .
[bala@localhost AIDE]$ vim aide.conf
There are three kinds of lines in the configuration file:
1. VARIABLES
@@define TOPDIR /home/bala/Download/AIDE/aide-0.15.1
2. MACROS - define TOPDIR here if it has not been defined already
@@ifndef TOPDIR
@@define TOPDIR /
@@endif
3. Selection lines - the files and directories to be monitored
Now we will modify where AIDE reads its database from and where it writes the new database of checksums (the "MD5SUM"):
# The location of the database to be read.
#database=file:aide.db
database=file:/home/bala/Download/AIDE/aide.db.new
#This is the file where aide writes the newly generated database
database_out=file:aide.db.new
#We can also ask AIDE to be verbose
verbose=20
#This is where AIDE is going to shout about the changes it finds.
report_url=stdout
These are all the attributes which AIDE can check for:
# @@{TOPDIR} is replaced with /home/bala/Download/AIDE/aide-0.15.1 when
# read by aide.
#p: permissions
#ftype: file type
#i: inode
#n: number of links
#l: link name
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#I: ignore changed filename
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#crc32: crc32 checksum
#R: p+ftype+i+l+n+u+g+s+m+c+md5
#L: p+ftype+i+l+n+u+g
#E: Empty group
#>: Growing logfile p+ftype+l+u+g+i+n+S
#The following are available if you have mhash support enabled:
#gost: gost checksum
#whirlpool: whirlpool checksum
#The following are available and added to the default groups R, L and >
#only when explicitly enabled using configure:
#acl: access control list
#selinux: SELinux security context
#xattrs: extended file attributes
#e2fsattrs: file attributes on a second extended file system
# Rule definition
All=R+a+sha1+rmd160+sha256+sha512+tiger+whirlpool
#We need to be careful to ask AIDE to monitor only those files which do not change frequently.
#We will now try to write our own rules inside the AIDE config file :-D
#Modified by Bala: the first rule monitors /etc recursively, the second rule matches just the /var directory itself.
/etc R
=/var
If we want to exclude certain folders we can do it like the following:
# we will include the root directory recursively
/ R
# We will exclude the home directory like this
!/home R
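As an added illustration (not code from this post or from AIDE itself), the following Python models how the three kinds of selection lines above and the page's rule groups combine to decide which attributes get checked for a given path. It is a simplified model of AIDE's matching, not its real matcher; the sample rules give /etc the page's All group and give the =/var line the R group, which the page's version leaves out. GROUPS, RULES_TEXT, expand, parse_rules and select are names introduced here.

```python
import re

# Attribute groups from the page's aide.conf; "All" is the page's own rule definition.
GROUPS = {
    "R": "p+ftype+i+l+n+u+g+s+m+c+md5",
    "All": "R+a+sha1+rmd160+sha256+sha512+tiger+whirlpool",
}

# Constructed sample of the page's selection lines: /etc gets the All group here, and
# the equals line for /var is given R, which the page's version leaves out.
RULES_TEXT = """/etc All
=/var R
/ R
!/home R
"""

def expand(expr):
    """Expand a rule expression such as 'R+sha256' into the set of attributes it checks."""
    attrs = set()
    for token in expr.split("+"):
        attrs |= expand(GROUPS[token]) if token in GROUPS else {token}
    return attrs

def parse_rules(text):
    """Return (kind, compiled regex, group) per selection line; kind is regular, equals or negative."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind = {"=": "equals", "!": "negative"}.get(line[0], "regular")
        parts = (line[1:] if kind != "regular" else line).split(None, 1)
        rules.append((kind, re.compile(parts[0]), parts[1] if len(parts) > 1 else ""))
    return rules

def select(path, rules):
    """Simplified model, not AIDE's real matcher: a negative line excludes the path and all below
    it, an equals line applies only to the exact path, and the longest other match picks the group."""
    best = None
    for kind, rx, group in rules:
        m = rx.match(path)  # selection regexes are anchored at the start of the path
        if m and kind == "negative":
            return None
        if not m or (kind == "equals" and m.end() != len(path)):
            continue
        if best is None or m.end() > best[0]:
            best = (m.end(), group)
    return expand(best[1]) if best else None
```

Running select("/etc/passwd", parse_rules(RULES_TEXT)) yields the 18 attributes of All, while anything under /home yields None, which is the effect of the negation line above.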
AIDE can also compress the output database file; all we need to do is change the following line in the aide.conf file:
gzip_dbout=yes
However, for the above to work we need zlib to be installed on the system.