- Korean: 이 페이지는 아직 한글로 번역되지 않았습니다.
os-aide.plugin.bash¤
aide install configurations.
group:prenet | runtype:none | deps: - | port: -
Usage
os-aide help|install|uninstall|download|disable|configgen|configapply|check|run|checkpoint
$ os-aide install - install AIDE file integrity monitoring
$ os-aide uninstall - uninstall AIDE
$ os-aide download - download AIDE package files to pkg dir
$ os-aide disable - disable AIDE plugin
$ os-aide configgen - generate AIDE configuration files
$ os-aide configapply - apply AIDE configuration files
$ os-aide check - check AIDE plugin status
$ os-aide run - run AIDE integrity check
$ os-aide checkpoint - create new AIDE database checkpoint
$ os-aide help - show this help messageAIDE (Advanced Intrusion Detection Environment) monitors file system changes.
Jangbi Configs¤
/opt/jangbi/.config
RUN_OS_AIDE=1 # enable aide file integrity monitoring
Check if running¤
bash command
$ aide --check
AIDE found differences between database and filesystem!!
$ ls -la /var/lib/aide/
-rw-r--r-- 1 root root aide.db
Current Configuration¤
Current configuration is stored in /etc/aide/. it is generated by os-aide configgen command on install.
You can edit it manually and not run install or configapply commands to keep current configurations.
/etc/aide/aide.conf
# Example configuration file for AIDE.
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
# The location of the database to be read.
database_in=file:@@{DBDIR}/aide.minimal.db.gz
# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.minimal.db.new.gz
# Whether to gzip the output to database
gzip_dbout=yes
# Default.
log_level=info
report_url=file:@@{LOGDIR}/aide.minimal.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:[email protected]
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
# These are the default rules.
#
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum (MHASH only)
#gost: gost checksum (MHASH only)
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)
#FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
FIPSR = p+i+n+u+g+s+m+c+sha256
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES
# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = FIPSR+sha512
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs
# Access control only
PERMS = p+i+u+g+acl+selinux
# Logfile are special, in that they often change
LOG = >
# Just do sha256 and sha512 hashes
LSPP = FIPSR+sha512
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
#DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512
# Next decide what directories/files you want in the database.
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/usr/sbin NORMAL
/usr/bin NORMAL
# /lib NORMAL
# /lib64 NORMAL
# /opt NORMAL
# /usr NORMAL
# /root NORMAL
# These are too volatile
# !/usr/src
# !/usr/tmp
/opt/jangbi NORMAL
!/opt/jangbi/imgs
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/etc/security/opasswd NORMAL
/etc/hosts.allow NORMAL
/etc/hosts.deny NORMAL
/etc/sudoers NORMAL
/etc/skel NORMAL
/etc/logrotate.d NORMAL
/etc/resolv.conf DATAONLY
/etc/nscd.conf NORMAL
/etc/securetty NORMAL
# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL
# Pkg manager
# /etc/yum.conf NORMAL
# /etc/yumex.conf NORMAL
# /etc/yumex.profiles.conf NORMAL
# /etc/yum/ NORMAL
# /etc/yum.repos.d/ NORMAL
/etc/apt/ NORMAL
# /var/log LOG
# /var/run/utmp LOG
# This gets new/removes-old filenames daily
# !/var/log/sa
# As we are checking it, we've truncated yesterdays size to zero.
# !/var/log/aide.log
# LSPP rules...
# AIDE produces an audit record, so this becomes perpetual motion.
# /var/log/audit/ LSPP
# /etc/audit/ LSPP
# /etc/libaudit.conf LSPP
# /usr/sbin/stunnel LSPP
# /var/spool/at LSPP
# /etc/at.allow LSPP
# /etc/at.deny LSPP
# /etc/cron.allow LSPP
# /etc/cron.deny LSPP
# /etc/cron.d/ LSPP
# /etc/cron.daily/ LSPP
# /etc/cron.hourly/ LSPP
# /etc/cron.monthly/ LSPP
# /etc/cron.weekly/ LSPP
# /etc/crontab LSPP
# /var/spool/cron/root LSPP
# /etc/login.defs LSPP
# /etc/securetty LSPP
# /var/log/faillog LSPP
# /var/log/lastlog LSPP
# /etc/hosts LSPP
# /etc/sysconfig LSPP
# /etc/inittab LSPP
# /etc/grub/ LSPP
# /etc/rc.d LSPP
# /etc/ld.so.conf LSPP
# /etc/localtime LSPP
# /etc/sysctl.conf LSPP
# /etc/modprobe.conf LSPP
# /etc/pam.d LSPP
# /etc/security LSPP
# /etc/aliases LSPP
# /etc/postfix LSPP
# /etc/ssh/sshd_config LSPP
# /etc/ssh/ssh_config LSPP
# /etc/stunnel LSPP
# /etc/vsftpd.ftpusers LSPP
# /etc/vsftpd LSPP
# /etc/issue LSPP
# /etc/issue.net LSPP
# /etc/cups LSPP
# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
#
#=/lost\+found DIR
#=/home DIR
# Ditto /var/log/sa reason...
# !/var/log/and-httpd
# The root user's dotfiles should not change and need to be watched closely.
/root/\..* NORMAL