# Example configuration file for AIDE
# See more: man 5 aide.conf

database_in=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

# Change this to "no" or remove it to not gzip output
# (only useful on systems with few CPU cycles to spare)
gzip_dbout=yes

# Default: warning
#log_level=info

# Default: changed_attributes
#report_level=added_removed_attributes

report_url=file:/var/log/aide/aide.log
report_url=stdout
#report_url=stderr

# Here are all the things we can check - these are the default rules
#
# p:   permissions
# ftype: file type
# i:   inode
# l:   link name
# n:   number of links
# u:   user
# g:   group
# s:   size
# b:   block count
# m:   mtime (modification time)
# a:   atime (access time)
# c:   ctime (change time)
# S:   check for growing size
# I:   ignore changed filename
# ANF: allow new files
# ARF: allow removed files
# md5: md5 checksum
# sha1: sha1 checksum
# sha256: sha256 checksum
# sha512: sha512 checksum
# rmd160: rmd160 checksum
# tiger: tiger checksum
# crc32:    crc32 checksum
# R:   p+ftype+i+l+n+u+g+s+m+c+md5+X
# L:   p+ftype+i+l+n+u+g+X
# E:   Empty group
# X:   acl+selinux+xattrs+e2fsattrs (if groups are explicitly enabled)
# >:   Growing file p+ftype+l+u+g+i+n+S+X

# Defines formerly set here have been moved to /etc/default/aide.

# Custom rules
Binlib = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160
Logs = p+i+n+u+g+S
Devices = p+i+n+u+g+s+b+c+md5+sha256+rmd160
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160

# Next decide what directories/files you want in the database

# Kernel, system map, etc.
=/boot$ Binlib
# Configs
/etc ConfFiles
!/etc/mtab
# Binaries
/bin Binlib
/sbin Binlib
/usr/bin Binlib
/usr/sbin Binlib
/usr/libexec Binlib
/usr/local/bin Binlib
/usr/local/sbin Binlib
#/usr/games Binlib
# Libraries
/lib(64)? Binlib
/usr/lib(64)? Binlib
/usr/local/lib(64)? Binlib
# Log files
=/var/log$ StaticDir
#!/var/log/ksymoops
/var/log/aide/aide.log(.[0-9])?(.gz)? Databases
/var/log/aide/error.log(.[0-9])?(.gz)? Databases
#/var/log/setuid.changes(.[0-9])?(.gz)? Databases
!/var/log/aide
/var/log Logs
# Devices
!/dev/pts
# If you get spurious warnings about being unable to mmap() /dev/cpu/mtrr,
# you may uncomment this to get rid of them. They're harmless but sometimes
# annoying.
#!/dev/cpu/mtrr
#!/dev/xconsole
/dev Devices
# Other miscellaneous files
/var/run$ StaticDir
!/var/run
# Test only the directory when dealing with /proc
/proc$ StaticDir
!/proc

# You can look through these examples to get further ideas

# MD5 sum files - especially useful with debsums -g
#/var/lib/dpkg/info/([^\.]+).md5sums u+g+s+m+md5+sha1

# Check crontabs
#/var/spool/anacron/cron.daily Databases
#/var/spool/anacron/cron.monthly Databases
#/var/spool/anacron/cron.weekly Databases
#/var/spool/cron Databases
#/var/spool/cron/crontabs Databases

# manpages can be trojaned, especially depending on *roff implementation
#/usr/man ManPages
#/usr/share/man ManPages
#/usr/local/man ManPages

# docs
#/usr/doc ManPages
#/usr/share/doc ManPages

# check users' home directories
#/home Binlib

# check sources for modifications
#/usr/src L
#/usr/local/src L

# Check headers for same
#/usr/include L
#/usr/local/include L