|
| 1 | +# AIDE conf |
| 2 | + |
| 3 | +# The daily cron job depends on these paths |
| 4 | +database=file:/var/lib/aide/aide.db |
| 5 | +database_out=file:/var/lib/aide/aide.db.new |
| 6 | +database_new=file:/var/lib/aide/aide.db.new |
| 7 | +gzip_dbout=yes |
| 8 | + |
| 9 | +# Set to no to disable summarize_changes option. |
| 10 | +summarize_changes=yes |
| 11 | + |
| 12 | +# Set to no to disable grouping of files in report. |
| 13 | +grouped=yes |
| 14 | + |
| 15 | +# standard verbose level |
| 16 | +verbose = 6 |
| 17 | + |
| 18 | +# Set to yes to print the checksums in the report in hex format |
| 19 | +report_base16 = no |
| 20 | + |
| 21 | +# if you want to sacrifice security for speed, remove some of these |
| 22 | +# checksums. Whirlpool is broken on sparc and sparc64 (see #429180, |
| 23 | +# #420547, #152203). |
| 24 | +Checksums = sha512 |
| 25 | + |
| 26 | +# The checksums of the databases to be printed in the report |
| 27 | +# Set to 'E' to disable. |
| 28 | +database_attrs = Checksums |
| 29 | + |
| 30 | +# check permissions, owner, group and file type |
| 31 | +OwnerMode = p+u+g+ftype |
| 32 | + |
| 33 | +# Check size and block count |
| 34 | +Size = s+b |
| 35 | + |
| 36 | +# Files that stay static |
| 37 | +InodeData = OwnerMode+n+i+Size+l+X |
| 38 | +StaticFile = m+c+Checksums |
| 39 | + |
| 40 | +# Files that stay static but are copied to a ram disk on startup |
| 41 | +# (causing different inode) |
| 42 | +RamdiskData = InodeData-i |
| 43 | + |
| 44 | +# Check everything |
| 45 | +Full = InodeData+StaticFile |
| 46 | + |
| 47 | +# Files that change their mtimes or ctimes but not their contents |
| 48 | +VarTime = InodeData+Checksums |
| 49 | + |
| 50 | +# Files that are recreated regularly but do not change their contents |
| 51 | +VarInode = VarTime-i |
| 52 | + |
| 53 | +# Files that change their contents during system operation |
| 54 | +VarFile = OwnerMode+n+l+X |
| 55 | + |
| 56 | +# Directories that change their contents during system operation |
| 57 | +VarDir = OwnerMode+n+i+X |
| 58 | + |
| 59 | +# Directories that are recreated regularly and change their contents |
| 60 | +VarDirInode = OwnerMode+n+X |
| 61 | + |
| 62 | +# Directories that change their mtimes or ctimes but not their contents |
| 63 | +VarDirTime = InodeData |
| 64 | + |
| 65 | +# Logs are special: they are continously written to, may be compressed |
| 66 | +# have their file name changed in different, mutually incompatibly ways |
| 67 | +# and apprear and vanish at will. Handling this is a a complex and error- |
| 68 | +# prone issue. |
| 69 | +# |
| 70 | +# This is best broken down in a number of small tasks: |
| 71 | +# |
| 72 | +# |
| 73 | +# (A) |
| 74 | +# While a live log is being written to, it doesn't change its mode and |
| 75 | +# inode and its size only increases. |
| 76 | +# |
| 77 | +# (B) |
| 78 | +# When a live log is rotated for the first time, it should not change |
| 79 | +# its mode, may change its inode, and its size decreases. The size |
| 80 | +# decrease may not be noticed by aide if the file had size x at the last |
| 81 | +# aide run, was rotated in the mean time and was written to so that it |
| 82 | +# had a size > x at the next aide run. |
| 83 | +# |
| 84 | +# (C) |
| 85 | +# When a log is compressed, this looks to aide like the uncompressed |
| 86 | +# file vanished (or was replaced by another file) and the compressed |
| 87 | +# file appeared out of the blue. There is (currently) no way to |
| 88 | +# associate the (gone) uncompressed file's contents with the (new) |
| 89 | +# compressed file's contents |
| 90 | +# |
| 91 | +# (D) |
| 92 | +# The actual log rotation may rename foo.{x}.bar to foo.{x+1}.bar without |
| 93 | +# changing the other properties of the file |
| 94 | +# |
| 95 | +# (E) |
| 96 | +# If only a given number of log generations is to be kept, foo.{y}.bar may |
| 97 | +# vanish, but usually only when no foo.{z}.bar exists for z>y. |
| 98 | +# |
| 99 | +# (F) |
| 100 | +# The set of files foo.{x}.bar to foo.{y}.bar is called a "log series" |
| 101 | +# in aide terms, with the lowest x being called the "LoSerMember" element |
| 102 | +# and the highest y being called the "HiSerMember" element, and the z |
| 103 | +# with x<z<y simple called "SerMember". The Lo and Hi members need to |
| 104 | +# be special cased in aide configuration. |
| 105 | +# |
| 106 | +# |
| 107 | +# This is an example of the normal life of a log named foo in a logrotate |
| 108 | +# configuration using a configuration at it is commonly used in Debian |
| 109 | +# (from old to new): |
| 110 | +# 1 logrotate deletes HiSerMember foo.{y}.gz |
| 111 | +# 2 logrotate rotates SerMember foo.{z-1}.gz to foo.{z}.gz for all |
| 112 | +# z with 3<z<=y. This includes rotation of foo.{y-1}.gz to |
| 113 | +# foo.{y}.gz and foo.2.gz to foo.3.gz |
| 114 | +# 3 logrotate compresses foo.1 to foo.2.gz, creating LoSerMember foo.2.gz |
| 115 | +# 4 logrotate rotates foo to foo.1 (a simple rename) |
| 116 | +# 5 logrotate creates new, empty foo |
| 117 | +# 6 foo daemon logs to foo - foo grows in size |
| 118 | +# |
| 119 | +# we need the following rules: |
| 120 | +# /var/log/foo$ Log |
| 121 | +# /var/log/foo$ FreqRotLog |
| 122 | +# this takes care of the growing live log (step 7). The "Log" rule |
| 123 | +# is appropriate for logs that are not rotated daily as rotation |
| 124 | +# might be reported (if the file size has decreased since the last |
| 125 | +# aide run). For daily rotated logs, the "FreqRotLog" may be more |
| 126 | +# appropriate. |
| 127 | +# /var/log/foo\.1$ LowLog |
| 128 | +# this takes care of step 5. |
| 129 | +# /var/log/foo\.2\.gz$ LoSerMemberLog |
| 130 | +# this allows yet unknown new files to appear with a \.2\.gz extension, |
| 131 | +# covering step 3. |
| 132 | +# /var/log/foo\.[3..y-1]\.gz$ SerMemberLog |
| 133 | +# this watches the log files as they wander through the Series, |
| 134 | +# changing only their file name but not their contents or metadata, |
| 135 | +# covering step 2. |
| 136 | +# Please note that [3..y-1] needs to be a manually crafted regexp covering |
| 137 | +# all numbers between 3 and y-1. |
| 138 | +# /var/log/foo\.y\.gz$ HiSerMemberLog |
| 139 | +# finally, the last element of the Series is allowed to vanish without |
| 140 | +# being reported, covering step 1. |
| 141 | +# |
| 142 | +# Please note that these example rules need to be adapted to the logrotate |
| 143 | +# configuration for the log. Compression may be disabled or lead to a different |
| 144 | +# extension, the dateext option may be used, old logs might be held in a |
| 145 | +# different place, a log series does not necessarily need to be compressed etc. |
| 146 | +# |
| 147 | +# Please note that savelog rotates the live log to .0 and not to .1 as it |
| 148 | +# is logrotates (changeable) default. |
| 149 | + |
| 150 | + |
| 151 | +# Logs grow in size. Log rotation of these logs will be reported, so |
| 152 | +# this should only be used for logs that are not rotated daily. |
| 153 | +Log = OwnerMode+n+S+X |
| 154 | + |
| 155 | +# Logs that are frequently rotated |
| 156 | +FreqRotLog = Log-S |
| 157 | + |
| 158 | +# The first instance of a rotated log: After the log has stopped being |
| 159 | +# written to, but before rotation |
| 160 | +LowLog = Log-S |
| 161 | + |
| 162 | +# Rotated logs change their file name but retain all their other properties |
| 163 | +SerMemberLog = Full+I |
| 164 | + |
| 165 | +# The first instance of a compressed, rotated log: After a LowLog was |
| 166 | +# compressed. |
| 167 | +LoSerMemberLog = SerMemberLog+ANF |
| 168 | + |
| 169 | +# The last instance of a compressed, rotated log: After this name, a log |
| 170 | +# will be removed |
| 171 | +HiSerMemberLog = SerMemberLog+ARF |
| 172 | + |
| 173 | +# Not-yet-compressed log created by logrotate's dateext option: |
| 174 | +# These files appear one rotation (renamed from the live log) and are gone |
| 175 | +# the next rotation (being compressed) |
| 176 | +LowDELog = SerMemberLog+ANF+ARF |
| 177 | + |
| 178 | +# Compressed log created by logrotate's dateext option: These files appear |
| 179 | +# once and are not touched any more. |
| 180 | +SerMemberDELog = Full+ANF |
| 181 | + |
| 182 | +# For daemons that log to a variable file name and have the live log |
| 183 | +# hardlinked to a static file name |
| 184 | +LinkedLog = Log-n |
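Review bot: No selection line or include directive appears anywhere in the added file, only global options and attribute-group definitions (`Full`, `VarFile`, `Log`, ...), so unless rule fragments are merged in from elsewhere (presumably by the packaging), a check run against this file alone would watch no paths. A top-of-file comment naming where the selection rules come from would make that dependency explicit. In the log-rotation comment the step references are off by one against the six-step lifecycle list: the `/var/log/foo$` rules should read `(step 6)` rather than "step 7", and `/var/log/foo\.1$` should read `step 4` rather than "step 5". The comment above `Checksums = sha512` still talks about removing "some of these checksums" and about Whirlpool, although only one hash is configured. Because `database` and `database_out` sit in the same directory on the monitored host, the database checksum that `database_attrs` prints is only a useful tamper check if reports are kept off-host, which is worth noting beside that option.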