b1gy7
commented
7 months ago What's the update on this ?
Open vt-alt opened 1 year ago
b1gy7
commented
7 months ago What's the update on this ?
hvhaugwitz
commented
7 months ago Currently I'm working on the aide 0.19 release (0.19 Milestone) that will include support for file system type restricted rules (see also aide/aide#39); I plan to update/rewrite the AIDE documentation soon after. Until then please use the AIDE user mailing list (https://www.ipi.fi/mailman/listinfo/aide) for any questions about the usage of AIDE.
You removed
aide.confin 2021. But good example using best practices from the author would be very useful.Since rules are regexp based (also restricted rules complicating view) for new users it's hard to grasp how it's better and optimal to write them for real system and not miss something.
ps. Does order matter or not, are multiple rules with the same pattern allowed or not (and how they are interpreted), nowhere explained what is
RandL, what is purpose ofE, howIworks.pps. This is what people get as examples instead:
Fedora provides such
aide.confhttps://src.fedoraproject.org/rpms/aide/blob/rawhide/f/aide.conf Why they list every dir in/(like below) and not just match root with some rule?Why they list every file in
/etcinstead of some global rule?Perhaps user should not forget to add
/etc/zshrc.dto it if they usezsh. Their ruleset seems not forbid to traverse into/procor/sysis this not important (since no rules added to them)?OpenSUSE provides such example https://build.opensuse.org/package/view_file/openSUSE:Factory/aide/aide.conf?expand=1
And why not just
=/proc StaticDir? Also, binaries dirs. matched withBinlib = p+i+n+u+g+s+b+m+c+sha256+sha512, but withsetcapequivalent of SUID root capabilities could be added and system trojanized undetected (for example addCAP_SYS_ADMINto some rarely used tcsh binary). They seems missing this, instead they get double security with two hashsums+sha256+sha512while one is enough.