Open vt-alt opened 1 year ago
What's the update on this?
Currently I'm working on the aide 0.19 release (0.19 Milestone) that will include support for file system type restricted rules (see also aide/aide#39); I plan to update/rewrite the AIDE documentation soon after. Until then please use the AIDE user mailing list (https://www.ipi.fi/mailman/listinfo/aide) for any questions about the usage of AIDE.
You removed `aide.conf` in 2021. But a good example using best practices from the author would be very useful. Since rules are regexp based (also restricted rules complicating the view), for new users it's hard to grasp how it's better and optimal to write them for a real system and not miss something.

ps. Does order matter or not, are multiple rules with the same pattern allowed or not (and how they are interpreted), nowhere is it explained what `R` and `L` are, what the purpose of `E` is, how `I` works.

pps. This is what people get as examples instead:

Fedora provides such an `aide.conf`: https://src.fedoraproject.org/rpms/aide/blob/rawhide/f/aide.conf Why do they list every dir in `/` (like below) and not just match root with some rule? Why do they list every file in `/etc` instead of some global rule? Perhaps the user should not forget to add `/etc/zshrc.d` to it if they use `zsh`. Their ruleset seems not to forbid traversing into `/proc` or `/sys`; is this not important (since no rules are added for them)? OpenSUSE provides such an example: https://build.opensuse.org/package/view_file/openSUSE:Factory/aide/aide.conf?expand=1

And why not just `=/proc StaticDir`? Also, binary dirs are matched with `Binlib = p+i+n+u+g+s+b+m+c+sha256+sha512`, but with `setcap` the equivalent of SUID root capabilities could be added and the system trojanized undetected (for example adding `CAP_SYS_ADMIN` to some rarely used tcsh binary). They seem to be missing this; instead they get double security with two hashsums `+sha256+sha512` while one is enough.
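An added example `aide.conf` illustrating the points raised in the comment above (it is not from this issue, nor the file shipped by AIDE, Fedora or openSUSE): explicitly defined groups, one hash instead of two, `xattrs` on the binary group so that a file capability set with `setcap` changes the recorded entry, a single rule for the `/etc` tree, and `=/proc` beside `!/sys`. It assumes AIDE 0.17+ syntax, a build with ACL and xattr support, and that `xattrs` records the `security.capability` attribute; the group names are hypothetical.

```conf
# Added example; not the aide.conf shipped by AIDE, Fedora or openSUSE.
# Assumes AIDE 0.17+ syntax and a build with ACL and xattr support;
# the group names below are hypothetical and defined here.
database_in=file:/var/lib/aide/aide.db.gz
database_out=file:/var/lib/aide/aide.db.new.gz

# Groups are plain attribute expressions, so define them explicitly
# instead of relying on the predefined R/L/E shortcuts.
# One strong hash is enough; a second hash adds no detection.
# xattrs records extended attributes, which (assumption) include
# security.capability, where a capability set with setcap lives: a
# binary whose bytes and hash are unchanged is still reported.
Binlib    = p+i+n+u+g+s+b+m+c+xattrs+sha256
ConfFile  = p+i+n+u+g+s+b+m+c+acl+xattrs+sha256
StaticDir = p+i+n+u+g+acl+xattrs
LogGrow   = p+i+n+u+g+S

# Selection lines are regexps anchored at the start of the path:
# "/bin" matches /bin and everything below it, but also /binaries.
# A trailing "$" limits a line to that exact path.
/bin        Binlib
/sbin       Binlib
/usr/bin    Binlib
/usr/sbin   Binlib
# By prefix this also covers /usr/lib64 and /usr/libexec.
/usr/lib    Binlib

# One line for the whole tree instead of one line per file; the
# negative rule carves a single volatile file out of that tree.
/etc        ConfFile
!/etc/mtab$

/var/log    LogGrow

# "=" records the directory entry itself (owner, mode) but not the
# files below it, so a changed mode on /proc is still noticed;
# "!" ignores the path entirely.
=/proc      StaticDir
!/sys
```

Run `aide --init` to build the database, then `aide --check`; after `setcap` on a binary under `/usr/bin`, the report lists that file with a changed `xattrs` attribute even though its hash is unchanged.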