Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Provide best practices for rule writing #22

Open
vt-alt opened this issue Feb 5, 2023 · 2 comments
Open

Provide best practices for rule writing #22

vt-alt opened this issue Feb 5, 2023 · 2 comments
Labels
documentation

Comments

@vt-alt
Copy link

vt-alt commented Feb 5, 2023

You removed aide.conf in 2021. But good example using best practices from the author would be very useful.

Since rules are regexp based (also restricted rules complicating view) for new users it's hard to grasp how it's better and optimal to write them for real system and not miss something.

ps. Does order matter or not, are multiple rules with the same pattern allowed or not (and how they are interpreted), nowhere explained what is R and L, what is purpose of E, how I works.

pps. This is what people get as examples instead:

Fedora provides such aide.conf https://src.fedoraproject.org/rpms/aide/blob/rawhide/f/aide.conf
Why they list every dir in / (like below) and not just match root with some rule?

/boot   NORMAL
/bin    NORMAL
/sbin   NORMAL
/lib    NORMAL
/lib64  NORMAL
/opt    NORMAL
/usr    NORMAL
/root   NORMAL

Why they list every file in /etc instead of some global rule?

/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL

Perhaps user should not forget to add /etc/zshrc.d to it if they use zsh.
Their ruleset seems not forbid to traverse into /proc or /sys is this not important (since no rules added to them)?

OpenSUSE provides such example https://build.opensuse.org/package/view_file/openSUSE:Factory/aide/aide.conf?expand=1

/proc$      StaticDir 
!/proc

And why not just =/proc StaticDir?
Also, binaries dirs. matched with Binlib = p+i+n+u+g+s+b+m+c+sha256+sha512 , but with setcap equivalent of SUID root capabilities could be added and system trojanized undetected (for example add CAP_SYS_ADMIN to some rarely used tcsh binary). They seems missing this, instead they get double security with two hashsums +sha256+sha512 while one is enough.
@hvhaugwitz hvhaugwitz changed the title FR: Provide best practices or example aide.conf Provide best practices for rule writing Feb 8, 2023
@hvhaugwitz hvhaugwitz transferred this issue from aide/aide Jul 15, 2023
@b1gy7
Copy link

b1gy7 commented Feb 16, 2024
edited
Loading

What's the update on this ?

@hvhaugwitz
Copy link
Member

Currently I'm working on the aide 0.19 release (0.19 Milestone) that will include support for file system type restricted rules (see also aide/aide#39); I plan to update/rewrite the AIDE documentation soon after. Until then please use the AIDE user mailing list (https://www.ipi.fi/mailman/listinfo/aide) for any questions about the usage of AIDE.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
documentation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hvhaugwitz @vt-alt @b1gy7