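#afick conf
#
# Configuration for afick (a file integrity checker).  The file is
# line-oriented: one directive per line, in the forms
#   key:=value          (settings)
#   Name = attr+attr    (rule aliases)
#   path Rule           (tree to monitor, with the attributes to record)
#   !path               (tree to leave out; an exclusion takes no rule)
#
# The location of the database to be read.
# NOTE(review): whoever can write this file or the database can also
# rewrite the baseline.  Keep a copy of the database on read-only or
# off-host storage and compare against that copy after an incident.
database:=/var/lib/afick/afick

# Here are all the things we can check - these are the default rules
#
#p: permissions
#d: device
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#md5: md5 checksum
#R: p+i+n+u+g+s+m+c+md5
#L: p+i+n+u+g

# You can also create custom rules - my home made rule definition goes
# like this
#
#MyRule = p+i+n+u+g+s+b+md5+sha1
#
# NOTE(review): md5 is the only checksum in the active rule.  The
# commented variant above also records sha1; if this afick build
# supports it, enabling the second digest means a replaced file has to
# match both digests to pass unnoticed.  Changing the rule requires a
# fresh baseline (afick update), so do it on a host known to be clean.
MyRule = p+i+n+u+g+s+b+md5

# Next decide what directories/files you want in the database

# apply the custom rule to the files in bin
/bin MyRule

/boot MyRule
!/boot/map
# NOTE(review): System.map is excluded, presumably because kernel
# updates rewrite it; the kernel image itself under /boot stays covered.
!/boot/System.map

!/dev

# check only permissions, inode, user and group for etc
# NOTE(review): this rule records no size, mtime, ctime or checksum, so
# an in-place edit of /etc/passwd, /etc/shadow, /etc/sudoers or
# sshd_config that keeps owner and mode is NOT reported.  Consider a
# content-checking rule for /etc and excluding the known-volatile files
# (mtab, resolv.conf, ...) individually instead.
/etc p+i+u+g
!/etc/mtab
!/etc/webmin/sysstats/modules/

# NOTE(review): excluding /home entirely also excludes per-user
# ~/.ssh/authorized_keys and shell rc files; consider monitoring those
# explicitly if local accounts exist on this host.
!/home

# apply the same custom rule to the files in /lib
/lib MyRule

/opt/ MyRule
!/opt/.journal

!/proc

/root MyRule
!/root/.viminfo
# history is a useful forensic artifact but changes on every login,
# hence excluded here
!/root/.bash_history
!/root/sav
!/root/.mc

# apply the same custom rule to the files in sbin
/sbin MyRule

!/tmp

# Nothing should change under /usr
/usr MyRule
!/usr/.journal
!/usr/dict/
!/usr/doc/
!/usr/games/
!/usr/info/
# "-i" presumably drops the inode check from MyRule for this tree
# (webmin rewrites these files) - confirm against the afick rule syntax
/usr/libexec/webmin/sysstats/ MyRule -i
!/usr/libexec/webmin/sysstats/graphs/
!/usr/local/doc
!/usr/local/games
!/usr/local/man
!/usr/man/
!/usr/share/
!/usr/src/redhat/
!/usr/tmp/

/var/ftp MyRule

# web root is monitored; the two generated snort report paths below are
# excluded (exclusions take no rule argument, so none is given)
/var/www MyRule
!/var/www/html/snortalog.html
!/var/www/html/snortsnarf

# NOTE(review): no entry covers /var/spool (cron spools) or /var/log in
# this file; cron jobs dropped by an attacker would go unnoticed unless
# monitored elsewhere - confirm whether that is intended.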