AIDE Config: What to scan

It is best to include the more generalized rules last. As people wanting alerts about anything abnormal, everything will be scanned unless there was a rule to prevent it. Since the term “everything” is as general as can be, it tends to go last.

Here is an example to search everything except for the specific exceptions which are mentioned in the example. Naturally, those exceptions are excepted.

Here is a recommended start to customizing the included configuration file:

echo Most=R+sha1+rmd160+sha256+sha512 | sudo -n tee -a /etc/aide.conf
echo / Most | sudo -n tee -a /etc/aide.conf
echo \# / All | sudo -n tee -a /etc/aide.conf

The pre-defined file may have come up with a different rule for slash, and other rules (e.g. for the kernel file). These may actually perform less checks. Determine whether that is acceptable. If not, comment them out.