# SPDX-License-Identifier: AGPL-3.0-or-later
#
# shithub-specific exclusions. Drops into /etc/aide/aide.conf.d/.
# Everything here uses AIDE's "!" prefix to UN-watch paths that
# the upstream Debian config would otherwise track.
#
# We exclude paths whose churn is by-design — keeping them in the
# baseline would generate so much noise that real intrusion signals
# would drown. The stuff we DO want flagged: /etc, /usr/local/bin,
# /usr/lib/systemd/system, /root/.ssh, package-managed binaries,
# sshd_config — all of which the upstream config already covers.

# ── Application data (repos, by design write-heavy)
!/data
!/var/lib/shithub
!/var/lib/shithub-ssh

# ── Database files + WAL (Postgres rewrites these constantly)
!/var/lib/postgresql

# ── Source checkout (fetch+reset on every deploy)
!/root/src/shithub

# ── Caddy state (cert renewals, access log)
!/var/lib/caddy
!/var/log/caddy

# ── Postgres server logs. The Debian aide-common config ships a
# rule for postgresql-15 only; Ubuntu 24 runs postgresql-16 whose
# log file matches a generic /var/log/* pattern that fires on every
# query the server logs. Pure noise.
!/var/log/postgresql

# ── sysstat collector. /var/log/sysstat/sa<DD> is rewritten every
# 10 minutes by the sa1 cron, so an aide check in between always
# sees a different file. Excluded outright.
!/var/log/sysstat

# ── shithub-specific log dir
!/var/log/shithub

# ── AIDE's own metadata (don't recurse into our own DB)
!/var/lib/aide

# ── Restore-drill scratch (mktemp paths under /tmp already excluded
# by upstream, but the share dir holds the live script + sql)
!/usr/local/share/shithub

# ── Backup workdir (nightly pg_dump lands here before rclone copy;
# file count + content change every night by design)
!/var/backups/shithub

# ── shithub-deploy artifacts on the app droplet
!/tmp/shithubd-new
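The `!` selection lines above are regular expressions that AIDE anchors at the start of the path but not at the end, so a rule covers the directory, everything beneath it, and any sibling that merely shares the prefix: `!/data` would also drop a `/database` tree from the baseline, and `!/var/lib/shithub` already covers `/var/lib/shithub-ssh`. The script below is an added check, not part of the shithub repository or of AIDE, that emulates that matching with Python's `re` module over a constructed copy of these rules and some constructed sample paths, and shows a tightened `(/|$)` suffix (an assumption about how one might narrow a rule, not something the fragment does) that limits each rule to the named directory and its contents. It assumes AIDE's documented start-only anchoring; for the literal paths used here Python's regex syntax and AIDE's extended regexes agree.

```python
import re

# Constructed copy of the negative rules from the fragment above. "!" rules
# carry no attribute list, so each line is just "!" followed by a regex.
AIDE_EXCLUDES = """\
!/data
!/var/lib/shithub
!/var/lib/shithub-ssh
!/var/lib/postgresql
!/root/src/shithub
!/var/lib/caddy
!/var/log/caddy
!/var/log/postgresql
!/var/log/sysstat
!/var/log/shithub
!/var/lib/aide
!/usr/local/share/shithub
!/var/backups/shithub
!/tmp/shithubd-new
"""

# Constructed sample paths a baseline run might encounter; none of these
# comes from a real host.
SAMPLE_PATHS = [
    "/etc/ssh/sshd_config",
    "/usr/local/bin/deploy.sh",
    "/var/lib/shithub/repos/example.git/HEAD",
    "/var/lib/shithub-ssh/authorized_keys",
    "/database/app.db",
    "/tmp/shithubd-new/shithubd",
]


def parse_negative_rules(config_text):
    """Return the regex bodies of all '!' selection lines, comments stripped."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("!"):
            rules.append(line[1:].strip())
    return rules


def excluded_by(path, rules):
    """Rules whose regex matches PATH the way AIDE matches selection lines:
    anchored at the start of the path (re.match) and open at the end."""
    return [r for r in rules if re.match(r, path)]


def tighten(rule):
    """Suggested rewrite (an assumption, not from the fragment): require the
    match to end at a path separator or at end of string, so '/data' no
    longer swallows '/database'."""
    return rule + "(/|$)"


def report(paths, rules):
    """Map each sample path to the rules that would drop it from the baseline."""
    return {p: excluded_by(p, rules) for p in paths}


RULES = parse_negative_rules(AIDE_EXCLUDES)
TIGHT_RULES = [tighten(r) for r in RULES]

if __name__ == "__main__":
    for label, rules in (("as written", RULES), ("with (/|$) tightening", TIGHT_RULES)):
        print(f"--- {label}")
        for path, hits in report(SAMPLE_PATHS, rules).items():
            status = "excluded by " + ", ".join(hits) if hits else "WATCHED"
            print(f"{path:45} {status}")
```

Run it before adding a new `!` line: a rule that also matches a path you meant to keep in the baseline (as `/data` does for `/database` here) shows up as an unexpected "excluded by" entry rather than as a silent gap in the next `aide --check`.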