Skip to content

feat: add even more hardening #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
crimsonpython24 wants to merge 4 commits into
base: master
Choose a base branch
from
Open

feat: add even more hardening #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
4eab409
feat: add even more hardening
crimsonpython24 Jan 20, 2026
4799311
feat: add more masochist rules
crimsonpython24 Jan 20, 2026
7549591
fix: edit some keys bc bored in class
crimsonpython24 Jan 22, 2026
c5a8177
breaking: add even more rules
crimsonpython24 Jan 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
205 changes: 86 additions & 119 deletions policies/aide.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,121 +1,103 @@
@@define USER warren

# Database locations
database_in=file:/opt/local/var/lib/aide/aide.db
database_out=file:/opt/local/var/lib/aide/aide.db.new

# Uncompressed for faster reads
gzip_dbout=no

# Logging
log_level=warning
report_url=file:/opt/local/var/log/aide/aide.log
report_url=stdout
report_level=changed_attributes
report_grouped=true
report_summarize_changes=true

# Performance - use half of available CPU cores
num_workers=50%

# =============================================================================
# GROUPS
# =============================================================================

Checksums = sha256

# Full integrity check
Full = p+u+g+ftype+n+i+s+m+c+Checksums

# For config files
Checksums = sha256+sha512
Full = p+u+g+ftype+n+i+s+m+c+Checksums+xattrs+acl
ConfigFile = p+u+g+ftype+s+m+c+Checksums

# Directory structure only
DirOnly = p+u+g+ftype+n+i
LibCheck = p+u+g+ftype+s+m+c+Checksums+xattrs

# =============================================================================
# PERSISTENCE MECHANISMS - PRIMARY
# =============================================================================

# LaunchDaemons/Agents (most common persistence)
/Library/LaunchDaemons Full
/Library/LaunchAgents Full
/Users/@@{USER}/Library/LaunchAgents Full

# Login items
/Library/Preferences/com.apple.loginwindow.plist ConfigFile
/Users/@@{USER}/Library/Preferences/com.apple.loginitems.plist ConfigFile

# Privileged helper tools
/Library/PrivilegedHelperTools Full

# =============================================================================
# PERSISTENCE MECHANISMS - SECONDARY
# =============================================================================

# Authorization plugins (can intercept login)
/Library/Security Full

# Directory services plugins
/Library/DirectoryServices Full

# Scripting additions (AppleScript injection)
/Library/ScriptingAdditions Full

# Spotlight importers (code execution on file indexing)
/Library/Spotlight Full

# Legacy startup items
/Library/StartupItems Full

# Input managers (deprecated but functional)
/Library/InputManagers Full

# User Automator services
/Users/@@{USER}/Library/Services Full
/Users/@@{USER}/Library/Workflows Full

# Keyboard services / input methods
/Library/Input\ Methods Full
/Users/@@{USER}/Library/Input\ Methods Full
/Library/Keyboard\ Layouts Full
/Users/@@{USER}/Library/Keyboard\ Layouts Full

# =============================================================================
# APPLICATIONS
# =============================================================================
/Library/QuickLook Full
/Users/@@{USER}/Library/QuickLook Full
/Library/ColorPickers Full
/Users/@@{USER}/Library/ColorPickers Full
/Library/Internet\ Plug-Ins Full
/Library/Audio/Plug-Ins Full
/Users/@@{USER}/Library/Audio/Plug-Ins Full
/Library/Compositions Full
/Library/Address\ Book\ Plug-Ins Full
/Users/@@{USER}/Library/Address\ Book\ Plug-Ins Full
/Library/Mail/Bundles Full
/Users/@@{USER}/Library/Mail/Bundles Full
/Library/PDF\ Services Full
/Users/@@{USER}/Library/PDF\ Services Full
/Library/Printers Full
/Library/CoreMediaIO/Plug-Ins Full
/Library/Image\ Capture Full
/Library/Filesystems Full
/Library/Apple/System Full
/Library/Apple/usr Full

/System/Library/LaunchDaemons Full
/System/Library/LaunchAgents Full
/System/Library/Extensions Full
/System/Library/Filesystems Full
/System/Library/Frameworks Full
/System/Library/KernelCollections Full
/System/Library/PrivateFrameworks Full
/System/Library/Sandbox Full
/System/Library/Security Full

/usr/bin Full
/usr/sbin Full
/usr/lib Full
/usr/libexec Full
/bin Full
/sbin Full

/Applications Full

# Exclude noisy metadata
!/Applications/.DS_Store
!/Applications/.localized

# =============================================================================
# MACPORTS BINARIES
# =============================================================================

/opt/local/bin Full
/opt/local/sbin Full
/opt/local/libexec Full
/opt/local/lib LibCheck
/opt/local/etc Full
!/opt/local/etc/unbound/root.key
!/opt/local/var

/Users/@@{USER}/Library/Application\ Support/Google/Chrome/Default/Extensions DirOnly
/Users/@@{USER}/Library/Application\ Support/Google/Chrome/Profile\ */Extensions DirOnly
/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles Full
!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*/storage
!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*/cache2
!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite
!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*/places.sqlite
!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*/favicons.sqlite
!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*.sqlite-wal
!/Users/@@{USER}/Library/Application\ Support/Firefox/Profiles/*.sqlite-shm

# =============================================================================
# HOMEBREW (uncomment if installed)
# =============================================================================

# Intel Mac:
# /usr/local/bin Full
# /usr/local/sbin Full

# Apple Silicon:
# /opt/homebrew/bin Full
# /opt/homebrew/sbin Full

# =============================================================================
# SYSTEM CONFIGURATION
# =============================================================================

# Shell configs
/Users/@@{USER}/.zshrc ConfigFile
/Users/@@{USER}/.zprofile ConfigFile
/Users/@@{USER}/.zshenv ConfigFile
Expand All @@ -125,87 +107,72 @@ DirOnly = p+u+g+ftype+n+i
/Users/@@{USER}/.bash_logout ConfigFile
/Users/@@{USER}/.profile ConfigFile
/Users/@@{USER}/.inputrc ConfigFile

# PATH injection
/private/etc/paths ConfigFile
/private/etc/paths.d Full

# Shell list
/private/etc/shells ConfigFile

# SSH configuration
/Users/@@{USER}/.ssh/config ConfigFile
/Users/@@{USER}/.ssh/authorized_keys ConfigFile
/Users/@@{USER}/.ssh Full
!/Users/@@{USER}/.ssh/known_hosts
!/Users/@@{USER}/.ssh/sockets
/private/etc/ssh Full

# sudoers
/private/etc/sudoers ConfigFile
/private/etc/sudoers.d Full

# PAM configuration
/private/etc/pam.d Full

# Periodic scripts (cron-like)
/private/etc/periodic Full

# Cron
/private/var/at Full
/usr/lib/cron Full

# DNS
/private/etc/hosts ConfigFile
/private/etc/resolv.conf ConfigFile

# Syslog config
/private/etc/syslog.conf ConfigFile
/private/etc/newsyslog.conf ConfigFile
/private/etc/newsyslog.d Full
/private/etc/asl.conf ConfigFile
/private/etc/asl Full
/private/etc/security Full
/private/etc/pf.conf ConfigFile
/private/etc/pf.anchors Full

/private/etc/launchd.conf ConfigFile
/Users/@@{USER}/.launchd.conf ConfigFile
/Users/@@{USER}/.config Full
!/Users/@@{USER}/.config/*/Cache
!/Users/@@{USER}/.config/**/cache
/Users/@@{USER}/.gitconfig ConfigFile
/private/etc/dyld.conf ConfigFile
/Library/Preferences/com.apple.alf.plist ConfigFile
/Library/Preferences/com.apple.security.plist ConfigFile
/Library/Application\ Support/com.apple.TCC Full
/Users/@@{USER}/Library/Application\ Support/com.apple.TCC Full

# =============================================================================
# SECURITY TOOLS CONFIG
# =============================================================================

# Santa (if installed)
/var/db/santa Full

# AIDE itself
/opt/local/etc/aide Full
/Library/Application\ Support/Objective\ Development Full
/Users/@@{USER}/Library/Application\ Support/Little\ Snitch Full

# =============================================================================
# LIBRARY - HIGH-VALUE TARGETS
# =============================================================================

# Application support - structure only
/Library/Application\ Support$ DirOnly

# System extensions
/Library/SystemExtensions Full
/Library/Extensions Full

# Frameworks
/Library/Frameworks Full

# Screen savers (code execution vector)
/Library/Screen\ Savers Full
/Users/@@{USER}/Library/Screen\ Savers Full

# =============================================================================
# EXCLUSIONS
# =============================================================================
/private/etc/authorization ConfigFile
/private/etc/auto_master ConfigFile
/private/etc/fstab ConfigFile
/private/etc/group ConfigFile
/private/etc/master.passwd ConfigFile
/private/etc/passwd ConfigFile

# Caches and temp
!/Library/Caches
!/Users/@@{USER}/Library/Caches
!/private/var/folders
!/private/tmp
!/private/var/tmp

# Containers (TCC protected, causes errors)
!/Users/@@{USER}/Library/Containers

# Logs
!/Library/Logs
!/Users/@@{USER}/Library/Logs
!/Library/Application\ Support/CrashReporter
!/Users/@@{USER}/.Spotlight-V100
!/private/var/db/dyld
!/private/var/db/uuidtext
!/private/var/db/BootCaches
!/private/var/db/ConfigurationProfiles/Store
Loading