Channel: Active questions tagged 22.04 - Ask Ubuntu

How do you use AIDE and Auditd?


I'm currently trying to optimize the use of AIDE and Auditd on my system, but I feel like I'm missing the best practices, especially when it comes to AIDE configuration.

When setting up AIDE, should I exclude everything by default and then manually include specific folders and files for monitoring, or is there a better approach that others are using?

For example, I've noticed some challenges:

- Files like the Fail2Ban SQL file need to be excluded.
- Log files also need to be excluded because they constantly change.

As a result, my exclusion list is becoming very large, and I'm wondering if I'm over-complicating the configuration.

I’d really appreciate it if anyone could share their experiences, best practices, or an example of an optimal AIDE configuration. How do you ensure efficient and manageable monitoring without excluding too much or too little?
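
As an added example (not part of the original question), an include-first set of AIDE selection lines covering the two cases the question names. The group names STATIC and PERMS are hypothetical, and the Fail2Ban path assumes its default database location.

```conf
# Constructed example: include-first selection lines for aide.conf.
# Paths that match no selection line are not added to the database,
# so only the trees listed here are monitored.

# Attribute groups (names are hypothetical)
# STATIC: permissions, inode, link count, owner, group, size, mtime, ctime, SHA-256
STATIC = p+i+n+u+g+s+m+c+sha256
# PERMS: permissions and ownership only, no content or timestamp checks
PERMS = p+u+g

# Trees that should change only during package or admin activity
/boot       STATIC
/etc        STATIC
/usr/bin    STATIC
/usr/sbin   STATIC
/usr/lib    STATIC
/usr/local  STATIC

# Log directory: the trailing $ matches the directory entry itself,
# so its mode and ownership are checked but its contents are not
/var/log$   PERMS

# A negative line is only needed when a broader tree that contains
# the volatile file is also selected, for example:
# /var/lib    STATIC
# !/var/lib/fail2ban/fail2ban\.sqlite3
```

Selection lines are regular expressions anchored at the start of the path, which is why the literal dot in the Fail2Ban file name is escaped.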

