aide.conf(5)                  File Formats Manual                 aide.conf(5)

NAME

       aide.conf - The configuration file for Advanced Intrusion Detection
       Environment


SYNOPSIS

       aide.conf is the configuration file for Advanced Intrusion Detection
       Environment. aide.conf contains the runtime configuration aide uses to
       initialize or check the aide database.


FILE FORMAT

       aide.conf is similar to Tripwire(tm)'s configuration file. With little
       effort tw.conf can be converted to aide.conf.

       aide.conf is case-sensitive. Leading and trailing whitespace is
       ignored.

       There are three types of lines in aide.conf. First there are the
       configuration lines, which are used to set configuration parameters
       and define/undefine variables. Second, there are selection lines that
       are used to indicate which files are added to the database. Third,
       macro lines define or undefine variables within the config file. Lines
       beginning with # are ignored as comments.


CONFIG LINES

       These lines have the format parameter=value. See URLS for a list of
       valid urls.

       database
              The url from which the database is read. There can only be one
              of these lines. If there are multiple database lines then the
              first is used. The default value is "/usr/etc/aide.db".

       database_out
              The url to which the new database is written. There can only be
              one of these lines. If there are multiple database_out lines
              then the first is used. The default value is
              "/usr/etc/aide.db.new".

       database_new
              The url from which the other database for --compare is read.
              There is no default for this one.

       verbose
              The level of messages that is output. This value can be 0-255
              inclusive. This parameter can only be given once. The value
              from the first occurrence is used. If --verbose or -V is used
              then the value from that is used. The default is 5. If
              verbosity is 20 then additional report output is written when
              doing --check, --update or --compare.

       syslog_format
              Valid values are yes, true, no and false. This option enables
              the new syslog format, which is suitable for logging. Every
              change is logged as one simple line. This option changes the
              verbose level to 0 and prints everything that was changed. It
              is suggested to use this option with "report_url=syslog:...".
              The default value is "false/no". The maximum size of a message
              is 1KB, which is a limitation of the syslog call. If a message
              is greater than the limit, it is truncated. The option
              summarize_changes has no effect on this format.

              Output always starts with:
              "AIDE found differences between database and filesystem!!"
              It is followed by a summary:
              summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=1
              And finally there are lines about the changes:
              dir=/usr/sbin;Mtime_old=0000-00-00 00:00:00;Mtime_new=0000-00-00 00:00:00;...

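       The following Python script is an added example, not part of this
       manual or of the AIDE sources. It parses report lines in the
       syslog_format layout shown above (the fixed header, the summary line,
       then one key=value;key=value line per changed object) into dicts,
       flags lines that reached the syslog size limit, and lists which
       attributes differ between the _old and _new values. The sample lines
       are constructed; the "file=" key used for a regular file and the
       1024-byte reading of the 1KB limit are assumptions of this example.

```python
"""Parse AIDE syslog_format report lines (added example, not AIDE's own code)."""

HEADER = "AIDE found differences between database and filesystem!!"
SYSLOG_LIMIT = 1024  # assumption: the 1KB limit of the man page, taken as 1024 bytes

# Constructed sample in the layout the man page shows. The "file=" key on the
# last line is an assumption, not a key name documented in the manual.
SAMPLE_REPORT = [
    HEADER,
    "summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=2",
    "dir=/usr/sbin;Mtime_old=2024-03-01 08:00:00;Mtime_new=2024-03-02 09:30:00",
    "file=/usr/sbin/cron;Mtime_old=2024-03-01 08:00:00;Mtime_new=2024-03-01 08:00:00;"
    "Ctime_old=2024-03-01 08:00:00;Ctime_new=2024-03-02 09:30:00",
]


def parse_fields(line):
    """Split 'k=v;k=v;...' into a dict; a bare token such as 'summary' goes under '_kind'."""
    fields = {}
    for field in line.split(";"):
        if not field or field == "...":  # the manual abbreviates long lines with "..."
            continue
        key, sep, value = field.partition("=")
        if sep:
            fields[key] = value
        else:
            fields.setdefault("_kind", key)
    return fields


def parse_report(lines):
    """Return (summary_counts, changes) from a syslog_format report.

    summary_counts maps the summary keys to ints; changes is a list of field
    dicts, one per changed object, in report order, each carrying a
    '_truncated' flag when the line is as long as the syslog limit allows.
    """
    summary, changes = {}, []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line == HEADER:
            continue
        fields = parse_fields(line)
        if fields.get("_kind") == "summary":
            summary = {k: int(v) for k, v in fields.items() if k != "_kind"}
        else:
            fields["_truncated"] = len(line.encode()) >= SYSLOG_LIMIT
            changes.append(fields)
    return summary, changes


def changed_attributes(change):
    """Names of attributes whose _old and _new values differ, e.g. ['Ctime']."""
    names = sorted({k[:-4] for k in change if k.endswith("_old")})
    return [n for n in names if change.get(n + "_old") != change.get(n + "_new")]


def object_path(change):
    """The path of the changed object: the value of the first key=value pair."""
    for key, value in change.items():
        if not key.startswith("_"):
            return value
    return None


if __name__ == "__main__":
    summary, changes = parse_report(SAMPLE_REPORT)
    print("summary:", summary)
    for change in changes:
        print(object_path(change), "->", ", ".join(changed_attributes(change)) or "(no diff)")
```

       Because every change is one line, a script like this can sit behind
       the syslog receiver and raise an alert only for the attributes that
       matter to you; the _truncated flag tells you when a long line may have
       lost its trailing fields.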
       report_url
              The url that the output is written to. There can be multiple
              instances of this parameter. Output is written to all of them.
              The default is stdout.

       gzip_dbout
              Whether the output to the database is gzipped or not. Valid
              values are yes, true, no and false. The default is no. This
              option is available only if zlib support is compiled in.

       acl_no_symlink_follow
              Whether to check ACLs for symlinks or not. Valid values are
              yes, true, no and false. The default is to follow symlinks.
              This option is available only if acl support is compiled in.

       warn_dead_symlinks
              Whether to warn about dead symlinks or not. Valid values are
              yes, true, no and false. The default is not to warn about dead
              symlinks.

       grouped
              Whether to group the files in the report by added, removed and
              changed files or not. Valid values are yes, true, no and false.
              The default is to group the files in the report.

       summarize_changes
              Whether to summarize changes in the added, removed and changed
              files sections of the report or not. Valid values are yes,
              true, no and false. The default is not to summarize the
              changes.

              The general format is like the string YlZbpugamcinCAXSE, where
              Y is replaced by the file type (f for a regular file, d for a
              directory, L for a symbolic link, D for a character device, B
              for a block device, F for a FIFO, s for a unix socket, | for a
              Solaris door, ! if the file type has changed and ? otherwise).

              The Z is replaced as follows: = means that the size has not
              changed, < reports a shrunk size and > reports a grown size.

              The other letters in the string are the actual letters that
              will be output if the associated attribute for the item has
              been changed, or a "." for no change, a "+" if the attribute
              has been added, a "-" if it has been removed, a ":" if the
              attribute is listed in ignore_list or a " " if the attribute
              has not been checked. The exceptions to this are: (1) a newly
              created file replaces each letter with a "+", and (2) a removed
              file replaces each letter with a "-".

              The attribute that is associated with each letter is as
              follows:

              o      An l means that the link name has changed.

              o      A b means that the block count has changed.

              o      A p means that the permissions have changed.

              o      A u means that the uid has changed.

              o      A g means that the gid has changed.

              o      An a means that the access time has changed.

              o      An m means that the modification time has changed.

              o      A c means that the change time has changed.

              o      An i means that the inode has changed.

              o      An n means that the link count has changed.

              o      A C means that one or more checksums have changed.

              The following letters are only available when explicitly
              enabled using configure:

              o      An A means that the access control list has changed.

              o      An X means that the extended attributes have changed.

              o      An S means that the SELinux attributes have changed.

              o      An E means that the file attributes on a second extended
                     file system have changed.

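       An added Python decoder (not from this manual or from AIDE) for the
       summarize_changes string described above: it maps each position of
       YlZbpugamcinCAXSE to the attribute it stands for and reports, per
       attribute, whether it was changed, added, removed, ignored or not
       checked. The sample strings are constructed; the decision to pad a
       short string (from a build without ACL, xattr, SELinux or e2fs
       support) with "not checked" marks is an assumption of this example.

```python
"""Decode summarize_changes strings (added example, not part of AIDE)."""

TEMPLATE = "YlZbpugamcinCAXSE"  # position layout given in the manual

FILE_TYPES = {"f": "regular file", "d": "directory", "L": "symbolic link",
              "D": "character device", "B": "block device", "F": "FIFO",
              "s": "unix socket", "|": "Solaris door",
              "!": "file type changed", "?": "unknown type"}
SIZE_MARKS = {"=": "unchanged", "<": "shrunk", ">": "grown"}
ATTR_NAMES = {"l": "link name", "b": "block count", "p": "permissions", "u": "uid",
              "g": "gid", "a": "access time", "m": "modification time",
              "c": "change time", "i": "inode", "n": "link count", "C": "checksum",
              "A": "ACL", "X": "extended attributes", "S": "SELinux attributes",
              "E": "ext2 file attributes"}
MARKS = {".": "unchanged", "+": "added", "-": "removed",
         ":": "ignored", " ": "not checked"}

# Constructed sample: a regular file that grew and whose mtime, ctime and
# checksum changed (positions 8, 9 and 12 of the template)
SAMPLE_CHANGED = "f.>.....mc..C...."


def decode_summary(summary):
    """Return {'type', 'size', 'attributes'} for a string such as SAMPLE_CHANGED.

    Strings shorter than the template are padded with spaces, i.e. the missing
    positions are reported as 'not checked' (assumption of this example).
    """
    if not summary or summary[0] not in FILE_TYPES:
        raise ValueError("bad file-type letter in %r" % summary)
    padded = summary.ljust(len(TEMPLATE))
    if len(padded) != len(TEMPLATE):
        raise ValueError("summary longer than the %d-character layout" % len(TEMPLATE))
    size_mark = padded[2]
    result = {"type": FILE_TYPES[padded[0]],
              "size": SIZE_MARKS.get(size_mark) or MARKS.get(size_mark),
              "attributes": {}}
    if result["size"] is None:
        raise ValueError("bad size mark %r" % size_mark)
    for pos, letter in enumerate(TEMPLATE):
        if pos in (0, 2):  # Y and Z are handled above
            continue
        mark = padded[pos]
        name = ATTR_NAMES[letter]
        if mark == letter:
            result["attributes"][name] = "changed"
        elif mark in MARKS:
            result["attributes"][name] = MARKS[mark]
        else:
            raise ValueError("unexpected mark %r at position %d" % (mark, pos))
    return result


def changed_names(summary):
    """Attributes reported as changed, in layout order."""
    return [name for name, state in decode_summary(summary)["attributes"].items()
            if state == "changed"]


def is_new_file(summary):
    """Newly created file: every position after the type letter is '+'."""
    return len(summary) > 1 and set(summary[1:]) == {"+"}


def is_removed_file(summary):
    """Removed file: every position after the type letter is '-'."""
    return len(summary) > 1 and set(summary[1:]) == {"-"}


if __name__ == "__main__":
    info = decode_summary(SAMPLE_CHANGED)
    print(info["type"], "size", info["size"], "changed:", changed_names(SAMPLE_CHANGED))
```

       A changed checksum together with an unchanged mtime (C set, m a dot)
       is the combination worth singling out in a review, since ordinary
       edits update mtime.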
       report_attributes
              Special group definition that lists parameters which are always
              printed in the final report for changed files.

       ignore_list
              Special group definition that lists parameters which are to be
              omitted from the final report.

       config_version
              The value of config_version is printed in the report and also
              written to the database. This is for informational purposes
              only. It has no other functionality.

       Group definitions
              If the parameter is not one of the previous parameters then it
              is regarded as a group definition. The value is then regarded
              as an expression. An expression is of the following form:

                  <predefined group>| <expr> + <predefined group>
                                    | <expr> - <predefined group>

              See DEFAULT GROUPS for an explanation of the default predefined
              groups. Note that this is different from the way Tripwire(tm)
              does it.

              There is also a special group named "ignore_list". The
              predefined groups listed in it are NOT displayed in the final
              report.


SELECTION LINES

       aide supports three types of selection lines (regular, negative,
       equals). Lines beginning with "/" are regular selection lines. Lines
       beginning with "=" are equals selection lines. And lines beginning
       with "!" are negative selection lines. The string following the first
       character is taken as a regular expression matching a complete
       filename, including the path. In a regular selection rule the "/" is
       included in the regular expression. Special characters in your
       filenames can be escaped using two-digit URL encoding (for example,
       %20 to represent a space). Following the regular expression is a
       group definition as explained above. See EXAMPLES and doc/aide.conf
       for examples.

       A more in-depth discussion of the selection algorithm can be found in
       the aide manual.


MACRO LINES

       @@define VAR val
              Define variable VAR to value val.

       @@undef VAR
              Undefine variable VAR.

       @@ifdef VAR, @@ifndef VAR
              @@ifdef begins an if statement. It must be terminated with an
              @@endif statement. The lines between @@ifdef and @@endif are
              used if variable VAR is defined. If there is an @@else
              statement then the part between @@ifdef and @@else is used if
              VAR is defined, otherwise the part between @@else and @@endif
              is used. @@ifndef reverses the logic of the @@ifdef statement
              but otherwise works similarly.

       @@ifhost hostname, @@ifnhost hostname
              @@ifhost works like @@ifdef; the only difference is that it
              checks whether hostname equals the name of the host that aide
              is running on. hostname is the name of the host without the
              domain name (hostname, not hostname.aide.org).

       @@{VAR}
              @@{VAR} is replaced with the value of the variable VAR. If
              variable VAR is not defined an empty string is used. Unlike
              Tripwire(tm), @@VAR is NOT supported. One special VAR is
              @@{HOSTNAME}, which is substituted with the hostname of the
              current system.

       @@else Begins the else part of an if statement.

       @@endif
              Ends an if statement.

       @@include VAR
              Includes the file VAR. The content of the file is used as if it
              were inserted at this point in the config file.

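       The following Python preprocessor is an added example of the macro
       lines described above; it is not AIDE's own implementation. It handles
       @@define, @@undef, nested @@ifdef/@@ifndef/@@ifhost/@@ifnhost blocks
       with @@else and @@endif, @@{VAR} and @@{HOSTNAME} substitution, and
       @@include served from an in-memory dict of file contents instead of
       the filesystem. Treating a defined value as literal text (no nested
       expansion) and dropping comment lines from the output are assumptions
       of this example; the sample configuration is constructed.

```python
"""Macro processing for aide.conf-style text (added example, not AIDE's own code)."""
import re
import socket

MACRO_REF = re.compile(r"@@\{([^}]*)\}")

# Constructed sample configuration, not a real deployment
SAMPLE = """
@@define DBDIR /var/lib/aide
@@ifndef DBDIR
database=file:///usr/etc/aide.db
@@else
database=file://@@{DBDIR}/aide.db
database_out=file://@@{DBDIR}/aide.db.new
@@endif
@@ifhost webserver
/var/www R
@@else
# nothing extra on other hosts
@@endif
report_url=file:///var/log/aide/@@{HOSTNAME}.log
""".strip().splitlines()


def preprocess(lines, hostname=None, defines=None, includes=None):
    """Return the non-macro, non-comment lines that survive @@ processing.

    lines    : config text as a list of lines
    hostname : short host name used by @@ifhost/@@ifnhost/@@{HOSTNAME};
               defaults to this machine's name without the domain part
    defines  : variables defined before the file is read
    includes : dict mapping an @@include name to that file's lines
    """
    host = hostname or socket.gethostname().split(".")[0]
    variables = dict(defines or {})
    includes = includes or {}
    output = []

    def expand(text):
        # @@{VAR} -> value, undefined VAR -> empty string, @@{HOSTNAME} -> host
        return MACRO_REF.sub(
            lambda m: variables.get(m.group(1), host if m.group(1) == "HOSTNAME" else ""),
            text)

    def run(lines):
        stack = []  # one [branch_is_taken, else_seen] entry per open @@if...

        def active():
            return all(taken for taken, _ in stack)

        for raw in lines:
            line = raw.strip()  # leading/trailing whitespace is ignored
            if not line or line.startswith("#"):
                continue  # comments are ignored
            if not line.startswith("@@"):
                if active():
                    output.append(expand(line))
                continue
            parts = line.split(None, 2)
            directive = parts[0]
            arg = parts[1] if len(parts) > 1 else None
            if directive not in ("@@else", "@@endif") and arg is None:
                raise ValueError("%s needs an argument" % directive)
            if directive in ("@@ifdef", "@@ifndef", "@@ifhost", "@@ifnhost"):
                cond = arg in variables if directive.endswith("def") else arg == host
                if directive in ("@@ifndef", "@@ifnhost"):
                    cond = not cond
                stack.append([cond, False])
            elif directive == "@@else":
                if not stack or stack[-1][1]:
                    raise ValueError("@@else without matching @@if")
                stack[-1] = [not stack[-1][0], True]
            elif directive == "@@endif":
                if not stack:
                    raise ValueError("@@endif without matching @@if")
                stack.pop()
            elif not active():
                continue  # directives inside a skipped branch do nothing
            elif directive == "@@define":
                # assumption: the value is kept as literal text (no nested expansion)
                variables[arg] = parts[2] if len(parts) > 2 else ""
            elif directive == "@@undef":
                variables.pop(arg, None)
            elif directive == "@@include":
                if arg not in includes:
                    raise ValueError("cannot include %r" % arg)
                run(includes[arg])  # included text behaves as if inserted here
            else:
                raise ValueError("unknown macro line: " + line)
        if stack:
            raise ValueError("unterminated @@if block")

    run(lines)
    return output


if __name__ == "__main__":
    for line in preprocess(SAMPLE, hostname="webserver"):
        print(line)
```

       Running it with hostname="webserver" yields the two database lines
       built from DBDIR, the /var/www rule and a report_url naming the host;
       with any other host name the /var/www rule disappears. Feeding a
       production aide.conf through such a pass is a quick way to see which
       rules a given host actually ends up with.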

URLS

       Urls can be one of the following. Input urls cannot be used as outputs
       and vice versa.

       stdout, stderr
              Output is sent to stdout or stderr respectively.

       stdin  Input is read from stdin.

       file://filename
              Input is read from filename or output is written to filename.

       fd:number
              Input is read from file descriptor number or output is written
              to file descriptor number.


DEFAULT GROUPS

       p:   permissions

       ftype: file type

       i:   inode

       l:   link name

       n:   number of links

       u:   user

       g:   group

       s:   size

       b:   block count

       m:   mtime

       a:   atime

       c:   ctime

       S:   check for growing size

       I:   ignore changed filename

       ANF: allow new files

       ARF: allow removed files

       md5: md5 checksum

       sha1: sha1 checksum

       sha256: sha256 checksum

       sha512: sha512 checksum

       rmd160: rmd160 checksum

       tiger: tiger checksum

       haval: haval checksum

       crc32: crc32 checksum

       R:   p+ftype+i+l+n+u+g+s+m+c+md5

       L:   p+ftype+i+l+n+u+g

       E:   Empty group

       >:   Growing logfile p+ftype+l+u+g+i+n+S

       And also the following if you have mhash support enabled:

       gost: gost checksum

       whirlpool: whirlpool checksum

       The following are available and added to the default groups R, L and >
       only when explicitly enabled using configure:

       acl: access control list

       selinux: selinux attributes

       xattrs: extended attributes

       e2fsattrs: file attributes on a second extended file system

       Please note that 'I' and 'c' are incompatible. When the name of a file
       is changed, its ctime is updated as well. When you put 'c' and 'I' in
       the same rule, a changed ctime is silently ignored.

       When 'ANF' is used, new files are added to the new database, but are
       ignored in the report.

       When 'ARF' is used, files missing on disk are omitted from the new
       database, but are ignored in the report.


EXAMPLES

              /    R

       This adds all files on your machine to the database. This one line is
       a fully qualified configuration file.

              !/dev

       This ignores the /dev directory structure.

              =/tmp

       Only /tmp is taken into the database. None of its children are added.

              All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160

       This line defines group All. It has all attributes and all md checksum
       functions. If you absolutely want all digest functions then you should
       enable mhash support and add +crc32+haval+gost to the end of the
       definition for All. Mhash support can only be enabled at compile-time.


HINTS

              =/foo p+i+l+n+u+g+s+m+c+md5

              /foo/bar p+i+l+n+u+g+s+m+c+md5

       This config adds all files under /foo because they match the regex
       /foo, which is equivalent to /foo.* . What you probably want is:

              =/foo$ p+i+l+n+u+g+s+m+c+md5

              /foo/bar p+i+l+n+u+g+s+m+c+md5

       Note that the following still works as expected because =/foo$ stops
       the recursion into directory /foo.

              =/foo p+i+l+n+u+g+s+m+c+md5

       In the following, the first is not allowed in AIDE. Use the latter
       instead.

              /foo epug

              /foo e+p+u+g

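       The following Python script is an added example, not from this manual
       or from the AIDE code base, tying together the Group definitions,
       SELECTION LINES, DEFAULT GROUPS, EXAMPLES and HINTS sections above. It
       classifies config lines, resolves group expressions such as
       R+sha256-md5 against the predefined groups, URL-decodes the regex part
       of selection lines, rejects undefined group names such as the epug of
       the last hint, and warns when I and c land in the same rule. The
       sample configuration is constructed. Regex matching follows the hint
       that /foo behaves like /foo.* (the pattern is anchored only at the
       start); the no-recursion behaviour of equals rules and the mhash and
       configure-only groups are not modelled.

```python
"""Parse aide.conf rule lines and resolve group expressions (added example, not AIDE code)."""
import re
from urllib.parse import unquote

# Parameters listed under CONFIG LINES; any other parameter=value line is a group definition
PARAMETERS = {"database", "database_out", "database_new", "verbose", "syslog_format",
              "report_url", "gzip_dbout", "acl_no_symlink_follow", "warn_dead_symlinks",
              "grouped", "summarize_changes", "config_version"}

# DEFAULT GROUPS without the mhash/configure-only ones (add them if your build has them)
ATOMIC = ("p ftype i l n u g s b m a c S I ANF ARF "
          "md5 sha1 sha256 sha512 rmd160 tiger haval crc32").split()
DEFAULT_GROUPS = {name: {name} for name in ATOMIC}
DEFAULT_GROUPS.update({
    "R": set("p ftype i l n u g s m c md5".split()),
    "L": set("p ftype i l n u g".split()),
    "E": set(),
    ">": set("p ftype l u g i n S".split()),
})

# Constructed sample configuration, not a real deployment
SAMPLE_CONF = """
# constructed sample
database=file:///var/lib/aide/aide.db
All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160
Logs=>+sha256
/etc All
/var/log Logs
!/dev
=/tmp
/home/.* R+I+c
""".strip().splitlines()


def tokenize(expr):
    """'R+sha256-md5' -> [('+', 'R'), ('+', 'sha256'), ('-', 'md5')]."""
    tokens, op, name = [], "+", ""
    for ch in expr.strip():
        if ch in "+-":
            if not name:
                raise ValueError("operator without operand in %r" % expr)
            tokens.append((op, name))
            op, name = ch, ""
        else:
            name += ch
    if not name:
        raise ValueError("expression %r ends with an operator" % expr)
    tokens.append((op, name))
    return tokens


def resolve_group(expr, groups):
    """Expand a group expression into the set of attributes it selects.

    Unknown names raise, which is what catches 'epug' written for 'e+p+u+g'.
    """
    attrs = set()
    for op, name in tokenize(expr):
        if name not in groups:
            raise ValueError("undefined group %r in %r" % (name, expr))
        attrs = attrs - groups[name] if op == "-" else attrs | groups[name]
    return attrs


def parse_line(line):
    """Classify one line: (kind, data), kind in blank/comment/macro/selection/config."""
    line = line.strip()
    if not line:
        return "blank", None
    if line.startswith("#"):
        return "comment", line
    if line.startswith("@@"):
        return "macro", line
    if line[0] in "/=!":
        kind = {"/": "regular", "=": "equals", "!": "negative"}[line[0]]
        body = line if kind == "regular" else line[1:]  # regular rules keep their "/"
        parts = body.split(None, 1)
        return "selection", {"kind": kind,
                             "regex": unquote(parts[0]),  # %20 and friends
                             "groups": parts[1] if len(parts) > 1 else None}
    key, sep, value = line.partition("=")
    if not sep:
        raise ValueError("not a config line: %r" % line)
    return "config", (key.strip(), value.strip())


def rule_matches(rule, path):
    """Start-anchored match, so /foo also matches /foobar unless written as /foo$."""
    return re.match(rule["regex"], path) is not None


def load_config(lines):
    """Return (params, groups, rules, warnings) for a list of config lines."""
    groups = {name: set(members) for name, members in DEFAULT_GROUPS.items()}
    params, rules, warnings = {}, [], []
    for number, raw in enumerate(lines, 1):
        kind, data = parse_line(raw)
        if kind == "config":
            key, value = data
            if key in PARAMETERS:
                params.setdefault(key, []).append(value)
            else:
                groups[key] = resolve_group(value, groups)
        elif kind == "selection":
            attrs = resolve_group(data["groups"], groups) if data["groups"] else set()
            if {"I", "c"} <= attrs:
                warnings.append("line %d: 'I' and 'c' in one rule; ctime changes "
                                "are silently ignored" % number)
            rules.append(dict(data, attrs=attrs, line=number))
    return params, groups, rules, warnings


if __name__ == "__main__":
    params, groups, rules, warnings = load_config(SAMPLE_CONF)
    for rule in rules:
        print(rule["kind"], rule["regex"], sorted(rule["attrs"]))
    print("\n".join(warnings))
```

       Run against the sample, the last rule triggers the I/c warning from
       DEFAULT GROUPS, and resolving "epug" raises instead of silently
       selecting nothing, which is the failure the last hint is about.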

SEE ALSO

       aide(1) http://www.cs.tut.fi/~rammer/aide/manual.html


DISCLAIMER

       All trademarks are the property of their respective owners. No animals
       were harmed while making this webpage or this piece of software.




                                                                  aide.conf(5)