aide.conf(5)                  File Formats Manual                 aide.conf(5)

NAME
       aide.conf - The configuration file for Advanced Intrusion Detection
       Environment

DESCRIPTION
       aide.conf is the configuration file for Advanced Intrusion Detection
       Environment. aide.conf contains the runtime configuration aide uses to
       initialize or check the aide database.

       aide.conf is similar to Tripwire(tm)'s configuration file. With little
       effort tw.conf can be converted to aide.conf.

       aide.conf is case-sensitive. Leading and trailing whitespace is
       ignored.

       There are three types of lines in aide.conf. First, there are the
       configuration lines, which set configuration parameters and define
       groups. Second, there are selection lines, which indicate which files
       are added to the database. Third, there are macro lines, which define
       or undefine variables within the config file and select parts of it
       conditionally. Lines beginning with # are ignored as comments.

CONFIG LINES
       These lines have the format parameter=value. See URLS for a list of
       valid urls.

       database
              The url from which the database is read. There can only be one
              of these lines. If there are multiple database lines then the
              first is used. The default value is "/usr/etc/aide.db".

       database_out
              The url to which the new database is written. There can only
              be one of these lines. If there are multiple database_out lines
              then the first is used. The default value is
              "/usr/etc/aide.db.new".

       database_new
              The url from which the other database for --compare is read.
              There is no default for this one.

       verbose
              The level of messages that is output. This value can be 0-255
              inclusive. This parameter can only be given once; the value
              from the first occurrence is used. If --verbose or -V is given
              on the command line then that value is used instead. The
              default is 5. If verbosity is 20 then additional report output
              is written when doing --check, --update or --compare.

       syslog_format
              Valid values are yes, true, no and false. This option enables a
              syslog-style report format in which every change is logged as
              one simple line. It sets the verbose level to 0 and prints
              everything that was changed. It is suggested to use this option
              together with "report_url=syslog:...". The default is no. The
              maximum size of a message is 1KB, which is a limitation of the
              syslog call; a longer message is truncated, so a consumer of
              these lines must expect a line to end in the middle of a field.
              The summarize_changes option has no effect on this format.
              Output always starts with:
              "AIDE found differences between database and filesystem!!"
              It is followed by a summary line:
              summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=1
              and finally by one line per change:
              dir=/usr/sbin;Mtime_old=0000-00-00 00:00:00;Mtime_new=0000-00-00 00:00:00;...

       report_url
              The url that the output is written to. There can be multiple
              instances of this parameter. Output is written to all of them.
              The default is stdout.

       gzip_dbout
              Whether the output database is gzipped or not. Valid values are
              yes, true, no and false. The default is no. This option is
              available only if zlib support is compiled in.

       acl_no_symlink_follow
              Whether to check ACLs for symlinks or not. Valid values are
              yes, true, no and false. The default is to follow symlinks.
              This option is available only if acl support is compiled in.

       warn_dead_symlinks
              Whether to warn about dead symlinks or not. Valid values are
              yes, true, no and false. The default is not to warn about dead
              symlinks.

       grouped
              Whether to group the files in the report by added, removed and
              changed files or not. Valid values are yes, true, no and false.
              The default is to group the files in the report.

       summarize_changes
              Whether to summarize changes in the added, removed and changed
              files sections of the report or not. Valid values are yes, true,
              no and false. The default is not to summarize the changes.

              The general format is like the string YlZbpugamcinCAXSE, where
              Y is replaced by the file type (f for a regular file, d for a
              directory, L for a symbolic link, D for a character device, B
              for a block device, F for a FIFO, s for a unix socket, | for a
              Solaris door, ! if the file type has changed and ? otherwise).

              The Z is replaced as follows: a = means that the size has not
              changed, a < reports a shrunk size and a > reports a grown
              size.

              The other letters in the string are the actual letters that
              will be output if the associated attribute for the item has
              been changed, or a "." for no change, a "+" if the attribute
              has been added, a "-" if it has been removed, a ":" if the
              attribute is listed in ignore_list or a " " if the attribute
              has not been checked. The exceptions to this are: (1) a newly
              created file replaces each letter with a "+", and (2) a removed
              file replaces each letter with a "-".

              The attribute that is associated with each letter is as
              follows:

              o A l means that the link name has changed.

              o A b means that the block count has changed.

              o A p means that the permissions have changed.

              o A u means that the uid has changed.

              o A g means that the gid has changed.

              o An a means that the access time has changed.

              o A m means that the modification time has changed.

              o A c means that the change time has changed.

              o An i means that the inode has changed.

              o A n means that the link count has changed.

              o A C means that one or more checksums have changed.

              The following letters are only available when explicitly
              enabled using configure:

              o An A means that the access control list has changed.

              o An X means that the extended attributes have changed.

              o An S means that the SELinux attributes have changed.

              o An E means that the file attributes on a second extended
                file system have changed.
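
       The following Python is an added example, not part of this manual or
       of AIDE: it decodes the two report formats described above, the
       one-line-per-change syslog_format output and the summarize_changes
       attribute string, into structured data that a log pipeline can act
       on. The sample lines are constructed from the formats given here;
       attribute field names other than Mtime_old/Mtime_new are assumptions.

```python
"""Consumers for two AIDE report formats: syslog_format lines and the
summarize_changes attribute string (YlZbpugamcinCAXSE).
Added example, not AIDE project code."""

SYSLOG_BANNER = "AIDE found differences between database and filesystem!!"

# Column -> attribute, in the fixed order of the summarize_changes string.
# Column 0 (file type) and column 2 (size direction) are decoded separately.
SUMMARY_COLUMNS = {
    1: "link name", 3: "block count", 4: "permissions", 5: "uid", 6: "gid",
    7: "atime", 8: "mtime", 9: "ctime", 10: "inode", 11: "link count",
    12: "checksum", 13: "acl", 14: "xattrs", 15: "selinux", 16: "e2fsattrs",
}
FILE_TYPES = {"f": "regular file", "d": "directory", "L": "symbolic link",
              "D": "character device", "B": "block device", "F": "FIFO",
              "s": "unix socket", "|": "Solaris door",
              "!": "file type changed", "?": "unknown"}
SIZE_CHANGE = {"=": "unchanged", "<": "shrunk", ">": "grown"}


def decode_summary(summary):
    """Decode one summarize_changes string such as 'f.>.....mc..C....'.

    The last four columns (A, X, S, E) exist only when the matching support
    was compiled in, so strings of 13 to 17 characters are accepted."""
    if not 13 <= len(summary) <= 17:
        raise ValueError(f"unexpected summary length: {summary!r}")
    flags = {col: summary[col] for col in SUMMARY_COLUMNS if col < len(summary)}
    result = {"file_type": FILE_TYPES.get(summary[0], "unknown"),
              "size": SIZE_CHANGE.get(summary[2]), "status": "changed",
              "changed": [], "ignored": [], "unchecked": []}
    # A newly created file shows '+' in every attribute column, a removed one '-'.
    if all(ch == "+" for ch in flags.values()):
        result["status"] = "added"
        return result
    if all(ch == "-" for ch in flags.values()):
        result["status"] = "removed"
        return result
    if summary[2] in ("<", ">"):
        result["changed"].append("size")
    for col, ch in flags.items():
        if ch == ".":
            continue  # attribute unchanged
        if ch == ":":
            result["ignored"].append(SUMMARY_COLUMNS[col])
        elif ch == " ":
            result["unchecked"].append(SUMMARY_COLUMNS[col])
        else:  # the column's own letter, or '+'/'-' for an attribute added/removed
            result["changed"].append(SUMMARY_COLUMNS[col])
    return result


def parse_syslog_line(line):
    """Parse one syslog_format line into a dict keyed by 'kind'.

    Fields are ';'-separated; attributes arrive as Name_old=.../Name_new=...
    pairs. Because syslog truncates at 1KB, a trailing field without '=' is
    treated as cut off and dropped. A path containing ';' is ambiguous in
    this format and is not handled here."""
    line = line.rstrip("\n")
    if line == SYSLOG_BANNER:
        return {"kind": "banner"}
    fields = line.split(";")
    if fields[0] == "summary":
        counts = {}
        for field in fields[1:]:
            key, sep, value = field.partition("=")
            if sep and value.isdigit():
                counts[key] = int(value)
        return {"kind": "summary", "counts": counts}
    ftype, sep, path = fields[0].partition("=")
    if not sep:
        raise ValueError(f"not a syslog_format line: {line!r}")
    entry = {"kind": "change", "type": ftype, "path": path, "old": {}, "new": {}}
    for field in fields[1:]:
        key, sep, value = field.partition("=")
        if not sep:
            continue  # truncated or empty trailing field
        if key.endswith("_old"):
            entry["old"][key[:-4]] = value
        elif key.endswith("_new"):
            entry["new"][key[:-4]] = value
    return entry


def changed_attributes(entry):
    """Attributes whose old and new values differ in a parsed change line."""
    return sorted(k for k in entry["old"].keys() | entry["new"].keys()
                  if entry["old"].get(k) != entry["new"].get(k))


# Constructed sample report (timestamps and the Ctime fields are made up).
SAMPLE_SYSLOG = [
    SYSLOG_BANNER,
    "summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=1",
    "dir=/usr/sbin;Mtime_old=2024-05-01 10:00:00;Mtime_new=2024-05-02 11:30:00;"
    "Ctime_old=2024-05-01 10:00:00;Ctime_new=2024-05-02 11:30:00",
]
```

       A SIEM rule built on parse_syslog_line should key on the banner to
       open an incident and on changed_attributes to decide severity; the
       1KB truncation means the last attribute pair of a long line may be
       missing, never the path.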

       report_attributes
              Special group definition that lists attributes which are always
              printed in the final report for changed files.

       ignore_list
              Special group definition that lists attributes which are
              omitted from the final report.

       config_version
              The value of config_version is printed in the report and also
              written to the database. This is for informational purposes
              only. It has no other functionality.

       Group definitions
              If the parameter is not one of the previous parameters then it
              is regarded as a group definition. The value is then regarded
              as an expression of the following form:

              <predefined group> | <expr> + <predefined group>
                                 | <expr> - <predefined group>

              See DEFAULT GROUPS for an explanation of the default predefined
              groups. Note that this is different from the way Tripwire(tm)
              does it.

              There is also a special group named "ignore_list". The
              predefined groups listed in it are NOT displayed in the final
              report.

SELECTION LINES
       aide supports three types of selection lines: regular, negative and
       equals. Lines beginning with "/" are regular selection lines. Lines
       beginning with "=" are equals selection lines. Lines beginning with
       "!" are negative selection lines. The string following the first
       character is taken as a regular expression that is matched against
       the complete filename, including the path. In a regular selection
       rule the "/" is included in the regular expression. The expression is
       anchored at the beginning of the path but not at its end, so /foo
       also matches /foobar and /foo/bar unless it is terminated with $.
       Special characters in your filenames can be escaped using two-digit
       URL encoding (for example, %20 to represent a space). Following the
       regular expression is a group definition as explained above. See
       EXAMPLES and doc/aide.conf for examples.

       More in-depth discussion of the selection algorithm can be found in
       the aide manual.

MACRO LINES
       @@define VAR val
              Define variable VAR to value val.

       @@undef VAR
              Undefine variable VAR.

       @@ifdef VAR, @@ifndef VAR
              @@ifdef begins an if statement. It must be terminated with an
              @@endif statement. The lines between @@ifdef and @@endif are
              used if variable VAR is defined. If there is an @@else
              statement then the part between @@ifdef and @@else is used if
              VAR is defined, otherwise the part between @@else and @@endif
              is used. @@ifndef reverses the logic of @@ifdef but otherwise
              works the same way.

       @@ifhost hostname, @@ifnhost hostname
              @@ifhost works like @@ifdef; the only difference is that it
              checks whether hostname equals the name of the host that aide
              is running on. hostname is the name of the host without the
              domain name (hostname, not hostname.aide.org). @@ifnhost
              reverses the logic of @@ifhost.

       @@{VAR}
              @@{VAR} is replaced with the value of the variable VAR. If
              variable VAR is not defined an empty string is used. Unlike
              Tripwire(tm), @@VAR is NOT supported. One special VAR is
              @@{HOSTNAME}, which is substituted with the hostname of the
              current system.

       @@else Begins the else part of an if statement.

       @@endif
              Ends an if statement.

       @@include VAR
              Includes the file VAR. The content of the file is used as if
              it were inserted at this point of the config file.
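
       As an added example (not AIDE's own preprocessor), the following
       Python models how the macro lines above are evaluated: @@define and
       @@undef, @@ifdef/@@ifndef and @@ifhost/@@ifnhost branches with
       @@else, @@{VAR} substitution with the empty-string rule for undefined
       variables, and @@include. It assumes if-blocks may nest, takes the
       short host name as a parameter, and resolves @@include from an
       in-memory dict so it runs offline; the sample config and its paths
       are constructed.

```python
"""A model of aide.conf macro lines. Added example, not AIDE code."""
import re

_VAR_RE = re.compile(r"@@\{([A-Za-z0-9_]+)\}")


class MacroError(Exception):
    pass


def preprocess(text, hostname, files=None):
    """Expand macro lines in 'text' and return the remaining config lines.

    hostname: short host name used by @@ifhost/@@ifnhost and @@{HOSTNAME}.
    files: dict name -> content consulted by @@include (stand-in for disk).
    Assumption: if-blocks may nest; the man page does not say whether AIDE
    allows this, so a config relying on it should be checked against aide.
    """
    state = {"vars": {"HOSTNAME": hostname}, "stack": [], "out": []}
    _expand(text, hostname, files or {}, state)
    if state["stack"]:
        raise MacroError("unterminated @@ifdef/@@ifndef/@@ifhost/@@ifnhost")
    return state["out"]


def _expand(text, hostname, files, state):
    variables, stack, out = state["vars"], state["stack"], state["out"]

    def active():
        # Every enclosing if-block must currently be in its selected branch.
        return all(branch_active for branch_active, _ in stack)

    for raw in text.splitlines():
        line = raw.strip()  # leading and trailing whitespace are ignored
        if not line.startswith("@@"):
            if active() and line and not line.startswith("#"):
                # Undefined variables expand to the empty string, as documented.
                out.append(_VAR_RE.sub(lambda m: variables.get(m.group(1), ""), line))
            continue
        parts = line.split(None, 2)
        directive, arg = parts[0], (parts[1] if len(parts) > 1 else "")
        if directive in ("@@ifdef", "@@ifndef"):
            cond = (arg in variables) == (directive == "@@ifdef")
            stack.append((cond, cond))  # (branch active, some branch taken)
        elif directive in ("@@ifhost", "@@ifnhost"):
            cond = (arg == hostname) == (directive == "@@ifhost")
            stack.append((cond, cond))
        elif directive == "@@else":
            if not stack:
                raise MacroError("@@else without a matching @@if")
            _, taken = stack.pop()
            stack.append((not taken, True))
        elif directive == "@@endif":
            if not stack:
                raise MacroError("@@endif without a matching @@if")
            stack.pop()
        elif not active():
            continue  # define/undef/include inside a skipped branch do nothing
        elif directive == "@@define":
            variables[arg] = parts[2] if len(parts) > 2 else ""
        elif directive == "@@undef":
            variables.pop(arg, None)
        elif directive == "@@include":
            if arg not in files:
                raise MacroError(f"@@include: no such file {arg!r}")
            _expand(files[arg], hostname, files, state)  # in place, shares state
        else:
            raise MacroError(f"unknown macro line: {raw!r}")


# Constructed sample config; variable names and paths are illustrative only.
SAMPLE_CONFIG = """
# database location shared by every host
@@define DBDIR /var/lib/aide
database=file://@@{DBDIR}/aide.db
database_out=file://@@{DBDIR}/aide.db.new

@@ifhost buildbox
/srv/build R
@@else
!/srv/build
@@endif

@@ifndef DBDIR
this line is never emitted
@@endif
@@include site.conf
"""
SAMPLE_FILES = {"site.conf": "@@define SITE eu\n/opt/@@{SITE}-@@{HOSTNAME} L\n"}
```

       Running preprocess(SAMPLE_CONFIG, "buildbox", SAMPLE_FILES) and the
       same call with "web01" shows the two hosts receiving different
       selection lines from one shared file, which is the usual reason to
       reach for @@ifhost.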

URLS
       Urls can be one of the following. Input urls cannot be used as outputs
       and vice versa.

       stdout

       stderr Output is sent to stdout or stderr respectively.

       stdin  Input is read from stdin.

       file://filename
              Input is read from filename or output is written to filename.

       fd:number
              Input is read from file descriptor number or output is written
              to file descriptor number.

DEFAULT GROUPS
       p: permissions

       ftype: file type

       i: inode

       l: link name

       n: number of links

       u: user

       g: group

       s: size

       b: block count

       m: mtime

       a: atime

       c: ctime

       S: check for growing size

       I: ignore changed filename

       ANF: allow new files

       ARF: allow removed files

       md5: md5 checksum

       sha1: sha1 checksum

       sha256: sha256 checksum

       sha512: sha512 checksum

       rmd160: rmd160 checksum

       tiger: tiger checksum

       haval: haval checksum

       crc32: crc32 checksum

       R: p+ftype+i+l+n+u+g+s+m+c+md5

       L: p+ftype+i+l+n+u+g

       E: Empty group

       >: Growing logfile p+ftype+l+u+g+i+n+S

       And also the following if you have mhash support enabled:

       gost: gost checksum

       whirlpool: whirlpool checksum

       The following are available, and added to the default groups R, L and
       >, only when explicitly enabled using configure:

       acl: access control list

       selinux: selinux attributes

       xattrs: extended attributes

       e2fsattrs: file attributes on a second extended file system

       Please note that 'I' and 'c' are incompatible. When the name of a file
       is changed, its ctime is updated as well. When you put 'c' and 'I' in
       the same rule, a changed ctime is silently ignored.

       When 'ANF' is used, new files are added to the new database but are
       ignored in the report.

       When 'ARF' is used, files missing on disk are omitted from the new
       database and are ignored in the report.
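
       The following Python is an added example, not the AIDE parser: it
       reads configuration lines, resolves group expressions against the
       DEFAULT GROUPS listed above, parses the three kinds of selection
       lines (URL-decoding %XX escapes) and warns when 'I' and 'c' appear in
       the same rule. Rule matching is shown with re.match, anchored at the
       start of the path only, which reproduces the /foo versus /foo$
       behaviour discussed under EXAMPLES. The sample configuration and its
       paths are constructed; the optional acl/selinux/xattrs/e2fsattrs
       members of R, L and > are left out, and the precedence between
       several matching rules is not modelled.

```python
"""Parser for aide.conf configuration and selection lines.
Added example, not AIDE project code."""
import re
from urllib.parse import unquote

ATTRIBUTES = {"p", "ftype", "i", "l", "n", "u", "g", "s", "b", "m", "a", "c",
              "S", "I", "ANF", "ARF", "md5", "sha1", "sha256", "sha512",
              "rmd160", "tiger", "haval", "crc32", "gost", "whirlpool",
              "acl", "selinux", "xattrs", "e2fsattrs"}
# DEFAULT GROUPS as listed above, without the compile-time optional members.
DEFAULT_GROUPS = {
    "R": {"p", "ftype", "i", "l", "n", "u", "g", "s", "m", "c", "md5"},
    "L": {"p", "ftype", "i", "l", "n", "u", "g"},
    "E": set(),
    ">": {"p", "ftype", "l", "u", "g", "i", "n", "S"},
}
# Parameters documented as settings; any other parameter defines a group.
SETTINGS = {"database", "database_out", "database_new", "verbose", "syslog_format",
            "report_url", "gzip_dbout", "acl_no_symlink_follow", "warn_dead_symlinks",
            "grouped", "summarize_changes", "config_version"}
RULE_KINDS = {"/": "regular", "=": "equals", "!": "negative"}
_TERM_RE = re.compile(r"([+-]?)\s*([^\s+-]+)\s*")


def resolve_group(expr, groups):
    """Evaluate '<group> + <group> - <group>' to a set of attributes.

    A single attribute such as 'p' or 'md5' is a group of one, so both
    'p+i+n+u+g+s+m+c+a+md5' and 'R-md5+sha256' resolve; 'epug' does not,
    because members must be joined with '+'."""
    result, pos, first = set(), 0, True
    expr = expr.strip()
    while pos < len(expr):
        m = _TERM_RE.match(expr, pos)
        if m is None or (m.group(1) == "") != first:
            raise ValueError(f"malformed group expression {expr!r}")
        sign, name = m.groups()
        if name in groups:
            members = groups[name]
        elif name in ATTRIBUTES:
            members = {name}
        else:
            raise ValueError(f"unknown group or attribute {name!r} in {expr!r}")
        result = result - members if sign == "-" else result | members
        pos, first = m.end(), False
    return result


def parse_config(text):
    """Parse expanded config text into (settings, groups, rules, warnings).

    settings maps a parameter to the list of values seen, in order (aide uses
    the first for database/database_out/verbose, all of them for report_url).
    rules is a list of (kind, compiled regex, attribute set or None).
    Macro lines (@@...) are assumed to have been expanded beforehand."""
    settings, groups, rules, warnings = {}, dict(DEFAULT_GROUPS), [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@@"):
            continue
        if line[0] in RULE_KINDS:
            kind = RULE_KINDS[line[0]]
            body = line if kind == "regular" else line[1:]  # '/' stays in the regex
            parts = body.split(None, 1)
            pattern = unquote(parts[0])  # '%20' style escapes in the path
            attrs = resolve_group(parts[1], groups) if len(parts) > 1 else None
            if attrs and {"I", "c"} <= attrs:
                warnings.append(f"line {lineno}: 'I' and 'c' together; "
                                "a changed ctime is silently ignored")
            rules.append((kind, re.compile(pattern), attrs))
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: not a config, selection or macro line")
        key, value = key.strip(), value.strip()
        if key in SETTINGS:
            settings.setdefault(key, []).append(value)
        else:  # includes report_attributes and ignore_list
            groups[key] = resolve_group(value, groups)
    return settings, groups, rules, warnings


def matching_rules(rules, path):
    """Rules whose regex matches 'path' from its first character.

    re.match anchors at the start only, so a rule written as /foo also
    matches /foobar and /foo/bar (it behaves like /foo.*); =/foo$ matches
    /foo alone."""
    return [(kind, regex.pattern) for kind, regex, _ in rules if regex.match(path)]


# Constructed sample configuration; paths and group names are illustrative.
SAMPLE_CONFIG = """
database=file:///var/lib/aide/aide.db
report_url=stdout
report_url=file:///var/log/aide.report
All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160
Strict=R-md5+sha256+sha512
ignore_list=a

/ R
!/dev
=/tmp
=/foo$ Strict
/foo/bar Strict
/var/log/My%20App >
/usr/local I+p+u+g+c
"""
```

       Running parse_config over a real aide.conf before deploying it
       catches the two mistakes the manual warns about, a group written
       without '+' separators and a rule combining 'I' with 'c', without
       waiting for the first --check to misreport.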

EXAMPLES
       / R

       This adds all files on your machine to the database. This one line is
       a fully qualified configuration file.

       !/dev

       This ignores the /dev directory structure.

       =/tmp

       Only /tmp is taken into the database. None of its children are added.

       All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160

       This line defines the group All. It combines the file attributes p,
       i, n, u, g, s, m, c and a with the md5, sha1, tiger and rmd160
       checksums. If you absolutely want every digest function listed in
       DEFAULT GROUPS, add +sha256+sha512+crc32+haval+gost+whirlpool to the
       end of the definition; gost and whirlpool require mhash support,
       which can only be enabled at compile-time.

       =/foo p+i+l+n+u+g+s+m+c+md5

       /foo/bar p+i+l+n+u+g+s+m+c+md5

       This config adds all files under /foo because they match the regex
       /foo, which is equivalent to /foo.* . What you probably want is:

       =/foo$ p+i+l+n+u+g+s+m+c+md5

       /foo/bar p+i+l+n+u+g+s+m+c+md5

       Note that the following still works as expected, because =/foo$ stops
       the recursion into the directory /foo.

       =/foo p+i+l+n+u+g+s+m+c+md5

       In the following, the first is not allowed in AIDE; the attributes of
       a group must be joined with "+". Use the latter instead.

       /foo epug

       /foo e+p+u+g

SEE ALSO
       aide(1) http://www.cs.tut.fi/~rammer/aide/manual.html

       All trademarks are the property of their respective owners. No animals
       were harmed while making this webpage or this piece of software.

                                                                  aide.conf(5)