aide.conf(5)                  File Formats Manual                 aide.conf(5)

NAME
       aide.conf - The configuration file for Advanced Intrusion Detection
       Environment

SYNOPSIS
       aide.conf is the configuration file for Advanced Intrusion Detection
       Environment. aide.conf contains the runtime configuration aide uses to
       initialize or check the aide database.

FILE FORMAT
       aide.conf is similar to Tripwire(tm)'s configuration file. With little
       effort tw.conf can be converted to aide.conf.

       aide.conf is case-sensitive. Leading and trailing whitespace is
       ignored.

       There are three types of lines in aide.conf. First there are the
       configuration lines, which are used to set configuration parameters
       and define/undefine variables. Second, there are selection lines,
       which indicate which files are added to the database. Third, macro
       lines define or undefine variables within the config file. Lines
       beginning with # are ignored as comments.

CONFIG LINES
       These lines have the format parameter=value. See URLS for a list of
       valid urls.

       database
              The url from which the database is read. There can only be one
              of these lines. If there are multiple database lines then the
              first is used. The default value is "/usr/etc/aide.db".

       database_out
              The url to which the new database is written. There can only be
              one of these lines. If there are multiple database_out lines
              then the first is used. The default value is
              "/usr/etc/aide.db.new".

       database_new
              The url from which the other database for --compare is read.
              There is no default for this one.

       verbose
              The level of messages that is output. This value can be 0-255
              inclusive. This parameter can only be given once; the value
              from the first occurrence is used. If --verbose or -V is used
              then the value from that is used. The default is 5. If
              verbosity is 20 then additional report output is written when
              doing --check, --update or --compare.

       syslog_format
              Valid values are yes, true, no and false. This option enables
              the new syslog format, which is suitable for logging. Every
              change is logged as one simple line. This option changes the
              verbose level to 0 and prints everything that was changed. It
              is suggested to use this option with "report_url=syslog:...".
              The default value is "false/no". The maximum message size is
              1KB, which is a limitation of the syslog call. If a message is
              greater than the limit, it will be truncated. The option
              summarize_changes has no impact on this format.

              Output always starts with:
              "AIDE found differences between database and filesystem!!"
              It is followed by a summary:
              summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=1
              And finally there are log lines about changes:
              dir=/usr/sbin;Mtime_old=0000-00-00 00:00:00;Mtime_new=0000-00-00 00:00:00;...

       report_url
              The url that the output is written to. There can be multiple
              instances of this parameter. Output is written to all of them.
              The default is stdout.

       gzip_dbout
              Whether the output to the database is gzipped or not. Valid
              values are yes, true, no and false. The default is no. This
              option is available only if zlib support is compiled in.

       acl_no_symlink_follow
              Whether to check ACLs for symlinks or not. Valid values are
              yes, true, no and false. The default is to follow symlinks.
              This option is available only if acl support is compiled in.

       warn_dead_symlinks
              Whether to warn about dead symlinks or not. Valid values are
              yes, true, no and false. The default is not to warn about dead
              symlinks.

       summarize_changes
              Whether to summarize changes in the added, removed and changed
              files sections of the report or not. Valid values are yes,
              true, no and false. The default is not to summarize the
              changes.

              The general format is like the string YlZbpugamcinCAXS, where Y
              is replaced by the file-type (f for a regular file, d for a
              directory, L for a symbolic link, D for a character device, B
              for a block device, F for a FIFO, s for a unix socket and ?
              otherwise).

              The Z is replaced as follows: a = means that the size has not
              changed, a < reports a shrunk size and a > reports a grown
              size.

              The other letters in the string are the actual letters that
              will be output if the associated attribute for the item has
              been changed, or a "." for no change, a "+" if the attribute
              has been added, a "-" if it has been removed, a ":" if the
              attribute is listed in ignore_list or a " " if the attribute
              has not been checked. The exceptions to this are: (1) a newly
              created file replaces each letter with a "+", and (2) a removed
              file replaces each letter with a "-".

              The attribute that is associated with each letter is as
              follows:

              o      An l means that the link name has changed.

              o      A b means that the block count has changed.

              o      A p means that the permissions have changed.

              o      A u means that the uid has changed.

              o      A g means that the gid has changed.

              o      An a means that the access time has changed.

              o      An m means that the modification time has changed.

              o      A c means that the change time has changed.

              o      An i means that the inode has changed.

              o      An n means that the link count has changed.

              o      A C means that one or more checksums have changed.

              o      An A means that the access control list has changed.

              o      An X means that the extended attributes have changed.

              o      An S means that the SELinux attributes have changed.
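
       The following Python script is an added example; it is not part of
       this man page or of the aide sources. It decodes a summarize_changes
       string into the file type, the size indicator and the per-attribute
       markers described above, so that a report post-processor can turn a
       line such as f.>.p...mc..C... into words. The sample strings are
       constructed for the example. One assumption: for the all-"+" (new
       file) and all-"-" (removed file) cases the size column is not
       inspected, since the text above does not say what it holds there.

```python
"""Decode AIDE summarize_changes strings of the form YlZbpugamcinCAXS."""
from dataclasses import dataclass, field
from typing import List, Optional

# Position template from the man page: Y = file type, Z = size indicator,
# every other position is the letter of one attribute.
TEMPLATE = "YlZbpugamcinCAXS"

FILE_TYPES = {"f": "regular file", "d": "directory", "L": "symbolic link",
              "D": "character device", "B": "block device", "F": "FIFO",
              "s": "unix socket", "?": "other"}
SIZE_MARKS = {"=": "unchanged", "<": "shrunk", ">": "grown"}
ATTRIBUTES = {"l": "link name", "b": "block count", "p": "permissions",
              "u": "uid", "g": "gid", "a": "access time",
              "m": "modification time", "c": "change time", "i": "inode",
              "n": "link count", "C": "checksum", "A": "access control list",
              "X": "extended attributes", "S": "SELinux attributes"}


@dataclass
class Summary:
    file_type: str
    status: str = "changed"                 # "changed", "new" or "removed"
    size: Optional[str] = None              # None for new and removed entries
    changed: List[str] = field(default_factory=list)    # letter printed
    added: List[str] = field(default_factory=list)      # "+"
    removed: List[str] = field(default_factory=list)    # "-"
    ignored: List[str] = field(default_factory=list)    # ":" (in ignore_list)
    unchecked: List[str] = field(default_factory=list)  # " " (not in the rule)


def parse_summary(s: str) -> Summary:
    if len(s) != len(TEMPLATE):
        raise ValueError(f"expected {len(TEMPLATE)} characters, got {len(s)}")
    if s[0] not in FILE_TYPES:
        raise ValueError(f"unknown file type letter {s[0]!r}")
    result = Summary(FILE_TYPES[s[0]])
    # Exceptions (1) and (2): every attribute letter is "+" for a new file
    # and "-" for a removed one. Assumption: the size column is not checked
    # in these two cases.
    letters = s[1] + s[3:]
    if set(letters) == {"+"}:
        result.status = "new"
        return result
    if set(letters) == {"-"}:
        result.status = "removed"
        return result
    if s[2] not in SIZE_MARKS:
        raise ValueError(f"unknown size indicator {s[2]!r}")
    result.size = SIZE_MARKS[s[2]]
    for pos, expected in enumerate(TEMPLATE):
        if expected in "YZ":
            continue
        ch, name = s[pos], ATTRIBUTES[expected]
        if ch == expected:
            result.changed.append(name)
        elif ch == ".":
            continue
        elif ch == "+":
            result.added.append(name)
        elif ch == "-":
            result.removed.append(name)
        elif ch == ":":
            result.ignored.append(name)
        elif ch == " ":
            result.unchecked.append(name)
        else:
            raise ValueError(f"unexpected {ch!r} at position {pos}, "
                             f"expected {expected!r} or a marker")
    return result


def describe(s: str) -> str:
    """One-line human-readable rendering of a summary string."""
    r = parse_summary(s)
    if r.status != "changed":
        return f"{r.status} {r.file_type}"
    parts = []
    if r.size != "unchanged":
        parts.append(f"size {r.size}")
    for label, names in (("changed", r.changed), ("added", r.added),
                         ("removed", r.removed), ("ignored", r.ignored),
                         ("unchecked", r.unchecked)):
        if names:
            parts.append(f"{label}: {', '.join(names)}")
    body = "; ".join(parts) if parts else "no changes recorded"
    return f"{r.file_type}: {body}"


if __name__ == "__main__":
    # Constructed sample strings, not real AIDE output.
    for sample in ("f.>.p...mc..C...", "d" + "+" * 15, "L" + "-" * 15):
        print(sample, "->", describe(sample))
```

       Run it as a script to see the three constructed samples decoded, or
       import parse_summary into a script that post-processes AIDE reports.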

       report_attributes
              Special group definition that lists parameters which are always
              printed in the final report for changed files.

       ignore_list
              Special group definition that lists parameters which are to be
              ignored in the final report.

       config_version
              The value of config_version is printed in the report and also
              written to the database. This is for informational purposes
              only. It has no other functionality.

       Group definitions
              If the parameter is not one of the previous parameters then it
              is regarded as a group definition. The value is then regarded
              as an expression. An expression is of the following form:

                  <predefined group> | <expr> + <predefined group>
                                     | <expr> - <predefined group>

              See DEFAULT GROUPS for an explanation of the default predefined
              groups. Note that this is different from the way Tripwire(tm)
              does it.

              There is also a special group named "ignore_list". The
              predefined groups listed in it are NOT displayed in the final
              report.

SELECTION LINES
       aide supports three types of selection lines (regular, negative,
       equals). Lines beginning with "/" are regular selection lines. Lines
       beginning with "=" are equals selection lines. And lines beginning
       with "!" are negative selection lines. The string following the first
       character is taken as a regular expression matching a complete
       filename, including the path. In a regular selection rule the "/" is
       included in the regular expression. Following the regular expression
       is a group definition as explained above. See EXAMPLES and
       doc/aide.conf for examples.

       More in-depth discussion of the selection algorithm can be found in
       the aide manual.

MACRO LINES
       @@define VAR val
              Define variable VAR to value val.

       @@undef VAR
              Undefine variable VAR.

       @@ifdef VAR, @@ifndef VAR
              @@ifdef begins an if statement. It must be terminated with an
              @@endif statement. The lines between @@ifdef and @@endif are
              used if variable VAR is defined. If there is an @@else
              statement then the part between @@ifdef and @@else is used if
              VAR is defined, otherwise the part between @@else and @@endif
              is used. @@ifndef reverses the logic of the @@ifdef statement
              but otherwise works similarly.

       @@ifhost hostname, @@ifnhost hostname
              @@ifhost works like @@ifdef; the only difference is that it
              checks whether hostname equals the name of the host that aide
              is running on. hostname is the name of the host without the
              domain name (hostname, not hostname.aide.org).

       @@{VAR}
              @@{VAR} is replaced with the value of the variable VAR. If
              variable VAR is not defined an empty string is used. Unlike
              Tripwire(tm), @@VAR is NOT supported. One special VAR is
              @@{HOSTNAME}, which is substituted with the hostname of the
              current system.

       @@else Begins the else part of an if statement.

       @@endif
              Ends an if statement.

       @@include VAR
              Includes the file VAR. The content of the file is used as if it
              were inserted in this part of the config file.
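
       The following Python preprocessor is an added example, not aide's own
       code, that implements the macro lines described above: @@define and
       @@undef, nested @@ifdef/@@ifndef and @@ifhost/@@ifnhost blocks with
       @@else and @@endif, @@{VAR} substitution with @@{HOSTNAME} predefined,
       and @@include resolved through a caller-supplied loader so the script
       runs offline. The sample configuration and the included "rules" file
       are constructed for the example. Assumptions: a @@define value is
       stored and substituted verbatim, comment and blank lines are dropped
       from the output, and an undefined @@ifdef inside a skipped branch
       still has to be closed by its @@endif.

```python
"""Expand aide.conf macro lines: @@define, @@undef, @@ifdef, @@ifndef,
@@ifhost, @@ifnhost, @@else, @@endif, @@{VAR} and @@include."""
import re
from typing import Callable, Dict, List, Optional

_VAR = re.compile(r"@@\{([A-Za-z0-9_]+)\}")


def preprocess(text: str, hostname: str,
               variables: Optional[Dict[str, str]] = None,
               include_loader: Optional[Callable[[str], str]] = None) -> List[str]:
    """Return the config and selection lines that survive macro processing.

    hostname is the short host name (no domain), which @@ifhost compares
    against. include_loader maps a file name to its content for @@include.
    """
    env: Dict[str, str] = dict(variables or {})
    env["HOSTNAME"] = hostname                 # the one predefined variable
    stack: List[List[bool]] = []               # [branch_taken, else_seen] per open if
    out: List[str] = []

    def active() -> bool:
        return all(taken for taken, _ in stack)

    def expand(s: str) -> str:                 # undefined variables become ""
        return _VAR.sub(lambda m: env.get(m.group(1), ""), s)

    def run(lines: List[str]) -> None:
        for raw in lines:
            line = raw.strip()                 # leading/trailing whitespace is ignored
            if not line.startswith("@@"):
                if active() and line and not line.startswith("#"):
                    out.append(expand(line))
                continue
            parts = line.split(None, 2)
            directive = parts[0]
            arg = parts[1] if len(parts) > 1 else ""
            if directive in ("@@ifdef", "@@ifndef"):
                cond = arg in env
                stack.append([cond if directive == "@@ifdef" else not cond, False])
            elif directive in ("@@ifhost", "@@ifnhost"):
                cond = arg == hostname
                stack.append([cond if directive == "@@ifhost" else not cond, False])
            elif directive == "@@else":
                if not stack or stack[-1][1]:
                    raise ValueError("@@else without an open if statement")
                stack[-1] = [not stack[-1][0], True]
            elif directive == "@@endif":
                if not stack:
                    raise ValueError("@@endif without an open if statement")
                stack.pop()
            elif not active():
                continue                       # directives in a skipped branch do nothing
            elif directive == "@@define":
                env[arg] = parts[2] if len(parts) > 2 else ""
            elif directive == "@@undef":
                env.pop(arg, None)
            elif directive == "@@include":
                if include_loader is None:
                    raise ValueError("@@include used but no include_loader given")
                run(include_loader(expand(arg)).splitlines())
            else:
                raise ValueError(f"unknown macro line: {line}")

    run(text.splitlines())
    if stack:
        raise ValueError("if statement not terminated by @@endif")
    return out


# Constructed sample configuration and include file (not a real deployment).
SAMPLE_CONF = """\
@@define DBDIR /var/lib/aide
@@ifhost web1
@@define EXTRA +sha256
@@else
@@define EXTRA
@@endif
# database locations (comment lines are dropped)
database=file://@@{DBDIR}/aide.db
database_out=file://@@{DBDIR}/aide.db.new
report_url=file:///var/log/aide/@@{HOSTNAME}.log
Full=R@@{EXTRA}
@@ifdef DEBUG
verbose=20
@@endif
@@include rules
"""
INCLUDES = {"rules": "/etc Full\n!/etc/mtab\n"}


def expand_sample(hostname: str, debug: bool = False) -> List[str]:
    """Expand SAMPLE_CONF as host `hostname`, optionally with DEBUG defined."""
    return preprocess(SAMPLE_CONF, hostname,
                      variables={"DEBUG": ""} if debug else None,
                      include_loader=INCLUDES.__getitem__)


if __name__ == "__main__":
    for line in expand_sample("web1"):
        print(line)
```

       The same file yields a different effective configuration per host,
       which is what @@ifhost is for: compare expand_sample("web1") with
       expand_sample("db1", debug=True).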

URLS
       Urls can be one of the following. Input urls cannot be used as outputs
       and vice versa.

       stdout, stderr
              Output is sent to stdout or stderr respectively.

       stdin  Input is read from stdin.

       file://filename
              Input is read from filename or output is written to filename.

       fd:number
              Input is read from file descriptor number or output is written
              to it.

DEFAULT GROUPS
       p:      permissions

       i:      inode

       l:      link name

       n:      number of links

       u:      user

       g:      group

       s:      size

       b:      block count

       m:      mtime

       a:      atime

       c:      ctime

       S:      check for growing size

       I:      ignore changed filename

       ANF:    allow new files

       ARF:    allow removed files

       md5:    md5 checksum

       sha1:   sha1 checksum

       sha256: sha256 checksum

       sha512: sha512 checksum

       rmd160: rmd160 checksum

       tiger:  tiger checksum

       haval:  haval checksum

       crc32:  crc32 checksum

       R:      p+i+l+n+u+g+s+m+c+md5

       L:      p+i+l+n+u+g

       E:      Empty group

       >:      Growing logfile p+l+u+g+i+n+S

       And also the following if you have mhash support enabled:

       gost:      gost checksum

       whirlpool: whirlpool checksum

       The following is available when explicitly enabled using configure:

       acl:     access control list

       selinux: selinux attributes

       xattrs:  extended attributes

       Please note that 'I' and 'c' are incompatible. When the name of a file
       is changed, its ctime is updated as well. When you put 'c' and 'I' in
       the same rule, a changed ctime is silently ignored.

       When 'ANF' is used, new files are added to the new database, but are
       ignored in the report.

       When 'ARF' is used, files missing on disk are omitted from the new
       database, but are ignored in the report.

EXAMPLES
              /    R

       This adds all files on your machine to the database. This one line is
       a fully qualified configuration file.

              !/dev

       This ignores the /dev directory structure.

              =/tmp

       Only /tmp is taken into the database. None of its children are added.

              All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160

       This line defines group All. It has all attributes and all message
       digest checksum functions. If you absolutely want all digest functions
       then you should enable mhash support and add +crc32+haval+gost to the
       end of the definition for All. Mhash support can only be enabled at
       compile-time.

HINTS
              =/foo p+i+l+n+u+g+s+m+c+md5

              /foo/bar p+i+l+n+u+g+s+m+c+md5

       This config adds all files under /foo because they match the regex
       /foo, which is equivalent to /foo.* . What you probably want is:

              =/foo$ p+i+l+n+u+g+s+m+c+md5

              /foo/bar p+i+l+n+u+g+s+m+c+md5

       Note that the following still works as expected because =/foo$ stops
       recursion into directory /foo.

              =/foo p+i+l+n+u+g+s+m+c+md5

       In the following, the first is not allowed in AIDE. Use the latter
       instead.

              /foo epug

              /foo e+p+u+g

SEE ALSO
       aide(1) http://www.cs.tut.fi/~rammer/aide/manual.html

DISCLAIMER
       All trademarks are the property of their respective owners. No animals
       were harmed while making this webpage or this piece of software.

                                                                  aide.conf(5)