aide.conf(5)                    File Formats Manual                    aide.conf(5)

NAME
       aide.conf - The configuration file for Advanced Intrusion Detection
       Environment

DESCRIPTION
       aide.conf is the configuration file for Advanced Intrusion Detection
       Environment. aide.conf contains the runtime configuration aide uses to
       initialize or check the aide database.

       aide.conf is similar to Tripwire(tm)'s configuration file. With little
       effort tw.conf can be converted to aide.conf.

       aide.conf is case-sensitive. Leading and trailing whitespace is
       ignored.

       There are three types of lines in aide.conf. First there are the
       configuration lines which are used to set configuration parameters and
       define/undefine variables. Second, there are selection lines that are
       used to indicate which files are added to the database. Third, macro
       lines define or undefine variables within the config file. Lines
       beginning with # are ignored as comments.

CONFIG LINES
       These lines have the format parameter=value. See URLS for a list of
       valid urls.

       database
              The url from which the database is read. There can only be one
              of these lines. If there are multiple database lines then the
              first is used. The default value is "/usr/etc/aide.db".

       database_out
              The url to which the new database is written. There can only
              be one of these lines. If there are multiple database_out lines
              then the first is used. The default value is
              "/usr/etc/aide.db.new".

       database_new
              The url from which the other database for --compare is read.
              There is no default for this one.

       verbose
              The level of messages that is output. This value can be 0-255
              inclusive. This parameter can only be given once. The value
              from the first occurrence is used. If --verbose or -V is used
              then the value from that is used. The default is 5. If
              verbosity is 20 then additional report output is written when
              doing --check, --update or --compare.

       syslog_format
              Valid values are yes, true, no and false. This option enables a
              new syslog format that is suitable for logging. Every change is
              logged as one simple line. This option changes the verbose level
              to 0 and prints everything that was changed. It is suggested to
              use this option with "report_url=syslog:...". The default value
              is "false/no". The maximum size of a message is 1KB, which is a
              limitation of the syslog call. If a message is greater than the
              limit, it is truncated. The option summarize_changes has no
              effect on this format.

              Output always starts with:
              "AIDE found differences between database and filesystem!!"
              It is followed by a summary:
              summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=1
              And finally there are logs about changes:
              dir=/usr/sbin;Mtime_old=0000-00-00 00:00:00;Mtime_new=0000-00-00 00:00:00;...
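A parser for this syslog_format output, added here as an example (it is not part of AIDE). The sample lines are constructed from the shapes shown above, and the summary cross-check assumes one change line is logged per changed file:

```python
# Constructed sample of syslog_format output, following the line shapes shown
# above; the path, counts and timestamps are made up for this example.
SAMPLE_LINES = [
    "AIDE found differences between database and filesystem!!",
    "summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=1",
    "dir=/usr/sbin;Mtime_old=2024-01-01 00:00:00;Mtime_new=2024-01-02 12:30:00",
]

def parse_fields(body):
    """Split 'k=v;k=v;...' into a dict. Values may contain ':' and spaces
    (timestamps), so each field is split only at its first '='."""
    fields = {}
    for field in body.split(";"):
        if field:
            key, _, value = field.partition("=")
            fields[key] = value
    return fields

def parse_report(lines):
    """Turn one syslog_format report into a summary dict plus a list of
    per-entry changes, each mapping attribute -> (old value, new value)."""
    report = {"summary": {}, "changes": []}
    for line in lines:
        if line.startswith("AIDE found differences"):
            continue                      # fixed banner, carries no data
        if line.startswith("summary;"):
            counts = parse_fields(line[len("summary;"):])
            report["summary"] = {k: int(v) for k, v in counts.items()}
            continue
        fields = parse_fields(line)
        kind, path = next(iter(fields.items()))   # first field names the entry, e.g. dir=/usr/sbin
        changed = {}
        for key, old in fields.items():
            if key.endswith("_old"):
                attr = key[:-len("_old")]
                changed[attr] = (old, fields.get(attr + "_new"))
        report["changes"].append({"kind": kind, "path": path, "changed": changed})
    return report

def summary_matches(report):
    """Cross-check the summary against the change lines actually received: a
    mismatch means lines were lost or truncated (syslog's 1KB limit).
    Assumes one change line per changed file, as the example above shows."""
    return report["summary"].get("changed_files") == len(report["changes"])
```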

       report_url
              The url that the output is written to. There can be multiple
              instances of this parameter. Output is written to all of them.
              The default is stdout.

       gzip_dbout
              Whether the output to the database is gzipped or not. Valid
              values are yes, true, no and false. The default is no. This
              option is available only if zlib support is compiled in.

       acl_no_symlink_follow
              Whether to check ACLs for symlinks or not. Valid values are
              yes, true, no and false. The default is to follow symlinks. This
              option is available only if acl support is compiled in.

       warn_dead_symlinks
              Whether to warn about dead symlinks or not. Valid values are
              yes, true, no and false. The default is not to warn about dead
              symlinks.

       summarize_changes
              Whether to summarize changes in the added, removed and changed
              files sections of the report or not. Valid values are yes,
              true, no and false. The default is not to summarize the
              changes.

              The general format is like the string YlZbpugamcinCAXS, where Y
              is replaced by the file-type (f for a regular file, d for a
              directory, L for a symbolic link, D for a character device, B
              for a block device, F for a FIFO, s for a unix socket and ?
              otherwise).

              The Z is replaced as follows: a = means that the size has not
              changed, a < reports a shrunken size and a > reports a grown
              size.

              The other letters in the string are the actual letters that
              will be output if the associated attribute for the item has
              been changed, or a "." for no change, a "+" if the attribute
              has been added, a "-" if it has been removed, a ":" if the
              attribute is listed in ignore_list or a " " if the attribute
              has not been checked. The exceptions to this are: (1) a newly
              created file replaces each letter with a "+", and (2) a removed
              file replaces each letter with a "-".

              The attribute that is associated with each letter is as
              follows:

              o A l means that the link name has changed.

              o A b means that the block count has changed.

              o A p means that the permissions have changed.

              o A u means that the uid has changed.

              o A g means that the gid has changed.

              o An a means that the access time has changed.

              o A m means that the modification time has changed.

              o A c means that the change time has changed.

              o An i means that the inode has changed.

              o A n means that the link count has changed.

              o A C means that one or more checksums have changed.

              o An A means that the access control list has changed.

              o An X means that the extended attributes have changed.

              o An S means that the SELinux attributes have changed.
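A decoder for the summarize_changes string described above, added as an example that is not AIDE's own code. It follows the documented column order YlZbpugamcinCAXS; the sample strings are constructed, and the added/removed test assumes every attribute column carries the "+" or "-":

```python
# Column layout of the summarize_changes string documented above: YlZbpugamcinCAXS.
ATTRIBUTE_COLUMNS = {
    1: "link name", 3: "block count", 4: "permissions", 5: "uid", 6: "gid",
    7: "atime", 8: "mtime", 9: "ctime", 10: "inode", 11: "link count",
    12: "checksum", 13: "ACL", 14: "xattrs", 15: "SELinux",
}
FILE_TYPES = {"f": "regular file", "d": "directory", "L": "symbolic link",
              "D": "character device", "B": "block device", "F": "FIFO",
              "s": "unix socket", "?": "unknown"}
SIZE_CHANGE = {"=": "unchanged", "<": "shrunk", ">": "grown"}
MARKS = {"+": "added", "-": "removed", ":": "ignored", " ": "unchecked"}

def decode_summary(line):
    """Decode one 16-column summarize_changes string into a dict."""
    if len(line) != 16:
        raise ValueError("expected 16 columns, got %d" % len(line))
    result = {"type": FILE_TYPES.get(line[0], "unknown"), "status": "changed",
              "size": SIZE_CHANGE.get(line[2], "unchecked"), "changed": [],
              "added": [], "removed": [], "ignored": [], "unchecked": []}
    marks = {line[column] for column in ATTRIBUTE_COLUMNS}
    if marks == {"+"}:                         # new file: every attribute column is '+'
        result["status"] = "added"
        return result
    if marks == {"-"}:                         # removed file: every attribute column is '-'
        result["status"] = "removed"
        return result
    for column, attribute in ATTRIBUTE_COLUMNS.items():
        mark = line[column]
        if mark == ".":
            continue                           # attribute unchanged
        # Any mark other than the four special ones is the attribute's own letter.
        result[MARKS.get(mark, "changed")].append(attribute)
    return result

def content_changed_silently(decoded):
    """Defender's check: a checksum change with no mtime change deserves a look,
    since a file rewritten in place normally gets a new mtime."""
    return "checksum" in decoded["changed"] and "mtime" not in decoded["changed"]

# Constructed sample: regular file, grown, mtime/ctime/checksum changed, xattrs in
# ignore_list and SELinux not checked (the last column is a blank).
SAMPLE = "f.>.....mc..C.:" + " "
```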

       report_attributes
              Special group definition that lists parameters which are always
              printed in the final report for changed files.

       ignore_list
              Special group definition that lists parameters which are to be
              ignored from the final report.

       config_version
              The value of config_version is printed in the report and also
              printed to the database. This is for informational purposes
              only. It has no other functionality.

   Group definitions
       If the parameter is not one of the previous parameters then it is
       regarded as a group definition. The value is then regarded as an
       expression. An expression is of the following form:

              <predefined group>
              | <expr> + <predefined group>
              | <expr> - <predefined group>

       See DEFAULT GROUPS for an explanation of the default predefined
       groups. Note that this is different from the way Tripwire(tm) does it.

       There is also a special group named "ignore_list". The predefined
       groups listed in it are NOT displayed in the final report.

SELECTION LINES
       aide supports three types of selection lines (regular, negative,
       equals). Lines beginning with "/" are regular selection lines. Lines
       beginning with "=" are equals selection lines. And lines beginning
       with "!" are negative selection lines. The string following the first
       character is taken as a regular expression matching a complete
       filename, including the path. In a regular selection rule the "/" is
       included in the regular expression. Following the regular expression
       is a group definition as explained above. See EXAMPLES and
       doc/aide.conf for examples.

       A more in-depth discussion of the selection algorithm can be found in
       the aide manual.

MACRO LINES
       @@define VAR val
              Define variable VAR to value val.

       @@undef VAR
              Undefine variable VAR.

       @@ifdef VAR, @@ifndef VAR
              @@ifdef begins an if statement. It must be terminated with an
              @@endif statement. The lines between @@ifdef and @@endif are
              used if variable VAR is defined. If there is an @@else
              statement then the part between @@ifdef and @@else is used if
              VAR is defined, otherwise the part between @@else and @@endif
              is used. @@ifndef reverses the logic of the @@ifdef statement
              but otherwise works similarly.

       @@ifhost hostname, @@ifnhost hostname
              @@ifhost works like @@ifdef; the only difference is that it
              checks whether hostname equals the name of the host that aide
              is running on. hostname is the name of the host without the
              domain name (hostname, not hostname.aide.org).

       @@{VAR}
              @@{VAR} is replaced with the value of the variable VAR. If
              variable VAR is not defined an empty string is used. Unlike
              Tripwire(tm), @@VAR is NOT supported. One special VAR is
              @@{HOSTNAME} which is substituted with the hostname of the
              current system.

       @@else Begins the else part of an if statement.

       @@endif
              Ends an if statement.

       @@include VAR
              Includes the file VAR. The content of the file is used as if it
              were inserted in this part of the config file.
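A small preprocessor implementing the macro lines described above, added as an example (it is not AIDE's own implementation). It handles every macro except @@include; the config fragment and the hostname web1 are constructed for the example:

```python
import re
MACRO_RE = re.compile(r"^@@(define|undef|ifdef|ifndef|ifhost|ifnhost|else|endif)\b\s*(.*)$")
VAR_RE = re.compile(r"@@\{(\w+)\}")

def preprocess(text, hostname, predefined=None):
    # Expand @@define/@@undef, @@ifdef/@@ifndef, @@ifhost/@@ifnhost, @@else/@@endif
    # and @@{VAR}; returns the surviving config lines. @@include is not handled here.
    variables = dict(predefined or {})
    variables["HOSTNAME"] = hostname               # the one built-in variable
    stack = []                                     # (branch condition, enclosing block active)
    output = []
    for raw in text.splitlines():
        line = raw.strip()                         # leading/trailing whitespace is ignored
        active = not stack or (stack[-1][0] and stack[-1][1])
        m = MACRO_RE.match(line)
        if not m:
            if active and line and not line.startswith("#"):
                output.append(VAR_RE.sub(lambda v: variables.get(v.group(1), ""), line))
            continue
        keyword, arg = m.group(1), m.group(2).strip()
        if keyword == "endif":
            stack.pop()                            # IndexError here means a stray @@endif
        elif keyword == "else":
            cond, parent = stack[-1]
            stack[-1] = (not cond, parent)         # flip the branch, keep the enclosing state
        elif keyword in ("ifdef", "ifndef"):       # the 'n' variants negate the test
            stack.append(((arg in variables) != (keyword == "ifndef"), active))
        elif keyword in ("ifhost", "ifnhost"):
            stack.append(((arg == hostname) != (keyword == "ifnhost"), active))
        elif active and keyword == "define":
            name, _, value = arg.partition(" ")
            variables[name] = value.strip()
        elif active and keyword == "undef":
            variables.pop(arg, None)
    if stack:
        raise ValueError("unterminated @@if block")
    return output

# Constructed example config (not from the AIDE project); web1 is a made-up hostname.
SAMPLE_CONF = """\
@@define DBDIR /var/lib/aide
@@ifhost web1
database=file://@@{DBDIR}/@@{HOSTNAME}.db
@@else
database=file://@@{DBDIR}/aide.db
@@endif
@@ifndef NOLOGS
/var/log >
@@endif
"""
```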

URLS
       Urls can be one of the following. Input urls cannot be used as outputs
       and vice versa.

       stdout, stderr
              Output is sent to stdout or stderr respectively.

       stdin  Input is read from stdin.

       file://filename
              Input is read from filename or output is written to filename.

       fd:number
              Input is read from file descriptor number or output is written
              to file descriptor number.

DEFAULT GROUPS
       p: permissions

       i: inode

       l: link name

       n: number of links

       u: user

       g: group

       s: size

       b: block count

       m: mtime

       a: atime

       c: ctime

       S: check for growing size

       I: ignore changed filename

       ANF: allow new files

       ARF: allow removed files

       md5: md5 checksum

       sha1: sha1 checksum

       sha256: sha256 checksum

       sha512: sha512 checksum

       rmd160: rmd160 checksum

       tiger: tiger checksum

       haval: haval checksum

       crc32: crc32 checksum

       R: p+i+l+n+u+g+s+m+c+md5

       L: p+i+l+n+u+g

       E: Empty group

       >: Growing logfile p+l+u+g+i+n+S

       And also the following if you have mhash support enabled:

       gost: gost checksum

       whirlpool: whirlpool checksum

       The following is available when explicitly enabled using configure:

       acl: access control list

       selinux: selinux attributes

       xattrs: extended attributes

       Please note that 'I' and 'c' are incompatible. When the name of a
       file is changed, its ctime is updated as well. When you put 'c' and
       'I' in the same rule, a changed ctime is silently ignored.

       When 'ANF' is used, new files are added to the new database, but are
       ignored in the report.

       When 'ARF' is used, files missing on disk are omitted from the new
       database and are ignored in the report.

EXAMPLES
       / R

       This adds all files on your machine to the database. This one line is
       a fully qualified configuration file.

       !/dev

       This ignores the /dev directory structure.

       =/tmp

       Only /tmp is taken into the database. None of its children are added.

       All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160

       This line defines group All. It has all attributes and all message
       digest checksum functions. If you absolutely want all digest functions
       then you should enable mhash support and add +crc32+haval+gost to the
       end of the definition for All. Mhash support can only be enabled at
       compile-time.
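An evaluator for the group expressions of the Group definitions section and the DEFAULT GROUPS list, added here as an example rather than AIDE's own code. It resolves the All line above and derived groups to attribute sets, and flags the documented 'I' with 'c' pitfall; the Norm and Logs lines are constructed:

```python
import re
# Attributes and built-in groups as listed under DEFAULT GROUPS (the mhash,
# acl, selinux and xattrs extras are left out of this example).
ATTRIBUTES = {"p", "i", "l", "n", "u", "g", "s", "b", "m", "a", "c", "S", "I",
              "ANF", "ARF", "md5", "sha1", "sha256", "sha512", "rmd160",
              "tiger", "haval", "crc32"}
BUILTIN_GROUPS = {"R": "p+i+l+n+u+g+s+m+c+md5", "L": "p+i+l+n+u+g",
                  "E": "", ">": "p+l+u+g+i+n+S"}
PARAMETERS = {"database", "database_out", "database_new", "verbose",  # config parameters,
              "syslog_format", "report_url", "gzip_dbout",            # never group names
              "acl_no_symlink_follow", "warn_dead_symlinks",
              "summarize_changes", "report_attributes", "ignore_list", "config_version"}
TERM_RE = re.compile(r"([+-]?)\s*([^+\-\s]+)")   # one '+name' / '-name' / 'name' term

def evaluate(expr, groups):
    """Evaluate '<group> | <expr> + <group> | <expr> - <group>' left to right;
    a bare attribute acts as a one-member group. Returns a set of attributes."""
    result = set()
    for sign, name in TERM_RE.findall(expr):
        if name in groups:
            members = groups[name]
        elif name in ATTRIBUTES:
            members = {name}
        else:
            raise ValueError("unknown group or attribute: " + name)
        result = result - members if sign == "-" else result | members
    return result

def load_groups(lines):
    """Collect 'Name=expr' definitions; a group may use any group defined earlier."""
    groups = {name: evaluate(expr, {}) for name, expr in BUILTIN_GROUPS.items()}
    for raw in lines:
        line = raw.strip()
        if "=" not in line or line.startswith(("#", "=", "/", "!", "@@")):
            continue                     # comment, selection or macro line, not a definition
        name, _, expr = line.partition("=")
        if name.strip() not in PARAMETERS:
            groups[name.strip()] = evaluate(expr, groups)
    return groups

def rule_warnings(attrs):
    """Flag the documented pitfall: 'I' together with 'c' silently ignores ctime changes."""
    return ["'I' and 'c' in one rule: changed ctime is silently ignored"] if {"I", "c"} <= attrs else []

# Constructed config fragment; the All line is the one from the example above.
SAMPLE_CONF = """\
All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160
Norm=All-a
Logs=>+sha256
"""
```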

       =/foo p+i+l+n+u+g+s+m+c+md5

       /foo/bar p+i+l+n+u+g+s+m+c+md5

       This config adds all files under /foo because they match the regex
       /foo, which is equivalent to /foo.* . What you probably want is:

       =/foo$ p+i+l+n+u+g+s+m+c+md5

       /foo/bar p+i+l+n+u+g+s+m+c+md5

       Note that the following still works as expected because =/foo$ stops
       recursion into directory /foo.

       =/foo p+i+l+n+u+g+s+m+c+md5

       In the following, the first is not allowed in AIDE. Use the latter
       instead.

       /foo epug

       /foo e+p+u+g

SEE ALSO
       aide(1) http://www.cs.tut.fi/~rammer/aide/manual.html

DISCLAIMER
       All trademarks are the property of their respective owners. No animals
       were harmed while making this webpage or this piece of software.