aide.conf(5)                  File Formats Manual                 aide.conf(5)

NAME

       aide.conf - The configuration file for Advanced Intrusion Detection
       Environment


SYNOPSIS

       aide.conf is the configuration file for Advanced Intrusion Detection
       Environment. aide.conf contains the runtime configuration aide uses to
       initialize or check the aide database.


FILE FORMAT

       aide.conf is similar to Tripwire(tm)'s configuration file. With little
       effort tw.conf can be converted to aide.conf.

       aide.conf is case-sensitive. Leading and trailing whitespace is
       ignored.

       There are three types of lines in aide.conf. First there are the
       configuration lines which are used to set configuration parameters and
       define/undefine variables. Second, there are selection lines that are
       used to indicate which files are added to the database. Third, macro
       lines define or undefine variables within the config file. Lines
       beginning with # are ignored as comments.


CONFIG LINES

       These lines have the format parameter=value. See URLS for a list of
       valid urls.

       database
              The url from which the database is read. There can only be one
              of these lines. If there are multiple database lines then the
              first is used. The default value is "/usr/etc/aide.db".

       database_out
              The url to which the new database is written. There can only be
              one of these lines. If there are multiple database_out lines
              then the first is used. The default value is
              "/usr/etc/aide.db.new".

       database_new
              The url from which the other database for --compare is read.
              There is no default for this one.

       verbose
              The level of messages that is output. This value can be 0-255
              inclusive. This parameter can only be given once. The value from
              the first occurrence is used. If --verbose or -V is used then
              the value from that is used. The default is 5. If verbosity is
              20 then additional report output is written when doing --check,
              --update or --compare.

       report_url
              The url that the output is written to. There can be multiple
              instances of this parameter. Output is written to all of them.
              The default is stdout.

       gzip_dbout
              Whether the output to the database is gzipped or not. Valid
              values are yes, true, no and false. The default is no. This
              option is available only if zlib support is compiled in.

       acl_no_symlink_follow
              Whether to check ACLs for symlinks or not. Valid values are
              yes, true, no and false. The default is to follow symlinks.
              This option is available only if acl support is compiled in.

       warn_dead_symlinks
              Whether to warn about dead symlinks or not. Valid values are
              yes, true, no and false. The default is not to warn about dead
              symlinks.

       grouped
              Whether to group the files in the report by added, removed and
              changed files or not. Valid values are yes, true, no and false.
              The default is to group the files in the report.

       summarize_changes
              Whether to summarize changes in the added, removed and changed
              files sections of the report or not. Valid values are yes,
              true, no and false. The default is not to summarize the
              changes.

              The general format is like the string YlZbpugamcinCAXSE, where Y
              is replaced by the file-type (f for a regular file, d for a
              directory, L for a symbolic link, D for a character device, B
              for a block device, F for a FIFO, s for a unix socket, | for a
              Solaris door, ! if the file type has changed and ? otherwise).

              The Z is replaced as follows: a = means that the size has not
              changed, a < reports a shrunk size and a > reports a grown
              size.

              The other letters in the string are the actual letters that will
              be output if the associated attribute for the item has been
              changed, or a "." for no change, a "+" if the attribute has been
              added, a "-" if it has been removed, a ":" if the attribute is
              listed in ignore_list or a " " if the attribute has not been
              checked. The exceptions to this are: (1) a newly created file
              replaces each letter with a "+", and (2) a removed file replaces
              each letter with a "-".

              The attribute that is associated with each letter is as follows:

              o      An l means that the link name has changed.

              o      A b means that the block count has changed.

              o      A p means that the permissions have changed.

              o      A u means that the uid has changed.

              o      A g means that the gid has changed.

              o      An a means that the access time has changed.

              o      An m means that the modification time has changed.

              o      A c means that the change time has changed.

              o      An i means that the inode has changed.

              o      An n means that the link count has changed.

              o      A C means that one or more checksums have changed.

              The following letters are only available when explicitly enabled
              using configure:

              o      An A means that the access control list has changed.

              o      An X means that the extended attributes have changed.

              o      An S means that the SELinux attributes have changed.

              o      An E means that the file attributes on a second extended
                     file system have changed.

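              The summary string above can be decoded mechanically, for
              instance when post-processing a report before it is archived or
              forwarded. The following is an added example, not part of
              aide.conf(5) or the AIDE sources; it assumes the
              YlZbpugamcinCAXSE layout above and that a build without the
              configure-time attributes simply omits those trailing columns.

```python
# Added example, not from the AIDE sources. Decodes one summarize_changes
# string using the YlZbpugamcinCAXSE layout documented in aide.conf(5).
FILE_TYPES = {"f": "regular file", "d": "directory", "L": "symbolic link",
              "D": "character device", "B": "block device", "F": "FIFO",
              "s": "unix socket", "|": "Solaris door",
              "!": "file type changed", "?": "unknown"}
SIZE = {"=": "unchanged", "<": "shrunk", ">": "grown"}
ATTR_ORDER = "lbpugamcinCAXSE"      # attribute columns after Y (type), Z (size)
ATTRS = {"l": "link name", "b": "block count", "p": "permissions", "u": "uid",
         "g": "gid", "a": "atime", "m": "mtime", "c": "ctime", "i": "inode",
         "n": "link count", "C": "checksum", "A": "acl", "X": "xattrs",
         "S": "selinux", "E": "e2fsattrs"}
MARKERS = {"+": "added", "-": "removed", ":": "ignored", " ": "not checked"}


def decode_summary(summary):
    """Return a dict describing one summarize_changes string.

    The A, X, S and E columns exist only when enabled at configure time
    (assumption: a build without them omits the trailing columns), so a
    summary is 13 to 17 characters long."""
    if not 13 <= len(summary) <= 17:
        raise ValueError("unexpected summary length %d" % len(summary))
    letters = summary[1] + summary[3:]          # everything except Y and Z
    result = {"type": FILE_TYPES.get(summary[0], "unknown"),
              "entry": "changed", "size": SIZE.get(summary[2], "unknown"),
              "changed": [], "added": [], "removed": [], "ignored": [],
              "not checked": []}
    # Exceptions (1) and (2): a new entry is all "+", a removed one all "-".
    if set(letters) in ({"+"}, {"-"}):
        result["entry"] = "added" if "+" in letters else "removed"
        return result
    for letter, ch in zip(ATTR_ORDER, letters):
        if ch == letter:                        # attribute changed
            result["changed"].append(ATTRS[letter])
        elif ch in MARKERS:                     # + - : or space
            result[MARKERS[ch]].append(ATTRS[letter])
        elif ch != ".":                         # "." means unchanged
            raise ValueError("unexpected %r in the %s column"
                             % (ch, ATTRS[letter]))
    return result
```
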
       report_attributes
              Special group definition that lists parameters which are always
              printed in the final report for changed files.

       ignore_list
              Special group definition that lists parameters which are to be
              ignored from the final report.

       config_version
              The value of config_version is printed in the report and also
              printed to the database. This is for informational purposes
              only. It has no other functionality.

       Group definitions
              If the parameter is not one of the previous parameters then it
              is regarded as a group definition. The value is then regarded as
              an expression. An expression is of the following form:

                  <predefined group> | <expr> + <predefined group>
                                     | <expr> - <predefined group>

              See DEFAULT GROUPS for an explanation of default predefined
              groups. Note that this is different from the way Tripwire(tm)
              does it.

              There is also a special group named "ignore_list". The
              predefined groups listed in it are NOT displayed in the final
              report.


SELECTION LINES

       aide supports three types of selection lines (regular, negative,
       equals). Lines beginning with "/" are regular selection lines. Lines
       beginning with "=" are equals selection lines. And lines beginning with
       "!" are negative selection lines. The string following the first
       character is taken as a regular expression matched against a complete
       filename, including the path. In a regular selection rule the "/" is
       included in the regular expression. Special characters in your
       filenames can be escaped using two-digit URL encoding (for example,
       %20 to represent a space). Following the regular expression is a group
       definition as explained above. See EXAMPLES and doc/aide.conf for
       examples.

       More in-depth discussion of the selection algorithm can be found in the
       aide manual.


MACRO LINES

       @@define VAR val
              Define variable VAR to value val.

       @@undef VAR
              Undefine variable VAR.

       @@ifdef VAR, @@ifndef VAR
              @@ifdef begins an if statement. It must be terminated with an
              @@endif statement. The lines between @@ifdef and @@endif are
              used if variable VAR is defined. If there is an @@else statement
              then the part between @@ifdef and @@else is used if VAR is
              defined, otherwise the part between @@else and @@endif is used.
              @@ifndef reverses the logic of the @@ifdef statement but
              otherwise works similarly.

       @@ifhost hostname, @@ifnhost hostname
              @@ifhost works like @@ifdef; the only difference is that it
              checks whether hostname equals the name of the host that aide is
              running on. hostname is the name of the host without the domain
              name (hostname, not hostname.aide.org).

       @@{VAR}
              @@{VAR} is replaced with the value of the variable VAR. If
              variable VAR is not defined an empty string is used. Unlike
              Tripwire(tm), @@VAR is NOT supported. One special VAR is
              @@{HOSTNAME} which is substituted with the hostname of the
              current system.

       @@else
              Begins the else part of an if statement.

       @@endif
              Ends an if statement.

       @@include VAR
              Includes the file VAR. The content of the file is used as if it
              were inserted in this part of the config file.

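       The macro lines above behave like a small preprocessor, which is worth
       reproducing when you want to see the effective configuration a given
       host will load. The following is an added example and not code from
       AIDE; it implements the directives exactly as described in this
       section, takes the hostname as a parameter, and reads @@include files
       from a dict (the sample config and included file are constructed).

```python
# Added example, not from the AIDE sources: a small preprocessor for the @@
# macro lines of aide.conf. @@include reads from a dict, not from disk.
import re
DIRECTIVES = {"@@define", "@@undef", "@@ifdef", "@@ifndef", "@@ifhost",
              "@@ifnhost", "@@else", "@@endif", "@@include"}

def preprocess(lines, hostname, files=None, env=None):
    """Expand macros; return the effective config lines without comments."""
    env = env if env is not None else {}      # shared with @@include'd files
    files, out, stack = files or {}, [], []   # stack: one bool per open @@if*
    def subst(text):                          # @@{VAR}; undefined gives ""
        return re.sub(r"@@\{(\w+)\}", lambda m: hostname if m.group(1)
                      == "HOSTNAME" else env.get(m.group(1), ""), text)

    for raw in lines:
        line = raw.strip()
        parts = line.split(None, 2)
        op = parts[0] if parts and parts[0] in DIRECTIVES else None
        if op in ("@@ifdef", "@@ifndef"):
            stack.append((parts[1] in env) == (op == "@@ifdef"))
        elif op in ("@@ifhost", "@@ifnhost"):
            stack.append((parts[1] == hostname) == (op == "@@ifhost"))
        elif op in ("@@else", "@@endif"):
            if not stack:
                raise ValueError("%s without a matching @@if" % op)
            stack[-1:] = [not stack[-1]] if op == "@@else" else []  # flip/pop
        elif not all(stack):                  # inside a block that is not taken
            continue
        elif op == "@@define":
            env[parts[1]] = parts[2] if len(parts) > 2 else ""
        elif op == "@@undef":
            env.pop(parts[1], None)
        elif op == "@@include":
            out.extend(preprocess(files[subst(parts[1])], hostname, files, env))
        elif line and not line.startswith("#"):
            out.append(subst(line))
    if stack:
        raise ValueError("unterminated @@ifdef/@@ifhost block")
    return out
# Constructed sample config and included file (not from any real host).
CONF = """@@define DBDIR /var/lib/aide
database=file://@@{DBDIR}/aide.db
@@ifhost buildhost
@@include buildhost.conf
@@else
/bin R
@@endif
@@ifndef NOTMP
=/tmp$ p+i+n+u+g
@@endif""".splitlines()
FILES = {"buildhost.conf": ["/usr/local R", "@@define NOTMP 1"]}
```

       Note that a @@define inside an included file affects the rest of the
       including file, which is why NOTMP suppresses the /tmp rule on
       buildhost only.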

URLS

       Urls can be one of the following. Input urls cannot be used as outputs
       and vice versa.

       stdout, stderr
              Output is sent to stdout or stderr respectively.

       stdin  Input is read from stdin.

       file://filename
              Input is read from filename or output is written to filename.

       fd:number
              Input is read from file descriptor number or output is written
              to file descriptor number.


DEFAULT GROUPS

       p:   permissions

       ftype: file type

       i:   inode

       l:   link name

       n:   number of links

       u:   user

       g:   group

       s:   size

       b:   block count

       m:   mtime

       a:   atime

       c:   ctime

       S:   check for growing size

       I:   ignore changed filename

       ANF: allow new files

       ARF: allow removed files

       md5: md5 checksum

       sha1: sha1 checksum

       sha256: sha256 checksum

       sha512: sha512 checksum

       rmd160: rmd160 checksum

       tiger: tiger checksum

       haval: haval checksum

       crc32: crc32 checksum

       R:   p+ftype+i+l+n+u+g+s+m+c+md5

       L:   p+ftype+i+l+n+u+g

       E:   Empty group

       >:   Growing logfile p+ftype+l+u+g+i+n+S

       And also the following if you have mhash support enabled:

       gost: gost checksum

       whirlpool: whirlpool checksum

       The following are available and added to the default groups R, L and >
       only when explicitly enabled using configure:

       acl: access control list

       selinux: selinux attributes

       xattrs: extended attributes

       e2fsattrs: file attributes on a second extended file system

       Please note that 'I' and 'c' are incompatible. When the name of a file
       is changed, its ctime is updated as well. When you put 'c' and 'I' in
       the same rule, a changed ctime is silently ignored.

       When 'ANF' is used, new files are added to the new database, but are
       ignored in the report.

       When 'ARF' is used, files missing on disk are omitted from the new
       database, but are ignored in the report.

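       The group expression grammar from CONFIG LINES, applied to the default
       groups above, can be evaluated mechanically to check what a rule will
       actually record before running an init. The following is an added
       example, not code from AIDE itself; it assumes the R, L, E and >
       definitions exactly as listed here (without the configure-time
       additions) and rejects any name that is not a known group, so a
       concatenated form such as epug is reported as an error rather than
       silently accepted.

```python
# Added example, not from the AIDE sources: evaluate group definition
# expressions (<group> [+|- <group>]...) to the attributes they record.
import re

# Atomic groups from DEFAULT GROUPS: each records exactly one attribute.
ATOMIC = ("p ftype i l n u g s b m a c S I ANF ARF md5 sha1 sha256 sha512 "
          "rmd160 tiger haval crc32 gost whirlpool acl selinux xattrs "
          "e2fsattrs").split()
# Compound default groups as listed above, without the configure-time
# acl/selinux/xattrs/e2fsattrs additions to R, L and >.
DEFAULTS = {"R": "p+ftype+i+l+n+u+g+s+m+c+md5", "L": "p+ftype+i+l+n+u+g",
            "E": "", ">": "p+ftype+l+u+g+i+n+S"}


class Groups:
    def __init__(self):
        self.table = {name: [name] for name in ATOMIC}
        for name, expr in DEFAULTS.items():
            self.table[name] = self.evaluate(expr)

    def evaluate(self, expr):
        """Resolve an expression to an ordered list of attribute names."""
        tokens = re.findall(r"[+-]|[^+\-\s]+", expr)   # groups and operators
        if tokens and len(tokens) % 2 == 0:
            raise ValueError("dangling operator in %r" % expr)
        attrs, op = [], "+"
        for i, tok in enumerate(tokens):
            if i % 2:                                    # operator position
                if tok not in ("+", "-"):
                    raise ValueError("expected + or - in %r" % expr)
                op = tok
            elif tok not in self.table:       # "epug" is not a group name
                raise ValueError("unknown group %r in %r" % (tok, expr))
            elif op == "+":
                attrs += [a for a in self.table[tok] if a not in attrs]
            else:
                attrs = [a for a in attrs if a not in self.table[tok]]
        return attrs

    def define(self, line):
        """Handle a name=expr config line as a group definition."""
        name, _, expr = line.partition("=")
        self.table[name.strip()] = self.evaluate(expr.strip())
        return self.table[name.strip()]
```
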

EXAMPLES

              /    R

       This adds all files on your machine to the database. This one line is
       a fully qualified configuration file.

              !/dev

       This ignores the /dev directory structure.

              =/tmp

       Only /tmp is taken into the database. None of its children are added.

              All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160

       This line defines group All. It has all attributes and all message
       digest checksum functions. If you absolutely want all digest functions
       then you should enable mhash support and add +crc32+haval+gost to the
       end of the definition for All. Mhash support can only be enabled at
       compile-time.


HINTS

              =/foo p+i+l+n+u+g+s+m+c+md5

              /foo/bar p+i+l+n+u+g+s+m+c+md5

       This config adds all files under /foo because they match the regex
       /foo, which is equivalent to /foo.* . What you probably want is:

              =/foo$ p+i+l+n+u+g+s+m+c+md5

              /foo/bar p+i+l+n+u+g+s+m+c+md5

       Note that the following still works as expected because =/foo$ stops
       recursion into directory /foo.

              =/foo p+i+l+n+u+g+s+m+c+md5

       In the following, the first is not allowed in AIDE. Use the latter
       instead.

              /foo epug

              /foo e+p+u+g


SEE ALSO

       aide(1) http://www.cs.tut.fi/~rammer/aide/manual.html


DISCLAIMER

       All trademarks are the property of their respective owners. No animals
       were harmed while making this webpage or this piece of software.