aide.conf(5)                  File Formats Manual                 aide.conf(5)

NAME
       aide.conf - The configuration file for Advanced Intrusion Detection
       Environment

DESCRIPTION
       aide.conf is the configuration file for Advanced Intrusion Detection
       Environment. aide.conf contains the runtime configuration aide uses to
       initialize or check the aide database.

       aide.conf is similar to Tripwire(tm)'s configuration file. With little
       effort tw.conf can be converted to aide.conf.

       aide.conf is case-sensitive. Leading and trailing whitespace is
       ignored.

       There are three types of lines in aide.conf. First, there are
       configuration lines, which set configuration parameters and define
       groups of attributes. Second, there are selection lines, which
       indicate which files are added to the database. Third, there are
       macro lines, which define or undefine variables and conditionally
       include parts of the config file. Lines beginning with # are ignored
       as comments.

CONFIG LINES
       These lines have the format parameter=value. See URLS for a list of
       valid urls.

       database
              The url from which the database is read. There can only be
              one of these lines. If there are multiple database lines then
              the first is used. The default value is "/usr/etc/aide.db".

       database_out
              The url to which the new database is written. There can only
              be one of these lines. If there are multiple database_out
              lines then the first is used. The default value is
              "/usr/etc/aide.db.new".

       database_new
              The url from which the other database for --compare is read.
              There is no default for this one.

       verbose
              The level of messages that is output. This value can be 0-255
              inclusive. This parameter can only be given once; the value
              from the first occurrence is used. If --verbose or -V is given
              on the command line then that value is used instead. The
              default is 5. If verbosity is 20 then additional report output
              is written when doing --check, --update or --compare.

       report_url
              The url that the output is written to. There can be multiple
              instances of this parameter. Output is written to all of them.
              The default is stdout.

       gzip_dbout
              Whether the output to the database is gzipped or not. Valid
              values are yes, true, no and false. The default is no. This
              option is available only if zlib support is compiled in.

       acl_no_symlink_follow
              Whether ACL checks should not follow symlinks, i.e. whether
              the ACL of the symlink itself is checked instead of that of
              its target. Valid values are yes, true, no and false. The
              default is to follow symlinks. This option is available only
              if acl support is compiled in.

       warn_dead_symlinks
              Whether to warn about dead symlinks or not. Valid values are
              yes, true, no and false. The default is not to warn about dead
              symlinks.

       grouped
              Whether to group the files in the report by added, removed and
              changed files or not. Valid values are yes, true, no and
              false. The default is to group the files in the report.

       summarize_changes
              Whether to summarize changes in the added, removed and changed
              files sections of the report or not. Valid values are yes,
              true, no and false. The default is not to summarize the
              changes.

              The summary for each file is a string of the general form
              YlZbpugamcinCAXSE, where Y is replaced by the file type (f for
              a regular file, d for a directory, L for a symbolic link, D
              for a character device, B for a block device, F for a FIFO, s
              for a unix socket, | for a Solaris door, ! if the file type
              has changed and ? otherwise).

              The Z is replaced as follows: a = means that the size has not
              changed, a < reports a shrunk size and a > reports a grown
              size.

              The other letters in the string are the actual letters that
              will be output if the associated attribute for the item has
              been changed, or a "." for no change, a "+" if the attribute
              has been added, a "-" if it has been removed, a ":" if the
              attribute is listed in ignore_list or a " " if the attribute
              has not been checked. The exceptions to this are: (1) a newly
              created file replaces each letter with a "+", and (2) a
              removed file replaces each letter with a "-".

              The attribute that is associated with each letter is as
              follows:

              o An l means that the link name has changed.

              o A b means that the block count has changed.

              o A p means that the permissions have changed.

              o A u means that the uid has changed.

              o A g means that the gid has changed.

              o An a means that the access time has changed.

              o An m means that the modification time has changed.

              o A c means that the change time has changed.

              o An i means that the inode has changed.

              o An n means that the link count has changed.

              o A C means that one or more checksums have changed.

              The following letters are only available when explicitly
              enabled using configure:

              o An A means that the access control list has changed.

              o An X means that the extended attributes have changed.

              o An S means that the SELinux attributes have changed.

              o An E means that the file attributes on an ext2/3/4 file
                system (e2fsattrs) have changed.

       report_attributes
              Special group definition that lists attributes which are
              always printed in the final report for changed files.

       ignore_list
              Special group definition that lists attributes which are to be
              ignored in the final report.

       config_version
              The value of config_version is printed in the report and also
              stored in the database. This is for informational purposes
              only. It has no other functionality.

   Group definitions
       If the parameter is not one of the previous parameters then it is
       regarded as a group definition. The value is then regarded as an
       expression of the following form:

              <predefined group>
              | <expr> + <predefined group>
              | <expr> - <predefined group>

       A group defined earlier in the config file can be used like a
       predefined group in later expressions. See DEFAULT GROUPS for an
       explanation of the predefined groups. Note that this is different
       from the way Tripwire(tm) does it.

       There is also a special group named "ignore_list". The attributes
       listed in it are NOT displayed in the final report.

SELECTION LINES
       aide supports three types of selection lines: regular, negative and
       equals. Lines beginning with "/" are regular selection lines. Lines
       beginning with "=" are equals selection lines. Lines beginning with
       "!" are negative selection lines. The string following the first
       character is taken as a regular expression that is matched against
       the complete filename, including the path, starting at the beginning
       of the path; a rule written as /foo therefore also matches everything
       below /foo unless the expression is anchored with $. In a regular
       selection line the leading "/" is part of the regular expression.
       Special characters in your filenames can be escaped using two-digit
       URL encoding (for example, %20 to represent a space). Following the
       regular expression is a group definition as explained above. See
       EXAMPLES and doc/aide.conf for examples.

       More in-depth discussion of the selection algorithm can be found in
       the aide manual.
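
       As an added example (not code from the AIDE project), the following
       Python parses the configuration and selection lines of an aide.conf
       according to the rules above: single-valued parameters keep their
       first occurrence, report_url may repeat, group expressions are
       expanded (including user-defined groups reused by later lines),
       selection lines are split into type, regex and group, and a rule's
       regex is matched against a path from its beginning only, which is why
       /foo also covers /foo/bar (compare the /foo and /foo$ examples at the
       end of this page). It also flags the 'I' plus 'c' combination
       described under DEFAULT GROUPS. The sample config is constructed;
       macro lines are skipped and the recursive selection algorithm of the
       aide manual is not modelled.

```python
"""Parse the configuration and selection lines of an aide.conf file.

Added example, not AIDE code. Group expressions, the first-occurrence rule and
the three selection line kinds follow aide.conf(5); macro lines are skipped and
the recursive selection algorithm (see the aide manual) is not modelled.
"""
import re
from urllib.parse import unquote

SINGLE = {"database", "database_out", "database_new", "verbose"}
BOOLEAN = {"gzip_dbout", "acl_no_symlink_follow", "warn_dead_symlinks",
           "grouped", "summarize_changes"}
PARAMS = SINGLE | BOOLEAN | {"report_url", "config_version"}
# Single-attribute groups from DEFAULT GROUPS; the last six only exist in
# builds with mhash, acl, selinux, xattrs or e2fsattrs support.
ATOMIC = ("p ftype i l n u g s b m a c S I ANF ARF md5 sha1 sha256 sha512 rmd160 "
          "tiger haval crc32 gost whirlpool acl selinux xattrs e2fsattrs").split()
TOKEN = re.compile(r"([+-]?)([^+\-\s]+)")

def builtin_groups():
    groups = {name: frozenset([name]) for name in ATOMIC}
    groups["E"] = frozenset()
    groups["R"] = frozenset("p ftype i l n u g s m c md5".split())
    groups["L"] = frozenset("p ftype i l n u g".split())
    groups[">"] = frozenset("p ftype l u g i n S".split())
    return groups

def resolve(expr, groups):
    """Expand '<group>', '<expr>+<group>' or '<expr>-<group>' into attributes."""
    expr = expr.replace(" ", "")
    tokens = TOKEN.findall(expr)
    if not tokens or "".join(op + name for op, name in tokens) != expr:
        raise ValueError(f"malformed group expression {expr!r}")
    attrs = set()
    for idx, (op, name) in enumerate(tokens):
        if name not in groups:
            raise ValueError(f"unknown group {name!r} (join attributes with '+', e.g. E+p+u+g)")
        if (idx == 0) != (op == ""):
            raise ValueError(f"operator missing or misplaced in {expr!r}")
        attrs = attrs - groups[name] if op == "-" else attrs | groups[name]
    return frozenset(attrs)

def parse_config(text):
    """Return (params, groups, rules, warnings) for the non-macro lines of text."""
    params, groups, rules, warnings = {}, builtin_groups(), [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#@":
            continue
        if line[0] in "/!=":
            kind = {"/": "regular", "!": "negative", "=": "equals"}[line[0]]
            # The leading "/" of a regular line is part of the regex itself.
            fields = (line if kind == "regular" else line[1:]).split(None, 1)
            regex = unquote(fields[0])  # undo %20-style escapes in file names
            attrs = resolve(fields[1], groups) if len(fields) > 1 else None
            if attrs and {"I", "c"} <= attrs:
                warnings.append(f"line {lineno}: 'I' and 'c' in one rule, ctime changes are ignored")
            rules.append({"kind": kind, "regex": re.compile(regex), "attrs": attrs, "line": lineno})
            continue
        name, sep, value = (s.strip() for s in line.partition("="))
        if not sep:
            warnings.append(f"line {lineno}: not a parameter, group or selection line")
        elif name not in PARAMS:
            groups[name] = resolve(value, groups)  # later lines may reuse this group
        elif name == "report_url":
            params.setdefault(name, []).append(value)  # output goes to every instance
        elif name in SINGLE and name in params:
            warnings.append(f"line {lineno}: duplicate {name}, first occurrence wins")
        elif name in BOOLEAN and value not in ("yes", "true", "no", "false"):
            warnings.append(f"line {lineno}: {name} must be yes, true, no or false")
        else:
            params[name] = value
    return params, groups, rules, warnings

def rule_matches(rule, path):
    """The regex is anchored at the start of the path only: /foo also matches /foo/bar."""
    return rule["regex"].match(path) is not None

# Constructed sample, not the aide.conf shipped with AIDE. "Strict" swaps the
# md5 digest of R for sha256; the duplicate database line and R+I are mistakes.
SAMPLE_CONFIG = """\
database=file:/var/lib/aide/aide.db
database=file:/tmp/ignored.db
report_url=stdout
report_url=file:/var/log/aide/aide.log
All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160
Strict=All+sha256-md5
Logs=>+ANF
/etc Strict
/var/log Logs
=/tmp$ L
!/dev
/var/tmp R+I
"""
```

       parse_config(SAMPLE_CONFIG) returns the first database url, both
       report_url values, the expanded Strict group (All's attributes with
       sha256 in place of the collision-prone md5) and two warnings: one for
       the second database line, which aide ignores, and one for R+I, where
       R already contains c. The "epug" form from the examples below is
       rejected by resolve() as an unknown group, which is what aide does
       with it as well.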

MACRO LINES
       @@define VAR val
              Define variable VAR to value val.

       @@undef VAR
              Undefine variable VAR.

       @@ifdef VAR, @@ifndef VAR
              @@ifdef begins an if statement. It must be terminated with an
              @@endif statement. The lines between @@ifdef and @@endif are
              used if variable VAR is defined. If there is an @@else
              statement then the part between @@ifdef and @@else is used if
              VAR is defined, otherwise the part between @@else and @@endif
              is used. @@ifndef reverses the logic of the @@ifdef statement
              but otherwise works similarly.

       @@ifhost hostname, @@ifnhost hostname
              @@ifhost works like @@ifdef; the only difference is that it
              checks whether hostname equals the name of the host that aide
              is running on. hostname is the name of the host without the
              domain name (hostname, not hostname.aide.org). @@ifnhost
              reverses the logic of @@ifhost.

       @@{VAR}
              @@{VAR} is replaced with the value of the variable VAR. If
              variable VAR is not defined an empty string is used. Unlike
              Tripwire(tm), @@VAR is NOT supported. One special VAR is
              @@{HOSTNAME}, which is substituted with the hostname of the
              current system.

       @@else Begins the else part of an if statement.

       @@endif
              Ends an if statement.

       @@include VAR
              Includes the file VAR. The content of the file is used as if
              it were inserted at this point of the config file.
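
       To show how the macro lines combine, here is an added Python
       preprocessor (not AIDE's own implementation) that applies the
       directives above to a constructed configuration: nested
       @@ifdef/@@ifhost blocks with @@else, @@define values visible through
       @@{VAR}, @@{HOSTNAME}, and @@include. The host name and the contents
       of included files are passed in as parameters so that it runs without
       touching the system. The @@ifhost comparison uses the host name
       without its domain, as specified above; using that same short name
       for @@{HOSTNAME} is an assumption of this example.

```python
"""Expand the macro lines of an aide.conf file: @@define, @@undef, @@ifdef,
@@ifndef, @@ifhost, @@ifnhost, @@else, @@endif, @@{VAR} and @@include.

Added example, not code from the AIDE project. The host name and the contents
of included files are passed in, so nothing on the running system is read.
"""
import re

VAR_REF = re.compile(r"@@\{([A-Za-z_][A-Za-z0-9_]*)\}")


def preprocess(text, hostname, variables=None, includes=None):
    """Return the non-macro lines that survive, with @@{VAR} expanded.

    variables is updated in place by @@define/@@undef, so definitions made
    in an @@include'd file remain visible afterwards, as if inserted there.
    includes maps an @@include argument to the file's content (a stand-in
    for the file system in this example).
    """
    variables = {} if variables is None else variables
    includes = includes or {}
    host = hostname.split(".", 1)[0]  # @@ifhost compares the name without the domain
    out, stack = [], []  # stack: one [branch_active, else_seen] per open @@if

    def active():
        return all(entry[0] for entry in stack)

    def expand(s):
        return VAR_REF.sub(lambda m: host if m.group(1) == "HOSTNAME"
                           else variables.get(m.group(1), ""), s)

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("@@"):
            if active() and line and not line.startswith("#"):
                out.append(expand(line))
            continue
        parts = line.split(None, 2)
        directive, arg = parts[0], (parts[1] if len(parts) > 1 else "")
        # Conditionals are tracked even inside an inactive block so nesting works.
        if directive in ("@@ifdef", "@@ifndef"):
            stack.append([(arg in variables) == (directive == "@@ifdef"), False])
        elif directive in ("@@ifhost", "@@ifnhost"):
            stack.append([(arg == host) == (directive == "@@ifhost"), False])
        elif directive == "@@else":
            if not stack or stack[-1][1]:
                raise ValueError(f"line {lineno}: @@else without an open @@if")
            stack[-1] = [not stack[-1][0], True]
        elif directive == "@@endif":
            if not stack:
                raise ValueError(f"line {lineno}: @@endif without @@if")
            stack.pop()
        elif not active():
            continue  # everything else is skipped inside a false branch
        elif directive == "@@define":
            variables[arg] = expand(parts[2]) if len(parts) > 2 else ""
        elif directive == "@@undef":
            variables.pop(arg, None)
        elif directive == "@@include":
            if arg not in includes:
                raise FileNotFoundError(f"line {lineno}: @@include {arg}")
            out.extend(preprocess(includes[arg], hostname, variables, includes))
        else:
            raise ValueError(f"line {lineno}: unknown macro {directive}")
    if stack:
        raise ValueError("@@if without matching @@endif")
    return out


# Constructed config and include, not files shipped with AIDE.
CONFIG = """\
@@define DBDIR /var/lib/aide
@@ifhost bastion
@@define STRICT yes
database=file:@@{DBDIR}/@@{HOSTNAME}.db
@@else
database=file:@@{DBDIR}/aide.db
@@endif
@@ifdef STRICT
/etc R+sha256
@@else
/etc R
@@endif
@@include common.conf
"""
INCLUDES = {"common.conf": "# shared exclusions\n!/dev\n!/proc\n"}

if __name__ == "__main__":
    for name in ("bastion.example.org", "web1"):
        print(name, preprocess(CONFIG, name, {}, INCLUDES))
```

       Run on "bastion.example.org" the STRICT variable is defined inside
       the @@ifhost branch and the stricter /etc rule survives; on any other
       host the @@else branches are taken. Passing a fresh dict as variables
       for each host keeps the two runs from sharing definitions.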

URLS
       Urls can be one of the following. Input urls cannot be used as outputs
       and vice versa.

       stdout Output is sent to stdout.

       stderr Output is sent to stderr.

       stdin  Input is read from stdin.

       file://filename
              Input is read from filename or output is written to filename.

       fd:number
              Input is read from file descriptor number or output is written
              to file descriptor number.

DEFAULT GROUPS
       p: permissions

       ftype: file type

       i: inode

       l: link name

       n: number of links

       u: user

       g: group

       s: size

       b: block count

       m: mtime

       a: atime

       c: ctime

       S: check for growing size

       I: ignore changed filename

       ANF: allow new files

       ARF: allow removed files

       md5: md5 checksum

       sha1: sha1 checksum

       sha256: sha256 checksum

       sha512: sha512 checksum

       rmd160: rmd160 checksum

       tiger: tiger checksum

       haval: haval checksum

       crc32: crc32 checksum

       R: p+ftype+i+l+n+u+g+s+m+c+md5

       L: p+ftype+i+l+n+u+g

       E: Empty group

       >: Growing logfile p+ftype+l+u+g+i+n+S

       And also the following if you have mhash support enabled:

       gost: gost checksum

       whirlpool: whirlpool checksum

       The following are available, and are added to the default groups R,
       L and >, only when explicitly enabled using configure:

       acl: access control list

       selinux: selinux attributes

       xattrs: extended attributes

       e2fsattrs: file attributes on an ext2/3/4 file system

       Please note that 'I' and 'c' are incompatible. When the name of a
       file is changed, its ctime is updated as well. When you put 'c' and
       'I' in the same rule, a changed ctime is silently ignored.

       When 'ANF' is used, new files are added to the new database but are
       not reported.

       When 'ARF' is used, files missing on disk are omitted from the new
       database but are not reported.

EXAMPLES
       / R

       This adds all files on your machine to the database. This single line
       is a complete configuration file.

       !/dev

       This ignores the /dev directory structure.

       =/tmp

       Only /tmp is taken into the database. None of its children are added.

       All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160

       This line defines the group All. It has all attributes and all
       message digest functions. If you absolutely want all digest functions
       then you should enable mhash support and add +crc32+haval+gost to the
       end of the definition for All. Mhash support can only be enabled at
       compile-time.

HINTS
       =/foo p+i+l+n+u+g+s+m+c+md5

       /foo/bar p+i+l+n+u+g+s+m+c+md5

       This config adds all files under /foo, because they match the regex
       /foo, which is equivalent to /foo.* . What you probably want is:

       =/foo$ p+i+l+n+u+g+s+m+c+md5

       /foo/bar p+i+l+n+u+g+s+m+c+md5

       Note that the following on its own still works as expected, because
       the equals rule stops the recursion into directory /foo and no other
       rule asks for files below it:

       =/foo p+i+l+n+u+g+s+m+c+md5

       In the following, the first form is not allowed in AIDE. Use the
       latter instead.

       /foo epug

       /foo e+p+u+g

SEE ALSO
       aide(1) http://www.cs.tut.fi/~rammer/aide/manual.html

DISCLAIMER
       All trademarks are the property of their respective owners. No animals
       were harmed while making this webpage or this piece of software.