AIDE.CONF(5)                          AIDE                          AIDE.CONF(5)

NAME
       aide.conf - The configuration file for Advanced Intrusion Detection
       Environment

DESCRIPTION
       aide.conf is the configuration file for Advanced Intrusion Detection
       Environment. aide.conf contains the runtime configuration aide uses to
       initialize or check the AIDE database.

       aide.conf is similar to Tripwire(tm)'s configuration file. With little
       effort tw.conf can be converted to aide.conf.

       aide.conf is case-sensitive. Leading and trailing white spaces are
       ignored.

       There are three types of lines in aide.conf. First there are the
       configuration lines which are used to set configuration parameters and
       define/undefine variables. Second, there are (restricted) selection
       lines that are used to indicate which files are added to the database.
       Third, macro lines define or undefine variables within the config file.
       Lines beginning with # are ignored as comments.

CONFIG LINES
       These lines have the format parameter=value. See URLS for a list of
       valid urls.

       database
              The url from which the database is read. There can only be one
              of these lines. If there are multiple database lines then the
              first is used. The default value is "/usr/etc/aide.db".

       database_out
              The url to which the new database is written. There can only
              be one of these lines. If there are multiple database_out lines
              then the first is used. The default value is
              "/usr/etc/aide.db.new".

       database_new
              The url from which the other database for --compare is read.
              There is no default for this one.

       database_attrs
              The attributes of the (uncompressed) database files which are to
              be added to the final report in verbose level 2 or higher. Only
              checksum attributes are supported. To disable, set
              database_attrs to 'E'. By default all compiled-in checksums are
              added to the report.

       database_add_metadata
              Whether to add the AIDE version and the time of database
              generation as comments to the database file or not. Valid
              values are yes, true, no and false. The default is to add the
              AIDE version and the time of database generation. This option
              may be set to no by default in a future release.

       verbose
              The level of messages that are output. This value can be 0-255
              inclusive. This parameter can only be given once; the value
              from the first occurrence is used. If --verbose or -V is used
              then the value from that is used. The default is 5. If
              verbosity is 20 then additional report output is written when
              doing --check, --update or --compare.

       report_url
              The url that the output is written to. There can be multiple
              instances of this parameter. Output is written to all of them.
              The default is stdout.

       report_base16
              Whether to base16 encode the checksums in the report or not.
              Valid values are yes, true, no and false. The default is to
              report checksums in base64 encoding, not in base16.

       report_detailed_init
              Whether to report added files (verbose level >= 2) and their
              details (verbose level >= 7) in initialization mode or not.
              Valid values are yes, true, no and false. The default is to not
              report added files or their details in init mode.

       report_quiet
              Whether to suppress report output if no differences to the
              database have been found or not. Valid values are yes, true, no
              and false. The default is to not suppress output in the report.

       gzip_dbout
              Whether the output to the database is gzipped or not. Valid
              values are yes, true, no and false. The default is no. This
              option is available only if zlib support is compiled in.

       root_prefix
              The prefix to strip from each file name in the file system
              before applying the rules and writing to the database. AIDE
              removes a trailing slash from the prefix. The default is no
              prefix (an empty string). This option has no effect in compare
              mode.

       acl_no_symlink_follow
              Whether to check ACLs for symlinks or not. Valid values are
              yes, true, no and false. The default is to follow symlinks.
              This option is available only if acl support is compiled in.

       warn_dead_symlinks
              Whether to warn about dead symlinks or not. Valid values are
              yes, true, no and false. The default is not to warn about dead
              symlinks.

       grouped
              Whether to group the files in the report by added, removed and
              changed files or not. Valid values are yes, true, no and false.
              The default is to group the files in the report.

       summarize_changes
              Whether to summarize changes in the added, removed and changed
              files sections of the report or not. Valid values are yes,
              true, no and false. The default is to summarize the changes.
              The general format is like the string YlZbpugamcinCAXSE, where Y
              is replaced by the file-type (f for a regular file, d for a
              directory, l for a symbolic link, c for a character device, b
              for a block device, p for a FIFO, s for a unix socket, D for a
              Solaris door, P for a Solaris event port, ! if the file type has
              changed and ? otherwise).

              The Z is replaced as follows: an = means that the size has not
              changed, a < reports a shrunken size and a > reports a grown
              size.

              The other letters in the string are the actual letters that will
              be output if the associated attribute for the item has been
              changed, or a "." for no change, a "+" if the attribute has been
              added, a "-" if it has been removed, a ":" if the attribute is
              ignored (but not forced) or a " " if the attribute has not been
              checked. The exceptions to this are: (1) a newly created file
              replaces each letter with a "+", and (2) a removed file replaces
              each letter with a "-".

              The attribute that is associated with each letter is as follows:

              o A l means that the link name has changed.

              o A b means that the block count has changed.

              o A p means that the permissions have changed.

              o A u means that the uid has changed.

              o A g means that the gid has changed.

              o An a means that the access time has changed.

              o A m means that the modification time has changed.

              o A c means that the change time has changed.

              o An i means that the inode has changed.

              o A n means that the link count has changed.

              o A C means that one or more checksums have changed.

              The following letters are only available when explicitly enabled
              using configure:

              o An A means that the access control list has changed.

              o An X means that the extended attributes have changed.

              o An S means that the SELinux attributes have changed.

              o An E means that the file attributes on a second extended
                file system have changed.

       report_ignore_added_attrs
              Special group definition that lists attributes whose addition is
              to be ignored in the final report.

       report_ignore_removed_attrs
              Special group definition that lists attributes whose removal is
              to be ignored in the final report.

       report_ignore_changed_attrs
       ignore_list (DEPRECATED, will be removed in a future release)
              Special group definition that lists attributes whose change is
              to be ignored in the final report.

       report_force_attrs
       report_attributes (DEPRECATED, will be removed in a future release)
              Special group definition that lists attributes which are always
              printed in the final report for changed files. If an attribute
              is both ignored and forced, the attribute is not considered for
              file change detection but is printed in the final report if the
              file has been otherwise changed.

       report_ignore_e2fsattrs
              List (no delimiter) of ext2 file attributes which are to be
              ignored in the final report. See chattr(1) for the available
              attributes. Use '0' to not ignore any attribute. Ignored
              attributes are represented by a ':' in the output. The default
              is to not ignore any ext2 file attribute.

              Example
                     Ignore changes of the ext2 file attributes compression
                     error (E), huge file (h) and indexed directory (I):

                     report_ignore_e2fsattrs=EhI

       config_version
              The value of config_version is printed in the report and also
              printed to the database. This is for informational purposes
              only. It has no other functionality.

   Group definitions
       If the parameter is not one of the previous parameters then it is
       regarded as a group definition. The value is then regarded as an
       expression. An expression is of the following form:

              <predefined group> | <expr> + <predefined group>
                                 | <expr> - <predefined group>

       See DEFAULT GROUPS for an explanation of the default predefined
       groups. Note that this is different from the way Tripwire(tm) does it.

SELECTION LINES
       AIDE supports three types of selection lines:

       Regular selection line:

              <regex> <group>

              Files and directories matching the regular expression are added
              to the database.

       Negative selection line:

              !<regex>

              Files and directories matching the regular expression are
              ignored and not added to the database.

       Equals selection line:

              =<regex> <group>

              Files and directories matching the regular expression are added
              to the database. The children of directories are only added if
              the regular expression ends with a "/". The children of
              sub-directories are not added at all.

       Every regular expression has to start with a "/". An implicit ^ is
       added in front of each regular expression. In other words the regular
       expressions are matched at the first position against the complete
       filename (i.e. including the path). Special characters in your
       filenames can be escaped using two-digit URL encoding (for example,
       %20 to represent a space).

       See EXAMPLES and doc/aide.conf for examples.

       More in-depth discussion of the selection algorithm can be found in the
       AIDE manual.

RESTRICTED SELECTION LINES
       Restricted selection lines are like normal selection lines but can be
       restricted to file types. The following file types are supported:

              f: restrict rule to regular files

              d: restrict rule to directories

              l: restrict rule to symbolic links

              c: restrict rule to character devices

              b: restrict rule to block devices

              p: restrict rule to FIFO files

              s: restrict rule to UNIX sockets

              D: restrict rule to Solaris doors

              P: restrict rule to Solaris event ports

       The file types are separated by commas. The syntax of restricted
       selection lines is as follows:

       Restricted regular selection line:
              <regex> <file types> <group>

       Restricted negative selection line:
              !<regex> <file types>

       Restricted equals selection line:
              =<regex> <file types> <group>

   Examples
       Only add directories and files to the database:

              / d,f R

       Add all but directory entries to the database:

              !/run d
              /run R

       Use a specific rule for directories:

              /run d R-m-c-i
              /run R
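
       The following Python program is an added example, not part of this
       manual or of AIDE; it parses the three kinds of selection lines
       (plain and restricted) and applies the rules stated in SELECTION LINES
       and RESTRICTED SELECTION LINES to a path and its file type, so the
       effect of a rule set on a given path can be checked before the config
       is deployed. It is a simplified model of the selection algorithm
       (negative lines always win, and the first applicable positive line in
       config order supplies the group); the full algorithm is described in
       the AIDE manual. The %XX decoding treats the decoded character as a
       literal, and the sample configuration and paths are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# File-type restriction letters from RESTRICTED SELECTION LINES.
FTYPE_LETTERS = {"f": "regular", "d": "directory", "l": "symlink", "c": "chardev",
                 "b": "blockdev", "p": "fifo", "s": "socket", "D": "door", "P": "port"}


@dataclass
class Rule:
    kind: str                    # "regular", "negative" or "equals"
    regex: "re.Pattern"
    ends_with_slash: bool        # only meaningful for equals lines
    ftypes: Optional[frozenset]  # None means no file-type restriction
    group: Optional[str]         # None for negative lines


def _decode_regex(text: str) -> str:
    """Turn %XX escapes into the character they stand for (%20 -> space).
    Assumption of this example: the decoded character is matched literally."""
    return re.sub(r"%([0-9A-Fa-f]{2})",
                  lambda m: re.escape(chr(int(m.group(1), 16))), text)


def _parse_ftypes(field: str) -> frozenset:
    letters = field.split(",")
    if not all(ch in FTYPE_LETTERS for ch in letters):
        raise ValueError(f"unknown file type restriction: {field!r}")
    return frozenset(FTYPE_LETTERS[ch] for ch in letters)


def parse_selection_line(line: str) -> Optional[Rule]:
    """Parse one selection line; blank lines and # comments yield None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    kind = {"!": "negative", "=": "equals"}.get(line[0], "regular")
    if kind != "regular":
        line = line[1:]
    fields = line.split()
    if not fields or not fields[0].startswith("/"):
        raise ValueError(f"regular expression must start with '/': {line!r}")
    regex_text, rest = fields[0], fields[1:]
    ftypes, group = None, None
    if kind == "negative":
        if len(rest) > 1:
            raise ValueError(f"expected !<regex> [<file types>]: {line!r}")
        if rest:
            ftypes = _parse_ftypes(rest[0])
    elif len(rest) == 1:
        group = rest[0]
    elif len(rest) == 2:
        ftypes, group = _parse_ftypes(rest[0]), rest[1]
    else:
        raise ValueError(f"expected <regex> [<file types>] <group>: {line!r}")
    return Rule(kind, re.compile(_decode_regex(regex_text)), regex_text.endswith("/"), ftypes, group)


def parse_config(text: str) -> List[Rule]:
    return [r for r in (parse_selection_line(l) for l in text.splitlines()) if r is not None]


def _rule_applies(rule: Rule, path: str, ftype: str) -> bool:
    if rule.ftypes is not None and ftype not in rule.ftypes:
        return False
    m = rule.regex.match(path)          # re.match supplies the implicit ^ of the manual
    if rule.kind != "equals":
        return m is not None            # prefix match: the whole subtree is covered
    if m is not None:                   # the entry itself, or a direct child of a ".../" regex
        return "/" not in path[m.end():]
    if rule.ends_with_slash:            # "=/foo/" also selects /foo itself
        m = rule.regex.match(path + "/")
        return m is not None and m.end() == len(path) + 1
    return False


def select(rules: List[Rule], path: str, ftype: str) -> Optional[str]:
    """Group assigned to path by the first applicable positive line, or None when
    the path is excluded by a negative line or matched by no line (simplified model)."""
    if any(r.kind == "negative" and _rule_applies(r, path, ftype) for r in rules):
        return None
    for r in rules:
        if r.kind != "negative" and _rule_applies(r, path, ftype):
            return r.group
    return None


# Constructed aide.conf fragment (selection lines only).
CONFIG = """\
!/dev
/run d R-m-c-i
/run R
=/srv/www/ R
/var/log/my%20app f R
/etc d,f All
"""
RULES = parse_config(CONFIG)

if __name__ == "__main__":
    for p, t in [("/run", "directory"), ("/run/sshd.pid", "regular"),
                 ("/srv/www/img/logo.png", "regular"), ("/etc/rc.local", "symlink")]:
        print(p, t, "->", select(RULES, p, t))
```

       Running the sample shows /run taking the directory-specific group,
       /run/sshd.pid falling through to the unrestricted /run line, a file
       two levels below /srv/www being left out by the equals line, and a
       symlink under /etc being skipped by the d,f restriction.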


MACRO LINES
       @@define VAR val
              Define variable VAR to value val.

       @@undef VAR
              Undefine variable VAR.

       @@ifdef VAR, @@ifndef VAR
              @@ifdef begins an if statement. It must be terminated with an
              @@endif statement. The lines between @@ifdef and @@endif are
              used if variable VAR is defined. If there is an @@else statement
              then the part between @@ifdef and @@else is used if VAR is
              defined, otherwise the part between @@else and @@endif is used.
              @@ifndef reverses the logic of the @@ifdef statement but
              otherwise works similarly.

       @@ifhost hostname, @@ifnhost hostname
              @@ifhost works like @@ifdef; the only difference is that it
              checks whether hostname equals the name of the host that AIDE
              is running on. hostname is the name of the host without the
              domain name (hostname, not hostname.example.com).

       @@{VAR}
              @@{VAR} is replaced with the value of the variable VAR. If
              variable VAR is not defined an empty string is used. Unlike
              Tripwire(tm), @@VAR is NOT supported. One special VAR is
              @@{HOSTNAME} which is substituted with the hostname of the
              current system.

       @@else Begins the else part of an if statement.

       @@endif
              Ends an if statement.

       @@include VAR
              Includes the file VAR. The content of the file is used as if it
              were inserted in this part of the config file.
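
       The following Python program is an added example, not part of this
       manual or of AIDE; it implements the macro lines described above
       (@@define, @@undef, @@ifdef, @@ifndef, @@ifhost, @@ifnhost, @@else,
       @@endif, @@{VAR} substitution and @@include) so that a config file can
       be expanded for a given host and checked before AIDE reads it. The
       short host name is passed in by the caller, @@include is resolved from
       an in-memory table so the program runs offline, and a value given to
       @@define has @@{VAR} references expanded at definition time; these are
       choices of this example. The configuration text is constructed.

```python
import re
from typing import Dict, List, Optional

DIRECTIVE = re.compile(r"^@@([a-z]+)\b")                    # @@define, @@ifdef, ... (not @@{VAR})
VAR_REF = re.compile(r"@@\{([A-Za-z_][A-Za-z0-9_]*)\}")     # @@{VAR}


def preprocess(text: str, hostname: str, includes: Optional[Dict[str, str]] = None,
               defined: Optional[Dict[str, str]] = None) -> List[str]:
    """Expand the macro lines of an aide.conf-style text; return the surviving lines.

    hostname is the short host name compared by @@ifhost/@@ifnhost and substituted
    for @@{HOSTNAME}. includes maps an @@include file name to its content (a
    stand-in for reading the file). Comment and blank lines are dropped, as the
    manual says they are ignored.
    """
    variables: Dict[str, str] = dict(defined or {})
    variables["HOSTNAME"] = hostname
    includes = includes or {}
    output: List[str] = []
    stack: List[List[bool]] = []        # one [enclosing_active, branch_active] frame per open @@if

    def active() -> bool:
        return not stack or (stack[-1][0] and stack[-1][1])

    def push(condition: bool) -> None:
        stack.append([active(), condition])

    def substitute(line: str) -> str:   # undefined variables expand to the empty string
        return VAR_REF.sub(lambda m: variables.get(m.group(1), ""), line)

    def run(src: str) -> None:
        for raw in src.splitlines():
            line = raw.strip()          # leading and trailing white space is ignored
            if not line or line.startswith("#"):
                continue
            m = DIRECTIVE.match(line)
            if m is None:               # an ordinary config or selection line
                if active():
                    output.append(substitute(line))
                continue
            name = m.group(1)
            parts = line.split(None, 2)
            arg = parts[1] if len(parts) > 1 else ""
            if name == "ifdef":
                push(arg in variables)
            elif name == "ifndef":
                push(arg not in variables)
            elif name == "ifhost":
                push(arg == hostname)
            elif name == "ifnhost":
                push(arg != hostname)
            elif name == "else":
                if not stack:
                    raise ValueError("@@else without an open @@if")
                stack[-1][1] = not stack[-1][1]
            elif name == "endif":
                if not stack:
                    raise ValueError("@@endif without an open @@if")
                stack.pop()
            elif not active():
                continue                # defines, undefs and includes in a skipped branch do nothing
            elif name == "define":
                variables[arg] = substitute(parts[2]) if len(parts) > 2 else ""
            elif name == "undef":
                variables.pop(arg, None)
            elif name == "include":
                path = substitute(arg)
                if path not in includes:
                    raise FileNotFoundError(path)
                run(includes[path])     # included text is processed as if inserted here
            else:
                raise ValueError(f"unknown macro line: {line!r}")

    run(text)
    if stack:
        raise ValueError("@@if statement not terminated with @@endif")
    return output


# Constructed example configuration: a per-host database location plus optional rules.
CONFIG = """\
# constructed example, not a real deployment
@@define DBDIR /var/lib/aide
@@ifhost backup01
@@define DBDIR /srv/aide/@@{HOSTNAME}
@@endif
database=file://@@{DBDIR}/aide.db
database_out=file://@@{DBDIR}/aide.db.new
@@ifdef STRICT
/etc All
@@else
/etc R
@@endif
@@ifndef NOINCLUDE
@@include extra.conf
@@endif
@@undef DBDIR
report_url=@@{DBDIR}
"""
INCLUDES = {"extra.conf": "!/var/log\n@@ifdef STRICT\n/usr All\n@@endif\n"}

if __name__ == "__main__":
    for line in preprocess(CONFIG, "backup01", INCLUDES, {"STRICT": "yes"}):
        print(line)
```

       The last line of the sample shows the documented behaviour for an
       undefined variable: after @@undef DBDIR, @@{DBDIR} expands to nothing
       and the resulting report_url= line is empty, which is worth catching
       in a review of the expanded file.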

URLS
       Urls can be one of the following. Input urls cannot be used as outputs
       and vice versa.

       stdout
       stderr Output is sent to stdout or stderr respectively.

       stdin  Input is read from stdin.

       file://filename
              Input is read from filename or output is written to filename.

       fd:number
              Input is read from file descriptor number or output is written
              to file descriptor number.

DEFAULT GROUPS
       p: permissions

       ftype: file type

       i: inode

       l: link name

       n: number of links

       u: user

       g: group

       s: size

       b: block count

       m: mtime

       a: atime

       c: ctime

       S: check for growing size

       I: ignore changed filename

       ANF: allow new files

       ARF: allow removed files

       md5: md5 checksum

       sha1: sha1 checksum

       sha256: sha256 checksum

       sha512: sha512 checksum

       rmd160: rmd160 checksum

       tiger: tiger checksum

       haval: haval checksum

       crc32: crc32 checksum

       R: p+ftype+i+l+n+u+g+s+m+c+md5+X

       L: p+ftype+i+l+n+u+g+X

       E: Empty group

       X: acl+selinux+xattrs+e2fsattrs (if groups are explicitly enabled)

       >: Growing file p+ftype+l+u+g+i+n+S+X

       And also the following if you have mhash support enabled:

       gost: gost checksum

       whirlpool: whirlpool checksum

       The following are available only when explicitly enabled using
       configure:

       acl: access control list

       selinux: selinux attributes

       xattrs: extended attributes

       e2fsattrs: file attributes on a second extended file system

       Please note that 'I' and 'c' are incompatible. When the name of a file
       is changed, its ctime is updated as well. When you put 'c' and 'I' in
       the same rule, a changed ctime is silently ignored.

       When 'ANF' is used, new files are added to the new database, but are
       ignored in the report.

       When 'ARF' is used, files missing on disk are omitted from the new
       database, and are ignored in the report.
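
       The following Python program is an added example, not part of this
       manual or of AIDE; it covers both the Group definitions paragraph under
       CONFIG LINES and the group list above. It builds the predefined groups
       (with X narrowed to the attributes enabled at configure time),
       evaluates the <expr> + <group> / <expr> - <group> form left to right,
       applies name=expression config lines in order so that later
       definitions can use earlier ones, rejects a run-together name such as
       epug (see HINTS), and reports the 'I' with 'c' incompatibility noted
       above. The set of enabled attributes, the config lines and the
       parameter list used to tell parameters from group definitions are
       taken from this manual; the lint function and its messages are this
       example's own.

```python
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Atomic attributes listed under DEFAULT GROUPS.
ATOMIC = frozenset("p ftype i l n u g s b m a c S I ANF ARF md5 sha1 sha256 sha512 "
                   "rmd160 tiger haval crc32 gost whirlpool acl selinux xattrs e2fsattrs".split())
OPTIONAL = frozenset({"acl", "selinux", "xattrs", "e2fsattrs"})   # X holds only the compiled-in ones
MHASH_ONLY = frozenset({"gost", "whirlpool"})
# Parameter names from CONFIG LINES; any other name=value line is a group definition.
PARAMETERS = frozenset("""database database_out database_new database_attrs database_add_metadata
    verbose report_url report_base16 report_detailed_init report_quiet gzip_dbout root_prefix
    acl_no_symlink_follow warn_dead_symlinks grouped summarize_changes report_ignore_added_attrs
    report_ignore_removed_attrs report_ignore_changed_attrs ignore_list report_force_attrs
    report_attributes report_ignore_e2fsattrs config_version""".split())


def default_groups(enabled: FrozenSet[str] = frozenset()) -> Dict[str, FrozenSet[str]]:
    """The predefined groups, with X narrowed to the attributes enabled at configure time."""
    groups = {a: frozenset({a}) for a in ATOMIC}
    x = OPTIONAL & enabled
    groups["X"] = x
    groups["E"] = frozenset()
    groups["R"] = frozenset("p ftype i l n u g s m c md5".split()) | x
    groups["L"] = frozenset("p ftype i l n u g".split()) | x
    groups[">"] = frozenset("p ftype l u g i n S".split()) | x
    return groups


def tokenize(expr: str) -> List[Tuple[str, str]]:
    """Split "R+sha256-m" into [("+", "R"), ("+", "sha256"), ("-", "m")]."""
    tokens: List[Tuple[str, str]] = []
    op, name = "+", ""
    for ch in expr:
        if ch in "+-":
            if not name:
                raise ValueError(f"operator {ch!r} without a group name in {expr!r}")
            tokens.append((op, name))
            op, name = ch, ""
        elif not ch.isspace():
            name += ch
    if not name:
        raise ValueError(f"expression {expr!r} ends without a group name")
    tokens.append((op, name))
    return tokens


def evaluate(expr: str, groups: Dict[str, FrozenSet[str]]) -> FrozenSet[str]:
    """Evaluate a group expression left to right into the set of attributes it checks."""
    result: FrozenSet[str] = frozenset()
    for op, name in tokenize(expr):
        if name not in groups:
            # "epug" is one unknown name: attributes must be joined with "+" (see HINTS)
            raise KeyError(f"unknown group {name!r}; write attributes as e+p+u+g, not epug")
        result = result | groups[name] if op == "+" else result - groups[name]
    return result


def load_group_definitions(lines: Iterable[str],
                           groups: Dict[str, FrozenSet[str]]) -> Dict[str, FrozenSet[str]]:
    """Apply name=expression config lines in order; later lines may use earlier groups."""
    groups = dict(groups)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, expr = (part.strip() for part in line.split("=", 1))
        if name in PARAMETERS:
            continue                    # an ordinary parameter, not a group definition
        groups[name] = evaluate(expr, groups)
    return groups


def lint(attrs: FrozenSet[str]) -> List[str]:
    """Warnings that the notes under DEFAULT GROUPS imply for one rule's attribute set."""
    warnings = []
    if "I" in attrs and "c" in attrs:
        warnings.append("'I' and 'c' are incompatible: a changed ctime is silently ignored")
    if attrs & MHASH_ONLY:
        warnings.append("gost/whirlpool require mhash support compiled in")
    return warnings


# Constructed config fragment: the All group from EXAMPLES plus a derived group.
GROUP_LINES = [
    "database=file:///var/lib/aide/aide.db",
    "All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160",
    "Strict=All+sha256-a",
]

if __name__ == "__main__":
    groups = load_group_definitions(GROUP_LINES, default_groups(frozenset({"xattrs", "acl"})))
    print(sorted(groups["Strict"]))
    print(lint(evaluate("R+I", groups)))
```

       Evaluating R with no configure-time attributes enabled yields the same
       set as R with an empty X, which is the practical meaning of "if groups
       are explicitly enabled" in the definition of X above.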

EXAMPLES
       / R

       This adds all files on your machine to the database. This one line is a
       fully qualified configuration file.

       !/dev

       This ignores the /dev directory structure.

       =/foo R

       Only /foo and /foobar are taken into the database. None of their
       children are added.

       =/foo/ R

       Only /foo and its children (e.g. /foo/file and /foo/directory) are
       taken into the database. The children of sub-directories (e.g.
       /foo/directory/bar) are not added.

       All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160

       This line defines the group All. It has all attributes and all message
       digest (checksum) functions. If you absolutely want all digest
       functions then you should enable mhash support and add
       +crc32+haval+gost to the end of the definition for All. Mhash support
       can only be enabled at compile-time.

HINTS
       In the following, the first is not allowed in AIDE. Use the latter
       instead.

       /foo epug

       /foo e+p+u+g

SEE ALSO
       aide(1) manual.html

DISCLAIMER
       All trademarks are the property of their respective owners. No animals
       were harmed while making this webpage or this piece of software.



aide 0.16                        Jul 25, 2016                       AIDE.CONF(5)