AIDE.CONF(5)                         AIDE                         AIDE.CONF(5)



NAME

       aide.conf - The configuration file for Advanced Intrusion Detection
       Environment


SYNOPSIS

       aide.conf is the configuration file for Advanced Intrusion Detection
       Environment. aide.conf contains the runtime configuration aide uses to
       initialize or check the AIDE database.


FILE FORMAT

       aide.conf is similar to Tripwire(tm)'s configuration file. With little
       effort tw.conf can be converted to aide.conf.

       aide.conf is case-sensitive. Leading and trailing white space is
       ignored.

       There are three types of lines in aide.conf. First, configuration
       lines set configuration parameters and define groups. Second,
       (restricted) selection lines indicate which files are added to the
       database. Third, macro lines define or undefine variables within the
       config file and select parts of it conditionally. Lines beginning with
       # are ignored as comments.


CONFIG LINES

       These lines have the format parameter=value. See URLS for a list of
       valid urls.

       database
              The url from which the database is read. There can only be one
              of these lines. If there are multiple database lines then the
              first is used. The default value is "/usr/etc/aide.db"; it is
              fixed at compile time, and packaged builds usually choose a
              different path, so check which file is actually in use before
              trusting a check result.

       database_out
              The url to which the new database is written. There can only
              be one of these lines. If there are multiple database_out lines
              then the first is used. The default value is
              "/usr/etc/aide.db.new", again fixed at compile time.

       database_new
              The url from which the other database for --compare is read.
              There is no default for this one.

       database_attrs
              The attributes of the (uncompressed) database files which are
              to be added to the final report at verbose level 2 or higher.
              Only checksum attributes are supported. To disable, set
              database_attrs to 'E'. By default all compiled-in checksums
              are added to the report.

       database_add_metadata
              Whether to add the AIDE version and the time of database
              generation as comments to the database file or not. Valid
              values are yes, true, no and false. The default is to add the
              AIDE version and the time of database generation. This option
              may be set to no by default in a future release.

       verbose
              The level of messages that is output. This value can be 0-255
              inclusive. This parameter can only be given once; the value
              from the first occurrence is used. If --verbose or -V is given
              on the command line, that value is used instead. The default
              is 5. If verbosity is 20 then additional report output is
              written when doing --check, --update or --compare.

       syslog_format
              Valid values are yes, true, no and false. This option enables
              a syslog-friendly report format in which every change is
              logged as one line. It sets the verbose level to 0 and prints
              everything that was changed. It is suggested to use this
              option together with "report_url=syslog:...". The default is
              no. The maximum size of a message is 1KB, a limitation of the
              syslog call; a longer message is truncated, so the tail of a
              change line carrying many attributes may be cut off. The
              option summarize_changes has no effect on this format.

              Output always starts with:
              "AIDE found differences between database and filesystem!!"
              followed by a summary line:
              summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=1
              and finally one line per change:
              dir=/usr/sbin;Mtime_old=0000-00-00 00:00:00;Mtime_new=0000-00-00 00:00:00;...
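
              The following Python parser is an added example for this page,
              not code from AIDE. It turns the three line shapes shown above
              into records a SIEM rule can work on, keeps a message that was
              cut at the 1KB limit visible instead of silently losing the
              tail, and compares the summary counts with the number of change
              lines actually received. Two things are assumptions, not page
              facts: that the first field of a change line is
              "<filetype>=<path>" (the page shows "dir=/usr/sbin"), and the
              attribute names other than Mtime in the constructed sample.

```python
"""Parse AIDE syslog_format output into structured records.

Added example, not AIDE's own code. It follows the three line shapes
given under syslog_format: the fixed banner, one "summary;..." line and
one "<type>=<path>;Attr_old=...;Attr_new=...;..." line per change.
Assumptions (not page facts): the first field of a change line is
"<filetype>=<path>", every attribute name other than Mtime in SAMPLE, and
that added and removed files also get one line each.
"""
from typing import Dict, List

BANNER = "AIDE found differences between database and filesystem!!"
SYSLOG_LIMIT = 1024          # the 1KB syslog message limit the page warns about

# Constructed sample messages in the documented format (not real AIDE output).
SAMPLE = [
    BANNER,
    "summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=2",
    "dir=/usr/sbin;Mtime_old=2016-07-01 10:00:00;Mtime_new=2016-07-25 09:12:44",
    "file=/usr/sbin/sshd;Size_old=786432;Size_new=790528;"
    "SHA256_old=OLDSUMxxxx;SHA256_new=NEWSUMyyyy",
]


def parse_fields(line: str) -> Dict[str, str]:
    """Split ';'-separated key=value pairs. A trailing piece with no '=' is
    what a message cut at the syslog limit looks like; keep it visible."""
    fields: Dict[str, str] = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
        elif part:
            fields["_truncated"] = part
    return fields


def parse_change(line: str) -> dict:
    """One change line -> type, path and {attr: {"old": .., "new": ..}}."""
    fields = parse_fields(line)
    ftype, path = next(iter(fields.items()))     # first pair: <filetype>=<path>
    attrs: Dict[str, Dict[str, str]] = {}
    for key, value in fields.items():
        if key.endswith(("_old", "_new")):
            name, side = key.rsplit("_", 1)
            attrs.setdefault(name, {})[side] = value
    return {"type": ftype, "path": path, "attrs": attrs,
            "truncated": "_truncated" in fields or len(line) >= SYSLOG_LIMIT}


def parse_report(lines: List[str]) -> dict:
    """Assemble banner, summary and change lines into one report dict."""
    report: dict = {"differences": False, "summary": {}, "changes": []}
    for line in lines:
        if line == BANNER:
            report["differences"] = True
        elif line.startswith("summary;"):
            report["summary"] = {k: int(v) for k, v in parse_fields(line[8:]).items()}
        elif line:
            report["changes"].append(parse_change(line))
    return report


def missing_change_lines(report: dict) -> int:
    """How many change lines the summary promised but the log does not hold.
    Non-zero means the collector dropped or rate-limited messages."""
    s = report["summary"]
    expected = s.get("added_files", 0) + s.get("removed_files", 0) + s.get("changed_files", 0)
    return expected - len(report["changes"])
```

              The summary line is the anchor: if missing_change_lines() is
              positive, the syslog path lost messages and the report cannot be
              treated as complete.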

       report_url
              The url that the output is written to. There can be multiple
              instances of this parameter. Output is written to all of them.
              The default is stdout.

       report_base16
              Whether to base16 encode the checksums in the report or not.
              Valid values are yes, true, no and false. The default is to
              report checksums in base64 encoding rather than base16.

       report_detailed_init
              Whether to report added files (verbose level >= 2) and their
              details (verbose level >= 7) in initialization mode or not.
              Valid values are yes, true, no and false. The default is to not
              report added files or their details in init mode.

       report_quiet
              Whether to suppress report output if no differences to the
              database have been found or not. Valid values are yes, true, no
              and false. The default is to not suppress output in the report.

       gzip_dbout
              Whether the output to the database is gzipped or not. Valid
              values are yes, true, no and false. The default is no. This
              option is available only if zlib support is compiled in.

       root_prefix
              The prefix to strip from each file name in the file system
              before applying the rules and writing to the database. AIDE
              removes a trailing slash from the prefix. The default is no
              (an empty) prefix. This option has no effect in compare mode.

       acl_no_symlink_follow
              Whether to stop following symlinks when checking ACLs or not.
              Valid values are yes, true, no and false. The default is to
              follow symlinks. This option is available only if acl support
              is compiled in.

       warn_dead_symlinks
              Whether to warn about dead symlinks or not. Valid values are
              yes, true, no and false. The default is not to warn about dead
              symlinks.

       grouped
              Whether to group the files in the report by added, removed and
              changed files or not. Valid values are yes, true, no and false.
              The default is to group the files in the report.

       summarize_changes
              Whether to summarize changes in the added, removed and changed
              files sections of the report or not. Valid values are yes,
              true, no and false. The default is to summarize the changes.

              The general format is like the string YlZbpugamcinCAXSE, where
              Y is replaced by the file type (f for a regular file, d for a
              directory, l for a symbolic link, c for a character device, b
              for a block device, p for a FIFO, s for a unix socket, D for a
              Solaris door, P for a Solaris event port, ! if the file type
              has changed and ? otherwise).

              The Z is replaced as follows: a = means that the size has not
              changed, a < reports a shrunk size and a > reports a grown
              size.

              The other letters in the string are the actual letters that
              will be output if the associated attribute for the item has
              been changed, or a "." for no change, a "+" if the attribute
              has been added, a "-" if it has been removed, a ":" if the
              attribute is ignored (but not forced) or a " " if the
              attribute has not been checked. The exceptions to this are:
              (1) a newly created file replaces each letter with a "+", and
              (2) a removed file replaces each letter with a "-".

              The attribute that is associated with each letter is as
              follows:


              o      l: the link name has changed.

              o      b: the block count has changed.

              o      p: the permissions have changed.

              o      u: the uid has changed.

              o      g: the gid has changed.

              o      a: the access time has changed.

              o      m: the modification time has changed.

              o      c: the change time has changed.

              o      i: the inode has changed.

              o      n: the link count has changed.

              o      C: one or more checksums have changed.

              The following letters are only available when explicitly
              enabled using configure:


              o      A: the access control list has changed.

              o      X: the extended attributes have changed.

              o      S: the SELinux attributes have changed.

              o      E: the file attributes on a second extended file
                     system have changed.
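
              The Python decoder below is an added example for this page,
              not code from AIDE. It maps one summary string onto the column
              layout above, classifies every column as changed, added,
              removed, ignored or unchecked, and then runs a small triage
              pass over a few constructed report lines: a changed checksum
              with an untouched mtime is what a file looks like after its
              timestamp was put back. That heuristic is the editor's, not an
              AIDE feature, and the "<summary>: <path>" shape of the sample
              lines is an assumption about report layout.

```python
"""Decode AIDE summarize_changes strings and scan a report with them.

Added example, not AIDE's own code. The column layout YlZbpugamcinCAXSE
and the meaning of each character come from this page. The report lines
in SAMPLE are constructed, and their "<summary>: <path>" shape is an
assumption about how AIDE lays out a report line.
"""
from typing import Dict, List, Tuple

LAYOUT = "YlZbpugamcinCAXSE"
ATTR = {"l": "link name", "b": "block count", "p": "permissions", "u": "uid",
        "g": "gid", "a": "atime", "m": "mtime", "c": "ctime", "i": "inode",
        "n": "link count", "C": "checksum", "A": "acl", "X": "xattrs",
        "S": "selinux", "E": "e2fsattrs"}
FTYPE = {"f": "regular file", "d": "directory", "l": "symlink",
         "c": "char device", "b": "block device", "p": "FIFO", "s": "socket",
         "D": "door", "P": "event port", "!": "file type changed"}
SIZE = {"=": "unchanged", "<": "shrunk", ">": "grown"}
MARK = {"+": "added", "-": "removed", ":": "ignored", " ": "unchecked"}

# Constructed report lines in the summarized format (not real AIDE output).
SAMPLE = [
    "f.>b....mc..C    : /usr/sbin/sshd",         # grew; mtime, ctime, checksum changed
    "f.=....:.c..C    : /usr/bin/ls",            # checksum changed, mtime untouched
    "f" + "+" * 16 + ": /usr/local/bin/helper",  # newly created file
    "d.=.....mc..     : /etc",                   # directory, timestamps only
]


def decode(summary: str) -> Dict[str, object]:
    """Turn one 17-column summary string into what changed and how."""
    if len(summary) != len(LAYOUT):
        raise ValueError(f"expected {len(LAYOUT)} columns, got {summary!r}")
    body = summary[1:]
    state = "added" if set(body) == {"+"} else "removed" if set(body) == {"-"} else "changed"
    info: Dict[str, object] = {
        "type": FTYPE.get(summary[0], "unknown"),
        "state": state,
        "size": SIZE.get(summary[2], MARK.get(summary[2], "unchanged")),
        "changed": [], "added": [], "removed": [], "ignored": [], "unchecked": [],
    }
    for pos, letter in enumerate(LAYOUT):
        if pos in (0, 2):                 # Y and Z columns handled above
            continue
        ch = summary[pos]
        if ch == letter:
            info["changed"].append(ATTR[letter])
        elif ch in MARK:
            info[MARK[ch]].append(ATTR[letter])
        elif ch != ".":
            raise ValueError(f"unexpected {ch!r} in column {letter} of {summary!r}")
    return info


def parse_line(line: str) -> Tuple[str, Dict[str, object]]:
    """Split "<summary>: <path>" (assumed layout) and decode the summary."""
    summary, _, path = line.partition(": ")
    return path, decode(summary)


def checksum_changed_mtime_kept(lines: List[str]) -> List[str]:
    """Editor's triage heuristic, not an AIDE feature: content that changed
    while mtime stayed put looks like a restored timestamp. Worth a look."""
    hits = []
    for line in lines:
        path, info = parse_line(line)
        if info["state"] == "changed" and "checksum" in info["changed"] \
                and "mtime" not in info["changed"]:
            hits.append(path)
    return hits
```

              The heuristic only works when the rule for the file carries
              both m and a checksum; with ":" or " " in those columns the
              decoder reports them as ignored or unchecked rather than
              unchanged, so the caller can tell the two apart.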

       report_ignore_added_attrs
              Special group definition that lists attributes whose addition
              is to be ignored in the final report.

       report_ignore_removed_attrs
              Special group definition that lists attributes whose removal
              is to be ignored in the final report.

       report_ignore_changed_attrs
       ignore_list (DEPRECATED, will be removed in a future release)
              Special group definition that lists attributes whose change is
              to be ignored in the final report.

       report_force_attrs
       report_attributes (DEPRECATED, will be removed in a future release)
              Special group definition that lists attributes which are
              always printed in the final report for changed files. If an
              attribute is both ignored and forced, the attribute is not
              considered for file change but is printed in the final report
              if the file has otherwise changed.

       report_ignore_e2fsattrs
              List (no delimiter) of ext2 file attributes which are to be
              ignored in the final report. See chattr(1) for the available
              attributes. Use '0' to not ignore any attribute. Ignored
              attributes are represented by a ':' in the output. The default
              is to not ignore any ext2 file attribute.

              Example
                 Ignore changes of the ext2 file attributes compression
                 error (E), huge file (h), indexed directory (I):

                    report_ignore_e2fsattrs=EhI

       config_version
              The value of config_version is printed in the report and also
              printed to the database. This is for informational purposes
              only. It has no other functionality.

       Group definitions
              If the parameter is not one of the previous parameters then it
              is regarded as a group definition. The value is then regarded
              as an expression of the following form:

                  <predefined group>| <expr> + <predefined group>
                                    | <expr> - <predefined group>

              A group defined this way can itself be used in later
              expressions and in selection lines. See DEFAULT GROUPS for an
              explanation of the predefined groups. Note that this is
              different from the way Tripwire(tm) does it.


SELECTION LINES

       AIDE supports three types of selection lines:

       Regular selection line:

          <regex> <group>

          Files and directories matching the regular expression are added to
          the database.


       Negative selection line:

          !<regex>

          Files and directories matching the regular expression are ignored
          and not added to the database.


       Equals selection line:

          =<regex> <group>

          Files and directories matching the regular expression are added to
          the database. The children of directories are only added if the
          regular expression ends with a "/". The children of
          sub-directories are not added at all.


       Every regular expression has to start with a "/". An implicit ^ is
       added in front of each regular expression. In other words the regular
       expressions are matched at the first position against the complete
       filename (i.e. including the path). No implicit $ is added, so a
       regular expression matches every path that begins with it unless you
       anchor it yourself (/etc/passwd also matches /etc/passwd.bak; write
       /etc/passwd$ for the single file). Special characters in your
       filenames can be escaped using two-digit URL encoding (for example,
       %20 to represent a space).

       See EXAMPLES and doc/aide.conf for examples.

       More in-depth discussion of the selection algorithm can be found in
       the AIDE manual.


RESTRICTED SELECTION LINES

       Restricted selection lines are like normal selection lines but can be
       restricted to file types. The following file types are supported:


              f: restrict rule to regular files

              d: restrict rule to directories

              l: restrict rule to symbolic links

              c: restrict rule to character devices

              b: restrict rule to block devices

              p: restrict rule to FIFO files

              s: restrict rule to UNIX sockets

              D: restrict rule to Solaris doors

              P: restrict rule to Solaris event ports

       The file types are separated by commas. The syntax of restricted
       selection lines is as follows:

       Restricted regular selection line:
          <regex> <file types> <group>

       Restricted negative selection line:
          !<regex> <file types>

       Restricted equals selection line:
          =<regex> <file types> <group>

       Examples
          Only add directories and files to the database:

             / d,f R

          Add all but directory entries to the database:

             !/run d
             /run R

          Use a specific rule for directories:

             /run d R-m-c-i
             /run R
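
       Before deploying a rule set it pays to know which line will claim a
       given path. The Python below is an added example for this page, not
       AIDE's own code: it parses regular, negative and equals lines with the
       optional file-type restriction from SELECTION LINES and RESTRICTED
       SELECTION LINES and answers that question for a constructed config.
       The ranking of competing lines is a simplification and an assumption
       (a negative line wins, equals lines are tried before regular lines,
       first match in config order within each class); the AIDE manual has
       the real algorithm, so use this to sanity-check rules, not as a
       reference.

```python
"""Decide which aide.conf selection line claims a path.

Added example, not AIDE's own code. Line syntax follows this page. The
ranking of competing lines is an assumption: negative lines win, equals
lines are tried before regular lines, first match in config order within
each class. The real algorithm is described in the AIDE manual.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

FILE_TYPES = set("fdlcbpsDP")      # the restriction letters from this page


@dataclass
class Rule:
    kind: str                      # "regular", "negative" or "equals"
    pattern: str                   # regex as written, with the implicit ^
    types: Set[str]                # restricted file types; empty means any
    group: Optional[str]           # group expression; None for negative lines
    regex: re.Pattern = field(init=False)

    def __post_init__(self):
        self.regex = re.compile(self.pattern)


def parse_selection(line: str) -> Optional[Rule]:
    """Return a Rule, or None for blank, comment, macro and parameter lines."""
    line = line.strip()
    if not line or line[0] in "#@":
        return None
    kind = {"!": "negative", "=": "equals"}.get(line[0], "regular")
    if kind != "regular":
        line = line[1:]
    parts = line.split()
    if kind == "regular" and "=" in parts[0]:
        return None                                 # parameter=value / group definition
    pattern, rest = parts[0], parts[1:]
    if not pattern.startswith("/"):
        raise ValueError(f"selection regex must start with '/': {line!r}")
    types: Set[str] = set()
    group = None
    if kind == "negative":
        if rest:
            types = set(rest[0].split(","))
    elif len(rest) == 2:
        types, group = set(rest[0].split(",")), rest[1]
    elif len(rest) == 1:
        group = rest[0]
    else:
        raise ValueError(f"expected '<regex> [types] <group>': {line!r}")
    if not types <= FILE_TYPES:
        raise ValueError(f"unknown file type in {line!r}")
    # %XX escapes stand for literal characters in the file name
    pattern = re.sub(r"%([0-9A-Fa-f]{2})",
                     lambda m: re.escape(chr(int(m.group(1), 16))), pattern)
    return Rule(kind, "^" + pattern, types, group)


def parse_config(text: str) -> List[Rule]:
    return [r for r in (parse_selection(l) for l in text.splitlines()) if r]


def _matches(rule: Rule, path: str, ftype: str) -> bool:
    if rule.types and ftype not in rule.types:
        return False
    m = rule.regex.match(path)
    if rule.kind != "equals":
        return m is not None
    # Equals lines: the directory itself is claimed even when the regex ends
    # with "/", its direct children only in that case, nothing deeper.
    if m is None and path != "/":
        m = rule.regex.match(path + "/")
    if m is None:
        return False
    return "/" not in m.string[m.end():]


def select(rules: List[Rule], path: str, ftype: str = "f") -> Optional[Rule]:
    """The line that claims path (kind "negative" means ignored), or None."""
    for kind in ("negative", "equals", "regular"):
        for rule in rules:
            if rule.kind == kind and _matches(rule, path, ftype):
                return rule
    return None


# Constructed config; specific lines first, catch-all last.
CONFIG = """\
!/dev
=/foo/ R
!/run d
/run R
/etc f R+sha256
/ R
"""
```

       Because every regex is a prefix match, the catch-all "/ R" placed
       first would claim everything; the constructed config keeps it last.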
338
339

MACRO LINES

       @@define VAR val
              Define variable VAR to value val.

       @@undef VAR
              Undefine variable VAR.

       @@ifdef VAR, @@ifndef VAR
              @@ifdef begins an if statement. It must be terminated with an
              @@endif statement. The lines between @@ifdef and @@endif are
              used if variable VAR is defined. If there is an @@else
              statement then the part between @@ifdef and @@else is used if
              VAR is defined, otherwise the part between @@else and @@endif
              is used. @@ifndef reverses the logic of the @@ifdef statement
              but otherwise works similarly.

       @@ifhost hostname, @@ifnhost hostname
              @@ifhost works like @@ifdef; the only difference is that it
              checks whether hostname equals the name of the host that AIDE
              is running on. hostname is the name of the host without the
              domain name (hostname, not hostname.example.com).

       @@{VAR}
              @@{VAR} is replaced with the value of the variable VAR. If
              variable VAR is not defined an empty string is used. Unlike
              Tripwire(tm), @@VAR is NOT supported. One special VAR is
              @@{HOSTNAME} which is substituted with the hostname of the
              current system.

       @@else Begins the else part of an if statement.

       @@endif
              Ends an if statement.

       @@include VAR
              Includes the file VAR. The content of the file is used as if it
              were inserted in this part of the config file. Since an
              included file can define variables and add or negate selection
              lines, protect it as tightly as aide.conf itself.

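
       The Python preprocessor below is an added example for this page, not
       AIDE's own code. It runs the macro lines above over a constructed
       config for two hosts and shows what each host ends up with. Two
       choices are assumptions: if blocks may nest, and @@include reads
       through a caller-supplied loader (here a dict standing in for files
       on disk) so the example runs offline.

```python
"""Expand aide.conf macro lines as described under MACRO LINES.

Added example, not AIDE's own code. Handles @@define, @@undef, @@ifdef,
@@ifndef, @@ifhost, @@ifnhost, @@else, @@endif, @@{VAR} substitution
(undefined variables become the empty string, @@{HOSTNAME} is predefined)
and @@include. Assumptions: if blocks may nest; @@include is resolved by a
caller-supplied loader so the example runs offline.
"""
import re
from typing import Callable, Dict, List, Optional

VAR_REF = re.compile(r"@@\{([A-Za-z_][A-Za-z0-9_]*)\}")


def preprocess(text: str, hostname: str, defines: Optional[Dict[str, str]] = None,
               loader: Optional[Callable[[str], str]] = None) -> List[str]:
    """Return the config lines that survive macro expansion on hostname."""
    env: Dict[str, str] = dict(defines or {})
    env["HOSTNAME"] = hostname
    out: List[str] = []
    _expand(text, env, hostname, loader, out)
    return out


def _expand(text: str, env: Dict[str, str], hostname: str,
            loader: Optional[Callable[[str], str]], out: List[str]) -> None:
    stack: List[bool] = []                     # one entry per open @@if

    def subst(s: str) -> str:
        return VAR_REF.sub(lambda m: env.get(m.group(1), ""), s)

    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        word = parts[0] if parts else ""
        arg = parts[1] if len(parts) > 1 else ""
        if word in ("@@ifdef", "@@ifndef"):
            stack.append((arg in env) == (word == "@@ifdef"))
        elif word in ("@@ifhost", "@@ifnhost"):
            stack.append((arg == hostname) == (word == "@@ifhost"))
        elif word == "@@else":
            if not stack:
                raise ValueError("@@else without an open @@if")
            stack[-1] = not stack[-1]
        elif word == "@@endif":
            if not stack:
                raise ValueError("@@endif without an open @@if")
            stack.pop()
        elif not all(stack):
            continue                           # inside a false branch
        elif word == "@@define":
            env[arg] = subst(parts[2]) if len(parts) > 2 else ""
        elif word == "@@undef":
            env.pop(arg, None)
        elif word == "@@include":
            if loader is None:
                raise ValueError("@@include needs a loader")
            _expand(loader(subst(arg)), env, hostname, loader, out)
        else:
            out.append(subst(raw))
    if stack:
        raise ValueError("unterminated @@ifdef/@@ifhost block")


# Constructed config exercising every macro type.
MAIN = """\
@@define DBDIR /var/lib/aide
database=file:@@{DBDIR}/aide.db
database_out=file:@@{DBDIR}/aide.db.@@{HOSTNAME}.new
@@ifhost web01
/var/www R
@@else
!/var/www
@@endif
@@ifdef STRICT
/etc R+sha512
@@else
/etc R
@@endif
@@include common.conf
"""
# Stand-in for the files @@include would read from disk (constructed).
FILES = {"common.conf": "/bin R\n@@define COMMON_LOADED 1\n"}
```

       Running preprocess(MAIN, "web01", loader=FILES.__getitem__) yields
       the web01 view; passing {"STRICT": "1"} as defines switches the /etc
       rule, which is the usual way to ship one config to many hosts.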

URLS

       Urls can be one of the following. Input urls cannot be used as outputs
       and vice versa.

       stdout

       stderr Output is sent to stdout, stderr respectively.

       stdin  Input is read from stdin.

       file://filename
              Input is read from filename or output is written to filename.

       fd:number
              Input is read from file descriptor number or output is written
              to file descriptor number.


DEFAULT GROUPS

       p:   permissions

       ftype: file type

       i:   inode

       l:   link name

       n:   number of links

       u:   user

       g:   group

       s:   size

       b:   block count

       m:   mtime

       a:   atime

       c:   ctime

       S:   check for growing size

       I:   ignore changed filename

       ANF: allow new files

       ARF: allow removed files

       md5: md5 checksum

       sha1: sha1 checksum

       sha256: sha256 checksum

       sha512: sha512 checksum

       rmd160: rmd160 checksum

       tiger: tiger checksum

       haval: haval checksum

       crc32: crc32 checksum

       R:   p+ftype+i+l+n+u+g+s+m+c+md5+X

       L:   p+ftype+i+l+n+u+g+X

       E:   Empty group

       X:   acl+selinux+xattrs+e2fsattrs (if groups are explicitly enabled)

       >:   Growing file p+ftype+l+u+g+i+n+S+X

       And also the following if you have mhash support enabled

       gost: gost checksum

       whirlpool: whirlpool checksum

       The following are available only when explicitly enabled using
       configure

       acl: access control list

       selinux: selinux attributes

       xattrs: extended attributes

       e2fsattrs: file attributes on a second extended file system

       Please note that 'I' and 'c' are incompatible. When the name of a file
       is changed, its ctime is updated as well. When you put 'c' and 'I' in
       the same rule, a changed ctime is silently ignored.

       Note also that md5 is the only checksum in R. md5 collisions are cheap
       to compute, so an attacker who can place both halves of a colliding
       pair can later swap them without changing the md5, and AIDE compares
       nothing beyond what the rule lists. Where content integrity matters,
       add sha256 or sha512 (for example R+sha256).

       When 'ANF' is used, new files are added to the new database but are
       not reported.

       When 'ARF' is used, files missing on disk are omitted from the new
       database and are not reported.

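
       The Python below is an added example for this page, not AIDE's own
       code. It evaluates a group expression of the form given under Group
       definitions against the predefined groups listed above, so that
       "R-m-c-i" or a user-defined "All" resolves to the exact attribute
       set, and then lints the result: the I/c conflict restates the note
       above, while the two checksum warnings are the editor's advice rather
       than anything AIDE checks. X is expanded as acl+selinux+xattrs+
       e2fsattrs, which assumes all four optional groups were compiled in.

```python
"""Expand an aide.conf group expression and lint the result.

Added example, not AIDE's own code. Predefined groups and the grammar
(<group> | <expr> + <group> | <expr> - <group>) come from this page. X is
expanded as acl+selinux+xattrs+e2fsattrs (assumes all four are compiled
in). The I/c warning restates the page; the checksum warnings are the
editor's advice, not AIDE behaviour.
"""
import re
from typing import Dict, List, Optional, Set

CHECKSUMS = {"md5", "sha1", "sha256", "sha512", "rmd160", "tiger", "haval",
             "crc32", "gost", "whirlpool"}
ATTRIBUTES = {"p", "ftype", "i", "l", "n", "u", "g", "s", "b", "m", "a", "c",
              "S", "I", "ANF", "ARF", "acl", "selinux", "xattrs", "e2fsattrs"} | CHECKSUMS
PREDEFINED = {
    "X": "acl+selinux+xattrs+e2fsattrs",
    "R": "p+ftype+i+l+n+u+g+s+m+c+md5+X",
    "L": "p+ftype+i+l+n+u+g+X",
    ">": "p+ftype+l+u+g+i+n+S+X",
    "E": "",
}
TERM = re.compile(r"([+-]?)([^+\-]+)")   # optional operator, then a name


def expand(expr: str, groups: Optional[Dict[str, str]] = None) -> Set[str]:
    """Evaluate an expression left to right into the set of attributes."""
    groups = {**PREDEFINED, **(groups or {})}
    result: Set[str] = set()
    for pos, (op, name) in enumerate(TERM.findall(expr.replace(" ", ""))):
        if (op == "") != (pos == 0):
            raise ValueError(f"malformed expression {expr!r}")
        if name in groups:
            members = expand(groups[name], groups)
        elif name in ATTRIBUTES:
            members = {name}
        else:
            raise ValueError(f"unknown group or attribute {name!r} in {expr!r} "
                             "(write e+p+u+g, not epug)")
        result = result - members if op == "-" else result | members
    return result


def lint(expr: str, groups: Optional[Dict[str, str]] = None) -> List[str]:
    """Warnings for a resolved rule: the I/c conflict from this page plus two
    checksum checks that are the editor's advice, not AIDE behaviour."""
    attrs = expand(expr, groups)
    warnings: List[str] = []
    if {"I", "c"} <= attrs:
        warnings.append("I and c together: a changed ctime is silently ignored")
    sums = attrs & CHECKSUMS
    if not sums:
        warnings.append("no checksum: only metadata is compared, content changes "
                        "that keep size and timestamps go unnoticed")
    elif sums <= {"md5", "sha1", "crc32"}:
        warnings.append("only " + "+".join(sorted(sums)) + ": not collision "
                        "resistant, add sha256 or sha512")
    return warnings
```

       lint("R") reports the md5-only issue, lint("L") the absence of any
       checksum, and lint("R+sha256") nothing, which is the shape a rule for
       binaries and configuration files should have.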

EXAMPLES

              / R

       This adds all files on your machine to the database. This one line is
       a fully qualified configuration file.

              !/dev

       This ignores the /dev directory structure.

              =/foo R

       Only /foo and /foobar are taken into the database (the regular
       expression is a prefix match, so /foobar matches as well). None of
       their children are added.

              =/foo/ R

       Only /foo and its children (e.g. /foo/file and /foo/directory) are
       taken into the database. The children of sub-directories (e.g.
       /foo/directory/bar) are not added.

              All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160

       This line defines group All. It has all attributes and all message
       digest functions. If you absolutely want all digest functions then
       you should enable mhash support and add +crc32+haval+gost to the end
       of the definition for All. Mhash support can only be enabled at
       compile-time.


HINTS

       Of the following two lines, the first is not allowed in AIDE: group
       names are combined with + and -, not concatenated. Use the second
       instead.

              /foo epug

              /foo e+p+u+g


SEE ALSO

       aide(1), manual.html


DISCLAIMER

       All trademarks are the property of their respective owners. No animals
       were harmed while making this webpage or this piece of software.




aide 0.16                        Jul 25, 2016                     AIDE.CONF(5)