AIDE.CONF(5)                         AIDE                         AIDE.CONF(5)

NAME
       aide.conf - The configuration file for Advanced Intrusion Detection
       Environment

DESCRIPTION
       aide.conf is the configuration file for Advanced Intrusion Detection
       Environment. aide.conf contains the runtime configuration aide uses to
       initialize or check the AIDE database.

       aide.conf is similar to Tripwire(tm)'s configuration file. With little
       effort tw.conf can be converted to aide.conf.

       aide.conf is case-sensitive. Leading and trailing white space is
       ignored.

       There are three types of lines in aide.conf. First there are the
       configuration lines, which set configuration parameters and define
       groups of attributes. Second, there are (restricted) selection lines,
       which indicate which files are added to the database. Third, macro
       lines define or undefine variables within the config file. Lines
       beginning with # are ignored as comments.

CONFIG LINES
       These lines have the format parameter=value. See URLS for a list of
       valid URLs.

       database
              The URL from which the database is read. There can only be one
              of these lines. If there are multiple database lines then the
              first is used. The default value is "/usr/etc/aide.db".

       database_out
              The URL to which the new database is written. There can only be
              one of these lines. If there are multiple database_out lines
              then the first is used. The default value is
              "/usr/etc/aide.db.new".

       database_new
              The URL from which the other database for --compare is read.
              There is no default for this one.

       database_attrs
              The attributes of the (uncompressed) database files which are to
              be added to the final report in verbose level 2 or higher. Only
              checksum attributes are supported. To disable set database_attrs
              to 'E'. By default all compiled in checksums are added to the
              report.

       database_add_metadata
              Whether to add the AIDE version and the time of database
              generation as comments to the database file or not. Valid values
              are yes, true, no and false. The default is to add the AIDE
              version and the time of database generation. This option may be
              set to no by default in a future release.

       verbose
              The level of messages that is output. This value can be 0-255
              inclusive. This parameter can only be given once. The value from
              the first occurrence is used. If --verbose or -V is used then the
              value from that is used. The default is 5. If verbosity is 20
              then additional report output is written when doing --check,
              --update or --compare.

       syslog_format
              Valid values are yes, true, no and false. This option enables the
              new syslog format, which is suitable for logging: every change is
              logged as one simple line. This option changes the verbose level
              to 0 and prints everything that was changed. It is suggested to
              use this option with "report_url=syslog:...". The default value
              is "false/no". The maximum size of a message is 1KB, which is a
              limitation of the syslog call. If a message is greater than that
              limit, it will be truncated. The option summarize_changes has no
              impact on this format.

              Output always starts with:
              "AIDE found differences between database and filesystem!!"
              And it is followed by a summary:
              summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=1
              And finally there are logs about changes:
              dir=/usr/sbin;Mtime_old=0000-00-00 00:00:00;Mtime_new=0000-00-00 00:00:00;...
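
              The following Python program is an added example; it is not part
              of this manual page or of AIDE. It parses syslog_format output of
              the shape shown above into records, flags lines that carry the
              marks of the 1KB truncation described above (a trailing key with
              no value, or an attribute with only an _old or only a _new side),
              and compares the summary counts against the number of change
              lines actually received, which is how a log pipeline notices
              dropped messages. The sample report is constructed; the "file="
              key and the Size/SHA256 attribute names in it are assumptions,
              since the page shows only "dir=", Mtime and Ctime.

```python
"""Parse AIDE syslog_format output (header, summary line, one line per change).

Added example, not code from the aide.conf(5) page or the AIDE project. The
sample report is constructed; its 'file=' key and Size/SHA256 attribute names
are assumptions (the page shows only 'dir=', Mtime and Ctime).
"""
import re
from typing import Dict, List, Optional, Tuple

MAX_SYSLOG_MSG = 1024   # 1KB limit quoted on the page; longer messages arrive cut off
HEADER = "AIDE found differences between database and filesystem!!"
SIDE = re.compile(r"(.+)_(old|new)$")


class Change:
    """One changed entry: type key, path and per-attribute old/new values."""

    def __init__(self, kind: str, path: str) -> None:
        self.kind = kind                  # first key on the line ('dir' on the page)
        self.path = path
        self.attrs: Dict[str, Dict[str, Optional[str]]] = {}
        self.extra: List[str] = []        # fields not following the _old/_new convention
        self.truncated = False            # line shows signs of being cut at the 1KB limit


def parse_change_line(line: str) -> Change:
    fields = line.split(";")
    kind, _, path = fields[0].partition("=")
    if not kind or not path:
        raise ValueError("change line must start with <type>=<path>: " + line)
    change = Change(kind, path)
    change.truncated = len(line) >= MAX_SYSLOG_MSG
    for field in fields[1:]:
        if "=" not in field:
            change.truncated = True       # a key with no '=' is the remains of a cut pair
            continue
        key, _, value = field.partition("=")
        m = SIDE.match(key)
        if m is None:
            change.extra.append(field)
            continue
        change.attrs.setdefault(m.group(1), {"old": None, "new": None})[m.group(2)] = value
    # An attribute with only one side recorded also means the tail is missing.
    if any(None in sides.values() for sides in change.attrs.values()):
        change.truncated = True
    return change


def parse_summary(line: str) -> Dict[str, int]:
    fields = line.split(";")
    if fields[0] != "summary":
        raise ValueError("not a summary line: " + line)
    return {k: int(v) for k, _, v in (f.partition("=") for f in fields[1:])}


def parse_report(lines: List[str]) -> Tuple[Dict[str, int], List[Change]]:
    """Whole report: the fixed header, the summary, then one line per change."""
    if not lines or lines[0] != HEADER:
        raise ValueError("report does not start with the AIDE header line")
    summary = parse_summary(lines[1])
    changes = [parse_change_line(l) for l in lines[2:] if l.strip()]
    return summary, changes


def changed_attribute_names(change: Change) -> List[str]:
    """Attributes whose old and new values differ, sorted for stable comparison."""
    return sorted(n for n, s in change.attrs.items() if s["old"] != s["new"])


def missing_change_lines(summary: Dict[str, int], changes: List[Change]) -> int:
    """Change lines the summary promised but the log does not contain (dropped
    messages); the summary is the only place that states the expected count."""
    expected = sum(summary.get(k, 0) for k in ("added_files", "removed_files", "changed_files"))
    return max(0, expected - len(changes))


# Constructed sample report. The last line is cut mid-key, as a >1KB message would be.
SAMPLE_LINES = [
    HEADER,
    "summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=3",
    ("dir=/usr/sbin;Mtime_old=2016-07-01 10:00:00;Mtime_new=2016-07-25 09:12:31"
     ";Ctime_old=2016-07-01 10:00:00;Ctime_new=2016-07-25 09:12:31"),
    ("file=/usr/sbin/sshd;Size_old=786432;Size_new=790528"
     ";SHA256_old=" + "a" * 43 + "=;SHA256_new=" + "b" * 43 + "="),
    "dir=/var/lib/dpkg;Mtime_old=2016-07-01 10:00:00;Mtime_new=2016-07-25 09:12:31;Ctime_ol",
]

if __name__ == "__main__":
    summary, changes = parse_report(SAMPLE_LINES)
    print("summary:", summary, "| missing lines:", missing_change_lines(summary, changes))
    for c in changes:
        print(f"{c.kind} {c.path}{' (TRUNCATED)' if c.truncated else ''}: {changed_attribute_names(c)}")
```

              Because a truncated line can silently lose the very attribute
              you care about, treat truncated records as "changed, details
              unknown" rather than as a clean mtime-only change.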

       report_url
              The URL that the output is written to. There can be multiple
              instances of this parameter. Output is written to all of them.
              The default is stdout.

       report_base16
              Whether to base16 encode the checksums in the report or not.
              Valid values are yes, true, no and false. The default is to
              report checksums not in base16 but in base64 encoding.

       report_detailed_init
              Whether to report added files (verbose level >= 2) and their
              details (verbose level >= 7) in initialization mode or not.
              Valid values are yes, true, no and false. The default is to not
              report added files or their details in init mode.

       report_quiet
              Whether to suppress report output if no differences to the
              database have been found or not. Valid values are yes, true, no
              and false. The default is to not suppress output in the report.

       gzip_dbout
              Whether the output to the database is gzipped or not. Valid
              values are yes, true, no and false. The default is no. This
              option is available only if zlib support is compiled in.

       root_prefix
              The prefix to strip from each file name in the file system
              before applying the rules and writing to the database. AIDE
              removes a trailing slash from the prefix. The default is no (an
              empty) prefix. This option has no effect in compare mode.

       acl_no_symlink_follow
              Whether to check ACLs for symlinks or not. Valid values are yes,
              true, no and false. The default is to follow symlinks. This
              option is available only if acl support is compiled in.

       warn_dead_symlinks
              Whether to warn about dead symlinks or not. Valid values are
              yes, true, no and false. The default is not to warn about dead
              symlinks.

       grouped
              Whether to group the files in the report by added, removed and
              changed files or not. Valid values are yes, true, no and false.
              The default is to group the files in the report.

       summarize_changes
              Whether to summarize changes in the added, removed and changed
              files sections of the report or not. Valid values are yes, true,
              no and false. The default is to summarize the changes.

              The general format is like the string YlZbpugamcinCAXSE, where Y
              is replaced by the file type (f for a regular file, d for a
              directory, l for a symbolic link, c for a character device, b
              for a block device, p for a FIFO, s for a unix socket, D for a
              Solaris door, P for a Solaris event port, ! if the file type has
              changed and ? otherwise).

              The Z is replaced as follows: a = means that the size has not
              changed, a < reports a shrunk size and a > reports a grown size.

              The other letters in the string are the actual letters that will
              be output if the associated attribute for the item has been
              changed, or a "." for no change, a "+" if the attribute has been
              added, a "-" if it has been removed, a ":" if the attribute is
              ignored (but not forced) or a " " if the attribute has not been
              checked. The exceptions to this are: (1) a newly created file
              replaces each letter with a "+", and (2) a removed file replaces
              each letter with a "-".

              The attribute that is associated with each letter is as follows:

              o An l means that the link name has changed.

              o A b means that the block count has changed.

              o A p means that the permissions have changed.

              o A u means that the uid has changed.

              o A g means that the gid has changed.

              o An a means that the access time has changed.

              o An m means that the modification time has changed.

              o A c means that the change time has changed.

              o An i means that the inode has changed.

              o An n means that the link count has changed.

              o A C means that one or more checksums have changed.

              The following letters are only available when explicitly enabled
              using configure:

              o An A means that the access control list has changed.

              o An X means that the extended attributes have changed.

              o An S means that the SELinux attributes have changed.

              o An E means that the file attributes on a second extended file
                system have changed.
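
              The following Python program is an added example; it is not part
              of this manual page or of AIDE. It decodes a summarize_changes
              string position by position according to the YlZbpugamcinCAXSE
              layout described above, recognises the all-"+" and all-"-" forms
              of added and removed entries, and renders the result as one
              readable line for a triage note. The sample strings it carries
              are constructed, not copied from a real report.

```python
"""Decode AIDE summarize_changes strings (the YlZbpugamcinCAXSE layout).

Added example, not code from the aide.conf(5) page or the AIDE project. It
implements only the positional layout the page describes; the sample strings
at the bottom are constructed, not taken from a real report.
"""
from typing import Dict, List

TEMPLATE = "YlZbpugamcinCAXSE"   # one character per position, as given on the page
FILE_TYPES = {
    "f": "regular file", "d": "directory", "l": "symbolic link",
    "c": "character device", "b": "block device", "p": "FIFO",
    "s": "unix socket", "D": "Solaris door", "P": "Solaris event port",
    "!": "file type changed", "?": "unknown type",
}
SIZE = {"=": "size unchanged", "<": "size shrunk", ">": "size grown"}
ATTRIBUTES = {
    "l": "link name", "b": "block count", "p": "permissions", "u": "uid",
    "g": "gid", "a": "atime", "m": "mtime", "c": "ctime", "i": "inode",
    "n": "link count", "C": "checksum", "A": "ACL", "X": "extended attributes",
    "S": "SELinux attributes", "E": "ext2 attributes",
}
MARKERS = {"+": "added", "-": "removed", ":": "ignored", " ": "not checked"}


def decode(summary: str) -> Dict[str, object]:
    """File type, size trend and the state of every attribute position."""
    if len(summary) != len(TEMPLATE):
        raise ValueError(f"expected {len(TEMPLATE)} characters, got {summary!r}")
    if summary[0] not in FILE_TYPES:
        raise ValueError("unknown file type letter: " + summary[0])
    cells = summary[1:]
    # Page: a new entry has every letter replaced by '+', a removed one by '-'.
    entry = "added" if set(cells) == {"+"} else "removed" if set(cells) == {"-"} else "changed"
    result: Dict[str, object] = {
        "type": FILE_TYPES[summary[0]], "entry": entry, "size": None,
        "changed": [], "added": [], "removed": [], "ignored": [], "not checked": [],
    }
    if entry != "changed":
        return result
    for letter, cell in zip(TEMPLATE[1:], cells):
        if letter == "Z":
            if cell in SIZE:
                result["size"] = SIZE[cell]
            elif cell != "." and cell not in MARKERS:
                raise ValueError(f"bad size marker {cell!r}")
        elif cell == letter:
            result["changed"].append(ATTRIBUTES[letter])
        elif cell in MARKERS:
            result[MARKERS[cell]].append(ATTRIBUTES[letter])
        elif cell != ".":
            raise ValueError(f"unexpected {cell!r} at attribute position {letter}")
    return result


def describe(summary: str) -> str:
    """One-line rendering for a triage note or alert body."""
    r = decode(summary)
    if r["entry"] != "changed":
        return f"{r['type']} {r['entry']}"
    parts: List[str] = [r["type"]] + ([r["size"]] if r["size"] else [])
    for bucket in ("changed", "added", "removed", "ignored", "not checked"):
        if r[bucket]:
            parts.append(f"{bucket}: {', '.join(r[bucket])}")
    return "; ".join(parts)


# Constructed sample strings (exactly 17 characters each).
SAMPLES = [
    "f.>b... mc..C    ",      # grown file: block count, mtime, ctime, checksum changed
    "d" + "+" * 16,            # newly added directory
    "ll=" + "." * 14,          # symlink whose target changed
    "f.=" + "." * 13 + ":",    # ext2 attribute change ignored via report_ignore_e2fsattrs
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", describe(s))
```

              The " " (not checked) bucket is worth surfacing: a checksum
              position that was never checked is not evidence that content is
              unchanged, only that the rule for that path did not include a
              checksum.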

       report_ignore_added_attrs
              Special group definition that lists attributes whose addition is
              to be ignored in the final report.

       report_ignore_removed_attrs
              Special group definition that lists attributes whose removal is
              to be ignored in the final report.

       report_ignore_changed_attrs
       ignore_list (DEPRECATED, will be removed in a future release)
              Special group definition that lists attributes whose change is
              to be ignored in the final report.

       report_force_attrs
       report_attributes (DEPRECATED, will be removed in a future release)
              Special group definition that lists attributes which are always
              printed in the final report for changed files. If an attribute
              is both ignored and forced the attribute is not considered for
              file change but printed in the final report if the file has been
              otherwise changed.

       report_ignore_e2fsattrs
              List (no delimiter) of ext2 file attributes which are to be
              ignored in the final report. See chattr(1) for the available
              attributes. Use '0' to not ignore any attribute. Ignored
              attributes are represented by a ':' in the output. The default
              is to not ignore any ext2 file attribute.

              Example
                     Ignore changes of the ext2 file attributes compression
                     error (E), huge file (h), indexed directory (I):

                     report_ignore_e2fsattrs=EhI

       config_version
              The value of config_version is printed in the report and also
              printed to the database. This is for informational purposes
              only. It has no other functionality.

       Group definitions
              If the parameter is not one of the previous parameters then it
              is regarded as a group definition. The value is then regarded as
              an expression of the following form:

                     <predefined group>
                     | <expr> + <predefined group>
                     | <expr> - <predefined group>

              See DEFAULT GROUPS for an explanation of the default predefined
              groups. Note that this is different from the way Tripwire(tm)
              does it.
SELECTION LINES
       AIDE supports three types of selection lines:

       Regular selection line:

              <regex> <group>

              Files and directories matching the regular expression are added
              to the database.

       Negative selection line:

              !<regex>

              Files and directories matching the regular expression are
              ignored and not added to the database.

       Equals selection line:

              =<regex> <group>

              Files and directories matching the regular expression are added
              to the database. The children of directories are only added if
              the regular expression ends with a "/". The children of
              sub-directories are not added at all.

       Every regular expression has to start with a "/". An implicit ^ is
       added in front of each regular expression. In other words the regular
       expressions are matched at the first position against the complete
       filename (i.e. including the path). Special characters in your
       filenames can be escaped using two-digit URL encoding (for example,
       %20 to represent a space).

       See EXAMPLES and doc/aide.conf for examples.

       More in-depth discussion of the selection algorithm can be found in the
       AIDE manual.

RESTRICTED SELECTION LINES
       Restricted selection lines are like normal selection lines but can be
       restricted to file types. The following file types are supported:

              f: restrict rule to regular files

              d: restrict rule to directories

              l: restrict rule to symbolic links

              c: restrict rule to character devices

              b: restrict rule to block devices

              p: restrict rule to FIFO files

              s: restrict rule to UNIX sockets

              D: restrict rule to Solaris doors

              P: restrict rule to Solaris event ports

       The file types are separated by commas. The syntax of restricted
       selection lines is as follows:

       Restricted regular selection line:
              <regex> <file types> <group>

       Restricted negative selection line:
              !<regex> <file types>

       Restricted equals selection line:
              =<regex> <file types> <group>

       Examples
              Only add directories and files to the database:

                     / d,f R

              Add all but directory entries to the database:

                     !/run d
                     /run R

              Use a specific rule for directories:

                     /run d R-m-c-i
                     /run R
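
       The following Python program is an added example covering both
       SELECTION LINES and RESTRICTED SELECTION LINES; it is not part of this
       manual page or of AIDE, and it is not the selection algorithm from the
       AIDE manual (which also decides which directories to descend into). It
       parses the three line kinds with their optional file-type restriction,
       anchors each regex with the implicit ^, decodes %XX escapes, and applies
       the equals-line semantics from the examples in this page (=/foo takes
       /foo and /foobar, =/foo/ takes /foo and its direct children). Assumed,
       not stated on the page: negative rules win over everything, equals
       rules are consulted before regular ones, and within each kind the first
       matching rule wins. The configuration and the directory listing it runs
       against are constructed.

```python
"""Apply aide.conf selection lines (regular, negative, equals, restricted) to paths.

Added example, not code from the aide.conf(5) page or the AIDE project, and not
the full selection algorithm from the AIDE manual. Assumed here: negative rules
win over everything, equals rules are consulted before regular ones, and within
each kind the first matching rule wins. The entry list at the bottom is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FILE_TYPES = set("fdlcbpsDP")   # the restriction letters listed on the page


@dataclass
class Rule:
    kind: str                  # "regular", "negative" or "equals"
    regex: re.Pattern
    types: Optional[Set[str]]  # None = no file type restriction
    group: Optional[str]       # group expression text; None for negative rules


def _unescape(pattern: str) -> str:
    """Two-digit URL encoding in patterns, e.g. %20 for a space (page)."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), pattern)


def parse_selection_line(line: str) -> Optional[Rule]:
    line = line.strip()
    if not line or line[0] not in "/!=":
        return None                                  # comment, macro or parameter line
    kind = {"!": "negative", "=": "equals"}.get(line[0], "regular")
    tokens = (line[1:] if kind != "regular" else line).split()
    if not tokens or not tokens[0].startswith("/"):
        raise ValueError("selection regex must start with '/': " + line)
    pattern, rest = tokens[0], tokens[1:]
    expected = 0 if kind == "negative" else 1        # negative lines carry no group
    types = None
    if len(rest) == expected + 1:                    # a restriction token precedes the group
        types = set(rest[0].split(","))
        if not types <= FILE_TYPES:
            raise ValueError("unknown file type restriction: " + rest[0])
        rest = rest[1:]
    if len(rest) != expected:
        raise ValueError("malformed selection line: " + line)
    return Rule(kind, re.compile("^" + _unescape(pattern)), types, rest[0] if expected else None)


def parse_config(text: str) -> List[Rule]:
    return [r for r in map(parse_selection_line, text.splitlines()) if r]


def _matches(rule: Rule, path: str, ftype: str) -> bool:
    if rule.types is not None and ftype not in rule.types:
        return False                                 # restriction not met; try the next rule
    subject = path
    m = rule.regex.match(subject)
    if m is None and rule.kind == "equals" and ftype == "d":
        subject = path + "/"                         # "=/foo/ R" takes /foo itself (page example)
        m = rule.regex.match(subject)
    if m is None:
        return False
    # Equals rules stop at the matched depth: anything below a further "/" is not taken.
    return rule.kind != "equals" or "/" not in subject[m.end():]


def select(rules: List[Rule], entries: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each path that ends up in the database to the group expression it gets."""
    by_kind = {k: [r for r in rules if r.kind == k] for k in ("negative", "equals", "regular")}
    chosen: Dict[str, str] = {}
    for path, ftype in entries:
        if any(_matches(r, path, ftype) for r in by_kind["negative"]):
            continue
        for rule in by_kind["equals"] + by_kind["regular"]:
            if _matches(rule, path, ftype):
                chosen[path] = rule.group
                break
    return chosen


# Constructed sample config and directory listing as (path, file type letter).
CONFIG = """\
!/dev
=/foo/ R
/run d R-m-c-i
/run R
/etc/my%20file f R+sha256
/etc R
"""
ENTRIES = [
    ("/run", "d"), ("/run/lock", "d"), ("/run/sshd.pid", "f"),
    ("/dev", "d"), ("/dev/null", "c"),
    ("/foo", "d"), ("/foobar", "f"), ("/foo/file", "f"),
    ("/foo/directory", "d"), ("/foo/directory/bar", "f"),
    ("/etc", "d"), ("/etc/passwd", "f"), ("/etc/my file", "f"),
]

if __name__ == "__main__":
    for path, group in select(parse_config(CONFIG), ENTRIES).items():
        print(f"{path:24} {group}")
```

       Running it shows the interaction a rule author usually gets wrong: the
       directory-restricted /run line is skipped for regular files, so they
       fall through to the unrestricted /run rule, while /foo/directory/bar is
       covered by no rule at all once the equals line declines it.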

MACRO LINES
       @@define VAR val
              Define variable VAR to value val.

       @@undef VAR
              Undefine variable VAR.

       @@ifdef VAR, @@ifndef VAR
              @@ifdef begins an if statement. It must be terminated with an
              @@endif statement. The lines between @@ifdef and @@endif are
              used if variable VAR is defined. If there is an @@else statement
              then the part between @@ifdef and @@else is used if VAR is
              defined, otherwise the part between @@else and @@endif is used.
              @@ifndef reverses the logic of the @@ifdef statement but
              otherwise works similarly.

       @@ifhost hostname, @@ifnhost hostname
              @@ifhost works like @@ifdef; the only difference is that it
              checks whether hostname equals the name of the host that AIDE is
              running on. hostname is the name of the host without the domain
              name (hostname, not hostname.example.com).

       @@{VAR}
              @@{VAR} is replaced with the value of the variable VAR. If
              variable VAR is not defined an empty string is used. Unlike
              Tripwire(tm), @@VAR is NOT supported. One special VAR is
              @@{HOSTNAME}, which is substituted with the host name of the
              current system.

       @@else Begins the else part of an if statement.

       @@endif
              Ends an if statement.

       @@include VAR
              Includes the file VAR. The content of the file is used as if it
              were inserted in this part of the config file.
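
       The following Python program is an added example; it is not part of
       this manual page or of AIDE. It implements the macro lines above as a
       small preprocessor: nested @@ifdef/@@ifndef and @@ifhost/@@ifnhost with
       @@else and @@endif, @@define and @@undef, @@{VAR} substitution with the
       special @@{HOSTNAME}, and @@include. To run offline it takes the host
       name as a parameter and resolves @@include against a dictionary of file
       contents instead of the filesystem. Whether AIDE expands @@{...} inside
       a @@define value is not stated on the page; here values are stored as
       written and only output lines are expanded. The sample configuration
       and include file are constructed.

```python
"""Expand aide.conf macro lines: @@define, @@undef, @@ifdef/@@ifndef,
@@ifhost/@@ifnhost, @@else, @@endif, @@include and @@{VAR} substitution.

Added example, not code from the aide.conf(5) page or the AIDE project. The
host name is a parameter and @@include reads from a dictionary so the example
runs offline; @@define values are stored as written (assumption).
"""
import re
from typing import Dict, List, Optional

VAR_REF = re.compile(r"@@\{([A-Za-z_][A-Za-z0-9_]*)\}")
MAX_INCLUDE_DEPTH = 16   # guard against a file that (indirectly) includes itself


class MacroError(ValueError):
    pass


def preprocess(lines: List[str], hostname: str,
               files: Optional[Dict[str, List[str]]] = None,
               variables: Optional[Dict[str, str]] = None) -> List[str]:
    """Config lines that survive the conditionals, with @@{VAR} substituted."""
    out: List[str] = []
    _run(lines, hostname, files or {}, dict(variables or {}), out, 0)
    return out


def _run(lines, hostname, files, variables, out, depth) -> None:
    stack: List[List[bool]] = []   # one [branch taken, @@else seen] frame per open @@if

    def active() -> bool:
        return all(frame[0] for frame in stack)

    def expand(text: str) -> str:
        # @@{HOSTNAME} is special on the page; an undefined variable expands to "".
        return VAR_REF.sub(lambda m: hostname if m.group(1) == "HOSTNAME"
                           else variables.get(m.group(1), ""), text)

    for raw in lines:
        line = raw.strip()                 # page: leading/trailing white space is ignored
        if not line.startswith("@@") or line.startswith("@@{"):
            if active():                   # ordinary line, possibly starting with @@{VAR}
                out.append(expand(line))
            continue
        parts = line.split(None, 2)        # directive, argument, rest of line
        directive = parts[0]
        if directive not in ("@@else", "@@endif") and len(parts) < 2:
            raise MacroError(directive + " needs an argument")
        if directive in ("@@ifdef", "@@ifndef", "@@ifhost", "@@ifnhost"):
            if directive.endswith("def"):
                cond = parts[1] in variables
            else:
                cond = parts[1] == hostname        # short host name, without domain
            negate = directive in ("@@ifndef", "@@ifnhost")
            stack.append([cond != negate, False])
        elif directive == "@@else":
            if not stack or stack[-1][1]:
                raise MacroError("@@else without a matching @@if")
            stack[-1] = [not stack[-1][0], True]
        elif directive == "@@endif":
            if not stack:
                raise MacroError("@@endif without a matching @@if")
            stack.pop()
        elif not active():
            continue                       # defines/includes in a skipped branch do nothing
        elif directive == "@@define":
            variables[parts[1]] = parts[2] if len(parts) > 2 else ""
        elif directive == "@@undef":
            variables.pop(parts[1], None)
        elif directive == "@@include":
            name = expand(parts[1])
            if name not in files:
                raise MacroError("cannot include " + name)
            if depth >= MAX_INCLUDE_DEPTH:
                raise MacroError("include nesting too deep at " + name)
            _run(files[name], hostname, files, variables, out, depth + 1)
        else:
            raise MacroError("unknown macro line: " + line)
    if stack:
        raise MacroError("@@if without @@endif")


# Constructed sample config and include file (not from the page).
SAMPLE = """\
@@define DBDIR /var/lib/aide
@@ifhost web01
@@define WEBROOT /srv/www
@@endif
database=file:@@{DBDIR}/aide.db
database_out=file:@@{DBDIR}/aide.db.new
report_url=file:/var/log/aide/@@{HOSTNAME}.log
@@ifdef WEBROOT
@@{WEBROOT} R
@@else
# no web root on @@{HOSTNAME}
@@endif
@@include common.conf
""".splitlines()
INCLUDES = {"common.conf": ["/etc R", "!/dev"]}

if __name__ == "__main__":
    for host in ("web01", "db01"):
        print(f"--- {host} ---\n" + "\n".join(preprocess(SAMPLE, host, INCLUDES)))
```

       Note that an @@include name is itself expanded, so a config that
       includes "@@{HOSTNAME}.conf" selects a per-host fragment; the depth
       guard is what keeps a fragment that includes itself from recursing
       without bound.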

URLS
       URLs can be one of the following. Input URLs cannot be used as outputs
       and vice versa.

       stdout, stderr
              Output is sent to stdout or stderr respectively.

       stdin  Input is read from stdin.

       file://filename
              Input is read from filename or output is written to filename.

       fd:number
              Input is read from file descriptor number or output is written
              to file descriptor number.

DEFAULT GROUPS
       p: permissions

       ftype: file type

       i: inode

       l: link name

       n: number of links

       u: user

       g: group

       s: size

       b: block count

       m: mtime

       a: atime

       c: ctime

       S: check for growing size

       I: ignore changed filename

       ANF: allow new files

       ARF: allow removed files

       md5: md5 checksum

       sha1: sha1 checksum

       sha256: sha256 checksum

       sha512: sha512 checksum

       rmd160: rmd160 checksum

       tiger: tiger checksum

       haval: haval checksum

       crc32: crc32 checksum

       R: p+ftype+i+l+n+u+g+s+m+c+md5+X

       L: p+ftype+i+l+n+u+g+X

       E: Empty group

       X: acl+selinux+xattrs+e2fsattrs (if groups are explicitly enabled)

       >: Growing file p+ftype+l+u+g+i+n+S+X

       And also the following if you have mhash support enabled:

       gost: gost checksum

       whirlpool: whirlpool checksum

       The following are available only when explicitly enabled using
       configure:

       acl: access control list

       selinux: selinux attributes

       xattrs: extended attributes

       e2fsattrs: file attributes on a second extended file system

       Please note that 'I' and 'c' are incompatible. When the name of a file
       is changed, its ctime is updated as well. When you put 'c' and 'I' in
       the same rule, a changed ctime is silently ignored.

       When 'ANF' is used, new files are added to the new database, but are
       ignored in the report.

       When 'ARF' is used, files missing on disk are omitted from the new
       database and are ignored in the report.
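
       The following Python program is an added example serving both the
       Group definitions entry under CONFIG LINES and DEFAULT GROUPS; it is
       not part of this manual page or of AIDE. It reads parameter=value lines
       (first occurrence wins for database, database_out and verbose as the
       page states; report_url accumulates; verbose is range-checked), treats
       any other key as a group definition, and evaluates group expressions of
       the form <group> (+|- <group>)* against the predefined groups R, L, E,
       X and >, with single attributes usable as one-element groups. Which
       optional attributes (acl, selinux, xattrs, e2fsattrs, gost, whirlpool)
       exist is decided at configure time in AIDE, so here it is a parameter.
       It rejects the run-together form "epug" from HINTS and warns when a
       rule combines 'I' and 'c'. Applying first-occurrence-wins to the other
       single-valued parameters is an assumption; the sample configuration is
       constructed.

```python
"""Parse aide.conf parameter lines and evaluate group definitions.

Added example, not code from the aide.conf(5) page or the AIDE project. The
predefined groups follow DEFAULT GROUPS; which optional attributes are compiled
in is a parameter here. First-occurrence-wins for parameters other than
database, database_out and verbose is an assumption.
"""
import re
from typing import Dict, List, Set, Tuple

ALWAYS = {"p", "ftype", "i", "l", "n", "u", "g", "s", "b", "m", "a", "c", "S", "I", "ANF", "ARF",
          "md5", "sha1", "sha256", "sha512", "rmd160", "tiger", "haval", "crc32"}
OPTIONAL = {"gost", "whirlpool", "acl", "selinux", "xattrs", "e2fsattrs"}   # configure-time
MULTI_VALUED = {"report_url"}                  # page: output is written to all of them
SPECIAL_GROUPS = {"report_ignore_added_attrs", "report_ignore_removed_attrs",
                  "report_ignore_changed_attrs", "ignore_list",
                  "report_force_attrs", "report_attributes"}
PARAMETERS = SPECIAL_GROUPS | MULTI_VALUED | {
    "database", "database_out", "database_new", "database_attrs", "database_add_metadata",
    "verbose", "syslog_format", "report_base16", "report_detailed_init", "report_quiet",
    "gzip_dbout", "root_prefix", "acl_no_symlink_follow", "warn_dead_symlinks", "grouped",
    "summarize_changes", "report_ignore_e2fsattrs", "config_version"}
TOKEN = re.compile(r"\s*([+-])?\s*([A-Za-z0-9_>]+)")


def predefined_groups(enabled: Set[str]) -> Dict[str, Set[str]]:
    x = {"acl", "selinux", "xattrs", "e2fsattrs"} & enabled
    base = {"p", "ftype", "i", "l", "n", "u", "g"}
    return {"R": base | {"s", "m", "c", "md5"} | x, "L": base | x,
            "E": set(), "X": x, ">": base | {"S"} | x}


def evaluate(expr: str, groups: Dict[str, Set[str]], enabled: Set[str]) -> Set[str]:
    """<group> | <expr> + <group> | <expr> - <group>; attributes act as one-element groups."""
    expr = expr.strip()
    result: Set[str] = set()
    pos, first = 0, True
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if m is None or (first and m.group(1)) or (not first and not m.group(1)):
            raise ValueError("malformed group expression: " + expr)
        op, name = m.groups()
        if name in groups:
            attrs = groups[name]
        elif name in ALWAYS or name in enabled:
            attrs = {name}
        elif name in OPTIONAL:
            raise ValueError(f"attribute {name} is not compiled into this AIDE build")
        else:
            raise ValueError(f"unknown group or attribute: {name}")   # e.g. "epug", see HINTS
        result = result - attrs if op == "-" else result | attrs
        pos, first = m.end(), False
    return result


def rule_warnings(attrs: Set[str]) -> List[str]:
    """Combinations the page calls out as not doing what the author expects."""
    warnings = []
    if "I" in attrs and "c" in attrs:
        warnings.append("'I' and 'c' are incompatible: a changed ctime is silently ignored")
    return warnings


def parse_config(text: str, enabled: Set[str]) -> Tuple[Dict[str, object], Dict[str, Set[str]]]:
    groups = predefined_groups(enabled)
    params: Dict[str, object] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#/!=" or line.startswith("@@") or "=" not in line:
            continue                                  # comment, selection or macro line
        key, _, value = (s.strip() for s in line.partition("="))
        if key in MULTI_VALUED:
            params.setdefault(key, []).append(value)
        elif key in SPECIAL_GROUPS:
            params.setdefault(key, evaluate(value, groups, enabled))
        elif key == "verbose":
            level = int(value)
            if not 0 <= level <= 255:
                raise ValueError("verbose must be within 0-255")
            params.setdefault(key, level)
        elif key in PARAMETERS:
            params.setdefault(key, value)
        else:
            groups[key] = evaluate(value, groups, enabled)   # anything else is a group definition
    return params, groups


# Constructed sample; the build is assumed to have acl and xattrs support only.
ENABLED = {"acl", "xattrs"}
CONFIG = """\
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
database=file:/tmp/ignored.db
verbose=5
report_url=file:/var/log/aide/aide.log
report_url=stdout
Strong=R-md5+sha256+sha512
All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160
Logs=>+I+c
report_ignore_changed_attrs=a
/etc Strong
"""

if __name__ == "__main__":
    params, groups = parse_config(CONFIG, ENABLED)
    print(params)
    for name in ("Strong", "All", "Logs"):
        print(name, sorted(groups[name]), rule_warnings(groups[name]))
```

       Evaluating the expressions up front, with the build's attribute set,
       turns two silent failure modes into errors before the database is
       generated: a group that references a digest the binary was built
       without, and the 'I'+'c' rule whose ctime check never fires.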

EXAMPLES
       / R

       This adds all files on your machine to the database. This one line is a
       fully qualified configuration file.

       !/dev

       This ignores the /dev directory structure.

       =/foo R

       Only /foo and /foobar are taken into the database. None of their
       children are added.

       =/foo/ R

       Only /foo and its children (e.g. /foo/file and /foo/directory) are
       taken into the database. The children of sub-directories (e.g.
       /foo/directory/bar) are not added.

       All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160

       This line defines the group All. It has all attributes and all message
       digest functions. If you absolutely want all digest functions then you
       should enable mhash support and add +crc32+haval+gost to the end of the
       definition for All. Mhash support can only be enabled at compile-time.

HINTS
       In the following, the first is not allowed in AIDE. Use the latter
       instead.

       /foo epug

       /foo e+p+u+g

SEE ALSO
       aide(1) manual.html

DISCLAIMER
       All trademarks are the property of their respective owners. No animals
       were harmed while making this webpage or this piece of software.



aide 0.16                        Jul 25, 2016                      AIDE.CONF(5)