AIDE.CONF(5)                          AIDE                         AIDE.CONF(5)

NAME
       aide.conf - The configuration file for Advanced Intrusion Detection
       Environment

DESCRIPTION
       aide.conf is the configuration file for Advanced Intrusion Detection
       Environment. aide.conf contains the runtime configuration aide uses to
       initialize or check the AIDE database.

       aide.conf is case-sensitive. Leading and trailing white spaces are
       ignored. Each config line must end with a newline.

       AIDE uses the backslash character (\) as escape character for ' '
       (space), '@' and '\' (backslash) (e.g. '\ ' or '\@'). To literally
       match a '\' in a file path with a regular expression you have to
       escape the backslash twice (i.e. '\\\\').

       There are three types of lines in aide.conf. First there are the
       configuration options which are used to set configuration parameters
       and define groups. Second, there are (restricted) rules that are used
       to indicate which files are added to the database. Third, macro lines
       define or undefine variables within the config file. Lines beginning
       with # are ignored as comments.

CONFIG OPTIONS
       These lines have the format parameter=value. See URLS for a list of
       valid URLs.

       database_in (type: URL, default: see --version output, added in AIDE
       v0.17)
       database (DEPRECATED since AIDE v0.17, will be removed in AIDE v0.19)
              The URL from which the database is read. There can only be one
              of these lines. If there are multiple database lines then the
              first is used.

              Examples:

              database_in=file:/var/lib/aide/aide.db
                     Read database locally from /var/lib/aide/aide.db.

              database_in=stdin
                     Read database from stdin.

              database_in=https://example.com/aide.db
                     Read database remotely from https://example.com/aide.db.

       database_out (type: URL, default: see --version output)
              The URL to which the new database is written. There can only
              be one of these lines. If there are multiple database_out
              lines then the first is used.

       database_new (type: URL, default: <none>)
              The URL from which the other database for --compare is read.

       database_attrs (type: attribute expression, default: H, added in AIDE
       v0.16)
              The attributes of the (uncompressed) database files which are
              to be added to the reports in report level >=
              database_attributes. Only checksum attributes are supported.
              To disable, set database_attrs to 'E'.

       database_add_metadata (type: bool, default: true, added in AIDE v0.16)
              Whether to add the AIDE version and the time of database
              generation as comments to the database file or not. This
              option may be set to false by default in a future release.

       log_level (type: log level, default: warning, added in AIDE v0.17)
              The log level to use. Log messages are written to stderr. If
              there are multiple log_level lines then the first one is used.
              The --log-level or -L command line option overrides this
              option.

              The following log levels are available:

              error    show unrecoverable issues that have to be handled by
                       the user. Errors are fatal to the AIDE process.

              warning  additionally show recoverable issues that most likely
                       lead to unexpected behaviour and should be handled by
                       the user.

              notice   additionally show recoverable issues that sometimes
                       lead to unexpected behaviour and might be handled by
                       the user.

              info     additionally show informational messages.

              rule     additionally show messages to help debug the path
                       rule matching.

              compare  additionally show messages to help debug file
                       comparison and (special) attribute handling.

              config   additionally show messages to help debug config and
                       rule parsing.

              debug    additionally show messages that are useful to debug
                       the application (very verbose).

              thread   additionally show messages about thread processing
                       (e.g. broadcast events).

              trace    detailed information about the flow of the
                       application (e.g. in-loop logging) (even more
                       verbose).

       verbose (type: number, range: 0 - 255, default: 5, REMOVED in AIDE
       v0.17)
              Removed, use the log_level and report_level options instead.

       gzip_dbout (type: bool, default: false)
              Whether the output to the database is gzipped or not. This
              option is available only if zlib support is compiled in.

       root_prefix (type: path, default: <empty>, added in AIDE v0.16)
              The prefix to strip from each file name in the file system
              before applying the rules and writing to the database. AIDE
              removes a trailing slash from the prefix. If there are multiple
              root_prefix lines then the first one is used. This option has
              no effect in compare mode.

       acl_no_symlink_follow (type: bool, default: false)
              Whether to check ACLs for symlinks or not. This option is
              available only if acl support is compiled in.

       warn_dead_symlinks (type: path, default: false)
              Whether to warn about dead symlinks or not.

       config_version (type: string, default: <empty>)
              The value of config_version is printed in the report and also
              printed to the database. This is for informational purposes
              only. It has no other functionality.

       config_check_warn_unrestricted_rules (type: bool, default: false,
       added in AIDE v0.18)
              Whether to warn on unrestricted rules during config check. To
              explicitly define unrestricted rules use 0 (zero) as
              restriction character.

       num_workers (type: number|percentage, default: 1, added in AIDE v0.18)
              Specifies the number of simultaneous workers (threads) for file
              attribute processing (e.g. hashsum calculation).

              The number of workers can be a positive integer (e.g. '4') or
              the percentage of the available processors (e.g. '60%'). The
              resulting number of workers is rounded up to the next integer
              (e.g. '60%' of 8 processors results in 5 workers).

              If there are multiple num_workers lines then the first one is
              used.

              Use 0 (zero) to disable multi-threading.

              The default value 1 (single worker thread) may be changed in a
              future release.

       report_url (type: URL, default: stdout)
              The URL that the output is written to.

              Multiple instances of the report_url option are supported.

              Examples:

              report_url=file:/var/log/aide.log
                     Write report to /var/log/aide.log.

              report_url=stdout
                     Write report to stdout.

              report_url=syslog:<LOG_FACILITY>
                     Write report to syslog using LOG_FACILITY.

       The following report options are available (to take effect they have
       to be set before report_url):

       report_level (type: report level, default: changed_attributes, added
       in AIDE v0.17)
              The report level to use. The available report levels are as
              follows:

              minimal  print a single line stating whether AIDE found
                       differences to the database

              summary  additionally print the number of added, removed and
                       changed files

              database_attributes
                       additionally print database checksums

              list_entries
                       additionally print lists of added, removed and changed
                       entries

              changed_attributes
                       additionally print details about changed entries

                       Example:

                              File: /var/lib/apt/extended_states
                               Perm : -rw-r--r--  | -rw-------
                               Uid  : 0           | 106

                       The left column shows the old value (e.g. from the
                       database_in database) and the right column shows the
                       new value (e.g. from the file system).

              added_removed_attributes
                       additionally print details about added and removed
                       attributes

              added_removed_entries
                       additionally print details about added and removed
                       entries

       report_format (type: report format, default: plain, added in AIDE
       v0.18)
              The report format to use. The available report formats are as
              follows:

              plain    Print report in plain human-readable format.

              json     Print report in JSON machine-readable format.

       report_base16 (type: bool, default: false, added in AIDE v0.17)
              Base16 encode the checksums in the report. The default is to
              report checksums in base64 encoding.

       report_detailed_init (type: bool, default: false, added in AIDE v0.16)
              Report added files (report level >= list_entries) and their
              details (report level >= added_removed_entries) in
              initialization mode.

       report_quiet (type: bool, default: false, added in AIDE v0.16)
              Suppress report output if no differences to the database have
              been found.

       report_append (type: bool, default: false, added in AIDE v0.17)
              Append to the report URL.

       report_grouped (type: bool, default: true, added in AIDE v0.17)
       grouped (DEPRECATED since AIDE v0.17, will be removed in AIDE v0.19)
              Group the files in the report by added, removed and changed
              files.

       report_summarize_changes (type: bool, default: true, added in AIDE
       v0.17)
       summarize_changes (DEPRECATED since AIDE v0.17, will be removed in
       AIDE v0.19)
              Summarize changes in the added, removed and changed files
              sections of the report.

              The general format is like the string YlZbpugamcinHAXSEC,
              where Y is replaced by the file type ('f' for a regular file,
              'd' for a directory, 'l' for a symbolic link, 'c' for a
              character device, 'b' for a block device, 'p' for a FIFO, 's'
              for a unix socket, 'D' for a Solaris door, 'P' for a Solaris
              event port, '!' if the file type has changed and '?'
              otherwise).

              The Z is replaced as follows: a '=' means that the size has
              not changed, a '<' reports a shrunk size and a '>' reports a
              grown size. The other letters in the string are the actual
              letters that will be output if the associated attribute for
              the item has been changed, or a '.' for no change.

              Otherwise a '+' is shown if the attribute has been added, a
              '-' if it has been removed, a ':' if the attribute is ignored
              (but not forced) or a ' ' if the attribute has not been
              checked.

              The exceptions to this are: (1) a newly created file replaces
              each letter with a '+', and (2) a removed file replaces each
              letter with a '-'.

              The attribute that is associated with each letter is as
              follows:

              o   An l means that the link name has changed.

              o   A b means that the block count has changed.

              o   A p means that the permissions have changed.

              o   A u means that the uid has changed.

              o   A g means that the gid has changed.

              o   An a means that the access time has changed.

              o   An m means that the modification time has changed.

              o   A c means that the change time has changed.

              o   An i means that the inode has changed.

              o   An n means that the link count has changed.

              o   An H means that one or more message digests have changed.

              The following letters are only available when explicitly
              enabled using configure:

              o   An A means that the access control list has changed.

              o   An X means that the extended attributes have changed.

              o   An S means that the SELinux attributes have changed.

              o   An E means that the file attributes on a second extended
                  file system have changed.

              o   A C means that the file capabilities have changed.
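The following added example (not code from AIDE or this man page) decodes a report_summarize_changes string position by position according to the YlZbpugamcinHAXSEC template above; its sample strings are constructed, and it assumes it is handed exactly the 18 summary characters, untrimmed, since a ' ' is itself a mark.

```python
"""Decode AIDE report_summarize_changes strings (added example, not AIDE code).

Sample strings are constructed from the YlZbpugamcinHAXSEC template; the
decoder assumes exactly those 18 characters, untrimmed, since ' ' is itself
a mark (attribute not checked).
"""
from dataclasses import dataclass, field

# Y = file type, Z = size change; every other letter names the attribute
# reported at that position.
TEMPLATE = "YlZbpugamcinHAXSEC"

FILE_TYPES = {
    "f": "regular file", "d": "directory", "l": "symbolic link",
    "c": "character device", "b": "block device", "p": "FIFO",
    "s": "unix socket", "D": "Solaris door", "P": "Solaris event port",
    "!": "file type changed", "?": "unknown",
}
SIZE_MARKS = {"=": "unchanged", "<": "shrunk", ">": "grown",
              "+": "added", "-": "removed", " ": "not checked"}
ATTRIBUTES = {
    "l": "link name", "b": "block count", "p": "permissions", "u": "uid",
    "g": "gid", "a": "atime", "m": "mtime", "c": "ctime", "i": "inode",
    "n": "link count", "H": "message digest", "A": "acl", "X": "xattrs",
    "S": "selinux", "E": "e2fsattrs", "C": "caps",
}
LETTER_POSITIONS = [i for i, t in enumerate(TEMPLATE) if t in ATTRIBUTES]


@dataclass
class ChangeSummary:
    file_type: str
    size: str
    new_file: bool = False      # exception (1): every letter is '+'
    removed_file: bool = False  # exception (2): every letter is '-'
    changed: list = field(default_factory=list)
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    ignored: list = field(default_factory=list)    # ':' marks
    unchecked: list = field(default_factory=list)  # ' ' marks


def decode_summary(summary: str) -> ChangeSummary:
    """Map each position of a summarize_changes string to its meaning."""
    if len(summary) != len(TEMPLATE):
        raise ValueError(f"expected {len(TEMPLATE)} characters: {summary!r}")
    if summary[0] not in FILE_TYPES:
        raise ValueError(f"unknown file type mark {summary[0]!r}")
    if summary[2] not in SIZE_MARKS:
        raise ValueError(f"unknown size mark {summary[2]!r}")
    result = ChangeSummary(FILE_TYPES[summary[0]], SIZE_MARKS[summary[2]])

    marks = [summary[i] for i in LETTER_POSITIONS]
    result.new_file = all(m == "+" for m in marks)
    result.removed_file = all(m == "-" for m in marks)
    if result.new_file or result.removed_file:
        return result  # whole-entry events carry no per-attribute detail

    for i in LETTER_POSITIONS:
        letter, mark, name = TEMPLATE[i], summary[i], ATTRIBUTES[TEMPLATE[i]]
        if mark == ".":
            continue                     # unchanged
        if mark == letter:
            result.changed.append(name)  # the letter itself means changed
        elif mark == "+":
            result.added.append(name)
        elif mark == "-":
            result.removed.append(name)
        elif mark == ":":
            result.ignored.append(name)  # ignored but not forced
        elif mark == " ":
            result.unchecked.append(name)
        else:
            raise ValueError(f"unexpected mark {mark!r} for {name} at {i}")
    return result


def describe(summary: str) -> str:
    """One-line rendering, e.g. for an alert pipeline reading aide output."""
    r = decode_summary(summary)
    if r.new_file or r.removed_file:
        return f"{'new' if r.new_file else 'removed'} {r.file_type}"
    parts = [f"{r.file_type}, size {r.size}"]
    for label, names in (("changed", r.changed), ("added", r.added),
                         ("removed", r.removed), ("ignored", r.ignored)):
        if names:
            parts.append(f"{label}: {', '.join(names)}")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed samples: a grown log, a new file, an entry whose type changed.
    for s in ("f.>b...:mc..H" + " ." + "   ", "f" + "+" * 17,
              "!.=.pu" + "." * 8 + "+..."):
        print(repr(s), "->", describe(s))
```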
       report_ignore_added_attrs (type: attribute expression, default: empty,
       added in AIDE v0.16)
              Attributes whose addition is to be ignored in the report.

       report_ignore_removed_attrs (type: attribute expression, default:
       empty, added in AIDE v0.16)
              Attributes whose removal is to be ignored in the report.

       report_ignore_changed_attrs (type: attribute expression, default:
       empty, added in AIDE v0.16)
       ignore_list (REMOVED in AIDE v0.17)
              Attributes whose change is to be ignored in the report.

       report_force_attrs (type: attribute expression, default: empty, added
       in AIDE v0.16)
       report_attributes (REMOVED in AIDE v0.17)
              Attributes which are always printed in the report for changed
              files. If an attribute is both ignored and forced, the
              attribute is not considered for file change but printed in the
              final report as long as the file has been otherwise changed.

       report_ignore_e2fsattrs (type: string, default: 0, added in AIDE
       v0.16)
              List (no delimiter) of ext2 file attributes which are to be
              ignored in the report. See chattr(1) for the available
              attributes. Use 0 (zero) to not ignore any attribute. Ignored
              attributes are represented by a ':' in the report.

              By default AIDE also reports changes of the read-only
              attributes mentioned in chattr(1) (see the example below for
              how to ignore those changes).

              Example:

              Ignore changes of the read-only ext2 file attributes verity
              (V), inline data (N), indexed directory (I) and encrypted (E):

                     report_ignore_e2fsattrs=VNIE

GROUPS
       Groups are aggregations of attributes.

       Group definitions have the format <group name> = <attribute
       expression>.

       Group names are limited to alphanumeric characters (A-Za-z0-9).

       See ATTRIBUTES for a description of all available attributes.

   Default groups
       R      p+ftype+i+l+n+u+g+s+m+c+md5+X

       L      p+ftype+i+l+n+u+g+X

       >      Growing file: p+ftype+l+u+g+i+n+s+growing+X

       H      all compiled in hashsums (added in AIDE v0.17)

       X      acl+selinux+xattrs+e2fsattrs+caps (if attributes are compiled
              in, added in AIDE v0.16)

       E      Empty group

       Use 'aide --version' to list the default compound groups.

RULES
       AIDE supports three types of rules:

       Regular rule:
              <regex> <attribute expression>

              Files and directories matching the regular expression are
              added to the database.

       Negative rule:
              !<regex>

              Files and directories matching the regular expression are
              ignored and not added to the database. The children of
              matching directories are also ignored.

       Equals rule:
              =<regex> <attribute expression>

              Files and directories matching the regular expression are
              added to the database. The children of directories are only
              added if the regular expression ends with a "/". The children
              of sub-directories are not added at all.

       Every regular expression has to start with an explicit "/". An
       implicit ^ is added in front of each regular expression. In other
       words, the regular expressions are matched at the first position
       against the complete path. Special characters can be escaped using
       two-digit URL encoding (for example, %20 to represent a space).

       AIDE uses a deepest-match algorithm to find the tree node to search,
       but a first-match algorithm inside the node (see also the rule log
       level).

       See EXAMPLES for examples.

       More in-depth discussion of the selection algorithm can be found in
       the AIDE manual.

RESTRICTED RULES
       Restricted rules are like normal rules but can be restricted to file
       types (added in AIDE v0.16). The following file types are supported:

       f      restrict rule to regular files

       d      restrict rule to directories

       l      restrict rule to symbolic links

       c      restrict rule to character devices

       b      restrict rule to block devices

       p      restrict rule to FIFO files

       s      restrict rule to UNIX sockets

       D      restrict rule to Solaris doors

       P      restrict rule to Solaris event ports

       0      empty restriction, i.e. don't restrict rule (added in AIDE
              v0.18)

       Multiple restrictions can be given as a comma-separated list.

       The syntax of restricted rules is as follows:

       Restricted regular rule
              <regex> <file types> <attribute expression>

       Restricted negative rule
              !<regex> <file types>

       Restricted equals rule
              =<regex> <file types> <attribute expression>

MACRO LINES
       @@define VAR val
              Define variable VAR to value val.

       @@undef VAR
              Undefine variable VAR.

       @@if boolean_expression (added in AIDE v0.18)
       @@else
       @@endif
              @@if begins an if statement. It must be terminated with an
              @@endif statement. The lines between @@if and @@endif are used
              if the boolean_expression evaluates to true. If there is an
              @@else statement then the part between @@if and @@else is used
              if boolean_expression evaluates to true, otherwise the part
              between @@else and @@endif is used.

              Available operators and functions in boolean expressions:

              not boolean_expression
                     Evaluates to true if the boolean_expression is false,
                     and false if the boolean_expression is true.

              defined VARIABLE
                     Evaluates to true if VARIABLE is defined.

              hostname HOSTNAME
                     Evaluates to true if HOSTNAME equals the hostname of
                     the machine that AIDE is running on. hostname is the
                     name of the host without the domain name (i.e.
                     'hostname', not 'hostname.example.com').

              exists PATH
                     Evaluates to true if PATH exists.

       @@ifdef VARIABLE (DEPRECATED since AIDE v0.18, will be removed in AIDE
       v0.20)
              same as @@if defined VARIABLE

       @@ifndef VARIABLE (DEPRECATED since AIDE v0.18, will be removed in
       AIDE v0.20)
              same as @@if not defined VARIABLE

       @@ifhost HOSTNAME (DEPRECATED since AIDE v0.18, will be removed in
       AIDE v0.20)
              same as @@if hostname HOSTNAME

       @@ifnhost HOSTNAME (DEPRECATED since AIDE v0.18, will be removed in
       AIDE v0.20)
              same as @@if not hostname HOSTNAME

       @@{VAR}
              @@{VAR} is replaced with the value of the variable VAR. If
              variable VAR is not defined an empty string is used.

              Variables are supported in strings and in regular expressions
              of selection lines.

              Pre-defined macro variables:

              @@{HOSTNAME}: hostname of the current system

       @@include FILE
              Include FILE.

              The content of the file is used as if it were inserted in this
              part of the config file.

              The maximum depth of nested includes is 16.

       @@include DIRECTORY REGEX [RULE_PREFIX] (added in AIDE v0.17)
              Include all (regular) files found in DIRECTORY matching the
              regular expression REGEX (sub-directories are ignored). The
              files are included in lexical sort order.

              If RULE_PREFIX is set, all rules included by the statement are
              prefixed with the given RULE_PREFIX (added in AIDE v0.18).
              Prefixes from nested include statements are concatenated.

              The content of the files is used as if it were inserted in
              this part of the config file.

       @@x_include FILE (added in AIDE v0.17)
       @@x_include DIRECTORY REGEX [RULE_PREFIX] (added in AIDE v0.17)
              @@x_include is identical to @@include, except that if a config
              file is executable it is run and its output is used as config.

              If the executable file exits with a status greater than zero
              or writes to stderr, aide stops with an error.

              For security reasons DIRECTORY and each executable config file
              must be owned by the current user or root. They must not be
              group- or world-writable.

       @@x_include_setenv VAR VALUE (added in AIDE v0.17)
              Adds the variable VAR with the value VALUE to the environment
              used for config file execution.

              Environment variable names are limited to alphanumeric
              characters (A-Za-z0-9) and the underscore '_' and must not
              begin with a digit.

TYPES
       bool   Valid values are yes, true, no or false.

       attribute expression
              An attribute expression is of the following form:

                     <attribute/group>
                     | <expr> + <attribute/group>
                     | <expr> - <attribute/group>

       URLS
              URLs can be one of the following. Input URLs cannot be used as
              outputs and vice versa.

              stdout
              stderr Output is sent to stdout or stderr respectively.

              stdin  Input is read from stdin.

              file:/path
                     Input is read from path or output is written to path.

              fd:number
                     Input is read from file descriptor number or output is
                     written to it.

              syslog:LOG_FACILITY
                     Output is written to syslog using LOG_FACILITY.

ATTRIBUTES
   File attributes
       ftype  file type (added in AIDE v0.15)

       p      permissions

       i      inode

       l      link name

       n      number of links

       u      user

       g      group

       s      size

       b      block count

       m      mtime

       a      atime

       c      ctime

       acl    access control list (requires libacl)

       selinux
              selinux attributes (requires libselinux)

       xattrs extended attributes (requires libattr)

       e2fsattrs
              file attributes on a second extended file system, see also the
              report_ignore_e2fsattrs option (requires libext2fs, added in
              AIDE v0.15)

       caps   file capabilities (requires libcap2, added in AIDE v0.17)

       Use 'aide --version' to show which compiled-in attributes are
       available.

   Special attributes
       S      check for growing size (DEPRECATED since AIDE v0.18, will be
              removed in AIDE v0.20)

              Use the growing+s attributes instead.

       I      ignore changed filename

              When I is used, the inode of the old file is used to search
              for a moved file in the new database.

              Source and target file have to be located in the same
              directory and must share the same attributes (except for the
              special attributes ANF, ARF, I, growing, and compressed).

              For moved entries a change of the ctime attribute is ignored.

       growing
              ignore growing file (added in AIDE v0.18)

              When growing is used, changes of the following attributes are
              ignored:

              size      if the new size is greater than the old size

              bcount    if the new bcount is greater than the old bcount

              atime     if the new atime is greater than the old atime

              mtime     if the new mtime is greater than the old mtime

              ctime     if the new ctime is greater than the old ctime

              hashsums  if the hashsum of the new file restricted to the old
                        size equals the hashsum of the old file

              For hashsum attributes the growing attribute is ignored in
              compare mode.

       compressed
              ignore compressed file (added in AIDE v0.18)

              When compressed is used, the uncompressed hashsums of the new
              compressed file (supported compressions: gzip) are used to
              search for the uncompressed file in the old database.

              The old uncompressed and the new compressed file have to be
              located in the same directory and must share the same
              attributes (except for the special attributes ANF, ARF, I,
              growing, and compressed) including at least one hashsum.

              Changes of the inode, size, bcount and ctime attributes are
              ignored.

              The growing attribute (i.e. the old file size) is not
              considered for compressed files during the calculation of the
              uncompressed hashsums.

              The compressed attribute is ignored in compare mode.

       ANF    allow new files

              When 'ANF' is used, new files are added to the new database,
              but are ignored in the report.

       ARF    allow removed files

              When 'ARF' is used, files missing on disk are omitted from the
              new database, but are ignored in the report.

   Hashsum attributes
       md5    MD5 checksum (not in libgcrypt FIPS mode)

       sha1   SHA-1 checksum

       sha256 SHA-256 checksum

       sha512 SHA-512 checksum

       rmd160 RIPEMD-160 checksum

       tiger  tiger checksum

       haval  haval256 checksum (libmhash only)

       crc32  crc32 checksum

       crc32b crc32 checksum (libmhash only)

       gost   GOST R 34.11-94 checksum

       whirlpool
              whirlpool checksum

       stribog256
              GOST R 34.11-2012, 256 bit checksum (libgcrypt only, added in
              AIDE v0.17)

       stribog512
              GOST R 34.11-2012, 512 bit checksum (libgcrypt only, added in
              AIDE v0.17)

       Use 'aide --version' to show which hashsums are available.

EXAMPLES
       / R    This adds all files on your machine to the database. This one
              line is a fully qualified configuration file.

       !/dev$ This ignores the /dev directory structure.

       =/foo R
              Only /foo and /foobar are taken into the database. None of
              their children are added.

       =/foo/ R
              Only /foo and its children (e.g. /foo/file and /foo/directory)
              are taken into the database. The children of sub-directories
              (e.g. /foo/directory/bar) are not added.

       / d,f R
              Only add directories and files to the database.

       !/run d
       /run R
              Add all but directory entries to the database.

       /run d R-m-c-i
       /run R
              Use a specific rule for directories.

   Suggested Groups
       OwnerMode = p+u+g+ftype
              Check permissions, owner, group and file type.

       Size = s+b
              Check size and block count.

       InodeData = OwnerMode+n+i+Size+l+X
       StaticFile = m+c+Checksums
              Files that stay static.

       Full = InodeData+StaticFile
       Full = ftype+p+l+u+g+s+m+c+a+i+b+n+H+X
       / 0 Full
              This line defines group Full. It has all attributes, all
              compiled in hashsums (H) and all compiled in extra file
              attributes (X). See '--version' output for the compiled in
              hashsums and extra groups. The example rule is the typical
              catch-all rule at the end of the rule list.

       VarTime = InodeData+Checksums
       /etc/ssl/certs/ca-certificates\\.crt$ VarTime
              Files that change their mtimes or ctimes but not their
              contents.

       VarInode = VarTime-i
       /var/lib/nfs/etab$ f VarInode
              Files that are recreated regularly but do not change their
              contents.

       VarFile = OwnerMode+n+l+X
       /etc/resolv\\.conf$ f VarFile
              Files that change their contents during system operation.

       VarDir = OwnerMode+n+i+X
       /var/lib/snmp$ d VarDir
              Directories that change their contents during system
              operation.

       RecreatedDir = OwnerMode+n+X
       /run/samba$ d RecreatedDir
              Directories that are recreated regularly and change their
              contents.

   Log Handling
       Logs pose a number of special challenges to AIDE. An active log is
       nearly constantly being written to. The process of log rotation
       changes file names for files that are supposed to have unaltered
       contents. To save space, logs are compressed in the process of their
       rotation, and finally they get deleted. AIDE is supposed to handle
       all those cases without generating reports, and it is still expected
       to flag the cases when an attacker tampers with logs.

       The following examples suggest a way to handle the common case of log
       rotation with the logrotate(8) program, with its options compress,
       delaycompress and nocopytruncate set. The vast majority of logs are
       rotated this way on most Linux systems.

       ActLog=Full+growing+ANF+I
       /var/log/foo\\.log$ f ActLog
              An Active Log is typically named foo.log. It is constantly
              being written to. The file changes neither its mode nor its
              inode number. The size only increases, and what is written to
              the file is not supposed to change (growing). During log
              rotation, foo.log is typically renamed to foo.log.1 (or
              foo.log.0) and the process is instructed to write to a new
              foo.log. Log content is written to a new file (ANF) and will
              eventually be renamed to foo.log.1 (I). The growing attribute
              suppresses reports for files that just had content appended
              when compared to the database. A change of the old content is
              still reported!

       RotLog=Full
       /var/log/foo\\.log\\.1$ f RotLog
              foo.log.0 or foo.log.1 is called the Rotated Log, the
              previously active log renamed to the first name of the Log
              Series that is formed by the rotation mechanism. Right after
              rotation, the file might still be being written to by the
              daemon. To aide, this looks like the Active Log's size
              decreases and its inode and timestamps change. The Rotated Log
              is not supposed to change its attributes once the process has
              stopped writing to it. Reports might be generated if aide runs
              while the process still writes to the Rotated Log, but this is
              quite unlikely to happen. Some log rotation mechanisms rename
              foo.log to foo.log.0 to foo.log.1.gz, others rename foo.log to
              foo.log.1 to foo.2.log.gz.

       CompSerLog=Full+I+compressed
       /var/log/foo\\.log\\.2\\.gz$ f CompSerLog
              In the next rotation step, foo.log.1 gets compressed to
              foo.log.2.gz, becoming the Compressed Log in the Log Series.
              With this rule, AIDE does not report this step because it
              uncompresses the contents of the file and takes the checksum
              of the uncompressed content. The contents strictly don't
              change, but some attribute changes are ignored (compressed).

       MidlSerLog=Full+I
       /var/log/foo\\.log\\.[345]\\.gz$ f MidlSerLog
              In the next log rotation, all foo.log.{x} get renamed to
              foo.log.{x+1}. The other attributes are not supposed to
              change.

       LastSerLog=Full+ARF
       /var/log/foo\\.log\\.6\\.gz$ f LastSerLog
              The configuration of the log rotation process specifies a
              number of log generations to keep. The last log in the series
              is therefore removed from the disk (ARF).

       aide 0.18 does not yet support the following cases of log rotation:

       empty files
              It might be the case that a log is actually created, but never
              written to. This commonly happens on rarely used web servers
              that use log rotation as a method to cater for data protection
              regulation. As a result, all files in a series are identical,
              breaking the heuristics that aide uses to detect log rotation.
              A possible workaround is to begin a newly rotated log with a
              timestamp. With logrotate, this can be done in a postrotate
              scriptlet.

       nodelaycompress
              With logrotate's nodelaycompress option, a log is immediately
              compressed after renaming it from the Active Log name. For the
              time being, it is recommended to always use the delaycompress
              option to avoid this behavior.

       copytruncate
              With logrotate's copytruncate option, the Active Log is not
              renamed and newly created but copied to the new file name.
              After the copy operation, the old file is truncated to zero
              size, allowing the daemon to continuously write to the already
              open file handle. aide uses the inode number to detect the
              rotation process. That doesn't work with copytruncate because
              the inode stays with the Active Log. For the time being, it is
              recommended to avoid the copytruncate option to avoid this
              behavior.

HINTS
       In the following, the first is not allowed in AIDE. Use the latter
       instead.

              /foo epug

              /foo e+p+u+g
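As an added example (not code from AIDE), the following resolves group definitions and attribute expressions as described in GROUPS and TYPES, and splits regular, negative, equals and restricted rule lines as described in RULES and RESTRICTED RULES, using the Suggested Groups above as input; the hashsums behind the H group and the Checksums group are assumptions, since the page leaves both to the build, and the whole-word check is what rejects the "/foo epug" form from HINTS.

```python
"""Resolve aide.conf groups and split rule lines (added example, not AIDE code).

Follows the GROUPS, RULES, RESTRICTED RULES and TYPES sections of this man
page. The hashsums behind the H group and the "Checksums" group used by the
Suggested Groups are assumptions; what is compiled in differs per build.
"""
import re

# Attribute names from the ATTRIBUTES section (file, special and hashsum).
ATTRIBUTES = {
    "ftype", "p", "i", "l", "n", "u", "g", "s", "b", "m", "a", "c",
    "acl", "selinux", "xattrs", "e2fsattrs", "caps",
    "S", "I", "growing", "compressed", "ANF", "ARF",
    "md5", "sha1", "sha256", "sha512", "rmd160", "tiger", "haval",
    "crc32", "crc32b", "gost", "whirlpool", "stribog256", "stribog512",
}
# Default groups from the GROUPS section; H is an assumed libgcrypt build.
DEFAULT_GROUPS = {
    "R": "p+ftype+i+l+n+u+g+s+m+c+md5+X",
    "L": "p+ftype+i+l+n+u+g+X",
    ">": "p+ftype+l+u+g+i+n+s+growing+X",
    "H": "md5+sha1+sha256+sha512",  # assumption
    "X": "acl+selinux+xattrs+e2fsattrs+caps",
    "E": "",
}
GROUP_NAME = re.compile(r"^[A-Za-z0-9]+$")    # group names: alphanumeric only
RESTRICTION_CHARS = set("fdlcbpsDP0")        # file types; 0 = no restriction
TERM = re.compile(r"([+-]?)([^+\-]+)")        # <expr> +/- <attribute/group>
UNESCAPED_SPACE = re.compile(r"(?<!\\)\s+")   # '\ ' escapes a space in a path


class Config:
    def __init__(self):
        self.groups = dict(DEFAULT_GROUPS)

    def define_group(self, line):
        """Parse a '<group name> = <attribute expression>' line."""
        name, sep, expr = (part.strip() for part in line.partition("="))
        if not sep or not GROUP_NAME.match(name):
            raise ValueError(f"invalid group definition: {line!r}")
        self.groups[name] = expr

    def resolve(self, expr, _stack=()):
        """Evaluate an attribute expression left to right into a set."""
        attrs = set()
        for op, term in TERM.findall(expr.replace(" ", "")):
            if term in self.groups:
                if term in _stack:
                    raise ValueError(f"cyclic group definition: {term}")
                members = self.resolve(self.groups[term], _stack + (term,))
            elif term in ATTRIBUTES:
                members = {term}
            else:  # e.g. 'epug' from HINTS: letters must be joined with '+'
                raise ValueError(f"unknown attribute or group: {term!r}")
            attrs = attrs - members if op == "-" else attrs | members
        return attrs

    def parse_rule(self, line):
        """Split a rule line into (kind, regex, restrictions, attributes)."""
        kind = "regular"
        if line.startswith("!"):
            kind, line = "negative", line[1:]
        elif line.startswith("="):
            kind, line = "equals", line[1:]
        parts = UNESCAPED_SPACE.split(line.strip())
        if not parts[0].startswith("/"):
            raise ValueError("regular expression must start with '/'")
        regex, rest = parts[0], parts[1:]
        restrictions = set()
        # A file-type list may sit between regex and expression. It is only
        # taken as one when something follows it (or the rule is negative),
        # so '/foo s' still means the size attribute.
        if rest and set(rest[0]) <= RESTRICTION_CHARS | {","} \
                and (kind == "negative" or len(rest) > 1):
            restrictions = set(rest[0].split(",")) - {"0"}
            rest = rest[1:]
        if kind == "negative":
            if rest:
                raise ValueError("negative rules take no attribute expression")
            return kind, regex, restrictions, set()
        if len(rest) != 1:
            raise ValueError(f"expected one attribute expression: {line!r}")
        return kind, regex, restrictions, self.resolve(rest[0])


if __name__ == "__main__":
    cfg = Config()
    for definition in ("OwnerMode = p+u+g+ftype", "Size = s+b",
                       "InodeData = OwnerMode+n+i+Size+l+X",
                       "Checksums = sha256+sha512",  # assumption
                       "VarTime = InodeData+Checksums", "VarInode = VarTime-i"):
        cfg.define_group(definition)
    print(cfg.parse_rule("/var/lib/nfs/etab$ f VarInode"))
```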
962
SEE ALSO
       aide(1)

DISCLAIMER
       All trademarks are the property of their respective owners. No
       animals were harmed while making this webpage or this piece of
       software.

aide v0.18.4                      2023-06-13                       AIDE.CONF(5)