aide.conf(5)                   File Formats Manual                   aide.conf(5)

NAME
   aide.conf - The configuration file for Advanced Intrusion Detection
   Environment

DESCRIPTION
   aide.conf is the configuration file for Advanced Intrusion Detection
   Environment. aide.conf contains the runtime configuration aide uses to
   initialize or check the aide database.

   aide.conf is similar to Tripwire(tm)'s configuration file. With little
   effort tw.conf can be converted to aide.conf.

   Aide.conf is case-sensitive. Leading and trailing whitespace is ignored.

   There are three types of lines in aide.conf. First there are the
   configuration lines which are used to set configuration parameters and
   define/undefine variables. Second, there are selection lines that are used
   to indicate which files are added to the database. Third, macro lines
   define or undefine variables within the config file. Lines beginning with
   # are ignored as comments.
27
CONFIG LINES
   These lines have the format parameter=value. See URLS for a list of valid
   urls.

   database
          The url from which the database is read. There can only be one of
          these lines. If there are multiple database lines then the first is
          used. The default value is "/usr/etc/aide.db".

   database_out
          The url to which the new database is written. There can only be one
          of these lines. If there are multiple database_out lines then the
          first is used. The default value is "/usr/etc/aide.db.new".

   database_new
          The url from which the other database for --compare is read. There
          is no default for this one.

   verbose
          The level of messages that is output. This value can be 0-255
          inclusive. This parameter can only be given once; the value from the
          first occurrence is used. If --verbose or -V is used then the value
          from that is used. The default is 5. If verbosity is 20 then
          additional report output is written when doing --check, --update or
          --compare.

   report_url
          The url that the output is written to. There can be multiple
          instances of this parameter. Output is written to all of them. The
          default is stdout.

   gzip_dbout
          Whether the output to the database is gzipped or not. Valid values
          are yes, true, no and false. The default is no. This option is
          available only if zlib support is compiled in.

   acl_no_symlink_follow
          Whether to check ACLs for symlinks or not. Valid values are yes,
          true, no and false. The default is to follow symlinks. This option
          is available only if acl support is compiled in.

   warn_dead_symlinks
          Whether to warn about dead symlinks or not. Valid values are yes,
          true, no and false. The default is not to warn about dead symlinks.

   report_attributes
          Special group definition that lists parameters which are always
          printed in the final report for changed files.

   ignore_list
          Special group definition that lists parameters which are to be
          ignored in the final report.

   config_version
          The value of config_version is printed in the report and also
          written to the database. This is for informational purposes only.
          It has no other functionality.

   Group definitions
          If the parameter is not one of the previous parameters then it is
          regarded as a group definition. The value is then regarded as an
          expression of the following form:

                 <predefined group>
               | <expr> + <predefined group>
               | <expr> - <predefined group>

          See DEFAULT GROUPS for an explanation of the default predefined
          groups. Note that this is different from the way Tripwire(tm) does
          it.

          There is also a special group named "ignore_list". The predefined
          groups listed in it are NOT displayed in the final report.

SELECTION LINES
   aide supports three types of selection lines (regular, negative, equals).
   Lines beginning with "/" are regular selection lines. Lines beginning with
   "=" are equals selection lines. And lines beginning with "!" are negative
   selection lines. The string following the first character is taken as a
   regular expression matching a complete filename, including the path. In a
   regular selection rule the "/" is included in the regular expression.
   Following the regular expression is a group definition as explained above.
   See EXAMPLES and doc/aide.conf for examples.

   A more in-depth discussion of the selection algorithm can be found in the
   aide manual.

MACRO LINES
   @@define VAR val
          Define variable VAR to value val.

   @@undef VAR
          Undefine variable VAR.

   @@ifdef VAR, @@ifndef VAR
          @@ifdef begins an if statement. It must be terminated with an
          @@endif statement. The lines between @@ifdef and @@endif are used if
          variable VAR is defined. If there is an @@else statement then the
          part between @@ifdef and @@else is used if VAR is defined, otherwise
          the part between @@else and @@endif is used. @@ifndef reverses the
          logic of the @@ifdef statement but otherwise works similarly.

   @@ifhost hostname, @@ifnhost hostname
          @@ifhost works like @@ifdef; the only difference is that it checks
          whether hostname equals the name of the host that aide is running
          on. hostname is the name of the host without the domain name
          (hostname, not hostname.aide.org).

   @@{VAR}
          @@{VAR} is replaced with the value of the variable VAR. If variable
          VAR is not defined an empty string is used. Unlike Tripwire(tm),
          @@VAR is NOT supported. One special VAR is @@{HOSTNAME}, which is
          substituted with the hostname of the current system.

   @@else Begins the else part of an if statement.

   @@endif
          Ends an if statement.

   @@include VAR
          Includes the file VAR. The content of the file is used as if it
          were inserted in this part of the config file.

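The macro lines above form a small preprocessor. The following is an added example, not part of aide or of this manual page: a Python model of that preprocessor which implements @@define, @@undef, @@ifdef/@@ifndef, @@ifhost/@@ifnhost, @@else, @@endif, @@include and @@{VAR} substitution exactly as described (undefined variables expand to the empty string, @@{HOSTNAME} is always available, an included file behaves as if inserted in place). The sample configuration and the virtual file behind @@include are constructed for the example; the host name is passed in as the short name the page says @@ifhost compares against, and expanding @@{VAR} only outside macro lines is an assumption of this model.

```python
import re

# Constructed stand-in for files named by @@include, so the example runs offline.
INCLUDE_FILES = {
    "common.conf": "/etc p+i+n+u+g+s+m+c+md5\n",
}

_VAR_REF = re.compile(r"@@\{(\w+)\}")


def preprocess(text, hostname, include_files=INCLUDE_FILES):
    """Expand the macro lines of an aide.conf text and return the remaining lines.

    hostname is the short host name (no domain part), which is what @@ifhost
    compares against.  Assumption of this model: @@{VAR} references are
    expanded in config and selection lines only, not inside macro lines."""
    variables = {}
    out = []
    # One entry per open @@ifdef/@@ifndef/@@ifhost/@@ifnhost:
    # [branch_taken, enclosing_block_active, else_seen]
    stack = []

    def active():
        return not stack or (stack[-1][0] and stack[-1][1])

    def substitute(line):
        def lookup(match):
            name = match.group(1)
            if name == "HOSTNAME":          # special variable, always available
                return hostname
            return variables.get(name, "")  # undefined variables expand to ""
        return _VAR_REF.sub(lookup, line)

    def run(source):
        for raw in source.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if not line.startswith("@@") or line.startswith("@@{"):
                if active():
                    out.append(substitute(line))
                continue
            parts = line.split(None, 2)
            directive = parts[0]
            arg = parts[1] if len(parts) > 1 else ""
            if directive in ("@@ifdef", "@@ifndef"):
                taken = (arg in variables) == (directive == "@@ifdef")
                stack.append([taken, active(), False])
            elif directive in ("@@ifhost", "@@ifnhost"):
                taken = (arg == hostname) == (directive == "@@ifhost")
                stack.append([taken, active(), False])
            elif directive == "@@else":
                if not stack or stack[-1][2]:
                    raise ValueError("@@else without an open if statement")
                stack[-1][0] = not stack[-1][0]
                stack[-1][2] = True
            elif directive == "@@endif":
                if not stack:
                    raise ValueError("@@endif without an open if statement")
                stack.pop()
            elif not active():
                continue                    # inside a branch that is not taken
            elif directive == "@@define":
                variables[arg] = parts[2] if len(parts) > 2 else ""
            elif directive == "@@undef":
                variables.pop(arg, None)
            elif directive == "@@include":
                if arg not in include_files:
                    raise FileNotFoundError(f"@@include {arg}: no such file")
                run(include_files[arg])     # inserted in place, sharing variables
            else:
                raise ValueError(f"unknown macro line: {line!r}")

    run(text)
    if stack:
        raise ValueError("if statement not terminated with @@endif")
    return out


# Constructed sample configuration exercising every macro line type.
SAMPLE_CONFIG = """
@@define DBDIR /var/lib/aide
@@ifhost webserver
@@define WEB yes
@@endif
database=file://@@{DBDIR}/aide.db
@@ifdef WEB
/var/www R
@@else
/srv L
@@endif
@@ifndef NOLOGS
/var/log >
@@endif
@@include common.conf
report_url=file:///var/log/aide-@@{HOSTNAME}.report
@@undef DBDIR
database_out=file://@@{DBDIR}/aide.db.new
"""

if __name__ == "__main__":
    for host in ("webserver", "backup"):
        print(f"--- expanded for host {host}")
        print("\n".join(preprocess(SAMPLE_CONFIG, host)))
```

Running it for the host "webserver" selects /var/www, for any other host /srv. The last line of the expansion shows the quiet failure mode the page warns about: after @@undef DBDIR the reference @@{DBDIR} becomes an empty string, so database_out silently turns into file:///aide.db.new rather than an error.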
URLS
   Urls can be one of the following. Input urls cannot be used as outputs and
   vice versa.

   stdout
   stderr Output is sent to stdout or stderr respectively.

   stdin  Input is read from stdin.

   file://filename
          Input is read from filename or output is written to filename.

   fd:number
          Input is read from file descriptor number or output is written to
          it.

DEFAULT GROUPS
   p:      permissions
   i:      inode
   n:      number of links
   u:      user
   g:      group
   s:      size
   m:      mtime
   a:      atime
   c:      ctime
   S:      check for growing size
   I:      ignore changed filename
   ANF:    allow new files
   ARF:    allow removed files
   md5:    md5 checksum
   sha1:   sha1 checksum
   rmd160: rmd160 checksum
   tiger:  tiger checksum
   R:      p+i+n+u+g+s+m+c+md5
   L:      p+i+n+u+g
   E:      Empty group
   >:      Growing logfile p+u+g+i+n+S

   And also the following if you have mhash support enabled:

   crc32:  crc32 checksum
   haval:  haval checksum
   gost:   gost checksum

   Please note that 'I' and 'c' are incompatible. When the name of a file is
   changed, its ctime is updated as well. When you put 'c' and 'I' in the same
   rule, a changed ctime is silently ignored.

   When 'ANF' is used, new files are added to the new database, but are
   ignored in the report.

   When 'ARF' is used, files missing on disk are omitted from the new
   database, but are ignored in the report.

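The group expression grammar from CONFIG LINES and the predefined groups listed above combine into a small evaluator. The following is an added example, not aide's own code: a Python parser for config lines that separates the named parameters from group definitions, evaluates <group> (+|-) <group> expressions left to right against the predefined groups (R, L, E and > expanded to their attribute sets), applies the rules the page states (first occurrence of a parameter wins, every report_url is used, gzip_dbout and friends take yes/true/no/false, verbose is 0-255) and warns when a group mixes I and c, the incompatibility noted above. The sample configuration is constructed; treating report_attributes and ignore_list as group expressions follows their description as "special group definitions".

```python
import re

# Predefined groups from the DEFAULT GROUPS section.  Single attributes map to
# themselves; the compound groups R, L, E and > expand to attribute sets.
PREDEFINED = {name: {name} for name in (
    "p", "i", "n", "u", "g", "s", "m", "a", "c", "S", "I", "ANF", "ARF",
    "md5", "sha1", "rmd160", "tiger",
    "crc32", "haval", "gost",          # only available with mhash support
)}
PREDEFINED["R"] = {"p", "i", "n", "u", "g", "s", "m", "c", "md5"}
PREDEFINED["L"] = {"p", "i", "n", "u", "g"}
PREDEFINED["E"] = set()
PREDEFINED[">"] = {"p", "u", "g", "i", "n", "S"}

# Parameters named in CONFIG LINES; any other name left of "=" defines a group.
KNOWN_PARAMETERS = {
    "database", "database_out", "database_new", "verbose", "report_url",
    "gzip_dbout", "acl_no_symlink_follow", "warn_dead_symlinks", "config_version",
}
BOOLEAN_PARAMETERS = {"gzip_dbout", "acl_no_symlink_follow", "warn_dead_symlinks"}
# "Special group definitions": their value is a group expression, not a string.
SPECIAL_GROUP_PARAMETERS = {"report_attributes", "ignore_list"}

_TOKEN = re.compile(r"[+-]|[^+\-\s]+")


def evaluate_group(expr, groups):
    """Evaluate <group> ( (+|-) <group> )* left to right into an attribute set."""
    tokens = _TOKEN.findall(expr)
    if not tokens or tokens[0] in ("+", "-") or len(tokens) % 2 == 0:
        raise ValueError(f"malformed group expression: {expr!r}")

    def lookup(name):
        if name not in groups:
            raise ValueError(f"unknown group {name!r} in {expr!r}")
        return groups[name]

    result = set(lookup(tokens[0]))
    for op, name in zip(tokens[1::2], tokens[2::2]):
        if op not in ("+", "-"):
            raise ValueError(f"expected + or - in {expr!r}")
        if op == "+":
            result |= lookup(name)
        else:
            result -= lookup(name)
    return result


def is_valid_group_expression(expr, groups):
    try:
        evaluate_group(expr, groups)
        return True
    except ValueError:
        return False


def parse_config_lines(text):
    """Collect parameters and group definitions from the config lines of text.

    Selection lines (/, =, !) and macro lines (@@) are skipped here; they are
    handled separately.  Returns (params, groups, warnings)."""
    params, groups, warnings = {}, dict(PREDEFINED), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#/=!@":
            continue
        if "=" not in line:
            warnings.append(f"line {lineno}: not a config line: {line!r}")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "report_url":                 # may be repeated; all are used
            params.setdefault(key, []).append(value)
        elif key in KNOWN_PARAMETERS:
            if key in params:                   # first occurrence wins
                warnings.append(f"line {lineno}: duplicate {key}; keeping the first value")
                continue
            if key in BOOLEAN_PARAMETERS and value not in ("yes", "true", "no", "false"):
                warnings.append(f"line {lineno}: {key} must be yes, true, no or false")
            if key == "verbose" and not (value.isdigit() and int(value) <= 255):
                warnings.append(f"line {lineno}: verbose must be 0-255")
            params[key] = value
        else:
            attrs = evaluate_group(value, groups)
            if "I" in attrs and "c" in attrs:   # incompatible per DEFAULT GROUPS
                warnings.append(f"line {lineno}: {key} mixes I and c; ctime changes are silently ignored")
            if key in SPECIAL_GROUP_PARAMETERS:
                params[key] = attrs
            else:
                groups[key] = attrs
    return params, groups, warnings


# Constructed sample configuration, not a real deployment.
SAMPLE_CONFIG = """
database=file:///var/lib/aide/aide.db
database_out=file:///var/lib/aide/aide.db.new
report_url=stdout
report_url=file:///var/log/aide.report
verbose=20
verbose=5
gzip_dbout=maybe
All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160
Logs=>
NoCtime=R-c
Renamed=L+I+c
ignore_list=a
/etc All
"""

PARAMS, GROUPS, WARNINGS = parse_config_lines(SAMPLE_CONFIG)

if __name__ == "__main__":
    for name in ("All", "Logs", "NoCtime", "Renamed"):
        print(name, "=", "+".join(sorted(GROUPS[name])))
    print("\n".join(WARNINGS))
```

Because the tokenizer only splits on + and -, the unsupported spelling from EXAMPLES ("epug") is rejected as a single unknown group name, while "E+p+u+g" evaluates normally.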
EXAMPLES
   / R

   This adds all files on your machine to the database. This single line is a
   fully qualified configuration file.

   !/dev

   This ignores the /dev directory structure.

   =/tmp

   Only /tmp is taken into the database. None of its children are added.

   All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160

   This line defines group All. It has all attributes and all message digest
   functions. If you absolutely want all digest functions then you should
   enable mhash support and add +crc32+haval+gost to the end of the
   definition for All. Mhash support can only be enabled at compile-time.

   =/foo p+i+n+u+g+s+m+c+md5

   /foo/bar p+i+n+u+g+s+m+c+md5

   This config adds all files under /foo because they match the regex /foo,
   which is equivalent to /foo.* . What you probably want is:

   =/foo$ p+i+n+u+g+s+m+c+md5

   /foo/bar p+i+n+u+g+s+m+c+md5

   Note that the following still works as expected because =/foo$ stops the
   recursion into directory /foo.

   =/foo p+i+n+u+g+s+m+c+md5

   In the following, the first is not allowed in AIDE. Use the latter
   instead.

   /foo epug

   /foo e+p+u+g

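The /foo examples above turn on one property of selection lines: the regular expression is matched at the beginning of the full path, so /foo behaves like /foo.* and only /foo$ matches /foo alone. The following is an added example, not aide's own code: a Python parser for the three selection line types described in SELECTION LINES, plus a per-path classifier that shows which rules a given path matches under that anchoring. The rule sets are the ones from this section, the paths are constructed, and two points are assumptions of this simplified model rather than statements of the page: a negative match overrides any positive match, and the directory walk itself (whether a directory matched by an equals rule is descended into) is not modelled, which is what the aide manual covers.

```python
import re
from dataclasses import dataclass


@dataclass
class SelectionRule:
    kind: str          # "regular", "equals" or "negative"
    text: str          # the rule as spelled in aide.conf, e.g. "=/foo$" or "!/dev"
    groups: str        # group expression after the regex ("" for negative rules)
    regex: re.Pattern


def parse_selection_line(line):
    """Split one selection line into its kind, regex and group expression."""
    line = line.strip()
    if line.startswith("/"):
        kind, body = "regular", line        # the leading "/" is part of the regex
    elif line.startswith("="):
        kind, body = "equals", line[1:]
    elif line.startswith("!"):
        kind, body = "negative", line[1:]
    else:
        raise ValueError(f"not a selection line: {line!r}")
    parts = body.split(None, 1)
    pattern = parts[0]
    groups = parts[1].strip() if len(parts) > 1 else ""
    prefix = {"regular": "", "equals": "=", "negative": "!"}[kind]
    return SelectionRule(kind, prefix + pattern, groups, re.compile(pattern))


def load_rules(lines):
    return [parse_selection_line(l) for l in lines
            if l.strip() and not l.lstrip().startswith("#")]


def decide(path, rules):
    """Classify one full path against the rules.

    re.match anchors the regex at the start of the path, which is why "/foo"
    behaves like "/foo.*" and only "/foo$" matches /foo alone.  A negative
    match overriding a positive one is an assumption of this model; descent
    into directories is not modelled."""
    hits = [r for r in rules if r.regex.match(path)]
    texts = [r.text for r in hits]
    if any(r.kind == "negative" for r in hits):
        return "excluded", texts
    if hits:
        return "matched", texts
    return "unmatched", texts


# Constructed rule sets taken from the EXAMPLES section.
RULES_PREFIX = load_rules(["=/foo p+i+n+u+g+s+m+c+md5", "/foo/bar p+i+n+u+g+s+m+c+md5"])
RULES_ANCHORED = load_rules(["=/foo$ p+i+n+u+g+s+m+c+md5", "/foo/bar p+i+n+u+g+s+m+c+md5"])
RULES_BASE = load_rules(["/ R", "!/dev", "=/tmp"])

if __name__ == "__main__":
    for label, rules in (("=/foo", RULES_PREFIX), ("=/foo$", RULES_ANCHORED)):
        for path in ("/foo", "/foo/bar/x", "/foo/other/file", "/foobar"):
            print(f"{label:7} {path:17} {decide(path, rules)}")
    for path in ("/etc/passwd", "/dev/null", "/tmp"):
        print(f"{'base':7} {path:17} {decide(path, RULES_BASE)}")
```

The output makes the pitfall concrete: with =/foo the unrelated path /foobar and everything under /foo/other match the equals rule, while with =/foo$ they match nothing and only the explicit /foo/bar rule selects files below /foo.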
SEE ALSO
   aide(1) http://www.cs.tut.fi/~rammer/aide/manual.html

DISCLAIMER
   All trademarks are the property of their respective owners. No animals
   were harmed while making this webpage or this piece of software.
285
286
287
288
289
290 aide.conf(5)