aide.conf man page on Oracle

aide.conf(5)							  aide.conf(5)

NAME
       aide.conf  -  The  configuration	 file for Advanced Intrusion Detection
       Environment

SYNOPSIS
       aide.conf is the configuration file for Advanced Intrusion Detection
       Environment. aide.conf contains the runtime configuration aide uses to
       initialize or check the aide database.

FILE FORMAT
       aide.conf is similar to Tripwire(tm)'s configuration file. With little
       effort tw.conf can be converted to aide.conf.

       aide.conf  is  case-sensitive.  Leading	and  trailing  whitespaces are
       ignored.

       There are three types of lines in aide.conf. First there are  the  con‐
       figuration  lines  which	 are  used to set configuration parameters and
       define/undefine variables. Second, there are selection lines  that  are
       used  to	 indicate  which files are added to the database. Third, macro
       lines define or undefine variables within the config file. Lines begin‐
       ning with # are ignored as comments.

CONFIG LINES
       These  lines  have  the	format parameter=value. See URLS for a list of
       valid urls.

       database
	      The url from which database is read. There can only  be  one  of
	      these lines. If there are multiple database lines then the first
	      is used.	The default value is "/usr/etc/aide.db".

       database_out
              The url to which the new database is written. There can only
              be one of these lines. If there are multiple database_out lines
              then the first is used. The default value is
              "/usr/etc/aide.db.new".

       database_new
	      The  url	from  which  the other database for --compare is read.
	      There is no default for this one.

       verbose
              The level of messages that is output. This value can be 0-255
              inclusive. This parameter can only be given once; the value from
              the first occurrence is used. If --verbose or -V is used then the
              value from that is used. The default is 5. If verbosity is 20
              then additional report output is written when doing --check,
              --update or --compare.

       report_url
	      The  url	that  the  output is written to. There can be multiple
	      instances of this parameter. Output is written to all  of	 them.
	      The default is stdout.

       gzip_dbout
	      Whether the output to the database is gzipped or not. Valid val‐
	      ues are yes,true,no and false. The default is no. This option is
	      available only if zlib support is compiled in.

       acl_no_symlink_follow
	      Whether  to  check  ACLs	for  symlinks or not. Valid values are
	      yes,true,no and false. The default is to follow  symlinks.  This
	      option is available only if acl support is compiled in.

       warn_dead_symlinks
	      Whether  to  warn	 about	dead symlinks or not. Valid values are
	      yes,true,no and false. The default is not	 to  warn  about  dead
	      symlinks.

       grouped
	      Whether  to  group the files in the report by added, removed and
	      changed files or not. Valid values are yes, true, no and	false.
	      The default is to group the files in the report.

       summarize_changes
	      Whether  to  summarize changes in the added, removed and changed
	      files  sections  of  the	report	or  not.  Valid	  values   are
	      yes,true,no  and	false.	 The  default  is not to summarize the
	      changes.

	      The general format is like the string YlZbpugamcinCAXSE, where Y
	      is  replaced  by	the  file-type	(f for a regular file, d for a
	      directory, L for a symbolic link, D for a	 character  device,  B
	      for  a  block device, F for a FIFO, s for a unix socket, | for a
	      Solaris door, ! if file type has changed and ? otherwise).

              The Z is replaced as follows: a = means that the size has not
              changed, a < reports a shrunk size and a > reports a grown
              size.

	      The other letters in the string are the actual letters that will
	      be  output  if  the  associated  attribute for the item has been
	      changed or a "." for no change, a "+" if the attribute has  been
	      added,  a	 "-" if it has been removed, a ":" if the attribute is
	      listed in ignore_list or a " " if the  attribute	has  not  been
	      checked.	The  exceptions	 to this are: (1) a newly created file
	      replaces each letter with a "+", and (2) a removed file replaces
	      each letter with a "-".

	      The attribute that is associated with each letter is as follows:

	      o	     A l means that the link name has changed.

	      o	     A b means that the block count has changed.

	      o	     A p means that the permissions have changed.

              o      A u means that the uid has changed.

	      o	     A g means that the gid has changed.

	      o	     An a means that the access time has changed.

	      o	     A m means that the modification time has changed.

	      o	     A c means that the change time has changed.

	      o	     An i means that the inode has changed.

	      o	     A n means that the link count has changed.

	      o	     A C means that one or more checksums have changed.

	      The following letters are only available when explicitly enabled
	      using configure:

	      o	     A A means that the access control list has changed.

	      o	     A X means that the extended attributes have changed.

	      o	     A S means that the SELinux attributes have changed.

	      o	     A E means that the file attributes on a  second  extended
		     file system have changed.

       report_attributes
	      Special  group definition that lists parameters which are always
	      printed in the final report for changed files.

       ignore_list
	      Special group definition that lists parameters which are	to  be
	      ignored from the final report.

       config_version
	      The  value  of  config_version is printed in the report and also
	      printed to the database.	This  is  for  informational  purposes
	      only. It has no other functionality.

       Group definitions
              If the parameter is not one of the previous parameters then it
              is regarded as a group definition. The value is then regarded
              as an expression of the following form:

                  <predefined group> | <expr> + <predefined group>
                                     | <expr> - <predefined group>

	      See  DEFAULT  GROUPS  for	 an  explanation of default predefined
	      groups.  Note that this is different from the  way  Tripwire(tm)
	      does it.

              There is also a special group named "ignore_list". The
              predefined groups listed in it are NOT displayed in the final
              report.

SELECTION LINES
       aide supports three types of selection lines (regular, negative and
       equals). Lines beginning with "/" are regular selection lines. Lines
       beginning with "=" are equals selection lines. And lines beginning with
       "!"  are negative selection lines. The string following the first char‐
       acter is taken as a regular expression matching to a complete filename,
       including the path. In a regular selection rule the "/" is included  in
       the  regular  expression.  Special  characters in your filenames can be
       escaped using two-digit URL encoding (for example, %20 to  represent  a
       space).	 Following  the	 regular  expression  is a group definition as
       explained above.	 See EXAMPLES and doc/aide.conf for examples.

       More in-depth discussion of the selection algorithm can be found in the
       aide manual.

MACRO LINES
       @@define VAR val
	      Define variable VAR to value val.

       @@undef VAR
	      Undefine variable VAR.

       @@ifdef VAR, @@ifndef VAR
              @@ifdef begins an if statement. It must be terminated with an
              @@endif statement. The lines between @@ifdef and @@endif are
              used if variable VAR is defined. If there is an @@else statement
              then the part between @@ifdef and @@else is used if VAR is
              defined, otherwise the part between @@else and @@endif is used.
              @@ifndef reverses the logic of the @@ifdef statement but
              otherwise works similarly.

       @@ifhost hostname, @@ifnhost hostname
              @@ifhost works like @@ifdef; the only difference is that it
              checks whether hostname equals the name of the host that aide is
              running on. hostname is the name of the host without the domain
              name (hostname, not hostname.aide.org).

       @@{VAR}
	      @@{VAR} is replaced with the value  of  the  variable  VAR.   If
	      variable	VAR  is	 not  defined  an empty string is used. Unlike
	      Tripwire(tm) @@VAR is NOT supported. One special VAR is @@{HOST‐
	      NAME}  which is substituted for the hostname of the current sys‐
	      tem.

       @@else Begins the else part of an if statement.

       @@endif
	      Ends an if statement.

       @@include VAR
	      Includes the file VAR. The content of the file is used as if  it
	      were inserted in this part of the config file.
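The macro lines above amount to a small preprocessor. As an added example (not code from the page or from AIDE itself), the following Python implements @@define, @@undef, @@ifdef/@@ifndef, @@ifhost/@@ifnhost, @@else, @@endif, @@include and @@{VAR} substitution exactly as described, over a constructed sample configuration. It assumes @@{HOSTNAME} expands to the short host name (the page does not say whether the domain part is included) and takes a read_include callback in place of real file access.

```python
import re

MACRO = re.compile(r"^@@(define|undef|ifdef|ifndef|ifhost|ifnhost|else|endif|include)\b\s*(.*)$")
VARREF = re.compile(r"@@\{(\w+)\}")     # only the braced form is substituted; a bare @@VAR stays

def preprocess(text, hostname, read_include=lambda name: ""):
    """Expand aide.conf macro lines and return the surviving config lines. @@ifhost uses the
    part of hostname before the first dot, as the page says; giving @@{HOSTNAME} that same
    short name is an assumption. read_include(name) returns the text of an @@include file."""
    short = hostname.split(".")[0]
    variables = {"HOSTNAME": short}
    stack, out = [], []          # stack: one bool per open @@if..., True while that branch is active

    def run(lines):
        for raw in lines.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):          # blank lines and # comments are ignored
                continue
            m = MACRO.match(line)
            if m is None:                                 # an ordinary config or selection line
                if all(stack): out.append(VARREF.sub(lambda v: variables.get(v.group(1), ""), line))
                continue
            kw, arg = m.group(1), m.group(2).strip()
            if kw in ("ifdef", "ifndef"):
                stack.append((arg in variables) == (kw == "ifdef"))
            elif kw in ("ifhost", "ifnhost"):
                stack.append((arg == short) == (kw == "ifhost"))
            elif kw in ("else", "endif"):
                if not stack:
                    raise SyntaxError(f"@@{kw} outside an if statement")
                if kw == "else":
                    stack[-1] = not stack[-1]
                else:
                    stack.pop()
            elif not all(stack):                          # define/undef/include in a skipped branch
                continue
            elif kw == "define":
                name, _, value = arg.partition(" ")
                variables[name] = value.strip()
            elif kw == "undef":
                variables.pop(arg, None)
            else:                                         # @@include: text acts as if inserted here
                run(read_include(arg))

    run(text)
    if stack:
        raise SyntaxError("if statement not terminated by @@endif")
    return out

SAMPLE = """@@define DBDIR /var/lib/aide
database=file:@@{DBDIR}/@@{HOSTNAME}.db
@@ifhost alpha
/etc R
@@else
/etc L
@@endif
verbose=@@{VERBOSE}"""  # constructed sample, not from the page; VERBOSE is deliberately undefined
```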

URLS
       Urls  can be one of the following. Input urls cannot be used as outputs
       and vice versa.

       stdout

       stderr Output is sent to stdout,stderr respectively.

       stdin  Input is read from stdin.

       file://filename
	      Input is read from filename or output is written to filename.

       fd:number
	      Input is read from filedescriptor number or output is written to
	      number.

DEFAULT GROUPS
       p:   permissions

       ftype: file type

       i:   inode

       l:   link name

       n:   number of links

       u:   user

       g:   group

       s:   size

       b:   block count

       m:   mtime

       a:   atime

       c:   ctime

       S:   check for growing size

       I:   ignore changed filename

       ANF: allow new files

       ARF: allow removed files

       md5: md5 checksum

       sha1: sha1 checksum

       sha256: sha256 checksum

       sha512: sha512 checksum

       rmd160: rmd160 checksum

       tiger: tiger checksum

       haval: haval checksum

       crc32:	 crc32 checksum

       R:   p+ftype+i+l+n+u+g+s+m+c+md5

       L:   p+ftype+i+l+n+u+g

       E:   Empty group

       >:   Growing logfile p+ftype+l+u+g+i+n+S

       And also the following if you have mhash support enabled

       gost: gost checksum

       whirlpool: whirlpool checksum

       The following are available, and added to the default groups R, L and >,
       only when explicitly enabled using configure:

       acl: access control list

       selinux: selinux attributes

       xattrs: extended attributes

       e2fsattrs: file attributes on a second extended file system

       Please note that 'I' and 'c' are incompatible. When the name of a file
       is changed, its ctime is updated as well. When you put 'c' and 'I' in
       the same rule, a changed ctime is silently ignored.

       When  'ANF'  is	used, new files are added to the new database, but are
       ignored in the report.

       When 'ARF' is used, files missing on disk  are  omitted	from  the  new
       database, but are ignored in the report.
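As an added example (not code from the page or from AIDE itself), the following Python evaluates group definitions with the "<expr> + <group>" / "<expr> - <group>" grammar from CONFIG LINES, expands the compound groups R, L, E and > from the DEFAULT GROUPS table, and flags the 'I' with 'c' incompatibility noted above. The mhash-only and configure-only groups are left out, and the set of parameter names is taken from the CONFIG LINES section.

```python
import re

# Predefined groups from DEFAULT GROUPS (mhash and configure-only groups are left out here).
SINGLE = "p ftype i l n u g s b m a c S I ANF ARF md5 sha1 sha256 sha512 rmd160 tiger haval crc32"
DEFAULT_GROUPS = {name: {name} for name in SINGLE.split()}
DEFAULT_GROUPS.update({
    "R": set("p ftype i l n u g s m c md5".split()),
    "L": set("p ftype i l n u g".split()),
    "E": set(),                                     # empty group
    ">": set("p ftype l u g i n S".split()),        # growing logfile
})
# Names the page documents as parameters; anything else left of "=" is a group definition.
PARAMETERS = {"database", "database_out", "database_new", "verbose", "report_url", "gzip_dbout",
              "acl_no_symlink_follow", "warn_dead_symlinks", "grouped", "summarize_changes",
              "config_version"}

def eval_group_expr(expr, groups=DEFAULT_GROUPS):
    """Evaluate '<group> [+ <group> | - <group>]...' left to right into a set of attributes.
    Every name must be a known group, so a run-together name such as 'epug' is rejected."""
    tokens = re.findall(r"[+-]|[^+\-\s]+", expr)
    result, op, want_group = set(), "+", True
    for tok in tokens:
        if want_group:
            if tok not in groups:
                raise ValueError(f"unknown group {tok!r} in {expr!r}")
            result = result | groups[tok] if op == "+" else result - groups[tok]
        elif tok in ("+", "-"):
            op = tok
        else:
            raise ValueError(f"expected + or - before {tok!r} in {expr!r}")
        want_group = not want_group
    if want_group:                                  # empty expression or trailing operator
        raise ValueError(f"incomplete expression {expr!r}")
    return result

def define_groups(config_lines):
    """Apply name=expr group-definition lines in order; later lines may use earlier names."""
    groups = dict(DEFAULT_GROUPS)
    for line in config_lines:
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, expr = (part.strip() for part in line.split("=", 1))
        if name not in PARAMETERS:
            groups[name] = eval_group_expr(expr, groups)
    return groups

def rule_warnings(attrs):
    """The incompatibility noted under DEFAULT GROUPS: 'I' with 'c' silently hides ctime changes."""
    return ["I and c in one rule: a changed ctime is silently ignored"] if {"I", "c"} <= attrs else []
```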

EXAMPLES
	      /	   R

       This adds all files on your machine to the database. This one line is
       a fully qualified configuration file.

	      !/dev

       This ignores the /dev directory structure.

	      =/tmp

       Only /tmp is taken into the database. None of its children are added.

	      All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160

       This line defines group All. It has all attributes and all message
       digest (checksum) functions. If you absolutely want all digest functions
       then you should enable mhash support and add +crc32+haval+gost to the
       end of the definition for All. Mhash support can only be enabled at
       compile-time.

HINTS
	      =/foo p+i+l+n+u+g+s+m+c+md5

	      /foo/bar p+i+l+n+u+g+s+m+c+md5

       This config adds all files under /foo because they match to regex /foo,
       which is equivalent to /foo.* . What you probably want is:

	      =/foo$ p+i+l+n+u+g+s+m+c+md5

	      /foo/bar p+i+l+n+u+g+s+m+c+md5

       Note that the following still works as expected because =/foo$ stops
       recursion into directory /foo.

	      =/foo p+i+l+n+u+g+s+m+c+md5

       In  the	following,  the	 first	is not allowed in AIDE. Use the latter
       instead.

	      /foo epug

	      /foo e+p+u+g
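As an added illustration (not code from the page or from the AIDE project), the following Python models the selection lines as this page describes them and reproduces the cases from EXAMPLES and HINTS over a constructed directory tree: each rule is an anchored regular expression, so "/foo" behaves like "/foo.*" and "=/foo$" matches only /foo; "!" ignores a subtree, "=" takes a match without descending, "/" takes it and descends; %20-style escapes are decoded. The precedence negative, then equals, then regular, the longest-literal-prefix tie-break, and descending into a directory only when a regular rule matched or some rule's literal prefix lies below it are modelling assumptions; the real algorithm is in the aide manual.

```python
import re
from urllib.parse import unquote

KINDS = {"/": "regular", "=": "equals", "!": "negative"}

def parse_rule(line):
    """Split one selection line into (kind, anchored regex, literal prefix, group expression)."""
    line = line.strip()
    kind = KINDS[line[0]]
    body = line if kind == "regular" else line[1:]      # the leading "/" belongs to a regular regex
    pattern, groups = (body.split(None, 1) + [""])[:2]
    pattern = unquote(pattern)                           # %20 and friends decode to the literal char
    prefix = re.split(r"[.*+?$^\[\](){}|\\]", pattern, maxsplit=1)[0]   # literal part before a metachar
    return kind, re.compile("^" + pattern), prefix, groups.strip()

def select(rules, tree, path="/", out=None):
    """Walk a constructed tree ({name: subtree} for a directory, None for a file) and return
    {path: group expression} for every entry this model would take into the database."""
    out = {} if out is None else out
    rules = [parse_rule(r) if isinstance(r, str) else r for r in rules]
    hits = {}                                            # best (longest literal prefix) match per kind
    for kind, rx, prefix, groups in rules:
        if rx.match(path) and (kind not in hits or len(prefix) > len(hits[kind][0])):
            hits[kind] = (prefix, groups)
    if "negative" in hits:                               # "!" wins: skip this path and its subtree
        return out
    if "equals" in hits or "regular" in hits:            # "=" takes priority over "/" (assumption)
        out[path] = hits.get("equals", hits.get("regular"))[1]
    # Descend when a regular rule matched, or when some rule's literal prefix lies below this
    # directory; the latter is what lets "/foo/bar" still apply under "=/foo$" (HINTS).
    below = path.rstrip("/") + "/"
    if tree is not None and ("regular" in hits or any(p.startswith(below) for _, _, p, _ in rules)):
        for name, sub in tree.items():
            select(rules, sub, below + name, out)
    return out

# Constructed sample tree, not a real file system.
TREE = {"dev": {"null": None}, "etc": {"passwd": None}, "tmp": {"x": None},
        "foo": {"bar": {"x": None}, "baz": None}}
```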

SEE ALSO
       aide(1) http://www.cs.tut.fi/~rammer/aide/manual.html

DISCLAIMER
       All trademarks are the property of their respective owners.  No animals
       were harmed while making this webpage or this piece of software.
