aide.conf man page on Scientific


aide.conf(5)							  aide.conf(5)

       aide.conf  -  The  configuration	 file for Advanced Intrusion Detection

       aide.conf is the configuration file for Advanced Intrusion Detection
       Environment. aide.conf contains the runtime configuration aide uses to
       initialize or check the aide database.

       aide.conf is similar to Tripwire(tm)'s configuration file. With little
       effort tw.conf can be converted to aide.conf.

       aide.conf  is  case-sensitive.  Leading	and  trailing  whitespaces are

       There are three types of lines in aide.conf. First there are the
       configuration lines which are used to set configuration parameters and
       define/undefine variables. Second, there are selection lines that are
       used to indicate which files are added to the database. Third, macro
       lines define or undefine variables within the config file. Lines
       beginning with # are ignored as comments.

       These  lines  have  the	format parameter=value. See URLS for a list of
       valid urls.

	      The url from which database is read. There can only  be  one  of
	      these lines. If there are multiple database lines then the first
	      is used.	The default value is "/usr/etc/aide.db".

	      The url to which the new database is written to. There can  only
	      be  one of these lines. If there are multiple database_out lines
	      then   the   first   is	used.	 The	default	   value    is

	      The  url	from  which  the other database for --compare is read.
	      There is no default for this one.

	      The level of messages that is output. This value can be 0-255
	      inclusive. This parameter can only be given once. The value from
	      the first occurrence is used. If --verbose or -V is used then the
	      value from that is used. The default is 5. If verbosity is 20
	      then additional report output is written when doing --check,
	      --update or --compare.

	      The  url	that  the  output is written to. There can be multiple
	      instances of this parameter. Output is written to all  of	 them.
	      The default is stdout.

	      Whether the output to the database is gzipped or not. Valid val‐
	      ues are yes,true,no and false. The default is no. This option is
	      available only if zlib support is compiled in.

	      Whether  to  check  ACLs	for  symlinks or not. Valid values are
	      yes,true,no and false. The default is to follow  symlinks.  This
	      option is available only if acl support is compiled in.

	      Whether  to  warn	 about	dead symlinks or not. Valid values are
	      yes,true,no and false. The default is not	 to  warn  about  dead

	      Whether  to  summarize changes in the added, removed and changed
	      files  sections  of  the	report	or  not.  Valid	  values   are
	      yes,true,no  and	false.	 The  default  is not to summarize the

	      The general format is like the string YlZbpugamcinCAXS, where  Y
	      is  replaced  by	the  file-type	(f for a regular file, d for a
	      directory, L for a symbolic link, D for a	 character  device,  B
	      for a block device, F for a FIFO, s for a unix socket and ? oth‐

	      The Z is replaced as follows: A = means that the size has not
	      changed, a < reports a shrunk size and a > reports a grown

	      The other letters in the string are the actual letters that will
	      be  output  if  the  associated  attribute for the item has been
	      changed or a "." for no change, a "+" if the attribute has  been
	      added,  a	 "-" if it has been removed, a ":" if the attribute is
	      listed in ignore_list or a " " if the  attribute	has  not  been
	      checked.	The  exceptions	 to this are: (1) a newly created file
	      replaces each letter with a "+", and (2) a removed file replaces
	      each letter with a "-".

	      The attribute that is associated with each letter is as follows:

	      o	     A l means that the link name has changed.

	      o	     A b means that the block count has changed.

	      o	     A p means that the permissions have changed.

	      o	     A u means that the uid has changed.

	      o	     A g means that the gid has changed.

	      o	     An a means that the access time has changed.

	      o	     A m means that the modification time has changed.

	      o	     A c means that the change time has changed.

	      o	     An i means that the inode has changed.

	      o	     A n means that the link count has changed.

	      o	     A C means that one or more checksums have changed.

	      o	     A A means that the access control list has changed.

	      o	     A X means that the extended attributes have changed.

	      o	     A S means that the SELinux attributes have changed.
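As an added example (not from the man page or from AIDE itself), the following Python decodes a summarize_changes string of the YlZbpugamcinCAXS form described above into the attribute names it flags, honouring the "+", "-", ":" and " " markers and the all-"+" / all-"-" special cases. The sample strings are constructed for this example, not real AIDE output.

```python
# Tables from the summarize_changes description above
FILE_TYPES = {"f": "regular file", "d": "directory", "L": "symbolic link",
              "D": "character device", "B": "block device", "F": "FIFO",
              "s": "unix socket", "?": "other"}
SIZE_MARKS = {"=": "unchanged", "<": "shrunk", ">": "grown"}
ATTRIBUTES = {"l": "link name", "b": "block count", "p": "permissions",
              "u": "uid", "g": "gid", "a": "access time",
              "m": "modification time", "c": "change time", "i": "inode",
              "n": "link count", "C": "checksum(s)", "A": "ACL",
              "X": "extended attributes", "S": "SELinux attributes"}
FORMAT = "YlZbpugamcinCAXS"   # positional template from the man page

def decode(summary):
    """Decode one summarize_changes string into a dict a report parser can act on."""
    if len(summary) != len(FORMAT):
        raise ValueError(f"expected {len(FORMAT)} characters, got {summary!r}")
    rest = summary[1:]
    out = {"type": FILE_TYPES.get(summary[0], "unknown"), "status": "changed",
           "size": None, "changed": [], "ignored": [], "unchecked": []}
    if set(rest) == {"+"}:                 # new file: every position is '+'
        out["status"] = "added"
        return out
    if set(rest) == {"-"}:                 # removed file: every position is '-'
        out["status"] = "removed"
        return out
    for tmpl, ch in zip(FORMAT[1:], rest):
        if tmpl == "Z":                    # size column uses = < > instead of a letter
            out["size"] = SIZE_MARKS.get(ch, "not reported")
            if ch in "<>":
                out["changed"].append("size")
            continue
        name = ATTRIBUTES[tmpl]
        if ch == tmpl:
            out["changed"].append(name)
        elif ch == "+" or ch == "-":
            out["changed"].append(f"{name} {'added' if ch == '+' else 'removed'}")
        elif ch == ":":
            out["ignored"].append(name)
        elif ch == " ":
            out["unchecked"].append(name)
        elif ch != ".":
            raise ValueError(f"unexpected {ch!r} in column {tmpl}")
    return out

# Constructed sample strings (not real AIDE output): a grown, rewritten file and a new directory
SAMPLES = {"/var/log/auth.log": "f.>b....mc..C:  ", "/etc/cron.d/new": "d" + "+" * 15}
```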

	      Special  group definition that lists parameters which are always
	      printed in the final report for changed files.

	      Special group definition that lists parameters which are	to  be
	      ignored from the final report.

	      The  value  of  config_version is printed in the report and also
	      printed to the database.	This  is  for  informational  purposes
	      only. It has no other functionality.

       Group definitions
	      If the parameter is not one of the previous parameters then it
	      is regarded as a group definition. The value is then regarded as
	      an expression. An expression is of the following form:

		  <predefined group> | <expr> + <predefined group>
				     | <expr> - <predefined group>

	      See  DEFAULT  GROUPS  for	 an  explanation of default predefined
	      groups.  Note that this is different from the  way  Tripwire(tm)
	      does it.

	      There is also a special group named "ignore_list". The
	      predefined groups listed in it are NOT displayed in the final

       aide supports three types of selection lines (regular, negative,
       equals). Lines beginning with "/" are regular selection lines. Lines
       beginning with "=" are equals selection lines. And lines beginning with
       "!" are negative selection lines. The string following the first
       character is taken as a regular expression matching a complete filename,
       including the path. In a regular selection rule the "/" is included in
       the regular expression. Following the regular expression is a group
       definition as explained above. See EXAMPLES and doc/aide.conf for exam‐

       More in-depth discussion of the selection algorithm can be found in the
       aide manual.

       @@define VAR val
	      Define variable VAR to value val.

       @@undef VAR
	      Undefine variable VAR.

       @@ifdef VAR, @@ifndef VAR
	      @@ifdef begins an if statement. It must be terminated with an
	      @@endif statement. The lines between @@ifdef and @@endif are
	      used if variable VAR is defined. If there is an @@else statement
	      then the part between @@ifdef and @@else is used if VAR is
	      defined, otherwise the part between @@else and @@endif is used.
	      @@ifndef reverses the logic of the @@ifdef statement but
	      otherwise works similarly.

       @@ifhost hostname, @@ifnhost hostname
	      @@ifhost works like @@ifdef; the only difference is that it
	      checks whether hostname equals the name of the host that aide is
	      running on. hostname is the name of the host without the
	      domainname (hostname, not

	      @@{VAR} is replaced with the value of the variable VAR. If
	      variable VAR is not defined an empty string is used. Unlike
	      Tripwire(tm) @@VAR is NOT supported. One special VAR is
	      @@{HOSTNAME} which is substituted for the hostname of the current sys‐

       @@else Begins the else part of an if statement.

	      Ends an if statement.

       @@include VAR
	      Includes	the file VAR. The content of the file is used as if it
	      were inserted in this part of the config file.
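The macro lines described above, implemented as a small preprocessor in Python as an added example (not code from the man page or from AIDE): @@define/@@undef, @@ifdef/@@ifndef, @@ifhost/@@ifnhost, @@else/@@endif and @@{VAR} substitution, with @@{HOSTNAME} taken from the unqualified host name. It assumes conditionals may nest and leaves @@include unhandled.

```python
import re
import socket

def preprocess(text, hostname=None, variables=None):
    """Expand aide.conf macro lines and return the resulting config lines.
    hostname and variables are assumptions for testing without a real host;
    @@include is not handled here (assumption)."""
    host = hostname if hostname is not None else socket.gethostname().split(".")[0]
    vars_ = dict(variables or {})
    vars_["HOSTNAME"] = host                 # special variable from the man page
    out, stack = [], []                      # stack: one bool per open @@if, True = branch taken
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("@@"):
            parts = line.split(None, 2)      # e.g. ['@@define', 'VAR', 'val']
            directive = parts[0]
            if directive in ("@@ifdef", "@@ifndef"):
                stack.append((parts[1] in vars_) == (directive == "@@ifdef"))
            elif directive in ("@@ifhost", "@@ifnhost"):
                stack.append((parts[1] == host) == (directive == "@@ifhost"))
            elif directive == "@@else":
                stack[-1] = not stack[-1]    # nested parents still gate via all(stack)
            elif directive == "@@endif":
                stack.pop()
            elif not all(stack):
                continue                     # defines inside a skipped branch have no effect
            elif directive == "@@define":
                vars_[parts[1]] = parts[2] if len(parts) > 2 else ""
            elif directive == "@@undef":
                vars_.pop(parts[1], None)
            else:
                raise ValueError(f"unknown directive {directive}")
            continue
        if not all(stack):
            continue                         # line sits in a branch that is not taken
        # @@{VAR} -> value, empty string when undefined (as the man page states)
        out.append(re.sub(r"@@\{(\w+)\}", lambda m: vars_.get(m.group(1), ""), line))
    if stack:
        raise ValueError("unterminated @@ifdef/@@ifhost")
    return out
```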

       Urls can be one of the following. Input urls cannot be used as  outputs
       and vice versa.


       stderr Output is sent to stdout,stderr respectively.

       stdin  Input is read from stdin.

	      Input is read from filename or output is written to filename.

	      Input is read from filedescriptor number or output is written to

       p:   permissions

       i:   inode

       l:   link name

       n:   number of links

       u:   user

       g:   group

       s:   size

       b:   block count

       m:   mtime

       a:   atime

       c:   ctime

       S:   check for growing size

       I:   ignore changed filename

       ANF: allow new files

       ARF: allow removed files

       md5: md5 checksum

       sha1: sha1 checksum

       sha256: sha256 checksum

       sha512: sha512 checksum

       rmd160: rmd160 checksum

       tiger: tiger checksum

       haval: haval checksum

       crc32: crc32 checksum

       R:   p+i+l+n+u+g+s+m+c+md5

       L:   p+i+l+n+u+g

       E:   Empty group

       >:   Growing logfile p+l+u+g+i+n+S

       And also the following if you have mhash support enabled

       gost: gost checksum

       whirlpool: whirlpool checksum

       The following is available when explicitly enabled using configure

       acl: access control list

       selinux: selinux attributes

       xattrs: extended attributes

       Please note that 'I' and 'c' are incompatible. When the name of a file
       is changed, its ctime is updated as well. When you put 'c' and 'I' in
       the same rule, a changed ctime is silently ignored.

       When 'ANF' is used, new files are added to the new  database,  but  are
       ignored in the report.

       When  'ARF'  is	used,  files  missing on disk are omitted from the new
       database, but are ignored in the report.

	      /	   R

       This adds all files on your machine to the database. This one line
       is a fully qualified configuration file.


       This ignores the /dev directory structure.


       Only /tmp is taken into the database. None of its children are added.


       This line defines group All. It has all attributes and all md checksum
       functions. If you absolutely want all digest functions then you should
       enable mhash support and add +crc32+haval+gost to the end of the
       definition for All. Mhash support can only be enabled at compile-time.

	      =/foo p+i+l+n+u+g+s+m+c+md5

	      /foo/bar p+i+l+n+u+g+s+m+c+md5

       This config adds all files under /foo because they match the regex /foo,
       which is equivalent to /foo.* . What you probably want is:

	      =/foo$ p+i+l+n+u+g+s+m+c+md5

	      /foo/bar p+i+l+n+u+g+s+m+c+md5

       Note that the following still works as expected because =/foo$ stops
       recursing into directory /foo.

	      =/foo p+i+l+n+u+g+s+m+c+md5

       In the following, the first is not allowed  in  AIDE.  Use  the	latter

	      /foo epug

	      /foo e+p+u+g
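The selection-line and group-definition rules above, modelled in Python as an added example (not code from the man page or from AIDE): group expressions are evaluated left to right with + and -, selection regexes are matched against the full path, and both the =/foo versus =/foo$ difference and the rejected "epug" spelling fall out of the model. It assumes a simplified per-path selection (each path is tested on its own, without directory recursion) and a constructed subset of the DEFAULT GROUPS; macro lines are not modelled.

```python
import re

# Attribute sets for a subset of the DEFAULT GROUPS above (constructed for this example)
PREDEFINED = {name: {name} for name in "p i l n u g s m c md5 sha256".split()}
PREDEFINED["R"] = {"p", "i", "l", "n", "u", "g", "s", "m", "c", "md5"}
PREDEFINED["L"] = {"p", "i", "l", "n", "u", "g"}

def eval_group(expr, groups):
    """Evaluate 'grp + grp - grp' left to right into a set of attribute names."""
    attrs = set()
    for sign, name in re.findall(r"([+-]?)\s*([A-Za-z0-9_]+)", expr):
        if name not in groups:            # 'epug' is not a group: terms need '+'
            raise ValueError(f"unknown group {name!r}")
        attrs = attrs - groups[name] if sign == "-" else attrs | groups[name]
    return attrs

def parse_config(text):
    """Return (groups, rules); each rule is (kind, compiled regex, attribute set)."""
    groups, rules = dict(PREDEFINED), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] in "/=!":
            kind = {"/": "regular", "=": "equals", "!": "negative"}[line[0]]
            body = line if kind == "regular" else line[1:]   # '/' stays in the regex
            regex, _, expr = body.partition(" ")
            attrs = eval_group(expr, groups) if kind != "negative" else set()
            rules.append((kind, re.compile(regex), attrs))
        else:                                                 # group definition
            name, _, expr = line.partition("=")
            groups[name.strip()] = eval_group(expr, groups)
    return groups, rules

def select(path, rules):
    """Attributes to check for path, or None if it is left out of the database.
    Simplified per-path model (assumption): each regex is matched against the
    start of the full path, so '/foo' acts like '/foo.*'; negative rules win."""
    if any(rx.match(path) for kind, rx, _ in rules if kind == "negative"):
        return None
    for kind, rx, attrs in rules:
        if kind != "negative" and rx.match(path):
            return attrs
    return None

def covered(config, paths):
    """Which of the given (constructed) paths end up in the database under config."""
    _, rules = parse_config(config)
    return [p for p in paths if select(p, rules) is not None]
```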


       All trademarks are the property of their respective owners.  No animals
       were harmed while making this webpage or this piece of software.

