aide.conf - The configuration file for Advanced Intrusion
Detection Environment
aide.conf is the configuration file for Advanced Intrusion
Detection Environment. aide.conf contains the runtime configuration
aide uses to initialize or check the AIDE database.
aide.conf is similar in to Tripwire(tm)'s configuration
file. With little effort tw.conf can be converted to aide.conf.
aide.conf is case-sensitive. Leading and trailing white spaces are
ignored.
There are three types of lines in aide.conf. First there
are the configuration lines which are used to set configuration parameters
and define/undefine variables. Second, there are (restricted) selection
lines that are used to indicate which files are added to the database.
Third, macro lines define or undefine variables within the config file.
Lines beginning with # are ignored as comments.
These lines have the format parameter=value. See URLS for a list
of valid urls.
- database
- The url from which database is read. There can only be one of these lines.
If there are multiple database lines then the first is used. There is no
valid default value in the Debian packages!
- database_out
- The url to which the new database is written to. There can only be one of
these lines. If there are multiple database_out lines then the first is
used. There is no valid default value in the Debian packages!
- database_new
- The url from which the other database for --compare is read. There is no
default for this one.
- database_attrs
- The attributes of the (uncompressed) database files which are to be added
to the final report in verbose level 2 or higher. Only checksum attributes
are supported. To disable set database_attrs to 'E'. By
default all compiled in checksums are added to the report.
- database_add_metadata
- Whether to add the AIDE version and the time of database generation as
comments to the database file or not. Valid values are yes, true, no and
false. The default is to add the AIDE version and the time of database
generation. This option may be set to no by default in a future
release.
- verbose
- The level of messages that is output. This value can be 0-255 inclusive.
This parameter can only be given once. Value from the first occurrence is
used. If --verbose or -V is used then the value from that is used. The
default is 5. If verbosity is 20 then additional report output is written
when doing --check, --update or --compare.
- report_url
- The url that the output is written to. There can be multiple instances of
this parameter. Output is written to all of them. The default is
stdout.
- report_base16
- Whether to base16 encode the checksums in the report or not. Valid values
are yes, true, no and false. The default is to report checksums not in
base16 but in base64 encoding.
- report_detailed_init
- Whether to report added files (verbose level >= 2) and their details
(verbose level >=7) in initialization mode or not. Valid values are
yes, true, no and false. The default is to not report added files or their
details in init mode.
- report_quiet
- Whether to suppress report output if no differences to the database have
been found or not. Valid values are yes, true, no and false. The default
is to not suppress output in the report.
- gzip_dbout
- Whether the output to the database is gzipped or not. Valid values are
yes,true,no and false. The default is no. This option is available only if
zlib support is compiled in.
- root_prefix
- The prefix to strip from each file name in the file system before applying
the rules and writing to database. AIDE removes a trailing slash from the
prefix. The default is no (an empty) prefix. This option has no effect in
compare mode.
- acl_no_symlink_follow
- Whether to check ACLs for symlinks or not. Valid values are yes,true,no
and false. The default is to follow symlinks. This option is available
only if acl support is compiled in.
- warn_dead_symlinks
- Whether to warn about dead symlinks or not. Valid values are yes,true,no
and false. The default is not to warn about dead symlinks.
- grouped
- Whether to group the files in the report by added, removed and changed
files or not. Valid values are yes, true, no and false. The default is to
group the files in the report.
- summarize_changes
- Whether to summarize changes in the added, removed and changed files
sections of the report or not. Valid values are yes,true,no and false. The
default is to summarize the changes.
The general format is like the string YlZbpugamcinCAXSE, where
Y is replaced by the file-type (f for a regular file, d
for a directory, l for a symbolic link, c for a character
device, b for a block device, p for a FIFO, s for a
unix socket, D for a Solaris door, P for a Solaris event
port, ! if file type has changed and ? otherwise).
The Z is replaced as follows: A = means that the size
has not changed, a < reports a shrinked size and a >
reports a grown size.
The other letters in the string are the actual letters that
will be output if the associated attribute for the item has been changed
or a "." for no change, a "+" if the attribute has
been added, a "-" if it has been removed, a ":" if
the attribute is ignored (but not forced) or a " " if the
attribute has not been checked. The exceptions to this are: (1) a newly
created file replaces each letter with a "+", and (2) a
removed file replaces each letter with a "-".
The attribute that is associated with each letter is as
follows:
- o
- A l means that the link name has changed.
- o
- A b means that the block count has changed.
- o
- A p means that the permissions have changed.
- o
- An u means that the uid has changed.
- o
- A g means that the gid has changed.
- o
- An a means that the access time has changed.
- o
- A m means that the modification time has changed.
- o
- A c means that the change time has changed.
- o
- An i means that the inode has changed.
- o
- A n means that the link count has changed.
- o
- A C means that one or more checksums have changed.
The following letters are only available when explicitly
enabled using configure:
- o
- A A means that the access control list has changed.
- o
- A X means that the extended attributes have changed.
- o
- A S means that the SELinux attributes have changed.
- o
- A E means that the file attributes on a second extended file system
have changed.
- report_ignore_added_attrs
- Special group definition that lists attributes whose addition is to be
ignored in the final report.
- report_ignore_removed_attrs
- Special group definition that lists attributes whose removal is to be
ignored in the final report.
- report_ignore_changed_attrs
- ignore_list
(DEPRECATED, will be removed in a future release)
- Special group definition that lists attributes whose change is to be
ignored in the final report.
- report_force_attrs
- report_attributes
(DEPRECATED, will be removed in a future release)
- Special group definition that lists attributes which are always printed in
the final report for changed files. If an attribute is both ignored and
forced the attribute is not considered for file change but printed in the
final report if the file has been otherwise changed.
- report_ignore_e2fsattrs
- List (no delimiter) of ext2 file attributes which are to be ignored in the
final report. See chattr(1) for the available attributes. Use '0'
to not ignore any attribute. Ignored attributes are represented by a ':'
in the output. The default is to not ignore any ext2 file attribute.
Example
Ignore changes of the ext2 file attributes compression
error (E), huge file (h), indexed directory (I):
report_ignore_e2fsattrs=EhI
- config_version
- The value of config_version is printed in the report and also printed to
the database. This is for informational purposes only. It has no other
functionality.
- Group definitions
- If the parameter is not one of the previous parameters then it is regarded
as a group definition. Value is then regarded as an expression. Expression
is of the following form.
-
<predefined group>| <expr> + <predefined group>
| <expr> - <predefined group>
- See DEFAULT GROUPS for an explanation of default predefined groups. Note
that this is different from the way Tripwire(tm) does it.
AIDE supports three types of selection lines:
Regular selection line:
<regex> <group>
Files and directories matching the regular expression are added to
the database.
Negative selection line:
!<regex>
Files and directories matching the regular expression are ignored
and not added to the database.
Equals selection line:
=<regex> <group>
Files and directories matching the regular expression are added to
the database. The children of directories are only added if the regular
expression ends with a "/". The children of sub-directories are
not added at all.
Every regular expression has to start with a "/". An
implicit ^ is added in front of each regular expression. In other words the
regular expressions are matched at the first position against the complete
filename (i.e. including the path). Special characters in your filenames can
be escaped using two-digit URL encoding (for example, %20 to represent a
space).
See EXAMPLES and doc/aide.conf for examples.
More in-depth discussion of the selection algorithm can be found
in the AIDE manual.
Restricted selection lines are like normal selection lines but can
be restricted to file types. The following file types are supported:
f: restrict rule to regular files
d: restrict rule to directories
l: restrict rule to symbolic links
c: restrict rule to character devices
b: restrict rule to block devices
p: restrict rule to FIFO files
s: restrict rule to UNIX sockets
D: restrict rule to Solaris doors
P: restrict rule to Solaris event ports
The file types are separated by comma. The syntax of restricted
selection lines is as follows:
Restricted regular selection line:
<regex> <file types> <group>
Restricted negative selection line:
Restricted equals selection line:
=<regex> <file types> <group>
Examples
Only add directories and files to the database:
Add all but directory entries to the database:
Use specific rule for directories:
- @@define VAR val
- Define variable VAR to value val.
- @@undef VAR
- Undefine variable VAR.
- @@ifdef VAR, @@ifndef VAR
- @@ifdef begins an if statement. It must be terminated with an @@endif
statement. The lines between @@ifdef and @@endif are used if variable
VAR is defined. If there is an @@else statement then the part
between @@ifdef and @@else is used is VAR is defined otherwise the
part between @@else and @@endif is used. @@ifndef reverses the logic of
@@ifdef statement but otherwise works similarly.
- @@ifhost hostname, @@ifnhost hostname
- @@ifhost works like @@ifdef only difference is that it checks whether
hostname equals the name of the host that AIDE is running on.
hostname is the name of the host without the domainname (hostname,
not hostname.example.com).
- @@{VAR}
- @@{VAR} is replaced with the value of the variable VAR. If
variable VAR is not defined an empty string is used. Unlike
Tripwire(tm) @@VAR is NOT supported. One special VAR is
@@{HOSTNAME} which is substituted for the hostname of the current
system.
- @@else
- Begins the else part of an if statement.
- @@endif
- Ends an if statement.
- @@include VAR
- Includes the file VAR. The content of the file is used as if it
were inserted in this part of the config file.
Urls can be one of the following. Input urls cannot be used as
outputs and vice versa.
- stdout
- stderr
- Output is sent to stdout,stderr respectively.
- stdin
- Input is read from stdin.
- file://filename
- Input is read from filename or output is written to
filename.
- fd:number
- Input is read from filedescriptor number or output is written to
number.
- / R
This adds all files on your machine to the database. This one line
is a fully qualified configuration file.
- !/dev
This ignores the /dev directory structure.
- =/foo R
Only /foo and /foobar are taken into the database. None of their
children are added.
- =/foo/ R
Only /foo and its children (e.g. /foo/file and /foo/directory) are
taken into the database. The children of sub-directories (e.g.
/foo/directory/bar) are not added.
- All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160
This line defines group All. It has all attributes and all
md checksum functions. If you absolutely want all digest functions then you
should enable mhash support and add +crc32+haval+gost to the end of the
definition for All. Mhash support can only be enabled at
compile-time.
In the following, the first is not allowed in AIDE. Use the latter
instead.
- /foo epug
- /foo e+p+u+g
All trademarks are the property of their respective owners. No
animals were harmed while making this webpage or this piece of software.