NAME

aide - Advanced Intrusion Detection Environment

SYNOPSIS

aide [parameters] command

DESCRIPTION

AIDE is an intrusion detection system for checking the integrity of files.

COMMANDS

--check, -C

Checks the database for inconsistencies. You must have an initialized database to do this. This is also the default command. Without any command aide does a check.

--init, -i

Initialize the database. You must initialize a database and move it to the appropriate place (see database_in config option) before you can use the --check command.

--dry-init, -n

Traverse the file system, match each file against the rule tree and report to stdout.

Neither reports nor the database are written in this mode.

To change the log level in this mode please use the --log-level command line parameter.

In this mode aide exits with status 0.

--update, -u

Checks the database and updates the database non-interactively. The input and output databases must be different.

--compare, -E

Compares two databases. They must be defined in config file with database=<url> and database_new=<url>.

--config-check, -D

Stops after reading in the configuration file. Any errors will be reported. To change the log level in this mode please use the --log-level command line parameter.

--path-check=file_type:path, -p file_type:path

Read configuration and match provided file_type and path against rule tree. The path is independent of what is in the actual file system and needs to be absolute. See RESTRICTED RULES section in aide.conf (5) for supported file types.

To change the log level in this mode please use the --log-level command line parameter.

In this mode aide exits with status 0 if the file would be added to the tree, 1 if not and 2 if the file does not match a specified limit.

PARAMETERS

--config=configfile , -c configfile: Configuration is read from file configfile (see --version output for default value). Use '-' for stdin.
--limit=REGEX , -l REGEX: Limit command to entries matching REGEX. Note that the REGEX only matches at the first position.

Example

Only check and update the database entries matching /etc (i.e. the /etc directory) while leaving all other entries unchecked and unchanged:

aide --update --limit /etc

--before="configparameters" , -B "configparameters": These configparameters are handled before the reading of the configuration file. See aide.conf (5) for more details on what to put here.
--after="configparameters" , -A "configparameters": These configparameters are handled after the reading of the configuration file. See aide.conf (5) for more details on what to put here.
--log-level=log_level,-Llog_level: The log level to use (see aide.conf (5) for available log levels and more details). This overwrites the log_level value set in any configuration file.
--verbose=verbosity_level,-Vverbosity_level: Removed in AIDE v0.17, use log_level and report_level config options instead (see aide.conf (5) for details).
--version,-v: aide prints out its version number
--help,-h: Prints out the standard help message.

EXIT STATUS

Normally, the exit status is 0 if no errors occurred. Except when the --check, --compare or --update command was requested, in which case the exit status is defined as:

1 * (new files reported?) +
2 * (removed files reported?) +
4 * (changed files reported?)

Since those three cases can occur together, the respective error codes are added. For example, if there are new files and removed files reported, the exit status will be 1 + 2 = 3.

Additionally, the following exit codes are defined for generic error conditions:

14 Writing error
15 Invalid argument error
16 Unimplemented function error
17 Configuration error
18 IO error
19 Version mismatch error
20 EXEC error
21 File lock error

SIGNAL HANDLING

Please note that due to mmap issues, aide cannot be terminated with SIGTERM. Use SIGKILL to terminate.

SIGUSR1 toggles the log_level between current and debug level.

NOTES

The checksums in the database and in the output are by default base64 encoded (see also report_base16 option). To decode them you can use the following shell command:

echo <encoded_checksum> | base64 -d | hexdump -v -e '32/1 "%02x" "\n"'

FILES

See --version output for the default config file and the default database_in and database_out config values.

BUGS

There are probably bugs in this release. Please report them at https://github.com/aide/aide/issues .

DISCLAIMER

All trademarks are the property of their respective owners. No animals were harmed while making this webpage or this piece of software. Although some pizza delivery guy's feelings were hurt.

2021-02-10

aide v0.17.3