aide.conf - The configuration file for Advanced Intrusion Detection
\fBaide.conf\fP is the configuration file for Advanced Intrusion
Detection Environment. \fBaide.conf\fP contains the runtime
configuration aide uses to initialize or check the aide database.
\fBaide.conf\fP is similar to Tripwire(tm)'s configuration
file. With little effort tw.conf can be converted to aide.conf.
aide.conf is case-sensitive. Leading and trailing whitespaces are
There are three types of lines in \fBaide.conf\fP. First there are the
configuration lines which are used to set configuration parameters and
define/undefine variables. Second, there are selection lines that are used
to indicate which files are added to the database. Third, macro lines
define or undefine variables within the config file. Lines beginning
with # are ignored as comments.
These lines have the format parameter=value. See URLS for a list of
The url from which the database is read. There can only be one of these
lines. If there are multiple database lines then the first is used.
The default value is "@prefix@/etc/aide.db".
The url to which the new database is written. There can only be one
of these lines. If there are multiple database_out lines then the
first is used. The default value is "@prefix@/etc/aide.db.new".
The url from which the other database for \-\-compare is read.
There is no default for this one.
The level of messages that is output. This value can be 0-255
inclusive. This parameter can only be given once. The value from the first
occurrence is used. If \-\-verbose or \-V is used then the value from that
is used. The default is 5. If verbosity is 20 then additional report
output is written when doing \-\-check, \-\-update or \-\-compare.
The url that the output is written to. There can be multiple instances
of this parameter. Output is written to all of them. The default is
Whether the output to the database is gzipped or not. Valid values are
yes, true, no and false. The default is no. This option is available only
if zlib support is compiled in.
.IP "acl_no_symlink_follow"
Whether to check ACLs for symlinks or not. Valid values are
yes, true, no and false. The default is to follow symlinks. This option
is available only if acl support is compiled in.
.IP "warn_dead_symlinks"
Whether to warn about dead symlinks or not. Valid values are
yes, true, no and false. The default is not to warn about dead symlinks.
Whether to group the files in the report by added, removed and changed
files or not. Valid values are yes, true, no and false.
The default is to group the files in the report.
.IP "summarize_changes"
Whether to summarize changes in the added, removed and changed files
sections of the report or not. Valid values are yes, true, no and false.
The default is not to summarize the changes.
The general format is like the string YlZbpugamcinCAXSE, where Y is
replaced by the file-type (\fBf\fP for a regular file, \fBd\fP for a
directory, \fBL\fP for a symbolic link, \fBD\fP for a character device,
\fBB\fP for a block device, \fBF\fP for a FIFO, \fBs\fP for a unix
socket, \fB|\fP for a Solaris door, \fB!\fP if the file type has changed and \fB?\fP otherwise).
The Z is replaced as follows: A \fB=\fP means that the size has not changed,
a \fB<\fP reports a shrunk size and a \fB>\fP reports a grown size.
The other letters in the string are the actual letters that will be output
if the associated attribute for the item has been changed or a "." for no
change, a "+" if the attribute has been added, a "-" if it has been removed,
a ":" if the attribute is listed in ignore_list or a " " if the attribute has
not been checked. The exceptions to this are: (1) a newly created file replaces
each letter with a "+", and (2) a removed file replaces each letter with a "-".
The attribute that is associated with each letter is as follows:
An \fBl\fP means that the link name has changed.
A \fBb\fP means that the block count has changed.
A \fBp\fP means that the permissions have changed.
A \fBu\fP means that the uid has changed.
A \fBg\fP means that the gid has changed.
An \fBa\fP means that the access time has changed.
An \fBm\fP means that the modification time has changed.
A \fBc\fP means that the change time has changed.
An \fBi\fP means that the inode has changed.
An \fBn\fP means that the link count has changed.
A \fBC\fP means that one or more checksums have changed.
The following letters are only available when explicitly enabled using configure:
An \fBA\fP means that the access control list has changed.
An \fBX\fP means that the extended attributes have changed.
An \fBS\fP means that the SELinux attributes have changed.
An \fBE\fP means that the file attributes on a second extended file system have changed.
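The summary string above is what a log pipeline has to decode when it ingests AIDE reports. The following decoder is an added example, not code from the aide project; the column layout and letter meanings are taken from the description above, the sample strings are constructed, and the timestomping heuristic at the end is this example's own triage rule.

```python
# Decoder for the summary string described above; an added example, not code
# from the aide project. Layout and letter meanings follow aide.conf(5).
SUMMARY_LAYOUT = "YlZbpugamcinCAXSE"
FILE_TYPES = {"f": "regular file", "d": "directory", "L": "symbolic link",
              "D": "character device", "B": "block device", "F": "FIFO",
              "s": "unix socket", "|": "Solaris door", "!": "file type changed"}
SIZE_MARKS = {"=": "unchanged", "<": "shrunk", ">": "grown"}
ATTRIBUTES = {"l": "link name", "b": "block count", "p": "permissions",
              "u": "uid", "g": "gid", "a": "access time",
              "m": "modification time", "c": "change time", "i": "inode",
              "n": "link count", "C": "checksum", "A": "ACL",
              "X": "extended attributes", "S": "SELinux attributes",
              "E": "ext2 file attributes"}
MARKS = {".": "unchanged", "+": "added", "-": "removed",
         ":": "ignored", " ": "unchecked"}  # non-letter column marks


def parse_summary(summary):
    """Map one 17-character summary to the state of every attribute."""
    if len(summary) != len(SUMMARY_LAYOUT):
        raise ValueError("summary must be %d characters" % len(SUMMARY_LAYOUT))
    body = summary[1:]
    # The two exceptions: a new file is all "+", a removed file all "-"
    # (assumed here to include the size column as well).
    status = ("added" if set(body) == {"+"} else
              "removed" if set(body) == {"-"} else "changed")
    result = {"type": FILE_TYPES.get(summary[0], "unknown"), "status": status,
              "size": SIZE_MARKS.get(summary[2], "unchecked")}
    for pos, letter in enumerate(SUMMARY_LAYOUT):
        if letter in "YZ":
            continue  # file type and size were decoded above
        mark = summary[pos]
        result[ATTRIBUTES[letter]] = ("changed" if mark == letter
                                      else MARKS.get(mark, "unknown"))
    return result


def changed_attributes(summary):
    """Attribute names the summary reports as changed, in layout order."""
    parsed = parse_summary(summary)
    return [name for name in ATTRIBUTES.values() if parsed[name] == "changed"]


def looks_timestomped(summary):
    """Triage heuristic (this example's own): the checksum changed but the
    mtime did not, which is how a rewritten file looks after its timestamps
    were put back."""
    parsed = parse_summary(summary)
    return (parsed["status"] == "changed" and parsed["checksum"] == "changed"
            and parsed["modification time"] == "unchanged")
```

Where the report was produced without ACL, xattr, SELinux or e2fs support, the last four columns come back as "unchecked" rather than as a false "unchanged".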
.IP "report_attributes"
Special group definition that lists parameters which are always printed
in the final report for changed files.
Special group definition that lists parameters which are to be ignored
from the final report.
The value of config_version is printed in the report and also printed
to the database. This is for informational purposes only. It has no
.IP "Group definitions"
If the parameter is not one of the previous parameters then it is
regarded as a group definition. The value is then regarded as an
expression. An expression is of the following form.
<predefined group>| <expr> + <predefined group>
| <expr> - <predefined group>
See DEFAULT GROUPS for an explanation of default predefined groups.
Note that this is different from the way Tripwire(tm) does it.
There is also a special group named "ignore_list". The predefined
\-groups listed in it are NOT displayed in the final report.
.SH "SELECTION LINES"
aide supports three types of selection lines (regular, negative, equals).
Lines beginning with "/" are regular selection lines. Lines beginning
with "=" are equals selection lines. And lines beginning with "!"
are negative selection lines. The string following the first character
is taken as a regular expression matching a complete filename,
including the path. In a regular selection rule the "/" is included in the
regular expression. Special characters in your filenames can be escaped
using two-digit URL encoding (for example, %20 to represent a space).
Following the regular expression is a group definition as explained above.
See EXAMPLES and doc/aide.conf for examples.
More in-depth discussion of the selection algorithm can be found in
.IP "@@define \fBVAR\fR \fBval\fR"
Define variable \fBVAR\fR to value \fBval\fR.
.IP "@@undef \fBVAR\fR"
Undefine variable \fBVAR\fR.
.IP "@@ifdef \fBVAR\fR, @@ifndef \fBVAR\fR"
@@ifdef begins an if statement. It must be terminated with an @@endif
statement. The lines between @@ifdef and @@endif are used if variable
\fBVAR\fR is defined. If there is an @@else statement then the part
between @@ifdef and @@else is used if \fBVAR\fR is defined, otherwise
the part between @@else and @@endif is used. @@ifndef reverses the
logic of the @@ifdef statement but otherwise works similarly.
.IP "@@ifhost \fBhostname\fR, @@ifnhost \fBhostname\fR"
@@ifhost works like @@ifdef; the only difference is that it checks whether
\fBhostname\fR equals the name of the host that aide is running on.
\fBhostname\fR is the name of the host without the domainname
(hostname, not hostname.aide.org).
@@{\fBVAR\fR} is replaced with the value of the variable \fBVAR\fR.
If variable \fBVAR\fR is not defined an empty string is used. Unlike
Tripwire(tm), @@VAR is NOT supported. One special \fBVAR\fR is @@{HOSTNAME}
which is substituted for the hostname of the current system.
Begins the else part of an if statement.
Ends an if statement.
.IP "@@include \fBVAR\fR"
Includes the file \fBVAR\fR. The content of the file is used as if it
were inserted in this part of the config file.
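To see how the macro lines above combine (define, undef, ifdef/else/endif, ifhost and @@{VAR} expansion), here is an added example that is not part of aide: a small preprocessor run over a constructed aide.conf fragment. The host name "webserver", the variable DBDIR and the group name Strict are invented for the example, and @@include is not handled.

```python
import re
# Constructed aide.conf fragment (not from the man page); "webserver" and
# DBDIR are invented for the example.
SAMPLE_CONF = """\
@@define DBDIR /var/lib/aide
database=file:@@{DBDIR}/aide.db
@@ifdef STRICT
Strict=p+i+n+u+g+s+m+c+sha256
@@else
Strict=p+i+n+u+g+s+m+c
@@endif
@@ifhost webserver
/var/www Strict
@@endif
@@undef DBDIR
report_url=file:@@{DBDIR}/aide.report
"""

def preprocess(text, hostname, defined=None):
    """Expand the macro lines of aide.conf(5); returns the surviving lines.
    Nested if-blocks are this example's own assumption."""
    variables = dict(defined or {}, HOSTNAME=hostname)  # @@{HOSTNAME} is built in
    stack, out = [], []  # stack: one "branch active?" flag per open @@if
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # comments are ignored
            continue
        if line.startswith("@@endif"):
            stack.pop()
            continue
        if line.startswith("@@else"):
            stack[-1] = not stack[-1]
            continue
        m = re.match(r"@@(ifdef|ifndef|ifhost|ifnhost)\s+(\S+)", line)
        if m:
            kind, arg = m.groups()
            cond = arg in variables if kind.endswith("def") else arg == hostname
            stack.append(cond if kind in ("ifdef", "ifhost") else not cond)
            continue
        if not all(stack):  # inside a branch that was not taken
            continue
        m = re.match(r"@@(define|undef)\s+(\S+)\s*(.*)", line)
        if m and m.group(1) == "define":
            variables[m.group(2)] = m.group(3)
        elif m:
            variables.pop(m.group(2), None)
        else:  # undefined @@{VAR} expands to the empty string
            out.append(re.sub(r"@@\{(\w+)\}", lambda v: variables.get(v.group(1), ""), line))
    return out
```

Note how the report_url line ends up pointing at "/aide.report" once DBDIR has been undefined: a silently empty expansion is easy to miss and worth checking in the generated report paths.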
Urls can be one of the following. Input urls cannot be used as outputs
Output is sent to stdout or stderr, respectively.
Input is read from stdin.
.IP "file://\fBfilename\fR"
Input is read from \fBfilename\fR or output is written to
.IP "fd:\fBnumber\fR"
Input is read from file descriptor \fBnumber\fR or output is written to
.IP "ftype: file type"
.IP "n: number of links"
.IP "S: check for growing size"
.IP "I: ignore changed filename"
.IP "ANF: allow new files"
.IP "ARF: allow removed files"
.IP "md5: md5 checksum"
.IP "sha1: sha1 checksum"
.IP "sha256: sha256 checksum"
.IP "sha512: sha512 checksum"
.IP "rmd160: rmd160 checksum"
.IP "tiger: tiger checksum"
.IP "haval: haval checksum"
.IP "crc32: crc32 checksum"
.IP "R: p+ftype+i+l+n+u+g+s+m+c+md5"
.IP "L: p+ftype+i+l+n+u+g"
.IP ">: Growing logfile p+ftype+l+u+g+i+n+S"
.IP "And also the following if you have mhash support enabled"
.IP "gost: gost checksum"
.IP "whirlpool: whirlpool checksum"
.IP "The following are available and added to the default groups R, L and >"
.IP "only when explicitly enabled using configure"
.IP "acl: access control list"
.IP "selinux: selinux attributes"
.IP "xattrs: extended attributes"
.IP "e2fsattrs: file attributes on a second extended file system"
Please note that 'I' and 'c' are incompatible. When the name of a file
is changed, its ctime is updated as well. When you put 'c' and 'I' in
the same rule, a changed ctime is silently ignored.
When 'ANF' is used, new files are added to the new database, but are
ignored in the report.
When 'ARF' is used, files missing on disk are omitted from the new database,
but are ignored in the report.
This adds all files on your machine to the database. This one line
is a fully qualified configuration file.
This ignores the /dev directory structure.
Only /tmp is taken into the database. None of its children are added.
.B "\fBAll\fR=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160"
This line defines group \fBAll\fR. It has all attributes and all
message-digest checksum functions. If you absolutely want all digest functions
then you should enable mhash support and add
+crc32+haval+gost to the end of the definition for
\fBAll\fR. Mhash support can only be enabled at compile-time.
.B "=/foo p+i+l+n+u+g+s+m+c+md5"
.B "/foo/bar p+i+l+n+u+g+s+m+c+md5"
This config adds all files under /foo because they match the regex /foo,
which is equivalent to /foo.* . What you probably want is:
.B "=/foo$ p+i+l+n+u+g+s+m+c+md5"
.B "/foo/bar p+i+l+n+u+g+s+m+c+md5"
Note that the following still works as expected because =/foo$ stops
recursion into directory /foo.
.B "=/foo p+i+l+n+u+g+s+m+c+md5"
In the following, the first is not allowed in AIDE. Use the latter instead.
.BR http://www.cs.tut.fi/~rammer/aide/manual.html
All trademarks are the property of their respective owners.
No animals were harmed while making this webpage or this piece of