Provided by: aide-common_0.15.1-3ubuntu1_all bug

NAME

       aide.conf  -  The  configuration  file for Advanced Intrusion Detection
       Environment

SYNOPSIS

       aide.conf is the configuration file for  Advanced  Intrusion  Detection
       Environment.  aide.conf contains the runtime configuration aide uses to
       initiailize or check the aide database.

FILE FORMAT

       aide.conf is similar in  to  Tripwire(tm)'s  configuration  file.  With
       little effort tw.conf can be converted to aide.conf.

       aide.conf  is  case-sensitive.  Leading  and  trailing  whitespaces are
       ignored.

       There are three types of  lines  in  aide.conf.  First  there  are  the
       configuration  lines which are used to set configuration parameters and
       define/undefine variables. Second, there are selection lines  that  are
       used  to  indicate  which files are added to the database. Third, macro
       lines define or  undefine  variables  within  the  config  file.  Lines
       beginning with # are ignored as comments.

CONFIG LINES

       These  lines  have  the  format parameter=value. See URLS for a list of
       valid urls.

       database
              The url from which database is read. There can only  be  one  of
              these lines. If there are multiple database lines then the first
              is used.   There  is  no  valid  default  value  in  the  Debian
              packages!

       database_out
              The  url to which the new database is written to. There can only
              be one of these lines. If there are multiple database_out  lines
              then  the  first is used. There is no valid default value in the
              Debian packages!

       database_new
              The url from which the other database  for  --compare  is  read.
              There is no default for this one.

       verbose
              The  level  of  messages that is output. This value can be 0-255
              inclusive. This parameter can only be given once. Value from the
              first  occurence  is  used.  If --verbose or -V is used then the
              value from that is used. The default is 5. If  verbosity  is  20
              then  additional  report  output  is written when doing --check,
              --update or --compare.

       report_url
              The url that the output is written to.  There  can  be  multiple
              instances  of  this parameter. Output is written to all of them.
              The default is stdout.

       gzip_dbout
              Whether the output to the database  is  gzipped  or  not.  Valid
              values are yes,true,no and false. The default is no. This option
              is available only if zlib support is compiled in.

       acl_no_symlink_follow
              Whether to check ACLs for symlinks  or  not.  Valid  values  are
              yes,true,no  and  false. The default is to follow symlinks. This
              option is available only if acl support is compiled in.

       warn_dead_symlinks
              Whether to warn about dead symlinks or  not.  Valid  values  are
              yes,true,no  and  false.  The  default is not to warn about dead
              symlinks.

       grouped
              Whether to group the files in the report by added,  removed  and
              changed  files or not. Valid values are yes, true, no and false.
              The default is to group the files in the report.

       summarize_changes
              Whether to summarize changes in the added, removed  and  changed
              files   sections   of  the  report  or  not.  Valid  values  are
              yes,true,no and false.  The default  is  not  to  summarize  the
              changes.

              The general format is like the string YlZbpugamcinCAXSE, where Y
              is replaced by the file-type (f for a  regular  file,  d  for  a
              directory,  L  for  a symbolic link, D for a character device, B
              for a block device, F for a FIFO, s for a unix socket, |  for  a
              Solaris door, ! if file type has changed and ? otherwise).

              The  Z  is  replaced as follows: A = means that the size has not
              changed, a < reports a shrinked size and a  >  reports  a  grown
              size.

              The other letters in the string are the actual letters that will
              be output if the associated attribute  for  the  item  has  been
              changed  or a "." for no change, a "+" if the attribute has been
              added, a "-" if it has been removed, a ":" if the  attribute  is
              listed  in  ignore_list  or  a " " if the attribute has not been
              checked. The exceptions to this are: (1) a  newly  created  file
              replaces each letter with a "+", and (2) a removed file replaces
              each letter with a "-".

              The attribute that is associated with each letter is as follows:

              o      A l means that the link name has changed.

              o      A b means that the block count has changed.

              o      A p means that the permissions have changed.

              o      An u means that the uid has changed.

              o      A g means that the gid has changed.

              o      An a means that the access time has changed.

              o      A m means that the modification time has changed.

              o      A c means that the change time has changed.

              o      An i means that the inode has changed.

              o      A n means that the link count has changed.

              o      A C means that one or more checksums have changed.

              The following letters are only available when explicitly enabled
              using configure:

              o      A A means that the access control list has changed.

              o      A X means that the extended attributes have changed.

              o      A S means that the SELinux attributes have changed.

              o      A  E  means that the file attributes on a second extended
                     file system have changed.

       report_attributes
              Special group definition that lists parameters which are  always
              printed in the final report for changed files.

       ignore_list
              Special  group  definition that lists parameters which are to be
              ignored from the final report.

       config_version
              The value of config_version is printed in the  report  and  also
              printed  to  the  database.  This  is for informational purposes
              only. It has no other functionality.

       Group definitions
              If the parameter is not one of the previous parameters  then  it
              is  regarded as a group definition. Value is then regarded as an
              expression. Expression is of the following form.

                  <predefined group>| <expr> + <predefined group>
                                    | <expr> - <predifined group>

              See DEFAULT GROUPS for  an  explanation  of  default  predefined
              groups.   Note  that this is different from the way Tripwire(tm)
              does it.

              There  is  also  a  special  group  named   "ignore_list".   The
              predefined  -groups  listed in it are NOT displayed in the final
              report.

SELECTION LINES

       aide supports  three  types  of  selection  lines  (regular,  negative,
       equals)  Lines  beginning  with  "/" are regular selection lines. Lines
       beginning with "=" are equals selection lines. And lines beginning with
       "!"   are  negative  selection  lines.  The  string following the first
       character is taken as a  regular  expression  matching  to  a  complete
       filename,  including  the  path. In a regular selection rule the "/" is
       included  in  the  regular  expression.  Special  characters  in   your
       filenames can be escaped using two-digit URL encoding (for example, %20
       to represent a space).  Following the regular  expression  is  a  group
       definition  as  explained  above.   See  EXAMPLES and doc/aide.conf for
       examples.

       More in-depth discussion of the selection algorithm can be found in the
       aide manual.

MACRO LINES

       @@define VAR val
              Define variable VAR to value val.

       @@undef VAR
              Undefine variable VAR.

       @@ifdef VAR, @@ifndef VAR
              @@ifdef  begins  an  if statement. It must be terminated with an
              @@endif statement. The lines between  @@ifdef  and  @@endif  are
              used if variable VAR is defined. If there is an @@else statement
              then the part between @@ifdef and  @@else  is  used  is  VAR  is
              defined  otherwise  the part between @@else and @@endif is used.
              @@ifndef reverses the logic of @@ifdef statement  but  otherwise
              works similarly.

       @@ifhost hostname, @@ifnhost hostname
              @@ifhost  works  like  @@ifdef only difference is that it checks
              whether hostname equals the  name  of  the  host  that  aide  is
              running  on.   hostname  is  the  name  of  the host without the
              domainname (hostname, not hostname.aide.org).

       @@{VAR}
              @@{VAR} is replaced with the value  of  the  variable  VAR.   If
              variable  VAR  is  not  defined  an empty string is used. Unlike
              Tripwire(tm)  @@VAR  is  NOT  supported.  One  special  VAR   is
              @@{HOSTNAME}  which  is  substituted  for  the  hostname  of the
              current system.

       @@else Begins the else part of an if statement.

       @@endif
              Ends an if statement.

       @@include VAR
              Includes the file VAR. The content of the file is used as if  it
              were inserted in this part of the config file.

URLS

       Urls  can be one of the following. Input urls cannot be used as outputs
       and vice versa.

       stdout

       stderr Output is sent to stdout,stderr respectively.

       stdin  Input is read from stdin.

       file://filename
              Input is read from filename or output is written to filename.

       fd:number
              Input is read from filedescriptor number or output is written to
              number.

DEFAULT GROUPS

       p:   permissions

       ftype: file type

       i:   inode

       l:   link name

       n:   number of links

       u:   user

       g:   group

       s:   size

       b:   block count

       m:   mtime

       a:   atime

       c:   ctime

       S:   check for growing size

       I:   ignore changed filename

       ANF: allow new files

       ARF: allow removed files

       md5: md5 checksum

       sha1: sha1 checksum

       sha256: sha256 checksum

       sha512: sha512 checksum

       rmd160: rmd160 checksum

       tiger: tiger checksum

       haval: haval checksum

       crc32:    crc32 checksum

       R:   p+ftype+i+l+n+u+g+s+m+c+md5

       L:   p+ftype+i+l+n+u+g

       E:   Empty group

       >:   Growing logfile p+ftype+l+u+g+i+n+S

       And also the following if you have mhash support enabled

       gost: gost checksum

       whirlpool: whirlpool checksum

       The following are available and added to the default groups R, L and >

       only when explicitly enabled using configure

       acl: access control list

       selinux: selinux attributes

       xattrs: extended attributes

       e2fsattrs: file attributes on a second extended file system

       Please  note that 'I' and 'c' are incompatible. When the name of a file
       is changed, it's ctime is updated as well. When you put 'c' and 'I'  in
       the same rule the, a changed ctime is silently ignored.

       When  'ANF'  is  used, new files are added to the new database, but are
       ignored in the report.

       When 'ARF' is used, files missing on disk  are  omitted  from  the  new
       database, but are ignored in the report.

EXAMPLES

              /    R

       This  adds  all files on your machine to the database. This is one line
       is a fully qualified configuration file.

              !/dev

       This ignores the /dev directory structure.

              =/tmp

       Only /tmp is taken into the database. None of its children are added.

              All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160

       This line defines group All. It has all attributes and all md  checksum
       functions.  If you absolutely want all digest functions then you should
       enable mhash support and  add  +crc32+haval+gost  to  the  end  of  the
       definition for All. Mhash support can only be enabled at compile-time.

HINTS

              =/foo p+i+l+n+u+g+s+m+c+md5

              /foo/bar p+i+l+n+u+g+s+m+c+md5

       This config adds all files under /foo because they match to regex /foo,
       which is equivalent to /foo.* . What you probably want is:

              =/foo$ p+i+l+n+u+g+s+m+c+md5

              /foo/bar p+i+l+n+u+g+s+m+c+md5

       Note that the following still works as  expected  because  =/foo$  stop
       recuring of directory /foo.

              =/foo p+i+l+n+u+g+s+m+c+md5

       In  the  following,  the  first  is not allowed in AIDE. Use the latter
       instead.

              /foo epug

              /foo e+p+u+g

SEE ALSO

       aide(1) http://www.cs.tut.fi/~rammer/aide/manual.html

DISCLAIMER

       All trademarks are the property of their respective owners.  No animals
       were harmed while making this webpage or this piece of software.

                                                                  aide.conf(5)