Provided by: aide-dynamic_0.16~a2.git20130520-3_amd64 bug

NAME

       aide.conf - The configuration file for Advanced Intrusion Detection Environment

SYNOPSIS

       aide.conf  is  the  configuration  file  for  Advanced  Intrusion  Detection  Environment.
       aide.conf contains the runtime configuration aide uses to initiailize or  check  the  aide
       database.

FILE FORMAT

       aide.conf  is  similar in to Tripwire(tm)'s configuration file. With little effort tw.conf
       can be converted to aide.conf.

       aide.conf is case-sensitive. Leading and trailing whitespaces are ignored.

       There are three types of lines in aide.conf. First there are the configuration lines which
       are  used to set configuration parameters and define/undefine variables. Second, there are
       selection lines that are used to indicate which files are added to  the  database.  Third,
       macro  lines  define  or undefine variables within the config file. Lines beginning with #
       are ignored as comments.

CONFIG LINES

       These lines have the format parameter=value. See URLS for a list of valid urls.

       database
              The url from which database is read. There can only be one of these lines. If there
              are  multiple  database  lines  then  the first is used.  There is no valid default
              value in the Debian packages!

       database_out
              The url to which the new database is written to. There can only  be  one  of  these
              lines. If there are multiple database_out lines then the first is used. There is no
              valid default value in the Debian packages!

       database_new
              The url from which the other database for --compare is read.  There is  no  default
              for this one.

       database_attrs
              The  attributes  of  the (uncompressed) database files which are to be added to the
              final report in verbose level 2 or higher. Only checksum attributes are  supported.
              To  disable  set  database_attrs  to 'E'.  By default all compiled in checksums are
              added to the report.

       verbose
              The level of messages that is output. This  value  can  be  0-255  inclusive.  This
              parameter  can  only  be  given  once.  Value  from the first occurence is used. If
              --verbose or -V is used then the value from that is used.  The  default  is  5.  If
              verbosity  is  20  then  additional  report  output  is written when doing --check,
              --update or --compare.

       report_url
              The url that the output is written to. There can  be  multiple  instances  of  this
              parameter. Output is written to all of them. The default is stdout.

       report_base16
              Whether  to base16 encode the checksums in the report or not. Valid values are yes,
              true, no and false. The default is to report checksums not in base16 but in  base64
              encoding.

       report_detailed_init
              Whether to report added files (verbose level >= 2) and their details (verbose level
              >=6) in initialization mode or not. Valid values are yes, true, no and  false.  The
              default is to not report added files or their details in init mode.

       gzip_dbout
              Whether  the output to the database is gzipped or not. Valid values are yes,true,no
              and false. The default is no. This option is available  only  if  zlib  support  is
              compiled in.

       root_prefix
              The  prefix  to  strip  from  each file name in the file system before applying the
              rules and writing to database. Aide removes a trailing slash from the prefix.   The
              default is no (an empty) prefix. This option has no effect in compare mode.

       acl_no_symlink_follow
              Whether  to check ACLs for symlinks or not. Valid values are yes,true,no and false.
              The default is to follow symlinks. This option is available only if acl support  is
              compiled in.

       warn_dead_symlinks
              Whether to warn about dead symlinks or not. Valid values are yes,true,no and false.
              The default is not to warn about dead symlinks.

       grouped
              Whether to group the files in the report by added, removed  and  changed  files  or
              not.  Valid  values are yes, true, no and false.  The default is to group the files
              in the report.

       summarize_changes
              Whether to summarize changes in the added, removed and changed  files  sections  of
              the  report  or  not.  Valid  values  are yes,true,no and false.  The default is to
              summarize the changes.

              The general format is like the string YlZbpugamcinCAXSE, where Y is replaced by the
              file-type  (f for a regular file, d for a directory, L for a symbolic link, D for a
              character device, B for a block device, F for a FIFO, s for a unix socket, | for  a
              Solaris door, ! if file type has changed and ? otherwise).

              The  Z is replaced as follows: A = means that the size has not changed, a < reports
              a shrinked size and a > reports a grown size.

              The other letters in the string are the actual letters that will be output  if  the
              associated attribute for the item has been changed or a "." for no change, a "+" if
              the attribute has been added, a "-" if it has been removed, a ":" if the  attribute
              is  listed  in  ignore_list  or  a  "  " if the attribute has not been checked. The
              exceptions to this are: (1) a newly created file replaces each letter with  a  "+",
              and (2) a removed file replaces each letter with a "-".

              The attribute that is associated with each letter is as follows:

              o      A l means that the link name has changed.

              o      A b means that the block count has changed.

              o      A p means that the permissions have changed.

              o      An u means that the uid has changed.

              o      A g means that the gid has changed.

              o      An a means that the access time has changed.

              o      A m means that the modification time has changed.

              o      A c means that the change time has changed.

              o      An i means that the inode has changed.

              o      A n means that the link count has changed.

              o      A C means that one or more checksums have changed.

              The following letters are only available when explicitly enabled using configure:

              o      A A means that the access control list has changed.

              o      A X means that the extended attributes have changed.

              o      A S means that the SELinux attributes have changed.

              o      A  E  means  that  the file attributes on a second extended file system have
                     changed.

       report_attributes
              Special group definition that lists parameters which  are  always  printed  in  the
              final report for changed files.

       ignore_list
              Special  group  definition  that  lists parameters which are to be ignored from the
              final report.

       config_version
              The value of config_version is printed in  the  report  and  also  printed  to  the
              database. This is for informational purposes only. It has no other functionality.

       Group definitions
              If  the  parameter  is  not one of the previous parameters then it is regarded as a
              group definition. Value is then regarded as an expression.  Expression  is  of  the
              following form.

                  <predefined group>| <expr> + <predefined group>
                                    | <expr> - <predifined group>

              See DEFAULT GROUPS for an explanation of default predefined groups.  Note that this
              is different from the way Tripwire(tm) does it.

              There is also a special group named "ignore_list". The predefined -groups listed in
              it are NOT displayed in the final report.

SELECTION LINES

       aide  supports  three types of selection lines (regular, negative, equals) Lines beginning
       with "/" are regular selection lines. Lines beginning with "=" are equals selection lines.
       And lines beginning with "!"  are negative selection lines. The string following the first
       character is taken as a regular expression matching to a complete filename, including  the
       path.  In  a regular selection rule the "/" is included in the regular expression. Special
       characters in your filenames can be escaped using two-digit URL encoding (for example, %20
       to  represent  a  space).   Following  the  regular  expression  is  a group definition as
       explained above.  See EXAMPLES and doc/aide.conf for examples.

       More in-depth discussion of the selection algorithm can be found in the aide manual.

MACRO LINES

       @@define VAR val
              Define variable VAR to value val.

       @@undef VAR
              Undefine variable VAR.

       @@ifdef VAR, @@ifndef VAR
              @@ifdef begins an if statement. It must be terminated with  an  @@endif  statement.
              The lines between @@ifdef and @@endif are used if variable VAR is defined. If there
              is an @@else statement then the part between @@ifdef and @@else is used is  VAR  is
              defined  otherwise  the  part between @@else and @@endif is used. @@ifndef reverses
              the logic of @@ifdef statement but otherwise works similarly.

       @@ifhost hostname, @@ifnhost hostname
              @@ifhost works like @@ifdef only difference is  that  it  checks  whether  hostname
              equals  the  name of the host that aide is running on.  hostname is the name of the
              host without the domainname (hostname, not hostname.aide.org).

       @@{VAR}
              @@{VAR} is replaced with the value of the variable VAR.  If  variable  VAR  is  not
              defined  an  empty  string is used. Unlike Tripwire(tm) @@VAR is NOT supported. One
              special VAR is @@{HOSTNAME} which is substituted for the hostname  of  the  current
              system.

       @@else Begins the else part of an if statement.

       @@endif
              Ends an if statement.

       @@include VAR
              Includes  the  file  VAR. The content of the file is used as if it were inserted in
              this part of the config file.

URLS

       Urls can be one of the following. Input urls cannot be used as outputs and vice versa.

       stdout

       stderr Output is sent to stdout,stderr respectively.

       stdin  Input is read from stdin.

       file://filename
              Input is read from filename or output is written to filename.

       fd:number
              Input is read from filedescriptor number or output is written to number.

DEFAULT GROUPS

       p:   permissions

       ftype: file type

       i:   inode

       l:   link name

       n:   number of links

       u:   user

       g:   group

       s:   size

       b:   block count

       m:   mtime

       a:   atime

       c:   ctime

       S:   check for growing size

       I:   ignore changed filename

       ANF: allow new files

       ARF: allow removed files

       md5: md5 checksum

       sha1: sha1 checksum

       sha256: sha256 checksum

       sha512: sha512 checksum

       rmd160: rmd160 checksum

       tiger: tiger checksum

       haval: haval checksum

       crc32:    crc32 checksum

       R:   p+ftype+i+l+n+u+g+s+m+c+md5+X

       L:   p+ftype+i+l+n+u+g+X

       E:   Empty group

       X:   acl+selinux+xattrs+e2fsattrs (if groups are explicitly enabled)

       >:   Growing logfile p+ftype+l+u+g+i+n+S+X

       And also the following if you have mhash support enabled

       gost: gost checksum

       whirlpool: whirlpool checksum

       The following are available only when explicitly enabled using configure

       acl: access control list

       selinux: selinux attributes

       xattrs: extended attributes

       e2fsattrs: file attributes on a second extended file system

       Please note that 'I' and 'c' are incompatible. When the name of a file  is  changed,  it's
       ctime  is  updated as well. When you put 'c' and 'I' in the same rule the, a changed ctime
       is silently ignored.

       When 'ANF' is used, new files are added to the  new  database,  but  are  ignored  in  the
       report.

       When  'ARF'  is  used,  files  missing  on disk are omitted from the new database, but are
       ignored in the report.

EXAMPLES

              /    R

       This adds all files on your machine to the database. This is one line is a fully qualified
       configuration file.

              !/dev

       This ignores the /dev directory structure.

              =/tmp

       Only /tmp is taken into the database. None of its children are added.

              All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160

       This  line  defines group All. It has all attributes and all md checksum functions. If you
       absolutely want all digest  functions  then  you  should  enable  mhash  support  and  add
       +crc32+haval+gost  to the end of the definition for All. Mhash support can only be enabled
       at compile-time.

HINTS

              =/foo p+i+l+n+u+g+s+m+c+md5

              /foo/bar p+i+l+n+u+g+s+m+c+md5

       This config adds all files  under  /foo  because  they  match  to  regex  /foo,  which  is
       equivalent to /foo.* . What you probably want is:

              =/foo$ p+i+l+n+u+g+s+m+c+md5

              /foo/bar p+i+l+n+u+g+s+m+c+md5

       Note  that the following still works as expected because =/foo$ stop recuring of directory
       /foo.

              =/foo p+i+l+n+u+g+s+m+c+md5

       In the following, the first is not allowed in AIDE. Use the latter instead.

              /foo epug

              /foo e+p+u+g

SEE ALSO

       aide(1) http://www.cs.tut.fi/~rammer/aide/manual.html

DISCLAIMER

       All trademarks are the property of their respective owners.  No animals were harmed  while
       making this webpage or this piece of software.

                                                                                     aide.conf(5)