Provided by: aide-xen_0.16-3ubuntu0.1_amd64 
NAME
aide.conf - The configuration file for Advanced Intrusion Detection Environment
SYNOPSIS
aide.conf is the configuration file for Advanced Intrusion Detection Environment. aide.conf contains the
runtime configuration aide uses to initialize or check the AIDE database.
FILE FORMAT
aide.conf is similar in to Tripwire(tm)'s configuration file. With little effort tw.conf can be converted
to aide.conf.
aide.conf is case-sensitive. Leading and trailing white spaces are ignored.
There are three types of lines in aide.conf. First there are the configuration lines which are used to
set configuration parameters and define/undefine variables. Second, there are (restricted) selection
lines that are used to indicate which files are added to the database. Third, macro lines define or
undefine variables within the config file. Lines beginning with # are ignored as comments.
CONFIG LINES
These lines have the format parameter=value. See URLS for a list of valid urls.
database
The url from which database is read. There can only be one of these lines. If there are multiple
database lines then the first is used. There is no valid default value in the Debian packages!
database_out
The url to which the new database is written to. There can only be one of these lines. If there
are multiple database_out lines then the first is used. There is no valid default value in the
Debian packages!
database_new
The url from which the other database for --compare is read. There is no default for this one.
database_attrs
The attributes of the (uncompressed) database files which are to be added to the final report in
verbose level 2 or higher. Only checksum attributes are supported. To disable set database_attrs
to 'E'. By default all compiled in checksums are added to the report.
database_add_metadata
Whether to add the AIDE version and the time of database generation as comments to the database
file or not. Valid values are yes, true, no and false. The default is to add the AIDE version and
the time of database generation. This option may be set to no by default in a future release.
verbose
The level of messages that is output. This value can be 0-255 inclusive. This parameter can only
be given once. Value from the first occurrence is used. If --verbose or -V is used then the value
from that is used. The default is 5. If verbosity is 20 then additional report output is written
when doing --check, --update or --compare.
report_url
The url that the output is written to. There can be multiple instances of this parameter. Output
is written to all of them. The default is stdout.
report_base16
Whether to base16 encode the checksums in the report or not. Valid values are yes, true, no and
false. The default is to report checksums not in base16 but in base64 encoding.
report_detailed_init
Whether to report added files (verbose level >= 2) and their details (verbose level >=7) in
initialization mode or not. Valid values are yes, true, no and false. The default is to not report
added files or their details in init mode.
report_quiet
Whether to suppress report output if no differences to the database have been found or not. Valid
values are yes, true, no and false. The default is to not suppress output in the report.
gzip_dbout
Whether the output to the database is gzipped or not. Valid values are yes,true,no and false. The
default is no. This option is available only if zlib support is compiled in.
root_prefix
The prefix to strip from each file name in the file system before applying the rules and writing
to database. AIDE removes a trailing slash from the prefix. The default is no (an empty) prefix.
This option has no effect in compare mode.
acl_no_symlink_follow
Whether to check ACLs for symlinks or not. Valid values are yes,true,no and false. The default is
to follow symlinks. This option is available only if acl support is compiled in.
warn_dead_symlinks
Whether to warn about dead symlinks or not. Valid values are yes,true,no and false. The default is
not to warn about dead symlinks.
grouped
Whether to group the files in the report by added, removed and changed files or not. Valid values
are yes, true, no and false. The default is to group the files in the report.
summarize_changes
Whether to summarize changes in the added, removed and changed files sections of the report or
not. Valid values are yes,true,no and false. The default is to summarize the changes.
The general format is like the string YlZbpugamcinCAXSE, where Y is replaced by the file-type (f
for a regular file, d for a directory, l for a symbolic link, c for a character device, b for a
block device, p for a FIFO, s for a unix socket, D for a Solaris door, P for a Solaris event port,
! if file type has changed and ? otherwise).
The Z is replaced as follows: A = means that the size has not changed, a < reports a shrinked size
and a > reports a grown size.
The other letters in the string are the actual letters that will be output if the associated
attribute for the item has been changed or a "." for no change, a "+" if the attribute has been
added, a "-" if it has been removed, a ":" if the attribute is ignored (but not forced) or a " "
if the attribute has not been checked. The exceptions to this are: (1) a newly created file
replaces each letter with a "+", and (2) a removed file replaces each letter with a "-".
The attribute that is associated with each letter is as follows:
o A l means that the link name has changed.
o A b means that the block count has changed.
o A p means that the permissions have changed.
o An u means that the uid has changed.
o A g means that the gid has changed.
o An a means that the access time has changed.
o A m means that the modification time has changed.
o A c means that the change time has changed.
o An i means that the inode has changed.
o A n means that the link count has changed.
o A C means that one or more checksums have changed.
The following letters are only available when explicitly enabled using configure:
o A A means that the access control list has changed.
o A X means that the extended attributes have changed.
o A S means that the SELinux attributes have changed.
o A E means that the file attributes on a second extended file system have changed.
report_ignore_added_attrs
Special group definition that lists attributes whose addition is to be ignored in the final
report.
report_ignore_removed_attrs
Special group definition that lists attributes whose removal is to be ignored in the final report.
report_ignore_changed_attrs
ignore_list (DEPRECATED, will be removed in a future release)
Special group definition that lists attributes whose change is to be ignored in the final report.
report_force_attrs
report_attributes (DEPRECATED, will be removed in a future release)
Special group definition that lists attributes which are always printed in the final report for
changed files. If an attribute is both ignored and forced the attribute is not considered for file
change but printed in the final report if the file has been otherwise changed.
report_ignore_e2fsattrs
List (no delimiter) of ext2 file attributes which are to be ignored in the final report. See
chattr(1) for the available attributes. Use '0' to not ignore any attribute. Ignored attributes
are represented by a ':' in the output. The default is to not ignore any ext2 file attribute.
Example
Ignore changes of the ext2 file attributes compression error (E), huge file (h), indexed
directory (I):
report_ignore_e2fsattrs=EhI
config_version
The value of config_version is printed in the report and also printed to the database. This is for
informational purposes only. It has no other functionality.
Group definitions
If the parameter is not one of the previous parameters then it is regarded as a group definition.
Value is then regarded as an expression. Expression is of the following form.
<predefined group>| <expr> + <predefined group>
| <expr> - <predefined group>
See DEFAULT GROUPS for an explanation of default predefined groups. Note that this is different
from the way Tripwire(tm) does it.
SELECTION LINES
AIDE supports three types of selection lines:
Regular selection line:
<regex> <group>
Files and directories matching the regular expression are added to the database.
Negative selection line:
!<regex>
Files and directories matching the regular expression are ignored and not added to the database.
Equals selection line:
=<regex> <group>
Files and directories matching the regular expression are added to the database. The children of
directories are only added if the regular expression ends with a "/". The children of sub-directories
are not added at all.
Every regular expression has to start with a "/". An implicit ^ is added in front of each regular
expression. In other words the regular expressions are matched at the first position against the complete
filename (i.e. including the path). Special characters in your filenames can be escaped using two-digit
URL encoding (for example, %20 to represent a space).
See EXAMPLES and doc/aide.conf for examples.
More in-depth discussion of the selection algorithm can be found in the AIDE manual.
RESTRICTED SELECTION LINES
Restricted selection lines are like normal selection lines but can be restricted to file types. The
following file types are supported:
f: restrict rule to regular files
d: restrict rule to directories
l: restrict rule to symbolic links
c: restrict rule to character devices
b: restrict rule to block devices
p: restrict rule to FIFO files
s: restrict rule to UNIX sockets
D: restrict rule to Solaris doors
P: restrict rule to Solaris event ports
The file types are separated by comma. The syntax of restricted selection lines is as follows:
Restricted regular selection line:
<regex> <file types> <group>
Restricted negative selection line:
!<regex> <file types>
Restricted equals selection line:
=<regex> <file types> <group>
Examples
Only add directories and files to the database:
/ d,f R
Add all but directory entries to the database:
!/run d
/run R
Use specific rule for directories:
/run d R-m-c-i
/run R
MACRO LINES
@@define VAR val
Define variable VAR to value val.
@@undef VAR
Undefine variable VAR.
@@ifdef VAR, @@ifndef VAR
@@ifdef begins an if statement. It must be terminated with an @@endif statement. The lines between
@@ifdef and @@endif are used if variable VAR is defined. If there is an @@else statement then the
part between @@ifdef and @@else is used is VAR is defined otherwise the part between @@else and
@@endif is used. @@ifndef reverses the logic of @@ifdef statement but otherwise works similarly.
@@ifhost hostname, @@ifnhost hostname
@@ifhost works like @@ifdef only difference is that it checks whether hostname equals the name of
the host that AIDE is running on. hostname is the name of the host without the domainname
(hostname, not hostname.example.com).
@@{VAR}
@@{VAR} is replaced with the value of the variable VAR. If variable VAR is not defined an empty
string is used. Unlike Tripwire(tm) @@VAR is NOT supported. One special VAR is @@{HOSTNAME} which
is substituted for the hostname of the current system.
@@else Begins the else part of an if statement.
@@endif
Ends an if statement.
@@include VAR
Includes the file VAR. The content of the file is used as if it were inserted in this part of the
config file.
URLS
Urls can be one of the following. Input urls cannot be used as outputs and vice versa.
stdout
stderr Output is sent to stdout,stderr respectively.
stdin Input is read from stdin.
file://filename
Input is read from filename or output is written to filename.
fd:number
Input is read from filedescriptor number or output is written to number.
DEFAULT GROUPS
p: permissions
ftype: file type
i: inode
l: link name
n: number of links
u: user
g: group
s: size
b: block count
m: mtime
a: atime
c: ctime
S: check for growing size
I: ignore changed filename
ANF: allow new files
ARF: allow removed files
md5: md5 checksum
sha1: sha1 checksum
sha256: sha256 checksum
sha512: sha512 checksum
rmd160: rmd160 checksum
tiger: tiger checksum
haval: haval checksum
crc32: crc32 checksum
R: p+ftype+i+l+n+u+g+s+m+c+md5+X
L: p+ftype+i+l+n+u+g+X
E: Empty group
X: acl+selinux+xattrs+e2fsattrs (if groups are explicitly enabled)
>: Growing file p+ftype+l+u+g+i+n+S+X
And also the following if you have mhash support enabled
gost: gost checksum
whirlpool: whirlpool checksum
The following are available only when explicitly enabled using configure
acl: access control list
selinux: selinux attributes
xattrs: extended attributes
e2fsattrs: file attributes on a second extended file system
Please note that 'I' and 'c' are incompatible. When the name of a file is changed, it's ctime is updated
as well. When you put 'c' and 'I' in the same rule the, a changed ctime is silently ignored.
When 'ANF' is used, new files are added to the new database, but are ignored in the report.
When 'ARF' is used, files missing on disk are omitted from the new database, but are ignored in the
report.
EXAMPLES
/ R
This adds all files on your machine to the database. This one line is a fully qualified configuration
file.
!/dev
This ignores the /dev directory structure.
=/foo R
Only /foo and /foobar are taken into the database. None of their children are added.
=/foo/ R
Only /foo and its children (e.g. /foo/file and /foo/directory) are taken into the database. The children
of sub-directories (e.g. /foo/directory/bar) are not added.
All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160
This line defines group All. It has all attributes and all md checksum functions. If you absolutely want
all digest functions then you should enable mhash support and add +crc32+haval+gost to the end of the
definition for All. Mhash support can only be enabled at compile-time.
HINTS
In the following, the first is not allowed in AIDE. Use the latter instead.
/foo epug
/foo e+p+u+g
SEE ALSO
aide(1) manual.html
DISCLAIMER
All trademarks are the property of their respective owners. No animals were harmed while making this
webpage or this piece of software.
aide 0.16 Jul 25, 2016 AIDE.CONF(5)