Provided by: aide_0.17.4-1_amd64 bug

NAME

       aide.conf - The configuration file for Advanced Intrusion Detection Environment

SYNOPSIS

       aide.conf  is  the  configuration  file  for  Advanced  Intrusion  Detection  Environment.
       aide.conf contains the runtime configuration aide uses to initialize  or  check  the  AIDE
       database.

FILE FORMAT

       aide.conf  is case-sensitive. Leading and trailing white spaces are ignored. AIDE uses the
       backslash character (\) as escape character for ' ' (space), '@' and '\' (backslash) (e.g.
       '\  ' or '\@'). To literally match a '\' in a file path with a regular expression you have
       to escape the backslash twice (i.e. '\\\\').

       There are three types of lines in aide.conf. First there  are  the  configuration  options
       which  are  used  to  set  configuration  parameters  and define groups. Second, there are
       (restricted) rules that are used to indicate which files are added to the database. Third,
       macro  lines  define  or undefine variables within the config file. Lines beginning with #
       are ignored as comments.

CONFIG OPTIONS

       These lines have the format parameter=value. See URLS for a list of valid urls.

       database_in (type: URL, default: see --version output)
       database (DEPRECATED, will be removed in a future release)
              The url from which database is read. There can only be one of these lines. If there
              are multiple database lines then the first is used.

       database_out (type: URL, default: see --version output)
              The  url  to  which  the new database is written to. There can only be one of these
              lines. If there are multiple database_out lines then the first is used.

       database_new (type: URL, default: <none>)
              The url from which the other database for --compare is read.

       database_attrs (type: attribute expression, default: H)
              The attributes of the (uncompressed) database files which are to be  added  to  the
              reports  in  report  level  >=  database_attributes  . Only checksum attributes are
              supported. To disable set database_attrs to 'E'.

       database_add_metadata (type: bool, default: true)
              Whether to add the AIDE version and the time of database generation as comments  to
              the  database  file  or not. This option may be set to false by default in a future
              release.

       log_level (type: log level, default: warning)
              The log level to use. Log messages are written to stderr.  If  there  are  multiple
              log_level  lines  then  the  first  one is used. The --log-level or -L command line
              option overwrites this option.

              The following log levels are available:

                     error: show unrecoverable issues that have to be handled by the user. Errors
                     are fatal to the AIDE process.

                     warning:  additionally  show  recoverable  issues  that  most likely lead to
                     unexpected behaviour and should be handled by the user

                     notice:  additionally  show  recoverable  issues  that  sometimes  lead   to
                     unexpected behaviour and might be handled by the user.

                     info: additionally show informational messages

                     rule: additionally show messages to help to debug the path rule matching

                     config: additionally show messages to help to debug config and rule parsing

                     debug:  additionally  show messages that are useful to debug the application
                     (very verbose)

                     trace: detailed information about the flow of the application (e.g.  in-loop
                     logging) (even more verbose)

       verbose (type: number, range: 0 - 255, default: 5)
              Removed in AIDE v0.17, use log_level and report_level options instead

       gzip_dbout (type: bool, default: false)
              Whether the output to the database is gzipped or not. This option is available only
              if zlib support is compiled in.

       root_prefix (type: path, default: <empty>)
              The prefix to strip from each file name in the  file  system  before  applying  the
              rules  and  writing to database. AIDE removes a trailing slash from the prefix.  If
              there are multiple root_prefix lines then the first one is used. This option has no
              effect in compare mode.

       acl_no_symlink_follow (type: bool, default: false)
              Whether  to  check  ACLs  for symlinks or not. This option is available only if acl
              support is compiled in.

       warn_dead_symlinks (type: path, default: false)
              Whether to warn about dead symlinks or not.

       config_version (type: string, default: <empty>)
              The value of config_version is printed in  the  report  and  also  printed  to  the
              database. This is for informational purposes only. It has no other functionality.

       Group definitions
              If  the  parameter  is  not one of the previous parameters then it is regarded as a
              group definition. Value is then regarded as an attribute expression.

              See DEFAULT GROUPS for an explanation of default predefined groups.

              Group names are limited to alphanumeric characters (A-Za-z0-9).

REPORT OPTIONS

       report_url (type: URL, default: stdout)

              The URL that the output is written to.

              Multiple instances of the report_url option are supported.

              Examples:

                 report_url=file:/var/log/aide.log

                    Write report to /var/log/aide.log.

                 report_url=stdout

                    Write report to stdout.

                 report_url=syslog:<LOG_FACILITY>

                    Write report to syslog using LOG_FACILITY.

       The following report options are available (to take effect they  have  to  be  set  before
       report_url):

       report_level (type: report level, default: changed_attributes)

              The report level to use. The available report levels are as follows:

              minimal: print single line whether AIDE found differences to the database

              summary: additionally print number of added, removed and changed files

              database_attributes: additionally print database checksums

              list_entries: additionally print lists of added, removed and changed entries

              changed_attributes: additionally print details about changed entries

              added_removed_attributes:  additionally  print  details  about  added  and  removed
              attributes

              added_removed_entries: additionally print details about added and removed entries

       report_base16 (type: bool, default: false)
              Base16 encode the checksums in the report. The default is to  report  checksums  in
              base64 encoding.

       report_detailed_init (type: bool, default: false)
              Report  added  files (report level >= list_entries) and their details (report level
              >= added_removed_entries) in initialization mode.

       report_quiet (type: bool, default: false)
              Suppress report output if no differences to the database have been found.

       report_append (type: bool, default: false)
              Append to the report URL.

       report_grouped (type: bool, default: true)
       grouped (DEPRECATED, will be removed in a future release)
              Group the files in the report by added, removed and changed files.

       report_summarize_changes (type: bool, default: true)
       summarize_changes (DEPRECATED, will be removed in a future release)
              Summarize changes in the added, removed and changed files sections of the report.

              The general format is like the string YlZbpugamcinHAXSEC, where Y  is  replaced  by
              the  file-type  (f  for a regular file, d for a directory, l for a symbolic link, c
              for a character device, b for a block device, p for a FIFO, s for a unix socket,  D
              for  a  Solaris door, P for a Solaris event port, !  if file type has changed and ?
              otherwise).

              The Z is replaced as follows: A = means that the size has not changed, a <  reports
              a shrinked size and a > reports a grown size.

              The  other  letters in the string are the actual letters that will be output if the
              associated attribute for the item has been changed or a "." for no change, a "+" if
              the  attribute has been added, a "-" if it has been removed, a ":" if the attribute
              is ignored (but not forced) or a " " if the attribute has  not  been  checked.  The
              exceptions  to  this are: (1) a newly created file replaces each letter with a "+",
              and (2) a removed file replaces each letter with a "-".

              The attribute that is associated with each letter is as follows:

              o      A l means that the link name has changed.

              o      A b means that the block count has changed.

              o      A p means that the permissions have changed.

              o      An u means that the uid has changed.

              o      A g means that the gid has changed.

              o      An a means that the access time has changed.

              o      A m means that the modification time has changed.

              o      A c means that the change time has changed.

              o      An i means that the inode has changed.

              o      A n means that the link count has changed.

              o      A H means that one or more message digests have changed.

              The following letters are only available when explicitly enabled using configure:

              o      A A means that the access control list has changed.

              o      A X means that the extended attributes have changed.

              o      A S means that the SELinux attributes have changed.

              o      A E means that the file attributes on a second  extended  file  system  have
                     changed.

              o      A C means that the file capabilities have changed.

       report_ignore_added_attrs (type: attribute expression, default: empty)
              Attributes whose addition is to be ignored in the report.

       report_ignore_removed_attrs (type: attribute expression, default: empty)
              Attributes whose removal is to be ignored in the report.

       report_ignore_changed_attrs (type: attribute expression, default: empty)
       ignore_list (removed in AIDE v0.17)
              Attributes whose change is to be ignored in the report.

       report_force_attrs (type: attribute expression, default: empty)
       report_attributes (removed in AIDE v0.17)
              Attributes  which  are  always  printed  in  the  report  for  changed files. If an
              attribute is both ignored and forced the  attribute  is  not  considered  for  file
              change  but  printed  in  the  final  report as long as the file has been otherwise
              changed.

       report_ignore_e2fsattrs (type: string, default: 0)
              List (no delimiter) of ext2 file attributes which are to be ignored in the  report.
              See  chattr(1)  for  the  available  attributes.  Use  0  (zero)  to not ignore any
              attribute. Ignored attributes are represented by a ':' in the output.

              Example:

                 Ignore changes of the ext2 file attributes compression error (E), huge file (h),
                 indexed directory (I):

                    report_ignore_e2fsattrs=EhI

RULES

       AIDE supports three types of rules:

       Regular rule:

          <regex> <attribute expression>

          Files and directories matching the regular expression are added to the database.

       Negative rule:

          !<regex>

          Files  and directories matching the regular expression are ignored and not added to the
          database. The children of matching directories are also ignored.

       Equals rule:

          =<regex> <attribute expression>

          Files and directories matching the regular expression are added to  the  database.  The
          children  of  directories are only added if the regular expression ends with a "/". The
          children of sub-directories are not added at all.

       Every regular expression has to start with a "/". An implicit ^ is added in front of  each
       regular  expression.  In  other  words  the  regular  expressions are matched at the first
       position against the complete filename (i.e. including the path).  Special  characters  in
       your  filenames can be escaped using two-digit URL encoding (for example, %20 to represent
       a space).

       See EXAMPLES and doc/aide.conf for examples.

       More in-depth discussion of the selection algorithm can be found in the AIDE manual.

RESTRICTED RULES

       Restricted rules are like normal rules but can be restricted to file types. The  following
       file types are supported:

              f: restrict rule to regular files

              d: restrict rule to directories

              l: restrict rule to symbolic links

              c: restrict rule to character devices

              b: restrict rule to block devices

              p: restrict rule to FIFO files

              s: restrict rule to UNIX sockets

              D: restrict rule to Solaris doors

              P: restrict rule to Solaris event ports

       The file types are separated by comma. The syntax of restricted rules is as follows:

       Restricted regular rule:
          <regex> <file types> <attribute expression>

       Restricted negative rule:
          !<regex> <file types>

       Restricted equals rule:
          =<regex> <file types> <attribute expression>

       Examples
          Only add directories and files to the database:

             / d,f R

          Add all but directory entries to the database:

             !/run d
             /run R

          Use specific rule for directories:

             /run d R-m-c-i
             /run R

MACRO LINES

       @@define VAR val
              Define variable VAR to value val.

       @@undef VAR
              Undefine variable VAR.

       @@ifdef VAR, @@ifndef VAR
              @@ifdef  begins  an  if statement. It must be terminated with an @@endif statement.
              The lines between @@ifdef and @@endif are used if variable VAR is defined. If there
              is  an  @@else statement then the part between @@ifdef and @@else is used is VAR is
              defined otherwise the part between @@else and @@endif is  used.  @@ifndef  reverses
              the logic of @@ifdef statement but otherwise works similarly.

       @@ifhost hostname, @@ifnhost hostname
              @@ifhost  works  like  @@ifdef  only  difference is that it checks whether hostname
              equals the name of the host that AIDE is running on.  hostname is the name  of  the
              host without the domainname (hostname, not hostname.example.com).

       @@{VAR}
              @@{VAR}  is  replaced  with  the value of the variable VAR.  If variable VAR is not
              defined an empty string is used.

              Variables are supported in strings and in regular expressions of selection lines.

              Pre-defined marco variables:

                 @@{HOSTNAME}: hostname of the current system

       @@else Begins the else part of an if statement.

       @@endif
              Ends an if statement.

       @@include FILE
              Include FILE.

              The content of the file is used as if it were inserted in this part of  the  config
              file.

              The maximum depth of nested includes is 16.

       @@include DIRECTORY REGEX
              Include  all  (regular)  files found in DIRECTORY matching regular expression REGEX
              (sub-directories are ignored). The file are included in lexical sort order.

              The content of the files is used as if it were inserted in this part of the  config
              file.

       @@x_include FILE
       @@x_include DIRECTORY REGEX
              @x_include is identical to @@include, except that if a config file is executable is
              is run and the output is used as config.

              If the executable file exits with status greater than zero or writes to stderr aide
              stops with an error.

              For security reasons DIRECTORY and each executable config file must be owned by the
              current user and must not be group- or world-writable.

       @@x_include_setenv VAR VALUE

              Adds the variable VAR with the value VALUE to the environment used for config  file
              execution.

              Environment  variable  names are limited to alphanumeric characters (A-Za-z0-9) and
              the underscore '_' and must not begin with a digit.

TYPES

       bool
          Valid values are yes, true, no or false.

       attribute expression

          An attribute expression is of the following form:

                   <group>
                 | <expr> + <group>
                 | <expr> - <group>

       URLS
          Urls can be one of the following. Input urls cannot be used as outputs and vice versa.

                 stdout

                 stderr Output is sent to stdout, stderr respectively.

                 stdin  Input is read from stdin.

                 file:/path
                        Input is read from path or output is written to path.

                 fd:number
                        Input is read from filedescriptor number or output is written to number.

                 syslog:LOG_FACILITY
                        Output is written to syslog using LOG_FACILITY.

DEFAULT GROUPS

       File attribute groups

          ftype: file type

          p: permissions

          i: inode

          l: link name

          n: number of links

          u: user

          g: group

          s: size

          b: block count

          m: mtime

          a: atime

          c: ctime

          acl: access control list (requires libacl)

          selinux: selinux attributes (requires libselinux)

          xattrs: extended attributes (requires libattr)

          e2fsattrs: file attributes on a second extended file system (requires libext2fs)

          caps: file capabilities (requires libcap2)

       Use 'aide --version' to show which compiled in groups are available.

       Special groups

          S:   check for growing size

          I:   ignore changed filename
                 Note: when c is also set in the same rule a ctime change  is  ignored  when  the
                 name of a file is changed

          ANF: allow new files
                 When  'ANF' is used, new files are added to the new database, but are ignored in
                 the report.

          ARF: allow removed files
                 When 'ARF' is used, files missing on disk are omitted from the new database, but
                 are ignored in the report.

       Hashsums groups

          md5: MD5 checksum

          sha1: SHA-1 checksum

          sha256: SHA-256 checksum

          sha512: SHA-512 checksum

          rmd160: RIPEMD-160 checksum

          tiger: tiger checksum

          haval: haval256 checksum (libmhash only)

          crc32:    crc32 checksum

          crc32b:   crc32 checksum (libmhash only)

          gost: GOST R 34.11-94 checksum

          whirlpool: whirlpool checksum

          stribog256: GOST R 34.11-2012, 256 bit checksum (libgcrypt only)

          stribog512: GOST R 34.11-2012, 512 bit checksum (libgcrypt only)

       Use 'aide --version' to show which compiled hashsums are available.

       Compound groups

          R:   p+ftype+i+l+n+u+g+s+m+c+md5+X

          L:   p+ftype+i+l+n+u+g+X

          >:   Growing file p+ftype+l+u+g+i+n+S+X

          H:   all compiled in hashsums

          X:   acl+selinux+xattrs+e2fsattrs+caps (if groups are compiled in)

          E:   Empty group

       Please run 'aide --version' to list the default compound groups.

EXAMPLES

              / R

       This  adds  all  files on your machine to the database. This one line is a fully qualified
       configuration file.

              !/dev$

       This ignores the /dev directory structure.

              =/foo R

       Only /foo and /foobar are taken into the database. None of their children are added.

              =/foo/ R

       Only /foo and its  children  (e.g.  /foo/file  and  /foo/directory)  are  taken  into  the
       database. The children of sub-directories (e.g. /foo/directory/bar) are not added.

              All=ftype+p+l+u+g+s+m+c+a+i+b+n+H+X

       This  line  defines group All. It has all attributes, all compiled in hashsums (H) and all
       compiled in extra file attributes  (X).   See  '--version'  output  for  the  compiled  in
       hashsums and extra groups.

HINTS

       In the following, the first is not allowed in AIDE. Use the latter instead.

              /foo epug

              /foo e+p+u+g

SEE ALSO

       aide(1)

DISCLAIMER

       All  trademarks are the property of their respective owners.  No animals were harmed while
       making this webpage or this piece of software.