AIDE.CONF(5)			     AIDE			  AIDE.CONF(5)

NAME
       aide.conf - The configuration file for Advanced Intrusion Detection
       Environment

SYNOPSIS
       aide.conf is the	configuration file for	Advanced  Intrusion  Detection
       Environment.  aide.conf contains	the runtime configuration aide uses to
       initialize or check the AIDE database.

FILE FORMAT
       aide.conf is similar to Tripwire(tm)'s configuration file. With little
       effort tw.conf can be converted to aide.conf.

       aide.conf is case-sensitive. Leading and trailing white spaces are
       ignored.

       There are three types of lines in aide.conf. First there are the
       configuration lines which are used to set configuration parameters and
       define/undefine variables. Second, there are (restricted) selection
       lines that are used to indicate which files are added to the database.
       Third, macro lines define or undefine variables within the config file.
       Lines beginning with # are ignored as comments.

CONFIG LINES
       These  lines  have  the	format parameter=value.	See URLS for a list of
       valid urls.

       database
	      The url from which database is read. There can only  be  one  of
	      these lines. If there are	multiple database lines	then the first
	      is used.	The default value is "/usr/local/etc/aide.db".

       database_out
              The url to which the new database is written. There can only be
              one of these lines. If there are multiple database_out lines
              then the first is used. The default value is
              "/usr/local/etc/aide.db.new".

       database_new
	      The  url	from  which  the other database	for --compare is read.
	      There is no default for this one.

       database_attrs
	      The attributes of	the (uncompressed) database files which	are to
	      be  added	to the final report in verbose level 2 or higher. Only
	      checksum attributes are supported. To disable set	database_attrs
	      to  'E'.	 By default all	compiled in checksums are added	to the
	      report.

       database_add_metadata
              Whether to add the AIDE version and the time of database
              generation as comments to the database file or not. Valid values
              are yes, true, no and false. The default is to add the AIDE
              version and the time of database generation. This option may be
              set to no by default in a future release.

       verbose
	      The level	of messages that is output. This value	can  be	 0-255
	      inclusive. This parameter	can only be given once.	Value from the
	      first occurrence is used.	If --verbose or	-V is  used  then  the
	      value  from  that	 is used. The default is 5. If verbosity is 20
	      then additional report output is	written	 when  doing  --check,
	      --update or --compare.

       report_url
              The url that the output is written to. There can be multiple
              instances of this parameter. Output is written to all of them.
              The default is stdout.

       report_base16
              Whether to base16 encode the checksums in the report or not.
              Valid values are yes, true, no and false. The default is to
              report checksums not in base16 but in base64 encoding.

       report_detailed_init
              Whether to report added files (verbose level >= 2) and their
              details (verbose level >= 7) in initialization mode or not.
              Valid values are yes, true, no and false. The default is to not
              report added files or their details in init mode.

       report_quiet
              Whether to suppress report output if no differences to the
              database have been found or not. Valid values are yes, true, no
              and false. The default is to not suppress output in the report.

       gzip_dbout
              Whether the output to the database is gzipped or not. Valid
              values are yes, true, no and false. The default is no. This
              option is available only if zlib support is compiled in.

       root_prefix
              The prefix to strip from each file name in the file system
              before applying the rules and writing to the database. AIDE
              removes a trailing slash from the prefix. The default is an
              empty prefix (nothing is stripped). This option has no effect in
              compare mode.

       acl_no_symlink_follow
              Whether to check ACLs for symlinks or not. Valid values are yes,
              true, no and false. The default is to follow symlinks. This
              option is available only if acl support is compiled in.

       warn_dead_symlinks
              Whether to warn about dead symlinks or not. Valid values are
              yes, true, no and false. The default is not to warn about dead
              symlinks.

       grouped
	      Whether  to  group the files in the report by added, removed and
	      changed files or not. Valid values are yes, true,	no and	false.
	      The default is to	group the files	in the report.

       summarize_changes
              Whether to summarize changes in the added, removed and changed
              files sections of the report or not. Valid values are yes, true,
              no and false. The default is to summarize the changes.

              The general format is like the string YlZbpugamcinCAXSE, where Y
              is replaced by the file-type (f for a regular file, d for a
              directory, l for a symbolic link, c for a character device, b
              for a block device, p for a FIFO, s for a unix socket, D for a
              Solaris door, P for a Solaris event port, ! if the file type has
              changed and ? otherwise).

              The Z is replaced as follows: a = means that the size has not
              changed, a < reports a shrunk size and a > reports a grown
              size.

	      The other	letters	in the string are the actual letters that will
	      be  output  if  the  associated  attribute for the item has been
	      changed or a "." for no change, a	"+" if the attribute has  been
	      added,  a	 "-" if	it has been removed, a ":" if the attribute is
	      ignored (but not forced) or a " "	if the attribute has not  been
	      checked.	The  exceptions	 to this are: (1) a newly created file
	      replaces each letter with	a "+", and (2) a removed file replaces
	      each letter with a "-".

	      The attribute that is associated with each letter	is as follows:

	      o	     A l means that the	link name has changed.

	      o	     A b means that the	block count has	changed.

	      o	     A p means that the	permissions have changed.

              o      A u means that the uid has changed.

	      o	     A g means that the	gid has	changed.

	      o	     An	a means	that the access	time has changed.

	      o	     A m means that the	modification time has changed.

	      o	     A c means that the	change time has	changed.

	      o	     An	i means	that the inode has changed.

	      o	     A n means that the	link count has changed.

	      o	     A C means that one	or more	checksums have changed.

	      The following letters are	only available when explicitly enabled
	      using configure:

	      o	     A A means that the	access control list has	changed.

	      o	     A X means that the	extended attributes have changed.

	      o	     A S means that the	SELinux	attributes have	changed.

	      o	     A E means that the	file attributes	on a  second  extended
		     file system have changed.
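              As an added example that is not part of this man page or of
              AIDE, the following Python decodes a summarize_changes string
              according to the YlZbpugamcinCAXSE layout described above, so a
              report line can be turned into a list of which attributes were
              changed, added, removed, ignored or not checked. The sample
              strings are constructed for illustration, not copied from a real
              report.

```python
# Layout of a summarize_changes string as documented: YlZbpugamcinCAXSE
TEMPLATE = "YlZbpugamcinCAXSE"
FILE_TYPES = {"f": "regular file", "d": "directory", "l": "symbolic link",
              "c": "character device", "b": "block device", "p": "FIFO",
              "s": "unix socket", "D": "Solaris door", "P": "Solaris event port",
              "!": "file type changed", "?": "unknown"}
SIZE = {"=": "unchanged", "<": "shrunk", ">": "grown"}
ATTRS = {"l": "link name", "b": "block count", "p": "permissions", "u": "uid",
         "g": "gid", "a": "access time", "m": "modification time",
         "c": "change time", "i": "inode", "n": "link count", "C": "checksum",
         "A": "ACL", "X": "extended attributes", "S": "SELinux attributes",
         "E": "e2fs attributes"}
MARKS = {".": "unchanged", "+": "added", "-": "removed", ":": "ignored", " ": "unchecked"}
ATTR_POSITIONS = [p for p in range(len(TEMPLATE)) if p not in (0, 2)]  # skip Y and Z

def decode(summary):
    """Explain one summarize_changes string from an AIDE report."""
    s = summary.ljust(len(TEMPLATE))  # unchecked attributes are printed as spaces
    result = {"file_type": FILE_TYPES.get(s[0], "unknown"), "size": SIZE.get(s[2]),
              "changed": [], "added": [], "removed": [], "ignored": [],
              "unchecked": [], "unchanged": []}
    for pos in ATTR_POSITIONS:
        letter, ch = TEMPLATE[pos], s[pos]
        if ch == letter:              # the attribute's own letter means it changed
            result["changed"].append(ATTRS[letter])
        elif ch in MARKS:
            result[MARKS[ch]].append(ATTRS[letter])
        else:
            raise ValueError(f"unexpected character {ch!r} at position {pos}")
    marks = [s[p] for p in ATTR_POSITIONS]
    if all(c == "+" for c in marks):    # newly created file: every letter is "+"
        result["status"] = "added file"
    elif all(c == "-" for c in marks):  # removed file: every letter is "-"
        result["status"] = "removed file"
    else:
        result["status"] = "changed file"
    return result

# Constructed samples: a grown regular file whose block count, mtime, ctime and
# checksum changed (ACL/xattrs ignored, SELinux/e2fs not checked), and a new file.
SAMPLE_CHANGED = "f.>b....mc..C::  "
SAMPLE_NEW = "f++++++++++++++++"
```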

       report_ignore_added_attrs
	      Special group definition that lists attributes whose addition is
	      to be ignored in the final report.

       report_ignore_removed_attrs
	      Special group definition that lists attributes whose removal  is
	      to be ignored in the final report.

       report_ignore_changed_attrs
       ignore_list (DEPRECATED,	will be	removed	in a future release)
	      Special  group  definition that lists attributes whose change is
	      to be ignored in the final report.

       report_force_attrs
       report_attributes (DEPRECATED, will be removed in a future release)
	      Special group definition that lists attributes which are	always
	      printed  in  the final report for	changed	files. If an attribute
	      is both ignored and forced the attribute is not  considered  for
	      file change but printed in the final report if the file has been
	      otherwise	changed.

       report_ignore_e2fsattrs
              List (no delimiter) of ext2 file attributes which are to be
              ignored in the final report. See chattr(1) for the available
              attributes. Use '0' to not ignore any attribute. Ignored
              attributes are represented by a ':' in the output. The default
              is to not ignore any ext2 file attribute.

	      Example
		 Ignore	changes	of the ext2 file attributes compression	 error
		 (E), huge file	(h), indexed directory (I):

		    report_ignore_e2fsattrs=EhI

       config_version
	      The  value  of  config_version is	printed	in the report and also
	      printed to the database.	This  is  for  informational  purposes
	      only. It has no other functionality.

       Group definitions
	      If  the  parameter is not	one of the previous parameters then it
	      is regarded as a group definition. Value is then regarded	as  an
	      expression. Expression is	of the following form.

		  <predefined group>| <expr> + <predefined group>
				    | <expr> - <predefined group>

	      See  DEFAULT  GROUPS  for	 an  explanation of default predefined
	      groups.  Note that this is different from	the  way  Tripwire(tm)
	      does it.

SELECTION LINES
       AIDE supports three types of selection lines:

       Regular selection line:

	  <regex> <group>

	  Files	 and  directories matching the regular expression are added to
	  the database.

       Negative	selection line:

	  !<regex>

	  Files	and directories	matching the regular  expression  are  ignored
	  and not added	to the database.

       Equals selection	line:

	  =<regex> <group>

          Files and directories matching the regular expression are added to
          the database. The children of directories are only added if the
          regular expression ends with a "/". The children of sub-directories
          are not added at all.

       Every regular expression has to start with a "/". An implicit ^ is
       added in front of each regular expression. In other words the regular
       expressions are matched at the first position against the complete
       filename (i.e. including the path). Special characters in your
       filenames can be escaped using two-digit URL encoding (for example,
       %20 to represent a space).

       See EXAMPLES and	doc/aide.conf for examples.

       More in-depth discussion	of the selection algorithm can be found	in the
       AIDE manual.

RESTRICTED SELECTION LINES
       Restricted selection lines are like normal selection lines but  can  be
       restricted to file types. The following file types are supported:

	      f: restrict rule to regular files

	      d: restrict rule to directories

	      l: restrict rule to symbolic links

	      c: restrict rule to character devices

	      b: restrict rule to block	devices

	      p: restrict rule to FIFO files

	      s: restrict rule to UNIX sockets

	      D: restrict rule to Solaris doors

	      P: restrict rule to Solaris event	ports

       The file types are separated by comma. The syntax of restricted
       selection lines is as follows:

       Restricted regular selection line:
	  <regex> <file	types> <group>

       Restricted negative selection line:
	  !<regex> <file types>

       Restricted equals selection line:
	  =<regex> <file types>	<group>

       Examples
	  Only add directories and files to the	database:

	     / d,f R

	  Add all but directory	entries	to the database:

	     !/run d
	     /run R

	  Use specific rule for	directories:

	     /run d R-m-c-i
	     /run R
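       As an added example that is neither AIDE's own code nor part of this
       man page, the following Python models the group definitions and the
       (restricted) selection lines described above against a constructed
       aide.conf fragment: <expr> +/- <group> evaluation with the predefined
       groups from DEFAULT GROUPS, regular, negative and equals lines, file
       type restrictions, the implicit ^, and the "no grandchildren" rule of
       equals lines. It is a simplification of AIDE's real selection
       algorithm: negative lines are checked first, positive lines are tried
       in file order with the first type-compatible match winning, and X is
       treated as empty.

```python
import re
# Constructed aide.conf fragment for this example (not the project's doc/aide.conf).
CONF = r"""
DirRule=R-m-c-i
/etc d DirRule
/etc R
!/etc/.*\.bak$
=/var/log/ R
"""
FILE_TYPES = set("fdlcbpsDP")
# R and E as in DEFAULT GROUPS; X stays empty unless its members were enabled at configure time
GROUPS = {"R": set("p ftype i l n u g s m c md5".split()), "E": set(), "X": set()}
def resolve(expr, groups):
    """Evaluate <group> +/- <group> ... left to right into an attribute set."""
    attrs = set()
    for sign, name in re.findall(r"([+-]?)([^+-]+)", expr):
        members = groups.get(name, {name})  # an undefined name is a bare attribute
        attrs = attrs - members if sign == "-" else attrs | members
    return attrs
def parse_conf(text):
    """Return (group table, rules); a rule is (kind, regex, file types, group)."""
    groups, rules = dict(GROUPS), []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if "=" in line and not line.startswith("="):  # config line: name=expr
            name, expr = line.split("=", 1)
            groups[name.strip()] = resolve(expr.strip(), groups)
            continue
        kind = line[0] if line[0] in "!=" else "+"
        toks, types = line.lstrip("!=").split(), None
        # the second token is a file-type restriction only if made of type letters
        if len(toks) > 1 and set(toks[1].replace(",", "")) <= FILE_TYPES \
                and (kind == "!" or len(toks) > 2):
            types = set(toks.pop(1).split(","))
        rules.append((kind, re.compile(toks[0]), types, toks[1] if len(toks) > 1 else None))
    # simplification: negative lines are checked first, then positive lines in file order
    return groups, sorted(rules, key=lambda r: r[0] != "!")
def attrs_for(path, ftype, groups, rules):
    """Attribute set AIDE would record for path (ftype is its type letter), or None."""
    for kind, rx, types, group in rules:
        if types and ftype not in types:
            continue
        cand, m = path, rx.match(path)  # implicit ^: the regex must match at the start
        if not m and ftype == "d":  # a directory also matches a regex ending in "/"
            cand, m = path + "/", rx.match(path + "/")
        if not m or (kind == "=" and "/" in cand[m.end():]):  # equals: no grandchildren
            continue
        return None if kind == "!" else resolve(group, groups)
    return None
```

       Calling attrs_for("/etc", "d", *parse_conf(CONF)) yields R without m,
       c and i, while /etc/passwd gets the full R group and /etc/hosts.bak is
       ignored even though "/etc R" also matches it.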

MACRO LINES
       @@define	VAR val
	      Define variable VAR to value val.

       @@undef VAR
	      Undefine variable	VAR.

       @@ifdef VAR, @@ifndef VAR
              @@ifdef begins an if statement. It must be terminated with an
              @@endif statement. The lines between @@ifdef and @@endif are
              used if variable VAR is defined. If there is an @@else statement
              then the part between @@ifdef and @@else is used if VAR is
              defined, otherwise the part between @@else and @@endif is used.
              @@ifndef reverses the logic of the @@ifdef statement but
              otherwise works similarly.

       @@ifhost	hostname, @@ifnhost hostname
              @@ifhost works like @@ifdef; the only difference is that it
              checks whether hostname equals the name of the host that AIDE
              is running on. hostname is the name of the host without the
              domain name (hostname, not hostname.example.com).

       @@{VAR}
              @@{VAR} is replaced with the value of the variable VAR. If
              variable VAR is not defined an empty string is used. Unlike
              Tripwire(tm) @@VAR is NOT supported. One special VAR is
              @@{HOSTNAME} which is substituted for the hostname of the
              current system.

       @@else
              Begins the else part of an if statement.

       @@endif
	      Ends an if statement.

       @@include VAR
	      Includes	the file VAR. The content of the file is used as if it
	      were inserted in this part of the	config file.

URLS
       Urls can	be one of the following. Input urls cannot be used as  outputs
       and vice	versa.

       stdout, stderr
              Output is sent to stdout or stderr respectively.

       stdin  Input is read from stdin.

       file://filename
	      Input is read from filename or output is written to filename.

       fd:number
	      Input is read from filedescriptor	number or output is written to
	      number.

DEFAULT	GROUPS
       p:   permissions

       ftype: file type

       i:   inode

       l:   link name

       n:   number of links

       u:   user

       g:   group

       s:   size

       b:   block count

       m:   mtime

       a:   atime

       c:   ctime

       S:   check for growing size

       I:   ignore changed filename

       ANF: allow new files

       ARF: allow removed files

       md5: md5	checksum

       sha1: sha1 checksum

       sha256: sha256 checksum

       sha512: sha512 checksum

       rmd160: rmd160 checksum

       tiger: tiger checksum

       haval: haval checksum

       crc32:	 crc32 checksum

       R:   p+ftype+i+l+n+u+g+s+m+c+md5+X

       L:   p+ftype+i+l+n+u+g+X

       E:   Empty group

       X:   acl+selinux+xattrs+e2fsattrs (if groups are	explicitly enabled)

       >:   Growing file p+ftype+l+u+g+i+n+S+X

       And also	the following if you have mhash	support	enabled

       gost: gost checksum

       whirlpool: whirlpool checksum

       The following are available only when explicitly enabled using
       configure

       acl: access control list

       selinux:	selinux	attributes

       xattrs: extended	attributes

       e2fsattrs: file attributes on a second extended file system

       Please note that 'I' and 'c' are incompatible. When the name of a file
       is changed, its ctime is updated as well. When you put 'c' and 'I' in
       the same rule, a changed ctime is silently ignored.

       When  'ANF'  is	used, new files	are added to the new database, but are
       ignored in the report.

       When 'ARF' is used, files missing on disk  are  omitted	from  the  new
       database, but are ignored in the	report.

EXAMPLES
	      /	R

       This adds all files on your machine to the database. This one line is a
       fully qualified configuration file.

	      !/dev

       This ignores the	/dev directory structure.

	      =/foo R

       Only /foo and /foobar are taken into the database. None of their
       children are added.

	      =/foo/ R

       Only /foo and its children (e.g. /foo/file and /foo/directory) are
       taken into the database. The children of sub-directories (e.g.
       /foo/directory/bar) are not added.

	      All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160

       This line defines group All. It has all attributes and all message
       digest (checksum) functions. If you absolutely want all digest
       functions then you should enable mhash support and add
       +crc32+haval+gost to the end of the definition for All. Mhash support
       can only be enabled at compile-time.

HINTS
       In the following, the first is not allowed in AIDE. Use the latter
       instead.

	      /foo epug

	      /foo e+p+u+g

SEE ALSO
       aide(1) manual.html

DISCLAIMER
       All trademarks are the property of their	respective owners.  No animals
       were harmed while making	this webpage or	this piece of software.

aide 0.16			 Jul 25, 2016			  AIDE.CONF(5)
