File: aide.conf.5.in

package info (click to toggle)
aide 0.16.1-1
  • links: PTS, VCS
  • area: main
  • in suites: buster, sid
  • size: 3,012 kB
  • sloc: ansic: 10,362; sh: 6,395; lex: 675; yacc: 324; makefile: 93
file content (497 lines) | stat: -rw-r--r-- 15,655 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
.TH AIDE.CONF 5 "Feb 25, 2019" "aide v0.16.1" "AIDE"
.SH NAME
aide.conf - The configuration file for Advanced Intrusion Detection
Environment
.PP
.SH SYNOPSIS
\fBaide.conf\fP is the configuration file for Advanced Intrusion
Detection Environment. \fBaide.conf\fP contains the runtime
configuration aide uses to initialize or check the AIDE database.
.PP
.SH "FILE FORMAT"
\fBaide.conf\fP is similar in to Tripwire(tm)'s configuration
file. With little effort tw.conf can be converted to aide.conf.
.PP
aide.conf is case-sensitive. Leading and trailing white spaces are
ignored.
.PP
There are three types of lines in \fBaide.conf\fP. First there are the
configuration lines which are used to set configuration parameters and
define/undefine variables. Second, there are (restricted) selection lines that
are used to indicate which files are added to the database. Third, macro lines
define or undefine variables within the config file. Lines beginning with #
are ignored as comments.
.PP
.SH "CONFIG LINES"
.PP
These lines have the format parameter=value. See URLS for a list of
valid urls.
.PP
.IP "database"
The url from which database is read. There can only be one of these
lines. If there are multiple database lines then the first is used.
There is no valid default value in the Debian packages!
.IP "database_out"
The url to which the new database is written to. There can only be one
of these lines. If there are multiple database_out lines then the
first is used. There is no valid default value in the Debian packages!
.IP "database_new"
The url from which the other database for \-\-compare is read.
There is no default for this one.
.IP "database_attrs"
The attributes of the (uncompressed) database files which are to be added to
the final report in verbose level 2 or higher. Only checksum attributes are
supported. To disable set
.I database_attrs
to
.RB ' E '.
By default all compiled in checksums are added to the report.
.IP "database_add_metadata"
Whether to add the AIDE version and the time of database generation as comments
to the database file or not. Valid values are yes, true, no and false. The
default is to add the AIDE version and the time of database generation. This
option may be set to no by default in a future release.
.IP "verbose"
The level of messages that is output. This value can be 0-255
inclusive. This parameter can only be given once. Value from the first
occurrence is used. If \-\-verbose or \-V is used then the value from that
is used. The default is 5. If verbosity is 20 then additional report
output is written when doing \-\-check, \-\-update or \-\-compare.
.IP "report_url"
The url that the output is written to. There can be multiple instances
of this parameter. Output is written to all of them. The default is
stdout.
.IP "report_base16"
Whether to base16 encode the checksums in the report or not. Valid values are
yes, true, no and false. The default is to report checksums not in base16 but
in base64 encoding.
.IP "report_detailed_init"
Whether to report added files (verbose level >= 2) and their details (verbose
level >=7) in initialization mode or not. Valid values are yes, true, no and
false. The default is to not report added files or their details in init mode.
.IP "report_quiet"
Whether to suppress report output if no differences to the database have been
found or not. Valid values are yes, true, no and false. The default is to not
suppress output in the report.
.IP "gzip_dbout"
Whether the output to the database is gzipped or not. Valid values are
yes,true,no and false. The default is no. This option is available only
if zlib support is compiled in.
.IP "root_prefix"
The prefix to strip from each file name in the file system before applying the
rules and writing to database. AIDE removes a trailing slash from the prefix.
The default is no (an empty) prefix. This option has no effect in
compare mode.
.IP "acl_no_symlink_follow"
Whether to check ACLs for symlinks or not. Valid values are
yes,true,no and false. The default is to follow symlinks. This option
is available only if acl support is compiled in.
.IP "warn_dead_symlinks"
Whether to warn about dead symlinks or not. Valid values are
yes,true,no and false. The default is not to warn about dead symlinks.
.IP "grouped"
Whether to group the files in the report by added, removed and changed
files or not. Valid values are yes, true, no and false.
The default is to group the files in the report.
.IP "summarize_changes"
Whether to summarize changes in the added, removed and changed files
sections of the report or not. Valid values are yes,true,no and false.
The default is to summarize the changes.

The general format is like the string YlZbpugamcinCAXSE, where Y is
replaced by the file-type (\fBf\fP for a regular file, \fBd\fP for a
directory, \fBl\fP for a symbolic link, \fBc\fP for a character device,
\fBb\fP for a block device, \fBp\fP for a FIFO, \fBs\fP for a unix
socket, \fBD\fP for a Solaris door, \fBP\fP for a Solaris event port, \fB!\fP
if file type has changed and \fB?\fP otherwise).

The Z is replaced as follows: A \fB=\fP means that the size has not changed,
a \fB<\fP reports a shrinked size and a \fB>\fP reports a grown size.

The other letters in the string are the actual letters that will be output
if the associated attribute for the item has been changed or a "." for no
change, a "+" if the attribute has been added, a "-" if it has been removed,
a ":" if the attribute is ignored (but not forced) or a " " if the attribute has
not been checked. The exceptions to this are: (1) a newly created file replaces
each letter with a "+", and (2) a removed file replaces each letter with a "-".

The attribute that is associated with each letter is as follows:

.RS
.IP o
A \fBl\fP means that the link name has changed.
.IP o
A \fBb\fP means that the block count has changed.
.IP o
A \fBp\fP means that the permissions have changed.
.IP o
An \fBu\fP means that the uid has changed.
.IP o
A \fBg\fP means that the gid has changed.
.IP o
An \fBa\fP means that the access time has changed.
.IP o
A \fBm\fP means that the modification time has changed.
.IP o
A \fBc\fP means that the change time has changed.
.IP o
An \fBi\fP means that the inode has changed.
.IP o
A \fBn\fP means that the link count has changed.
.IP o
A \fBC\fP means that one or more checksums have changed.
.RE

.RS
The following letters are only available when explicitly enabled using configure:
.RE

.RS
.IP o
A \fBA\fP means that the access control list has changed.
.IP o
A \fBX\fP means that the extended attributes have changed.
.IP o
A \fBS\fP means that the SELinux attributes have changed.
.IP o
A \fBE\fP means that the file attributes on a second extended file system have changed.
.RE
.IP "report_ignore_added_attrs"
Special group definition that lists attributes whose addition is to be ignored
in the final report.
.IP "report_ignore_removed_attrs"
Special group definition that lists attributes whose removal is to be ignored
in the final report.
.TP
report_ignore_changed_attrs
.TQ
ignore_list (DEPRECATED, will be removed in a future release)
Special group definition that lists attributes whose change is to be ignored
in the final report.
.TP
report_force_attrs
.TQ
report_attributes (DEPRECATED, will be removed in a future release)
Special group definition that lists attributes which are always printed in the
final report for changed files. If an attribute is both ignored and forced the
attribute is not considered for file change but printed in the final report if
the file has been otherwise changed.
.IP "report_ignore_e2fsattrs"
List (no delimiter) of ext2 file attributes which are to be ignored in the final report.
See
.BR chattr (1)
for the available attributes. Use '0' to not ignore any
attribute. Ignored attributes are represented by a ':' in the output. The
default is to not ignore any ext2 file attribute.

.RS
.B Example
.RS 3
Ignore changes of the ext2 file attributes compression error (E), huge file
(h), indexed directory (I):

.RS 3
.nf
report_ignore_e2fsattrs=EhI
.fi
.RE
.RE
.RE
.IP "config_version"
The value of config_version is printed in the report and also printed
to the database. This is for informational purposes only. It has no
other functionality.
.IP "Group definitions"
If the parameter is not one of the previous parameters then it is
regarded as a group definition. Value is then regarded as an
expression. Expression is of the following form.
.IP
.nf
    <predefined group>| <expr> + <predefined group>
                      | <expr> - <predefined group>
.fi
.IP
See DEFAULT GROUPS for an explanation of default predefined groups.
Note that this is different from the way Tripwire(tm) does it.
.PP
.SH "SELECTION LINES"
.PP
AIDE supports three types of selection lines:

Regular selection line:
.RS 3

.nf
.B <regex> <group>
.fi

Files and directories matching the regular expression are added to the
database.

.RE

Negative selection line:
.RS 3

.nf
.B !<regex>
.fi

Files and directories matching the regular expression are ignored and not added
to the database.

.RE

Equals selection line:
.RS 3

.nf
.B =<regex> <group>
.fi

Files and directories matching the regular expression are added to the
database. The children of directories are only added if the regular expression
ends with a "/". The children of sub-directories are not added at all.

.RE

Every regular expression has to start with a "/". An implicit ^ is added in
front of each regular expression. In other words the regular expressions are
matched at the first position against the complete filename (i.e. including the
path). Special characters in your filenames can be escaped using two-digit URL
encoding (for example, %20 to represent a space).

See EXAMPLES and doc/aide.conf for examples.
.PP
More in-depth discussion of the selection algorithm can be found in
the AIDE manual.
.IP
.PP
.SH "RESTRICTED SELECTION LINES"
.PP
Restricted selection lines are like normal selection lines but can be
restricted to file types. The following file types are supported:

.RS

\fBf\fP: restrict rule to regular files

\fBd\fP: restrict rule to directories

\fBl\fP: restrict rule to symbolic links

\fBc\fP: restrict rule to character devices

\fBb\fP: restrict rule to block devices

\fBp\fP: restrict rule to FIFO files

\fBs\fP: restrict rule to UNIX sockets

\fBD\fP: restrict rule to Solaris doors

\fBP\fP: restrict rule to Solaris event ports
.RE

The file types are separated by comma. The syntax of restricted
selection lines is as follows:

Restricted regular selection line:
.RS 3
.nf
.B <regex> <file types> <group>
.fi
.RE

Restricted negative selection line:
.RS 3
.nf
.B !<regex> <file types>
.fi
.RE

Restricted equals selection line:
.RS 3
.nf
.B =<regex> <file types> <group>
.fi
.RE

.B Examples
.RS 3
Only add directories and files to the database:

.RS 3
.nf
.B / d,f R
.fi
.RE
.RE

.RS 3
Add all but directory entries to the database:

.RS 3
.nf
.B !/run d
.B /run R
.fi
.RE
.RE

.RS 3
Use specific rule for directories:

.RS 3
.nf
.B /run d R-m-c-i
.B /run R
.fi
.RE
.RE

.PP
.SH "MACRO LINES"
.PP
.IP "@@define \fBVAR\fR \fBval\fR"
Define variable \fBVAR\fR to value \fBval\fR.
.IP "@@undef \fBVAR\fR"
Undefine variable \fBVAR\fR.
.IP "@@ifdef \fBVAR\fR, @@ifndef \fBVAR\fR"
@@ifdef begins an if statement. It must be terminated with an @@endif
statement. The lines between @@ifdef and @@endif are used if variable
\fBVAR\fR is defined. If there is an @@else statement then the part
between @@ifdef and @@else is used is \fBVAR\fR is defined otherwise
the part between @@else and @@endif is used. @@ifndef reverses the
logic of @@ifdef statement but otherwise works similarly.
.IP "@@ifhost \fBhostname\fR, @@ifnhost \fBhostname\fR"
@@ifhost works like @@ifdef only difference is that it checks whether
\fBhostname\fR equals the name of the host that AIDE is running on.
\fBhostname\fR is the name of the host without the domainname
(hostname, not hostname.example.com).
.IP "@@{\fBVAR\fR}"
@@{\fBVAR\fR} is replaced with the value of the variable \fBVAR\fR.
If variable \fBVAR\fR is not defined an empty string is used. Unlike
Tripwire(tm) @@VAR is NOT supported. One special \fBVAR\fR is @@{HOSTNAME}
which is substituted for the hostname of the current system.
.IP "@@else"
Begins the else part of an if statement.
.IP "@@endif"
Ends an if statement.
.IP "@@include \fBVAR\fR"
Includes the file \fBVAR\fR. The content of the file is used as if it
were inserted in this part of the config file.
.PP
.SH URLS
Urls can be one of the following. Input urls cannot be used as outputs
and vice versa.
.IP "stdout"
.IP "stderr"
Output is sent to stdout,stderr respectively.
.IP "stdin"
Input is read from stdin.
.IP "file://\fBfilename\fR"
Input is read from \fBfilename\fR or output is written to
\fBfilename\fR.
.IP "fd:\fBnumber\fR"
Input is read from filedescriptor \fBnumber\fR or output is written to
\fBnumber\fR.
.PP
.SH "DEFAULT GROUPS"
.PP
.IP "p:	permissions"
.IP "ftype: file type"
.IP "i:	inode"
.IP "l:	link name"
.IP "n:	number of links"
.IP "u:	user"
.IP "g:	group"
.IP "s:	size"
.IP "b:	block count"
.IP "m:	mtime"
.IP "a:	atime"
.IP "c:	ctime"
.IP "S:	check for growing size"
.IP "I:	ignore changed filename"
.IP "ANF:	allow new files
.IP "ARF:	allow removed files
.IP "md5:	md5 checksum"
.IP "sha1: sha1 checksum"
.IP "sha256: sha256 checksum"
.IP "sha512: sha512 checksum"
.IP "rmd160: rmd160 checksum"
.IP "tiger: tiger checksum"
.IP "haval: haval checksum"
.IP "crc32:	crc32 checksum"
.IP "R:	p+ftype+i+l+n+u+g+s+m+c+md5+X"
.IP "L:	p+ftype+i+l+n+u+g+X"
.IP "E:	Empty group"
.IP "X:	acl+selinux+xattrs+e2fsattrs (if groups are explicitly enabled)"
.IP ">:	Growing file p+ftype+l+u+g+i+n+S+X"
.LP
And also the following if you have mhash support enabled
.IP "gost: gost checksum"
.IP "whirlpool: whirlpool checksum"
.LP
The following are available only when explicitly enabled using configure
.IP "acl: access control list"
.IP "selinux: selinux attributes"
.IP "xattrs: extended attributes"
.IP "e2fsattrs: file attributes on a second extended file system
.LP
Please note that 'I' and 'c' are incompatible. When the name of a file
is changed, it's ctime is updated as well. When you put 'c' and 'I' in
the same rule the, a changed ctime is silently ignored.
.LP
When 'ANF' is used, new files are added to the new database, but are
ignored in the report.
.LP
When 'ARF' is used, files missing on disk are omitted from the new database,
but are ignored in the report.
.PP
.SH EXAMPLES
.IP
.B "/ R"
.LP
This adds all files on your machine to the database. This one line
is a fully qualified configuration file.
.IP
.B "!/dev"
.LP
This ignores the /dev directory structure.
.IP
.B "=/foo R"
.LP
Only /foo and /foobar are taken into the database. None of their children are
added.
.IP
.B "=/foo/ R"
.LP
Only /foo and its children (e.g. /foo/file and /foo/directory) are taken into
the database. The children of sub-directories (e.g. /foo/directory/bar) are not
added.
.IP
.B "\fBAll\fR=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160"
.LP
This line defines group \fBAll\fR. It has all attributes and all
md checksum functions. If you absolutely want all digest functions
then you should enable mhash support and add
+crc32+haval+gost to the end of the definition for
\fBAll\fR. Mhash support can only be enabled at compile-time.
.PP
.SH HINTS
In the following, the first is not allowed in AIDE. Use the latter instead.
.IP
.B "/foo epug"
.IP
.B "/foo e+p+u+g"
.PP
.SH "SEE ALSO"
.BR aide (1)
.BR manual.html
.SH DISCLAIMER
All trademarks are the property of their respective owners.
No animals were harmed while making this webpage or this piece of
software.