File: aide.1

.TH AIDE 1 "2025-08-13" "aide v0.19.2" "User Commands"
.SH NAME
\fBaide\fP \- Advanced Intrusion Detection Environment
.SH SYNOPSIS
\fBaide\fP
\%[\fBparameters\fP]
\%\fBcommand\fP
.SH DESCRIPTION
\fBAIDE\fP is an intrusion detection system for checking the integrity
of files.

.SH COMMANDS
.PP
.IP "--check, -C"
Checks the database for inconsistencies. You must have an initialized
database to do this. This is also the default command. Without any
command \fBaide\fP does a check.
.IP "--init, -i"
Initialize the database. You must initialize a database and move it to
the appropriate place (see \fBdatabase_in\fR config option) before you can use
the \-\-check command.
.IP "--dry-init, -n (added in AIDE v0.17)"
Traverse the file system, match each file against the rule tree and report to stdout.

Neither reports nor the database are written in this mode.

To change the log level in this mode please use the \fB--log-level\fR command line parameter.

In this mode aide exits with status 0.

.IP "--update, -u"
Checks the database and updates the database non-interactively.
The input and output databases must be different.
.IP "--compare, -E"
Compares two databases. They must be defined in config file with
database=<url> and database_new=<url>.
.IP "--list (added in AIDE v0.19)"
List the entries of the database in human readable format (analogous to the
detailed report output of new files). Note that the checksums are base16 encoded.
.IP "--config-check, -D"
Stops after reading in the configuration file. Any errors will be reported.
To change the log level in this mode please use the \fB--log-level\fR
command line parameter.
.IP "--path-check=\fIfile_type\fR[=\fIfile_system_type\fR]:\fIpath\fR, -p \fIfile_type\fR[=\fIfile_system_type\fR]:\fIpath\fR (added in AIDE v0.17)"
Read configuration and match provided file_type, optionally file system type
(added in AIDE v0.19, Linux only) and path against rule tree.

The path is independent of what is in the actual file system and needs to be
absolute. See RESTRICTED RULES section in aide.conf (5) for supported file
types and file system types.

Please note that the specified file system type is only applied to the file and
not to the parent directories of the path. If a restricted rule cannot be
matched against a parent directory due to the missing file system type aide
raises a warning.

To change the log level in this mode please use the \fB--log-level\fR command line parameter.

In this mode aide exits with status 0 if the file would be added to the tree, 1
if not and 2 if the file does not match the specified limit.

.SH PARAMETERS
.IP "--config=\fBconfigfile\fR , -c \fBconfigfile\fR"
Configuration is read from file \fBconfigfile\fR (see \fB--version\fP output for default value).
Use '-' for stdin.
.IP "--limit=\fBREGEX\fR , -l \fBREGEX\fR (added in AIDE v0.16)"
Limit command to entries matching REGEX. Note that the REGEX only matches
at the first position.

.RS
.B Example
.RS 3
Only check and update the database entries matching /etc (i.e. the /etc
directory) while leaving all other entries unchecked and unchanged:

.RS 3
.nf
aide --update --limit /etc
.fi
.RE
.RE
.RE

.IP "--before=\(dq\fBconfigparameters\fR\(dq , -B \(dq\fBconfigparameters\fR\(dq"
These \fBconfigparameters\fR are handled before the reading of the
configuration file. See aide.conf (5) for more details on what to put
here.
.IP "--after=\(dq\fBconfigparameters\fR\(dq , -A \(dq\fBconfigparameters\fR\(dq"
These \fBconfigparameters\fR are handled after the reading of the
configuration file. See aide.conf (5) for more details on what to put
here.
.IP "--log-level=\fBlog_level\fR,-L\fBlog_level\fR (added in AIDE v0.17)"
The log level to use (see aide.conf (5) for available log levels and more details).
This overrides the log_level value set in any configuration file.
.IP "--verbose=\fBverbosity_level\fR,-V\fBverbosity_level\fR (REMOVED in AIDE v0.17)"
Removed, use \fBlog_level\fR and \fBreport_level\fR config options instead (see aide.conf (5) for details).
.IP "--report=\fBreporter\fR,-r \fBreporter\fR (REMOVED in AIDE v0.17)"
Removed, use \fBreport_url\fR config option instead (see aide.conf (5) for details).
.IP "--workers=\fBWORKERS\fR , -W \fBWORKERS\fR (added in AIDE v0.18)"
Specifies the number of workers (see aide.conf (5) for details). This
overrides the num_workers value set in any configuration file.
.IP "--no-progress (added in AIDE v0.19)"
Turn progress off explicitly. By default progress is shown if standard error is
connected to a terminal.
.IP "--no-color (added in AIDE v0.19)"
Turn colored log output off explicitly. By default colored log output is
enabled if standard error is connected to a terminal.
.IP "--version,-v"
Print version information and exit.
.IP "--help,-h"
Prints out the standard help message.
.PP
.SH EXIT STATUS
Normally, the exit status is 0 if no errors occurred, except when the
.BR --check ,
.BR --compare " or"
.B --update
command was requested, in which case the exit status is defined as:
.IP "1 * (new files reported?)     +"
.IP "2 * (removed files reported?) +"
.IP "4 * (changed files reported?)"
.PP
Since those three cases can occur together, the respective error codes
are added. For example, if there are new files and removed files reported,
the exit status will be 1 + 2 = 3.
.PP
Additionally, the following exit codes are defined for generic error
conditions:
.IP "14 Writing error"
.IP "15 Invalid argument error"
.IP "16 Unimplemented function error"
.IP "17 Configuration error"
.IP "18 IO error"
.IP "19 Version mismatch error"
.IP "20 EXEC error"
.IP "21 File lock error"
.IP "22 Memory allocation error"
.IP "23 Thread error"
.IP "24 Database error"
.IP "25 received SIGINT, SIGTERM or SIGHUP"
.PP
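The following wrapper is an added example, not part of the aide distribution. It decodes the exit status as defined above and keeps "changes reported" (1 to 7) apart from the generic error codes, since a naive bit test would read 20 (EXEC error) as "changed files". The function names and the three-way exit policy of the wrapper are assumptions of the example.

```python
import subprocess
import sys

# Bit flags used by --check, --compare and --update (EXIT STATUS section).
CHANGE_BITS = {1: "new files", 2: "removed files", 4: "changed files"}

# Generic error codes (EXIT STATUS section).
ERRORS = {
    14: "Writing error", 15: "Invalid argument error",
    16: "Unimplemented function error", 17: "Configuration error",
    18: "IO error", 19: "Version mismatch error", 20: "EXEC error",
    21: "File lock error", 22: "Memory allocation error",
    23: "Thread error", 24: "Database error",
    25: "received SIGINT, SIGTERM or SIGHUP",
}


def decode_exit_status(status):
    """Return (kind, details) for an aide --check/--compare/--update status."""
    if status == 0:
        return ("clean", [])
    # Only 1..7 is a sum of the three flags; test the range before the bits,
    # otherwise 14 or 20 would also appear to have the "changed" bit set.
    if 1 <= status <= 7:
        return ("changes", [n for b, n in CHANGE_BITS.items() if status & b])
    if status in ERRORS:
        return ("error", [ERRORS[status]])
    # Anything else, including a negative returncode (killed by a signal).
    return ("unknown", [str(status)])


def run_check(argv=("aide", "--check")):
    """Run aide (assumed to be on PATH) and decode its exit status."""
    proc = subprocess.run(list(argv), check=False)
    return decode_exit_status(proc.returncode)


if __name__ == "__main__":
    kind, details = run_check()
    print(kind, ", ".join(details))
    # Example policy: 0 = clean, 1 = findings to triage, 2 = the check itself
    # did not complete and its result must not be read as "no changes".
    sys.exit({"clean": 0, "changes": 1}.get(kind, 2))
```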
.SH SIGNAL HANDLING

.IP "\fBSIGINT\fR, \fBSIGTERM\fR, \fBSIGHUP\fR"

Remove an incompletely written database (only if database file was created by aide) and exit (code 25).

.IP \fBSIGUSR1\fR

Toggle the log_level between current and debug level.

\fBSIGUSR1\fR is only handled after config parsing.

.IP \fBSIGWINCH\fR

Resize the progress bar (if enabled).

.PP
.SH NOTES

.IP "Checksum encoding"

The checksums in the database and in the output are by default base64
encoded (see also report_base16 option).
To decode them you can use the following shell command:

.RS 3
.nf
echo <encoded_checksum> | base64 \-d | hexdump \-v \-e '32/1 "%02x" "\\n"'
.fi
.RE

.IP "Control characters"

Control characters (00-31 and 127) are always escaped in log and plain report
output. They are escaped by a literal backslash (\\) followed by exactly 3
digits representing the character in octal notation (e.g. a newline is output
as "\fB\\012\fR"). A literal backslash is not escaped unless it is followed by
3 digits (0-9); in this case the literal backslash is escaped as
"\fB\\134\fR". Reports in JSON format are escaped according to the JSON specs
(e.g. a newline is output as "\fB\\b\fR" or an escape (\fBESC\fR) is output as
"\fB\\u001b\fR").

.PP
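The plain-report escaping rule described under "Control characters", reimplemented from that description as an added example (this is not AIDE's own code; the function names and sample paths are constructed). It shows why the rule is reversible: a file name that contains the literal text \\012 cannot pass for an escaped newline in a report.

```python
import re

DIGITS = "0123456789"


def escape_report(name):
    """Escape a name as described for log and plain report output."""
    out = []
    for i, ch in enumerate(name):
        code = ord(ch)
        following = name[i + 1:i + 4]
        if code < 32 or code == 127:
            # Control character: backslash plus exactly 3 octal digits.
            out.append("\\%03o" % code)
        elif (ch == "\\" and len(following) == 3
              and all(c in DIGITS for c in following)):
            # A literal backslash is escaped only when 3 digits follow it.
            out.append("\\134")
        else:
            out.append(ch)
    return "".join(out)


# In escaped output a backslash followed by 3 digits is always an escape,
# and only these values can occur: 000-037, 177 and 134.
_ESCAPE = re.compile(r"\\(0[0-3][0-7]|134|177)")


def unescape_report(text):
    """Recover the original name from escaped plain-report text."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)


# Constructed sample names: a real newline, the literal text \012,
# an ESC sequence, a harmless backslash, and a backslash before a newline.
SAMPLES = ["/tmp/a\nb", "/tmp/a\\012b", "/tmp/x\x1b[2J", "C:\\dir", "/tmp/\\\n"]

if __name__ == "__main__":
    for sample in SAMPLES:
        escaped = escape_report(sample)
        assert unescape_report(escaped) == sample
        print(repr(sample), "->", escaped)
```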
.SH FILES

See \fB--version\fR output for the default \fBconfig file\fR and the
default \fBdatabase_in\fR and \fBdatabase_out\fR config values.

.SH SEE ALSO
.BR aide.conf (5)
.SH BUGS
There are probably bugs in this release. Please report them
at https://github.com/aide/aide/issues .
.SH DISCLAIMER
All trademarks are the property of their respective owners.
No animals were harmed while making this webpage or this piece of
software. Although some pizza delivery guy's feelings were hurt.
.BR