|
|
| |
AIDE.CONF(5) |
AIDE |
AIDE.CONF(5) |
aide.conf - The configuration file for Advanced Intrusion Detection Environment
aide.conf is the configuration file for Advanced Intrusion Detection
Environment. aide.conf contains the runtime configuration aide uses to
initialize or check the AIDE database.
aide.conf is case-sensitive. Leading and trailing white spaces are ignored. AIDE
uses the backslash character (\) as escape character for ' ' (space),
'@' and '\' (backslash) (e.g. '\ ' or '\@'). To literally match a '\'
in a file path with a regular expression you have to escape the backslash
twice (i.e. '\\\\').
There are three types of lines in aide.conf. First there
are the configuration options which are used to set configuration parameters
and define groups. Second, there are (restricted) rules that are used to
indicate which files are added to the database. Third, macro lines define or
undefine variables within the config file. Lines beginning with # are
ignored as comments.
These lines have the format parameter=value. See URLS for a list of valid urls.
- database_in (type: URL, default: see --version output)
- database (DEPRECATED, will be removed in a future release)
- The url from which database is read. There can only be one of these lines.
If there are multiple database lines then the first is used.
- database_out (type: URL, default: see --version output)
- The url to which the new database is written to. There can only be one of
these lines. If there are multiple database_out lines then the first is
used.
- database_new (type: URL, default: <none>)
- The url from which the other database for --compare is read.
- database_attrs (type: attribute expression, default: H)
- The attributes of the (uncompressed) database files which are to be added
to the reports in report level >= database_attributes . Only
checksum attributes are supported. To disable set database_attrs to
'E'.
- database_add_metadata (type: bool, default: true)
- Whether to add the AIDE version and the time of database generation as
comments to the database file or not. This option may be set to false by
default in a future release.
- log_level (type: log level, default: warning)
- The log level to use. Log messages are written to stderr. If there
are multiple log_level lines then the first one is used. The
--log-level or -L command line option overwrites this option.
The following log levels are available:
error: show unrecoverable issues that have to be
handled by the user. Errors are fatal to the AIDE process.
warning: additionally show recoverable issues that most
likely lead to unexpected behaviour and should be handled by the user
notice: additionally show recoverable issues that sometimes
lead to unexpected behaviour and might be handled by the user.
info: additionally show informational messages
rule: additionally show messages to help to debug the path
rule matching
config: additionally show messages to help to debug config
and rule parsing
debug: additionally show messages that are useful to debug
the application (very verbose)
trace: detailed information about the flow of the
application (e.g. in-loop logging) (even more verbose)
- verbose (type: number, range: 0 - 255, default: 5)
- Removed in AIDE v0.17, use log_level and report_level
options instead
- gzip_dbout (type: bool, default: false)
- Whether the output to the database is gzipped or not. This option is
available only if zlib support is compiled in.
- root_prefix (type: path, default: <empty>)
- The prefix to strip from each file name in the file system before applying
the rules and writing to database. AIDE removes a trailing slash from the
prefix. If there are multiple root_prefix lines then the first one is
used. This option has no effect in compare mode.
- acl_no_symlink_follow (type: bool, default: false)
- Whether to check ACLs for symlinks or not. This option is available only
if acl support is compiled in.
- warn_dead_symlinks (type: path, default: false)
- Whether to warn about dead symlinks or not.
- config_version (type: string, default: <empty>)
- The value of config_version is printed in the report and also printed to
the database. This is for informational purposes only. It has no other
functionality.
- Group definitions
- If the parameter is not one of the previous parameters then it is regarded
as a group definition. Value is then regarded as an attribute
expression.
- See DEFAULT GROUPS for an explanation of default predefined groups.
Group names are limited to alphanumeric characters
(A-Za-z0-9).
- report_url (type: URL, default: stdout)
-
The URL that the output is written to.
Multiple instances of the report_url option are
supported.
Examples:
report_url=file:/var/log/aide.log
Write report to /var/log/aide.log.
report_url=stdout
Write report to stdout.
report_url=syslog:<LOG_FACILITY>
Write report to syslog using
LOG_FACILITY.
The following report options are available (to take effect they
have to be set before report_url):
- report_level (type: report level, default: changed_attributes)
-
The report level to use. The available report levels are as
follows:
minimal: print single line whether AIDE found
differences to the database
summary: additionally print number of added, removed and
changed files
database_attributes: additionally print database
checksums
list_entries: additionally print lists of added, removed
and changed entries
changed_attributes: additionally print details about
changed entries
added_removed_attributes: additionally print details about
added and removed attributes
added_removed_entries: additionally print details about
added and removed entries
- report_base16 (type: bool, default: false)
- Base16 encode the checksums in the report. The default is to report
checksums in base64 encoding.
- report_detailed_init (type: bool, default: false)
- Report added files (report level >= list_entries) and their
details (report level >= added_removed_entries) in
initialization mode.
- report_quiet (type: bool, default: false)
- Suppress report output if no differences to the database have been
found.
- report_append (type: bool, default: false)
- Append to the report URL.
- report_grouped (type: bool, default: true)
- grouped (DEPRECATED, will be removed in a future release)
- Group the files in the report by added, removed and changed files.
- report_summarize_changes (type: bool, default: true)
- summarize_changes (DEPRECATED, will be removed in a future release)
- Summarize changes in the added, removed and changed files sections of the
report.
The general format is like the string YlZbpugamcinHAXSEC,
where Y is replaced by the file-type (f for a regular file,
d for a directory, l for a symbolic link, c for a
character device, b for a block device, p for a FIFO,
s for a unix socket, D for a Solaris door, P for a
Solaris event port, ! if file type has changed and ?
otherwise).
The Z is replaced as follows: A = means that the size
has not changed, a < reports a shrinked size and a >
reports a grown size.
The other letters in the string are the actual letters that
will be output if the associated attribute for the item has been changed
or a "." for no change, a "+" if the attribute has
been added, a "-" if it has been removed, a ":" if
the attribute is ignored (but not forced) or a " " if the
attribute has not been checked. The exceptions to this are: (1) a newly
created file replaces each letter with a "+", and (2) a
removed file replaces each letter with a "-".
The attribute that is associated with each letter is as
follows:
- o
- A l means that the link name has changed.
- o
- A b means that the block count has changed.
- o
- A p means that the permissions have changed.
- o
- An u means that the uid has changed.
- o
- A g means that the gid has changed.
- o
- An a means that the access time has changed.
- o
- A m means that the modification time has changed.
- o
- A c means that the change time has changed.
- o
- An i means that the inode has changed.
- o
- A n means that the link count has changed.
- o
- A H means that one or more message digests have changed.
The following letters are only available when explicitly
enabled using configure:
- o
- A A means that the access control list has changed.
- o
- A X means that the extended attributes have changed.
- o
- A S means that the SELinux attributes have changed.
- o
- A E means that the file attributes on a second extended file system
have changed.
- o
- A C means that the file capabilities have changed.
- report_ignore_added_attrs (type: attribute expression, default:
empty)
- Attributes whose addition is to be ignored in the report.
- report_ignore_removed_attrs (type: attribute expression, default:
empty)
- Attributes whose removal is to be ignored in the report.
- report_ignore_changed_attrs (type: attribute expression, default:
empty)
- ignore_list (removed in AIDE v0.17)
- Attributes whose change is to be ignored in the report.
- report_force_attrs (type: attribute expression, default:
empty)
- report_attributes (removed in AIDE v0.17)
- Attributes which are always printed in the report for changed files. If an
attribute is both ignored and forced the attribute is not considered for
file change but printed in the final report as long as the file has been
otherwise changed.
- report_ignore_e2fsattrs (type: string, default: 0)
- List (no delimiter) of ext2 file attributes which are to be ignored in the
report. See chattr(1) for the available attributes. Use 0
(zero) to not ignore any attribute. Ignored attributes are represented by
a ':' in the output.
Example:
Ignore changes of the ext2 file attributes compression
error (E), huge file (h), indexed directory (I):
report_ignore_e2fsattrs=EhI
AIDE supports three types of rules:
Regular rule:
<regex> <attribute expression>
Files and directories matching the regular expression are added to
the database.
Negative rule:
!<regex>
Files and directories matching the regular expression are ignored
and not added to the database. The children of matching directories are also
ignored.
Equals rule:
=<regex> <attribute expression>
Files and directories matching the regular expression are added to
the database. The children of directories are only added if the regular
expression ends with a "/". The children of sub-directories are
not added at all.
Every regular expression has to start with a "/". An
implicit ^ is added in front of each regular expression. In other words the
regular expressions are matched at the first position against the complete
filename (i.e. including the path). Special characters in your filenames can
be escaped using two-digit URL encoding (for example, %20 to represent a
space).
See EXAMPLES and doc/aide.conf for examples.
More in-depth discussion of the selection algorithm can be found
in the AIDE manual.
Restricted rules are like normal rules but can be restricted to file types. The
following file types are supported:
f: restrict rule to regular files
d: restrict rule to directories
l: restrict rule to symbolic links
c: restrict rule to character devices
b: restrict rule to block devices
p: restrict rule to FIFO files
s: restrict rule to UNIX sockets
D: restrict rule to Solaris doors
P: restrict rule to Solaris event ports
The file types are separated by comma. The syntax of restricted
rules is as follows:
Restricted regular rule:
<regex> <file types> <attribute expression>
Restricted negative rule:
Restricted equals rule:
=<regex> <file types> <attribute expression>
Examples
Only add directories and files to the database:
Add all but directory entries to the database:
Use specific rule for directories:
- @@define VAR val
- Define variable VAR to value val.
- @@undef VAR
- Undefine variable VAR.
- @@ifdef VAR, @@ifndef VAR
- @@ifdef begins an if statement. It must be terminated with an @@endif
statement. The lines between @@ifdef and @@endif are used if variable
VAR is defined. If there is an @@else statement then the part
between @@ifdef and @@else is used is VAR is defined otherwise the
part between @@else and @@endif is used. @@ifndef reverses the logic of
@@ifdef statement but otherwise works similarly.
- @@ifhost hostname, @@ifnhost hostname
- @@ifhost works like @@ifdef only difference is that it checks whether
hostname equals the name of the host that AIDE is running on.
hostname is the name of the host without the domainname (hostname,
not hostname.example.com).
- @@{VAR}
- @@{VAR} is replaced with the value of the variable VAR. If
variable VAR is not defined an empty string is used.
Variables are supported in strings and in regular expressions
of selection lines.
Pre-defined marco variables:
@@{HOSTNAME}: hostname of the current system
- @@else
- Begins the else part of an if statement.
- @@endif
- Ends an if statement.
- @@include FILE
- Include FILE.
The content of the file is used as if it were inserted in this
part of the config file.
The maximum depth of nested includes is 16.
- @@include DIRECTORY REGEX
- Include all (regular) files found in DIRECTORY matching regular
expression REGEX (sub-directories are ignored). The file are
included in lexical sort order.
The content of the files is used as if it were inserted in
this part of the config file.
- @@x_include FILE
- @@x_include DIRECTORY REGEX
- @x_include is identical to @@include, except that if a
config file is executable is is run and the output is used as config.
If the executable file exits with status greater than zero or
writes to stderr aide stops with an error.
For security reasons DIRECTORY and each executable
config file must be owned by the current user and must not be group- or
world-writable.
- @@x_include_setenv VAR VALUE
-
Adds the variable VAR with the value VALUE to
the environment used for config file execution.
Environment variable names are limited to alphanumeric
characters (A-Za-z0-9) and the underscore '_' and must not
begin with a digit.
bool
Valid values are yes, true, no or
false.
attribute expression
An attribute expression is of the following form:
-
<group>
| <expr> + <group>
| <expr> - <group>
URLS
Urls can be one of the following. Input urls cannot be
used as outputs and vice versa.
- stdout
- stderr
- Output is sent to stdout, stderr respectively.
- stdin
- Input is read from stdin.
- file:/path
- Input is read from path or output is written to path.
- fd:number
- Input is read from filedescriptor number or output is written to
number.
- syslog:LOG_FACILITY
- Output is written to syslog using LOG_FACILITY.
File attribute groups
- ftype: file type
- p: permissions
- i: inode
- l: link name
- n: number of links
- u: user
- g: group
- s: size
- b: block count
- m: mtime
- a: atime
- c: ctime
- acl: access control list (requires libacl)
- selinux: selinux attributes (requires libselinux)
- xattrs: extended attributes (requires libattr)
- e2fsattrs: file attributes on a second extended file system
(requires libext2fs)
- caps: file capabilities (requires libcap2)
Use 'aide --version' to show which compiled in groups are
available.
Special groups
- S: check for growing size
- I: ignore changed filename
- Note: when c is also set in the same rule a ctime change is ignored
when the name of a file is changed
- ANF: allow new files
- When 'ANF' is used, new files are added to the new database, but are
ignored in the report.
- ARF: allow removed files
- When 'ARF' is used, files missing on disk are omitted from the new
database, but are ignored in the report.
Hashsums groups
- md5: MD5 checksum
- sha1: SHA-1 checksum
- sha256: SHA-256 checksum
- sha512: SHA-512 checksum
- rmd160: RIPEMD-160 checksum
- tiger: tiger checksum
- haval: haval256 checksum (libmhash only)
- crc32: crc32 checksum
- crc32b: crc32 checksum (libmhash only)
- gost: GOST R 34.11-94 checksum
- whirlpool: whirlpool checksum
- stribog256: GOST R 34.11-2012, 256 bit checksum (libgcrypt
only)
- stribog512: GOST R 34.11-2012, 512 bit checksum (libgcrypt
only)
Use 'aide --version' to show which compiled hashsums are
available.
Compound groups
- R: p+ftype+i+l+n+u+g+s+m+c+md5+X
- L: p+ftype+i+l+n+u+g+X
- >: Growing file p+ftype+l+u+g+i+n+S+X
- H: all compiled in hashsums
- X: acl+selinux+xattrs+e2fsattrs+caps (if groups are compiled in)
- E: Empty group
Please run 'aide --version' to list the default compound
groups.
- / R
This adds all files on your machine to the database. This one line
is a fully qualified configuration file.
- !/dev$
This ignores the /dev directory structure.
- =/foo R
Only /foo and /foobar are taken into the database. None of their
children are added.
- =/foo/ R
Only /foo and its children (e.g. /foo/file and /foo/directory) are
taken into the database. The children of sub-directories (e.g.
/foo/directory/bar) are not added.
- All=ftype+p+l+u+g+s+m+c+a+i+b+n+H+X
This line defines group All. It has all attributes, all
compiled in hashsums (H) and all compiled in extra file attributes
(X). See '--version' output for the compiled in hashsums and extra
groups.
In the following, the first is not allowed in AIDE. Use the latter instead.
- /foo epug
- /foo e+p+u+g
All trademarks are the property of their respective owners. No animals were
harmed while making this webpage or this piece of software.
Visit the GSP FreeBSD Man Page Interface. Output converted with ManDoc. |