Scroll to navigation

AIDE.CONF(5) AIDE AIDE.CONF(5)

NAME

aide.conf - The configuration file for Advanced Intrusion Detection Environment

SYNOPSIS

aide.conf is the configuration file for Advanced Intrusion Detection Environment. aide.conf contains the runtime configuration aide uses to initialize or check the AIDE database.

FILE FORMAT

aide.conf is case-sensitive. Leading and trailing white spaces are ignored. Each config lines must end with new line.

AIDE uses the backslash character (\) as escape character for ' ' (space), '@' and '\' (backslash) (e.g. '\ ' or '\@'). To literally match a '\' in a file path with a regular expression you have to escape the backslash twice (i.e. '\\\\').

There are three types of lines in aide.conf. First there are the configuration options which are used to set configuration parameters and define groups. Second, there are (restricted) rules that are used to indicate which files are added to the database. Third, macro lines define or undefine variables within the config file. Lines beginning with # are ignored as comments.

CONFIG OPTIONS

These lines have the format parameter=value. See URLS for a list of valid urls.

The url from which database is read. There can only be one of these lines. If there are multiple database lines then the first is used.

Examples:

database_in=file:/var/lib/aide/aide.db

Read database locally from /var/lib/aide/aide.db.

database_in=stdin

Read database from stdin.

database_in=https://example.com/aide.db

Read database remotely from https://example.com/aide.db.

The url to which the new database is written to. There can only be one of these lines. If there are multiple database_out lines then the first is used.
The url from which the other database for --compare is read.
The attributes of the (uncompressed) database files which are to be added to the reports in report level >= database_attributes . Only checksum attributes are supported. To disable set database_attrs to 'E'.
Whether to add the AIDE version and the time of database generation as comments to the database file or not. This option may be set to false by default in a future release.

The log level to use. Log messages are written to stderr. If there are multiple log_level lines then the first one is used. The --log-level or -L command line option overwrites this option.

The following log levels are available:

error: show unrecoverable issues that have to be handled by the user. Errors are fatal to the AIDE process.

warning: additionally show recoverable issues that most likely lead to unexpected behaviour and should be handled by the user

notice: additionally show recoverable issues that sometimes lead to unexpected behaviour and might be handled by the user.

info: additionally show informational messages

rule: additionally show messages to help to debug the path rule matching

compare: additionally show messages to help to debug file comparison and (special) attribute handling

config: additionally show messages to help to debug config and rule parsing

debug: additionally show messages that are useful to debug the application (very verbose)

thread: additionally show messages about thread processing (e.g. broadcast events)

trace: detailed information about the flow of the application (e.g. in-loop logging) (even more verbose)

Removed, use log_level and report_level options instead.
Whether the output to the database is gzipped or not. This option is available only if zlib support is compiled in.
The prefix to strip from each file name in the file system before applying the rules and writing to database. AIDE removes a trailing slash from the prefix. If there are multiple root_prefix lines then the first one is used. This option has no effect in compare mode.
Whether to check ACLs for symlinks or not. This option is available only if acl support is compiled in.
Whether to warn about dead symlinks or not.
The value of config_version is printed in the report and also printed to the database. This is for informational purposes only. It has no other functionality.
Whether to warn on unrestricted rules during config check. To explicitly define unrestricted rules use 0 (zero) as restriction character.
Specifies the number of simultaneous workers (threads) for file attribute processing (i.a. hashsum calculation).

The number of workers can be a positive integer (e.g. '4') or the percentage of the available processors (e.g. '60%'). The resulting number of workers is rounded up to the next integer (e.g. '60%' of 8 processors results in 5 workers).

If there are multiple num_workers lines then the first one is used.

Use 0 (zero) to disable multi-threading.

The default value 1 (single worker thread) may be changed in a future release.

REPORT OPTIONS

The URL that the output is written to.

Multiple instances of the report_url option are supported.

Examples:

report_url=file:/var/log/aide.log

Write report to /var/log/aide.log.

report_url=stdout

Write report to stdout.

report_url=syslog:<LOG_FACILITY>

Write report to syslog using LOG_FACILITY.

The following report options are available (to take effect they have to be set before report_url):

The report level to use. The available report levels are as follows:

minimal: print single line whether AIDE found differences to the database

summary: additionally print number of added, removed and changed files

database_attributes: additionally print database checksums

list_entries: additionally print lists of added, removed and changed entries

changed_attributes: additionally print details about changed entries

Example:

File: /var/lib/apt/extended_states

Perm : -rw-r--r-- | -rw-------
Uid : 0 | 106

The left column shows the old value (e.g. from the database_in database) and the right column shows the new value (e.g. from the file system).

added_removed_attributes: additionally print details about added and removed attributes

added_removed_entries: additionally print details about added and removed entries

The report format to use. The available report formats are as follows:

plain: Print report in plain human-readable format.

json: Print report in json machine-readable format.

Base16 encode the checksums in the report. The default is to report checksums in base64 encoding.
Report added files (report level >= list_entries) and their details (report level >= added_removed_entries) in initialization mode.
Suppress report output if no differences to the database have been found.
Append to the report URL.
Group the files in the report by added, removed and changed files.
Summarize changes in the added, removed and changed files sections of the report.

The general format is like the string YlZbpugamcinHAXSEC, where Y is replaced by the file-type ('f' for a regular file, 'd' for a directory, 'l' for a symbolic link, 'c' for a character device, 'b' for a block device, 'p' for a FIFO, 's' for a unix socket, 'D' for a Solaris door, 'P' for a Solaris event port, '!' if file type has changed and '?' otherwise).

The Z is replaced as follows: A '=' means that the size has not changed, a '<' reports a shrinked size and a '>' reports a grown size. The other letters in the string are the actual letters that will be output if the associated attribute for the item has been changed or a '.' for no change.

Otherwise a '+' is shown if the attribute has been added, a '-' if it has been removed, a ':' if the attribute is ignored (but not forced) or a ' ' if the attribute has not been checked.

The exceptions to this are: (1) a newly created file replaces each letter with a '+', and (2) a removed file replaces each letter with a '-'.

The attribute that is associated with each letter is as follows:

A l means that the link name has changed.
A b means that the block count has changed.
A p means that the permissions have changed.
An u means that the uid has changed.
A g means that the gid has changed.
An a means that the access time has changed.
A m means that the modification time has changed.
A c means that the change time has changed.
An i means that the inode has changed.
A n means that the link count has changed.
A H means that one or more message digests have changed.

The following letters are only available when explicitly enabled using configure:

A A means that the access control list has changed.
A X means that the extended attributes have changed.
A S means that the SELinux attributes have changed.
A E means that the file attributes on a second extended file system have changed.
A C means that the file capabilities have changed.
Attributes whose addition is to be ignored in the report.
Attributes whose removal is to be ignored in the report.
Attributes whose change is to be ignored in the report.
Attributes which are always printed in the report for changed files. If an attribute is both ignored and forced the attribute is not considered for file change but printed in the final report as long as the file has been otherwise changed.
List (no delimiter) of ext2 file attributes which are to be ignored in the report. See chattr(1) for the available attributes. Use 0 (zero) to not ignore any attribute. Ignored attributes are represented by a ':' in the report.

By default AIDE also reports changes of the read-only attributes mentioned in chattr(1) (see example below how to ignore those changes).

Example:

Ignore changes of the read-only ext2 file attributes verify (V), inline data (N), indexed directory (I) and encrypted (E):

report_ignore_e2fsattrs=VNIE

GROUPS

Groups are aggregations of attributes.

Group definitions have the format <group name> = <attribute expression>.

Group names are limited to alphanumeric characters (A-Za-z0-9).

See ATTRIBUTES for a description of all available attributes.

Default groups

p+ftype+i+l+n+u+g+s+m+c+md5+X
p+ftype+i+l+n+u+g+X
>
Growing file p+ftype+l+u+g+i+n+s+growing+X
all compiled in hashsums (added in AIDE v0.17)
acl+selinux+xattrs+e2fsattrs+caps (if attributes are compiled in, added in AIDE v0.16)
Empty group

RULES

AIDE supports three types of rules:

<regex> <attribute expression>

Files and directories matching the regular expression are added to the database.

!<regex>

Files and directories matching the regular expression are ignored and not added to the database. The children of matching directories are also ignored.

=<regex> <attribute expression>

Files and directories matching the regular expression are added to the database. The children of directories are only added if the regular expression ends with a "/". The children of sub-directories are not added at all.

Every regular expression has to start with an explicit "/". An implicit ^ is added in front of each regular expression. In other words, the regular expressions are matched at the first position against the complete path. Special characters can be escaped using two-digit URL encoding (for example, %20 to represent a space).

AIDE uses a deepest-match algorithm to find the tree node to search, but a first-match algorithm inside the node. (see also rule log level).

See EXAMPLES for examples.

More in-depth discussion of the selection algorithm can be found in the AIDE manual.

RESTRICTED RULES

Restricted rules are like normal rules but can be restricted to file types (added in AIDE v0.16). The following file types are supported:

restrict rule to regular files
restrict rule to directories
restrict rule to symbolic links
restrict rule to character devices
restrict rule to block devices
restrict rule to FIFO files
restrict rule to UNIX sockets
restrict rule to Solaris doors
restrict rule to Solaris event ports
0
empty restriction, i.e. don't restrict rule (added in AIDE v0.18)

Multiple restrictions can be given as a comma-separated list.

The syntax of restricted rules is as follows:

<regex> <file types> <attribute expression>
!<regex> <file types>
=<regex> <file types> <attribute expression>

MACRO LINES

@@define VAR val
Define variable VAR to value val.
@@undef VAR
Undefine variable VAR.
@@if boolean_expression (added in AIDE v0.18)
@@else
@@endif
@@if begins an if statement. It must be terminated with an @@endif statement. The lines between @@if and @@endif are used if the boolean_expression evaluates to true. If there is an @@else statement then the part between @@if and @@else is used if boolean_expression evaluates to true otherwise the part between @@else and @@endif is used.

Available operators and functions in boolean expressions:

not boolean_expression
Evaluates to true if the boolean_expression is false, and false if the boolean_expression is true.

defined VARIABLE

Evaluates to true if VARIABLE is defined.

hostname HOSTNAME

Evaluates to true if HOSTNAME equals the hostname of the machine that AIDE is running on. hostname is the name of the host without the domainname (ie 'hostname', not 'hostname.example.com').

exists PATH

Evaluates to true if PATH exists.

@@ifdef VARIABLE (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)
same as @@if defined VARIABLE
@@ifndef VARIABLE (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)
same as @@if not defined VARIABLE
@@ifhost HOSTNAME (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)
same as @@if hostname HOSTNAME
@@ifnhost HOSTNAME (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)
same as @@if not hostname HOSTNAME

@@{VAR}
@@{VAR} is replaced with the value of the variable VAR. If variable VAR is not defined an empty string is used.

Variables are supported in strings and in regular expressions of selection lines.

Pre-defined marco variables:

@@{HOSTNAME}: hostname of the current system

@@include FILE
Include FILE.

The content of the file is used as if it were inserted in this part of the config file.

The maximum depth of nested includes is 16.

@@include DIRECTORY REGEX [RULE_PREFIX] (added in AIDE v0.17)
Include all (regular) files found in DIRECTORY matching regular expression REGEX (sub-directories are ignored). The file are included in lexical sort order.

If RULE_PREFIX is set, all rules included by the statement are prefixed with given RULE_PREFIX (added in AIDE v0.18). Prefixes from nested include statements are concatenated.

The content of the files is used as if it were inserted in this part of the config file.

@@x_include FILE (added in AIDE v0.17)
@@x_include DIRECTORY REGEX [RULE_PREFIX] (added in AIDE v0.17)
@x_include is identical to @@include, except that if a config file is executable is is run and the output is used as config.

If the executable file exits with status greater than zero or writes to stderr aide stops with an error.

For security reasons DIRECTORY and each executable config file must be owned by the current user or root. They must not be group- or world-writable.

@@x_include_setenv VAR VALUE (added in AIDE v0.17)

Adds the variable VAR with the value VALUE to the environment used for config file execution.

Environment variable names are limited to alphanumeric characters (A-Za-z0-9) and the underscore '_' and must not begin with a digit.

TYPES

bool

Valid values are yes, true, no or false.

attribute expression

An attribute expression is of the following form:


<attribute/group> | <expr> + <attribute/group> | <expr> - <attribute/group>

URLS

Urls can be one of the following. Input urls cannot be used as outputs and vice versa.

Output is sent to stdout, stderr respectively.
Input is read from stdin.
Input is read from path or output is written to path.
Input is read from filedescriptor number or output is written to number.
Output is written to syslog using LOG_FACILITY.

ATTRIBUTES

File attributes

file type (added in AIDE v0.15)
permissions
inode
link name
number of links
user
group
size
block count
mtime
atime
ctime
access control list (requires libacl)
selinux attributes (requires libselinux)
extended attributes (requires libattr)
file attributes on a second extended file system, see also report_ignore_e2fsattrs option (requires libext2fs, added in AIDE v0.15)
file capabilities (requires libcap2, added in AIDE v0.17)

Use 'aide --version' to show which compiled-in attributes are available.

Special attributes

check for growing size (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)

Use growing+s attributes instead

ignore changed filename

When I is used, the inode of the old file is used to search for a moved file in the new database.

Source and target file have to be located in the same directory and must share the same attributes (except for special attributes ANF, ARF, I, growing, and compressed).

For moved entries a change of the ctime attribute is ignored.

ignore growing file (added in AIDE v0.18)

When growing is used, changes of the following attributes are ignored:

size: if new size is greater than old size

bcount: if new bcount is greater than old bcount

atime: if new atime is greater than old atime

mtime: if new mtime is greater than old mtime

ctime: if new ctime is greater than old ctime

hashsums: if the hashsum of the new file restricted to the old size equals the hashsums of the old file

For hashsum attributes the growing attribute is ignored in compare mode.

ignore compressed file (added in AIDE v0.18)

When compressed is used, the uncompressed hashsums of the new compressed file (supported compressions: gzip) are used to search for the uncompressed file in the old database.

The old uncompressed and the new compressed file have to be located in the same directory and must share the same attributes (except for special attributes ANF, ARF, I, growing, and compressed) including at least one hashsum.

Changes of the inode, size, bcount and ctime attributes are ignored.

The growing attribute (i.e. the old file size) is not considered for compressed files during the calculation of the uncompressed hashsums.

The compressed attribute is ignored in compare mode.

allow new files

When 'ANF' is used, new files are added to the new database, but are ignored in the report.

allow removed files

When 'ARF' is used, files missing on disk are omitted from the new database, but are ignored in the report.

Hashsums attributes

MD5 checksum (not in libgcrypt FIPS mode)
SHA-1 checksum
SHA-256 checksum
SHA-512 checksum
RIPEMD-160 checksum
tiger checksum
haval256 checksum (libmhash only)
crc32 checksum
crc32 checksum (libmhash only)
GOST R 34.11-94 checksum
whirlpool checksum
GOST R 34.11-2012, 256 bit checksum (libgcrypt only, added in AIDE v0.17)
GOST R 34.11-2012, 512 bit checksum (libgcrypt only, added in AIDE v0.17)

Use 'aide --version' to show which hashsums are available.

EXAMPLES

/ R
This adds all files on your machine to the database. This one line is a fully qualified configuration file.
!/dev$
This ignores the /dev directory structure.
=/foo R
Only /foo and /foobar are taken into the database. None of their children are added.
=/foo/ R
Only /foo and its children (e.g. /foo/file and /foo/directory) are taken into the database. The children of sub-directories (e.g. /foo/directory/bar) are not added.
/ d,f R
Only add directories and files to the database
!/run d
/run R
Add all but directory entries to the database
/run d R-m-c-i
/run R
Use specific rule for directories
Check permissions, owner, group and file type
Check size and block count
Files that stay static

Full = InodeData+StaticFile

/ 0 Full
This line defines group Full. It has all attributes, all compiled in hashsums (H) and all compiled in extra file attributes (X). See '--version' output for the compiled in hashsums and extra groups. The example rule is the typical catch-all rule at the end of the rule list.
/etc/ssl/certs/ca-certificates\\.crt$ VarTime
Files that change their mtimes or ctimes but not their contents.
/var/lib/nfs/etab$ f VarInode
Files that are recreated regularly but do not change their contents
/etc/resolv\\.conf$ f VarFile
Files that change their contents during system operation
/var/lib/snmp$ d VarDir
Directories that change their contents during system operation
/run/samba$ d RecreatedDir
Directories that are recreated regularly and change their contents

Logs pose a number of special challenges to AIDE. An active log is nearly constantly being written to. The process of log rotation changes file names for files that are supposed to have unaltered contents. To save space, Logs are compressed in the process of their rotation, and finally, they get deleted. AIDE is supposed to handle all those cases without generating reports, and it is still expected to flag the cases when an attacker tampers with logs.

The following examples suggest a way to handle the common case of log rotation with the logrotate(8) program, with its options compress, delaycompress and nocopytruncate set. The vast majority of logs are rotated this way on most Linux systems.

/var/log/foo\\.log$ f ActLog
An Active Log is typically named foo.log. It is constanty being written to. The file does neither change its mode nor its inode number. The size only increases, and what is written to the file is not supposed to change (growing). During log rotation, foo.log is typically renamed to foo.log.1 (or foo.log.0) and the process is instructed to write to a new foo.log. Log content is written to a new file (ANF) and will eventually be renamed to foo.log.1 (I). The growing attribute suppresses reports for files that just had content appended when compared to the database. A change of the old content is still reported!
/var/log/foo\\.log\\.1$ f RotLog
foo.log.0 or foo.log.1 is called the Rotated Log, the previously active log renamed to the first name of the Log Series that is formed by the rotation mechanism. Right after rotation, the file might still being written to by the daemon. To aide, this looks like the Active Log's size decreases and its inode and timestamps change. The Rotated Log is not supposed to change its attributes once the process has stopped writing to it. Reports might be generated if aide runs while the process still writes to the Rotated Log, but this is quite unlikely to happen. Some log rotation mechanisms rename foo.log to foo.log.0 to foo.log.1.gz, others rename foo.log to foo.log.1 to foo.2.log.gz.
/var/log/foo\\.log\\.2\\.gz$ f CompSerLog
In the next rotation step, foo.log.1 gets compressed to foo.log.2.gz, becoming the Compressed Log in the Log Series. With this rule, AIDE does not report this step because it uncompresses the contents of the file and takes the checksum of the uncompressed content. The contents strictly doesn't change, but some attribute changes are ignored (compressed).
/var/log/foo\\.log\\.[345]\\.gz$ f MidlSerLog
In the next log rotation, all foo.log.{x} get renamed to foo.log.{x+1}. The other attributes are not supposed to change.
/var/log/foo\\.log\\.6\\.gz$ f LastSerLog
The configuration of the log rotation process specifies a number of log generations to keep. The last log in the series is therefore removed from the disk (ARF).

aide 0.18 does not yet support the following cases of log rotation:

It might be the case that a log is actually created, but never written to. This commonly happens on rarely used web servers that use the log rotation as a method to cater for data protection regulation. In result, all files in a series are identical, breaking the heuristics that aide uses to detect log rotation. A possible workaround is to begin a newly rotated log with a timestamp. With logrotate, this can be done in a postrotate scriptlet.
With logrotate's nodelaycompress option, a log is immediately compressed after renaming it from the Active Log name. For the time being, it is recommended to always use the delaycompress option to avoid this behavior.
With logrotate's copytruncate option, the Active Log is not renamed and newly created but copied to the new file name. After the copy operation, the old file is truncated to zero size, allowing the daemon to continuously write to the already open file handle. aide uses the Inode number to detect the rotation process. That doesn't work with copytruncate because the Inode stays with the Active Log. For the time being, it is recommended to avoid the copytruncate option to avoid this behavior.

HINTS

In the following, the first is not allowed in AIDE. Use the latter instead.

/foo epug
/foo e+p+u+g

SEE ALSO

aide(1)

DISCLAIMER

All trademarks are the property of their respective owners. No animals were harmed while making this webpage or this piece of software.

2024-05-09 aide v0.18.8