Blame doc/aide.conf.5.in

.TH AIDE.CONF 5 "Jul 25, 2016" "aide 0.16" "AIDE"
.SH NAME
aide.conf - The configuration file for Advanced Intrusion Detection
Environment
.PP
.SH SYNOPSIS
\fBaide.conf\fP is the configuration file for Advanced Intrusion
Detection Environment. \fBaide.conf\fP contains the runtime
configuration aide uses to initialize or check the AIDE database.
.PP
.SH "FILE FORMAT"
\fBaide.conf\fP is similar to Tripwire(tm)'s configuration
file. With little effort tw.conf can be converted to aide.conf.
.PP
aide.conf is case-sensitive. Leading and trailing white spaces are
ignored.
.PP
There are three types of lines in \fBaide.conf\fP. First there are the
configuration lines which are used to set configuration parameters and
define/undefine variables. Second, there are (restricted) selection lines that
are used to indicate which files are added to the database. Third, macro lines
define or undefine variables within the config file. Lines beginning with #
are ignored as comments.
.PP
.SH "CONFIG LINES"
.PP
These lines have the format parameter=value. See URLS for a list of
valid urls.
.PP
.IP "database"
The url from which the database is read. There can only be one of these
lines. If there are multiple database lines then the first is used.
The default value is "@prefix@/etc/aide.db".
.IP "database_out"
The url to which the new database is written. There can only be one
of these lines. If there are multiple database_out lines then the
first is used. The default value is "@prefix@/etc/aide.db.new".
.IP "database_new"
The url from which the other database for \-\-compare is read.
There is no default for this one.
.IP "database_attrs"
The attributes of the (uncompressed) database files which are to be added to
the final report in verbose level 2 or higher. Only checksum attributes are
supported. To disable set
.I database_attrs
to
.RB ' E '.
By default all compiled-in checksums are added to the report.
.IP "database_add_metadata"
Whether to add the AIDE version and the time of database generation as comments
to the database file or not. Valid values are yes, true, no and false. The
default is to add the AIDE version and the time of database generation. This
option may be set to no by default in a future release.
.IP "verbose"
The level of messages that is output. This value can be 0-255
inclusive. This parameter can only be given once. The value from the first
occurrence is used. If \-\-verbose or \-V is used then the value from that
is used. The default is 5. If verbosity is 20 then additional report
output is written when doing \-\-check, \-\-update or \-\-compare.
.IP "syslog_format"
Valid values are yes, true, no and false. This option enables the new syslog format,
which is suitable for logging. Every change is logged as one simple line. This option
changes the verbose level to 0 and prints everything that was changed. It is suggested
to use this option with "report_url=syslog:...". The default value is "false/no".
The maximum size of a message is 1KB, which is a limitation of the syslog call. If a message is
greater than the limit, it will be truncated.
The option summarize_changes has no impact on this format.
.nf
.eo

Output always starts with:
"AIDE found differences between database and filesystem!!"
And it is followed by summary:
summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=1
And finally there are logs about changes:
dir=/usr/sbin;Mtime_old=0000-00-00 00:00:00;Mtime_new=0000-00-00 00:00:00;...
.ec
.fi
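The following Python sketch is an added example, not part of AIDE or of the original man page. It parses the three kinds of syslog_format message bodies shown above and marks change records that look cut off by the 1KB limit. It assumes the syslog header has already been stripped and that paths contain no ';'; the sample lines are constructed, and the "file" type key and the "Ctime" and "Size" attribute names in them are assumptions modelled on the "dir" and "Mtime" fields shown above.

```python
# Added example: parse the bodies of AIDE syslog_format messages.
BANNER = "AIDE found differences between database and filesystem!!"
SYSLOG_LIMIT = 1024  # the man page states messages are truncated at 1KB


def parse_message(msg):
    """Classify one message body as banner, summary, change or unknown."""
    msg = msg.strip()
    if msg == BANNER:
        return {"kind": "banner"}
    fields = msg.split(";")
    if fields[0] == "summary":
        counts = {}
        for field in fields[1:]:
            key, sep, val = field.partition("=")
            if sep and val.isdigit():
                counts[key] = int(val)
        return {"kind": "summary", "counts": counts}
    # Change record: first field is <type>=<path>, the rest are <Attr>_old / <Attr>_new.
    ftype, sep, path = fields[0].partition("=")
    if not sep or not path.startswith("/"):
        return {"kind": "unknown", "raw": msg}
    changes, dangling = {}, False
    for field in fields[1:]:
        key, sep, val = field.partition("=")
        if not sep:
            dangling = dangling or bool(field)  # tail cut in the middle of a key
            continue
        attr, _, side = key.rpartition("_")
        if attr and side in ("old", "new"):
            changes.setdefault(attr, {})[side] = val
    # Heuristic: an attribute with only one of its old/new halves, a dangling
    # tail, or a body at the size limit means the record needs a manual look.
    unpaired = [a for a, v in changes.items() if len(v) != 2]
    incomplete = dangling or bool(unpaired) or len(msg.encode()) >= SYSLOG_LIMIT
    return {"kind": "change", "type": ftype, "path": path,
            "changes": changes, "incomplete": incomplete}


def triage(messages):
    """Collect summary counts, changed attributes per path, and incomplete records."""
    report = {"counts": {}, "changed": {}, "incomplete": []}
    for msg in messages:
        rec = parse_message(msg)
        if rec["kind"] == "summary":
            report["counts"] = rec["counts"]
        elif rec["kind"] == "change":
            report["changed"][rec["path"]] = sorted(rec["changes"])
            if rec["incomplete"]:
                report["incomplete"].append(rec["path"])
    return report


# Constructed sample input (not real AIDE output).
SAMPLE = [
    BANNER,
    "summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=2",
    "dir=/usr/sbin;Mtime_old=2016-07-25 10:00:00;Mtime_new=2016-07-26 03:12:44;"
    "Ctime_old=2016-07-25 10:00:00;Ctime_new=2016-07-26 03:12:44",
    "file=/usr/sbin/sshd;Size_old=852",  # cut off before Size_new
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```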
.IP "report_url"
The url that the output is written to. There can be multiple instances
of this parameter. Output is written to all of them. The default is
stdout.
.IP "report_base16"
Whether to base16 encode the checksums in the report or not. Valid values are
yes, true, no and false. The default is to report checksums not in base16 but
in base64 encoding.
.IP "report_detailed_init"
Whether to report added files (verbose level >= 2) and their details (verbose
level >=7) in initialization mode or not. Valid values are yes, true, no and
false. The default is to not report added files or their details in init mode.
.IP "report_quiet"
Whether to suppress report output if no differences to the database have been
found or not. Valid values are yes, true, no and false. The default is to not
suppress output in the report.
.IP "gzip_dbout"
Whether the output to the database is gzipped or not. Valid values are
yes,true,no and false. The default is no. This option is available only
if zlib support is compiled in.
.IP "root_prefix"
The prefix to strip from each file name in the file system before applying the
rules and writing to database. AIDE removes a trailing slash from the prefix.
The default is no (an empty) prefix. This option has no effect in
compare mode.
.IP "acl_no_symlink_follow"
Whether to check ACLs for symlinks or not. Valid values are
yes,true,no and false. The default is to follow symlinks. This option
is available only if acl support is compiled in.
.IP "warn_dead_symlinks"
Whether to warn about dead symlinks or not. Valid values are
yes,true,no and false. The default is not to warn about dead symlinks.
.IP "grouped"
Whether to group the files in the report by added, removed and changed
files or not. Valid values are yes, true, no and false.
The default is to group the files in the report.
.IP "summarize_changes"
Whether to summarize changes in the added, removed and changed files
sections of the report or not. Valid values are yes,true,no and false.
The default is to summarize the changes.

The general format is like the string YlZbpugamcinCAXSE, where Y is
replaced by the file-type (\fBf\fP for a regular file, \fBd\fP for a
directory, \fBl\fP for a symbolic link, \fBc\fP for a character device,
\fBb\fP for a block device, \fBp\fP for a FIFO, \fBs\fP for a unix
socket, \fBD\fP for a Solaris door, \fBP\fP for a Solaris event port, \fB!\fP
if file type has changed and \fB?\fP otherwise).

The Z is replaced as follows: A \fB=\fP means that the size has not changed,
a \fB<\fP reports a shrunk size and a \fB>\fP reports a grown size.

The other letters in the string are the actual letters that will be output
if the associated attribute for the item has been changed or a "." for no
change, a "+" if the attribute has been added, a "-" if it has been removed,
a ":" if the attribute is ignored (but not forced) or a " " if the attribute has
not been checked. The exceptions to this are: (1) a newly created file replaces
each letter with a "+", and (2) a removed file replaces each letter with a "-".

The attribute that is associated with each letter is as follows:

.RS
.IP o
A \fBl\fP means that the link name has changed.
.IP o
A \fBb\fP means that the block count has changed.
.IP o
A \fBp\fP means that the permissions have changed.
.IP o
A \fBu\fP means that the uid has changed.
.IP o
A \fBg\fP means that the gid has changed.
.IP o
An \fBa\fP means that the access time has changed.
.IP o
An \fBm\fP means that the modification time has changed.
.IP o
A \fBc\fP means that the change time has changed.
.IP o
An \fBi\fP means that the inode has changed.
.IP o
An \fBn\fP means that the link count has changed.
.IP o
A \fBC\fP means that one or more checksums have changed.
.RE

.RS
The following letters are only available when explicitly enabled using configure:
.RE

.RS
.IP o
An \fBA\fP means that the access control list has changed.
.IP o
An \fBX\fP means that the extended attributes have changed.
.IP o
An \fBS\fP means that the SELinux attributes have changed.
.IP o
An \fBE\fP means that the file attributes on a second extended file system have changed.
.RE
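The following Python sketch is an added example, not part of AIDE or of the original man page. It decodes a change summary string according to the rules above. The layout parameter is a hypothetical convenience for builds where the optional letters (A, X, S, E) are not compiled in, and the sample strings in the test are constructed.

```python
# Added example: decode an AIDE summarize_changes string.
LAYOUT = "YlZbpugamcinCAXSE"  # general format given in the man page

FILE_TYPES = {
    "f": "regular file", "d": "directory", "l": "symbolic link",
    "c": "character device", "b": "block device", "p": "FIFO",
    "s": "unix socket", "D": "Solaris door", "P": "Solaris event port",
    "!": "file type changed", "?": "other",
}
ATTRS = {
    "l": "link name", "b": "block count", "p": "permissions", "u": "uid",
    "g": "gid", "a": "access time", "m": "modification time",
    "c": "change time", "i": "inode", "n": "link count", "C": "checksums",
    "A": "access control list", "X": "extended attributes",
    "S": "SELinux attributes", "E": "ext2 file attributes",
}
MARKS = {".": "unchanged", "+": "added", "-": "removed",
         ":": "ignored", " ": "not checked"}
SIZE = {"=": "unchanged", "<": "shrunk", ">": "grown"}


def decode(summary, layout=LAYOUT):
    """Return entry kind, file type, size state and per-attribute states."""
    if len(summary) != len(layout):
        raise ValueError("expected %d characters, got %d"
                         % (len(layout), len(summary)))
    result = {"file_type": FILE_TYPES.get(summary[0], "unknown"),
              "entry": "changed", "size": None, "attrs": {}}
    rest = set(summary[1:])
    # Exceptions (1) and (2): a new or removed file is all "+" or all "-".
    if rest == {"+"} or rest == {"-"}:
        result["entry"] = "added" if rest == {"+"} else "removed"
        return result
    for slot, ch in zip(layout[1:], summary[1:]):
        if slot == "Z":
            state = SIZE.get(ch) or MARKS.get(ch)
        elif ch == slot:
            state = "changed"  # the letter itself is printed on change
        else:
            state = MARKS.get(ch)
        if state is None:
            raise ValueError("unexpected %r in slot %r" % (ch, slot))
        if slot == "Z":
            result["size"] = state
        else:
            result["attrs"][ATTRS[slot]] = state
    return result


def changed(decoded):
    """Names of the attributes reported as changed, sorted."""
    return sorted(n for n, s in decoded["attrs"].items() if s == "changed")


if __name__ == "__main__":
    print(decode("f >b...:mc..C...."))  # constructed sample
```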
.IP "report_ignore_added_attrs"
Special group definition that lists attributes whose addition is to be ignored
in the final report.
.IP "report_ignore_removed_attrs"
Special group definition that lists attributes whose removal is to be ignored
in the final report.
.TP
report_ignore_changed_attrs
.TQ
ignore_list (DEPRECATED, will be removed in a future release)
Special group definition that lists attributes whose change is to be ignored
in the final report.
.TP
report_force_attrs
.TQ
report_attributes (DEPRECATED, will be removed in a future release)
Special group definition that lists attributes which are always printed in the
final report for changed files. If an attribute is both ignored and forced the
attribute is not considered for file change but printed in the final report if
the file has been otherwise changed.
.IP "report_ignore_e2fsattrs"
List (no delimiter) of ext2 file attributes which are to be ignored in the final report.
See
.BR chattr (1)
for the available attributes. Use '0' to not ignore any
attribute. Ignored attributes are represented by a ':' in the output. The
default is to not ignore any ext2 file attribute.

.RS
.B Example
.RS 3
Ignore changes of the ext2 file attributes compression error (E), huge file
(h), indexed directory (I):

.RS 3
.nf
report_ignore_e2fsattrs=EhI
.fi
.RE
.RE
.RE
.IP "config_version"
The value of config_version is printed in the report and also printed
to the database. This is for informational purposes only. It has no
other functionality.
.IP "Group definitions"
If the parameter is not one of the previous parameters then it is
regarded as a group definition. The value is then regarded as an
expression. An expression is of the following form.
.IP
.nf
    <predefined group>| <expr> + <predefined group>
                      | <expr> - <predefined group>
.fi
.IP
See DEFAULT GROUPS for an explanation of default predefined groups.
Note that this is different from the way Tripwire(tm) does it.
.PP
.SH "SELECTION LINES"
.PP
AIDE supports three types of selection lines:

Regular selection line:
.RS 3

.nf
.B <regex> <group>
.fi

Files and directories matching the regular expression are added to the
database.

.RE

Negative selection line:
.RS 3

.nf
.B !<regex>
.fi

Files and directories matching the regular expression are ignored and not added
to the database.

.RE

Equals selection line:
.RS 3

.nf
.B =<regex> <group>
.fi

Files and directories matching the regular expression are added to the
database. The children of directories are only added if the regular expression
ends with a "/". The children of sub-directories are not added at all.

.RE

Every regular expression has to start with a "/". An implicit ^ is added in
front of each regular expression. In other words the regular expressions are
matched at the first position against the complete filename (i.e. including the
path). Special characters in your filenames can be escaped using two-digit URL
encoding (for example, %20 to represent a space).

See EXAMPLES and doc/aide.conf for examples.
.PP
More in-depth discussion of the selection algorithm can be found in
the AIDE manual.
.IP
.PP
.SH "RESTRICTED SELECTION LINES"
.PP
Restricted selection lines are like normal selection lines but can be
restricted to file types. The following file types are supported:

.RS

\fBf\fP: restrict rule to regular files

\fBd\fP: restrict rule to directories

\fBl\fP: restrict rule to symbolic links

\fBc\fP: restrict rule to character devices

\fBb\fP: restrict rule to block devices

\fBp\fP: restrict rule to FIFO files

\fBs\fP: restrict rule to UNIX sockets

\fBD\fP: restrict rule to Solaris doors

\fBP\fP: restrict rule to Solaris event ports
.RE

The file types are separated by commas. The syntax of restricted
selection lines is as follows:

Restricted regular selection line:
.RS 3
.nf
.B <regex> <file types> <group>
.fi
.RE

Restricted negative selection line:
.RS 3
.nf
.B !<regex> <file types>
.fi
.RE

Restricted equals selection line:
.RS 3
.nf
.B =<regex> <file types> <group>
.fi
.RE

.B Examples
.RS 3
Only add directories and files to the database:

.RS 3
.nf
.B / d,f R
.fi
.RE
.RE

.RS 3
Add all but directory entries to the database:

.RS 3
.nf
.B !/run d
.B /run R
.fi
.RE
.RE

.RS 3
Use specific rule for directories:

.RS 3
.nf
.B /run d R-m-c-i
.B /run R
.fi
.RE
.RE

.PP
.SH "MACRO LINES"
.PP
.IP "@@define \fBVAR\fR \fBval\fR"
Define variable \fBVAR\fR to value \fBval\fR.
.IP "@@undef \fBVAR\fR"
Undefine variable \fBVAR\fR.
.IP "@@ifdef \fBVAR\fR, @@ifndef \fBVAR\fR"
@@ifdef begins an if statement. It must be terminated with an @@endif
statement. The lines between @@ifdef and @@endif are used if variable
\fBVAR\fR is defined. If there is an @@else statement then the part
between @@ifdef and @@else is used if \fBVAR\fR is defined; otherwise
the part between @@else and @@endif is used. @@ifndef reverses the
logic of the @@ifdef statement but otherwise works similarly.
.IP "@@ifhost \fBhostname\fR, @@ifnhost \fBhostname\fR"
@@ifhost works like @@ifdef; the only difference is that it checks whether
\fBhostname\fR equals the name of the host that AIDE is running on.
\fBhostname\fR is the name of the host without the domainname
(hostname, not hostname.example.com).
.IP "@@{\fBVAR\fR}"
@@{\fBVAR\fR} is replaced with the value of the variable \fBVAR\fR.
If variable \fBVAR\fR is not defined an empty string is used. Unlike
Tripwire(tm) @@VAR is NOT supported. One special \fBVAR\fR is @@{HOSTNAME}
which is substituted for the hostname of the current system.
.IP "@@else"
Begins the else part of an if statement.
.IP "@@endif"
Ends an if statement.
.IP "@@include \fBVAR\fR"
Includes the file \fBVAR\fR. The content of the file is used as if it
were inserted in this part of the config file.
.PP
.SH URLS
Urls can be one of the following. Input urls cannot be used as outputs
and vice versa.
.IP "stdout"
.IP "stderr"
Output is sent to stdout or stderr, respectively.
.IP "stdin"
Input is read from stdin.
.IP "file://\fBfilename\fR"
Input is read from \fBfilename\fR or output is written to
\fBfilename\fR.
.IP "fd:\fBnumber\fR"
Input is read from file descriptor \fBnumber\fR or output is written to
\fBnumber\fR.
.PP
.SH "DEFAULT GROUPS"
.PP
.IP "p:	permissions"
.IP "ftype: file type"
.IP "i:	inode"
.IP "l:	link name"
.IP "n:	number of links"
.IP "u:	user"
.IP "g:	group"
.IP "s:	size"
.IP "b:	block count"
.IP "m:	mtime"
.IP "a:	atime"
.IP "c:	ctime"
.IP "S:	check for growing size"
.IP "I:	ignore changed filename"
.IP "ANF:	allow new files"
.IP "ARF:	allow removed files"
.IP "md5:	md5 checksum"
.IP "sha1: sha1 checksum"
.IP "sha256: sha256 checksum"
.IP "sha512: sha512 checksum"
.IP "rmd160: rmd160 checksum"
.IP "tiger: tiger checksum"
.IP "haval: haval checksum"
.IP "crc32:	crc32 checksum"
.IP "R:	p+ftype+i+l+n+u+g+s+m+c+md5+X"
.IP "L:	p+ftype+i+l+n+u+g+X"
.IP "E:	Empty group"
.IP "X:	acl+selinux+xattrs+e2fsattrs (if groups are explicitly enabled)"
.IP ">:	Growing file p+ftype+l+u+g+i+n+S+X"
.LP
And also the following if you have mhash support enabled
.IP "gost: gost checksum"
.IP "whirlpool: whirlpool checksum"
.LP
The following are available only when explicitly enabled using configure
.IP "acl: access control list"
.IP "selinux: selinux attributes"
.IP "xattrs: extended attributes"
.IP "e2fsattrs: file attributes on a second extended file system"
.LP
Please note that 'I' and 'c' are incompatible. When the name of a file
is changed, its ctime is updated as well. When you put 'c' and 'I' in
the same rule, a changed ctime is silently ignored.
.LP
When 'ANF' is used, new files are added to the new database, but are
ignored in the report.
.LP
When 'ARF' is used, files missing on disk are omitted from the new database,
but are ignored in the report.
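The following Python sketch is an added example, not part of AIDE or of the original man page. It evaluates group expressions of the form given under "Group definitions" against the default groups listed above and warns when 'I' and 'c' end up in the same rule. The function names and the compiled_in parameter are hypothetical; the latter stands for the optional groups enabled at build time.

```python
# Added example: expand aide.conf group expressions and lint the result.
import re

BASE = set("p ftype i l n u g s b m a c S I ANF ARF md5 sha1 sha256 "
           "sha512 rmd160 tiger haval crc32".split())
OPTIONAL = set("gost whirlpool acl selinux xattrs e2fsattrs".split())
X_MEMBERS = set("acl selinux xattrs e2fsattrs".split())


def default_groups(compiled_in=()):
    """Build the predefined groups; compiled_in lists enabled optional groups."""
    enabled = set(compiled_in) & OPTIONAL
    x = enabled & X_MEMBERS
    groups = {name: {name} for name in BASE | enabled}
    groups["E"] = set()
    groups["X"] = x
    groups["R"] = set("p ftype i l n u g s m c md5".split()) | x
    groups["L"] = set("p ftype i l n u g".split()) | x
    groups[">"] = set("p ftype l u g i n S".split()) | x
    return groups


def evaluate(expr, groups):
    """Apply + and - left to right and return the resulting attribute set."""
    tokens = re.findall("[+-]|[^+-]+", "".join(expr.split()))
    attrs, op, want_name = set(), "+", True
    for tok in tokens:
        if tok in ("+", "-"):
            if want_name:
                raise ValueError("operator %r without a group before it" % tok)
            op, want_name = tok, True
            continue
        if tok not in groups:
            # Catches concatenated letters such as "pug" instead of "p+u+g".
            raise ValueError("unknown group %r; join attributes with '+'" % tok)
        attrs = attrs | groups[tok] if op == "+" else attrs - groups[tok]
        want_name = False
    if want_name:
        raise ValueError("expression is empty or ends with an operator")
    return attrs


def define(name, expr, groups):
    """Handle a 'Name=expr' group definition line."""
    groups[name] = evaluate(expr, groups)
    return groups[name]


def check_rule(expr, groups):
    """Expand the group part of a selection line and collect warnings."""
    attrs = evaluate(expr, groups)
    warnings = []
    if {"I", "c"} <= attrs:
        warnings.append("I and c in the same rule: "
                        "a changed ctime is silently ignored")
    return attrs, warnings


if __name__ == "__main__":
    g = default_groups()
    print(sorted(evaluate("R-m-c-i", g)))
    print(check_rule("R+I", g)[1])
```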
.PP
.SH EXAMPLES
.IP
.B "/ R"
.LP
This adds all files on your machine to the database. This one line
is a fully qualified configuration file.
.IP
.B "!/dev"
.LP
This ignores the /dev directory structure.
.IP
.B "=/foo R"
.LP
Only /foo and /foobar are taken into the database. None of their children are
added.
.IP
.B "=/foo/ R"
.LP
Only /foo and its children (e.g. /foo/file and /foo/directory) are taken into
the database. The children of sub-directories (e.g. /foo/directory/bar) are not
added.
.IP
.B "\fBAll\fR=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160"
.LP
This line defines group \fBAll\fR. It has all attributes and all
md checksum functions. If you absolutely want all digest functions
then you should enable mhash support and add
+crc32+haval+gost to the end of the definition for
\fBAll\fR. Mhash support can only be enabled at compile-time.
.PP
.SH HINTS
In the following, the first is not allowed in AIDE. Use the latter instead.
.IP
.B "/foo epug"
.IP
.B "/foo e+p+u+g"
.PP
.SH "SEE ALSO"
.BR aide (1)
.BR manual.html
.SH DISCLAIMER
All trademarks are the property of their respective owners.
No animals were harmed while making this webpage or this piece of
software.