.TH AIDE.CONF 5 "Jul 25, 2016" "aide 0.16" "AIDE"
.SH NAME
aide.conf - The configuration file for Advanced Intrusion Detection
Environment
.PP
.SH SYNOPSIS
\fBaide.conf\fP is the configuration file for Advanced Intrusion
Detection Environment. \fBaide.conf\fP contains the runtime
configuration aide uses to initialize or check the AIDE database.
.PP
.SH "FILE FORMAT"
\fBaide.conf\fP is similar to Tripwire(tm)'s configuration
file. With little effort tw.conf can be converted to aide.conf.
.PP
aide.conf is case-sensitive. Leading and trailing white spaces are
ignored.
.PP
There are three types of lines in \fBaide.conf\fP. First there are the
configuration lines which are used to set configuration parameters and
define/undefine variables. Second, there are (restricted) selection lines that
are used to indicate which files are added to the database. Third, macro lines
define or undefine variables within the config file. Lines beginning with #
are ignored as comments.
.PP
.SH "CONFIG LINES"
.PP
These lines have the format parameter=value. See URLS for a list of
valid urls.
.PP
.IP "database"
The url from which the database is read. There can only be one of these
lines. If there are multiple database lines then the first is used.
The default value is "@prefix@/etc/aide.db".
.IP "database_out"
The url to which the new database is written. There can only be one
of these lines. If there are multiple database_out lines then the
first is used. The default value is "@prefix@/etc/aide.db.new".
.IP "database_new"
The url from which the other database for \-\-compare is read.
There is no default for this one.
.IP "database_attrs"
The attributes of the (uncompressed) database files which are to be added to
the final report in verbose level 2 or higher. Only checksum attributes are
supported. To disable set
.I database_attrs
to
.RB ' E '.
By default all compiled in checksums are added to the report.
.IP "database_add_metadata"
Whether to add the AIDE version and the time of database generation as comments
to the database file or not. Valid values are yes, true, no and false. The
default is to add the AIDE version and the time of database generation. This
option may be set to no by default in a future release.
.IP "verbose"
The level of messages that is output. This value can be 0-255
inclusive. This parameter can only be given once. The value from the first
occurrence is used. If \-\-verbose or \-V is used then the value from that
is used. The default is 5. If verbosity is 20 then additional report
output is written when doing \-\-check, \-\-update or \-\-compare.
.IP "report_url"
The url that the output is written to. There can be multiple instances
of this parameter. Output is written to all of them. The default is
stdout.
.IP "report_base16"
Whether to base16 encode the checksums in the report or not. Valid values are
yes, true, no and false. The default is to report checksums not in base16 but
in base64 encoding.
.IP "report_detailed_init"
Whether to report added files (verbose level >= 2) and their details (verbose
level >= 7) in initialization mode or not. Valid values are yes, true, no and
false. The default is to not report added files or their details in init mode.
.IP "report_quiet"
Whether to suppress report output if no differences to the database have been
found or not. Valid values are yes, true, no and false. The default is to not
suppress output in the report.
.IP "gzip_dbout"
Whether the output to the database is gzipped or not. Valid values are
yes, true, no and false. The default is no. This option is available only
if zlib support is compiled in.
.IP "root_prefix"
The prefix to strip from each file name in the file system before applying the
rules and writing to database. AIDE removes a trailing slash from the prefix.
The default is no (an empty) prefix. This option has no effect in
compare mode.
.IP "acl_no_symlink_follow"
Whether to check ACLs for symlinks or not. Valid values are
yes, true, no and false. The default is to follow symlinks. This option
is available only if acl support is compiled in.
.IP "warn_dead_symlinks"
Whether to warn about dead symlinks or not. Valid values are
yes, true, no and false. The default is not to warn about dead symlinks.
.IP "grouped"
Whether to group the files in the report by added, removed and changed
files or not. Valid values are yes, true, no and false.
The default is to group the files in the report.
.IP "summarize_changes"
Whether to summarize changes in the added, removed and changed files
sections of the report or not. Valid values are yes, true, no and false.
The default is to summarize the changes.

The general format is like the string YlZbpugamcinCAXSE, where Y is
replaced by the file-type (\fBf\fP for a regular file, \fBd\fP for a
directory, \fBl\fP for a symbolic link, \fBc\fP for a character device,
\fBb\fP for a block device, \fBp\fP for a FIFO, \fBs\fP for a unix
socket, \fBD\fP for a Solaris door, \fBP\fP for a Solaris event port, \fB!\fP
if file type has changed and \fB?\fP otherwise).

The Z is replaced as follows: A \fB=\fP means that the size has not changed,
a \fB<\fP reports a shrunken size and a \fB>\fP reports a grown size.

The other letters in the string are the actual letters that will be output
if the associated attribute for the item has been changed or a "." for no
change, a "+" if the attribute has been added, a "-" if it has been removed,
a ":" if the attribute is ignored (but not forced) or a " " if the attribute has
not been checked. The exceptions to this are: (1) a newly created file replaces
each letter with a "+", and (2) a removed file replaces each letter with a "-".

The attribute that is associated with each letter is as follows:

.RS
.IP o
An \fBl\fP means that the link name has changed.
.IP o
A \fBb\fP means that the block count has changed.
.IP o
A \fBp\fP means that the permissions have changed.
.IP o
A \fBu\fP means that the uid has changed.
.IP o
A \fBg\fP means that the gid has changed.
.IP o
An \fBa\fP means that the access time has changed.
.IP o
An \fBm\fP means that the modification time has changed.
.IP o
A \fBc\fP means that the change time has changed.
.IP o
An \fBi\fP means that the inode has changed.
.IP o
An \fBn\fP means that the link count has changed.
.IP o
A \fBC\fP means that one or more checksums have changed.
.RE

.RS
The following letters are only available when explicitly enabled using configure:
.RE

.RS
.IP o
An \fBA\fP means that the access control list has changed.
.IP o
An \fBX\fP means that the extended attributes have changed.
.IP o
An \fBS\fP means that the SELinux attributes have changed.
.IP o
An \fBE\fP means that the file attributes on a second extended file system have changed.
.RE
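The summary string described under summarize_changes can be decoded mechanically when triaging a report. The following Python is an added example, not part of AIDE or of the original page; the sample strings are constructed, and REVIEW_FIRST is a hypothetical triage policy. It assumes that a build without the optional A, X, S and E letters prints a shorter string, in which case a shorter template is passed.

```python
TEMPLATE = "YlZbpugamcinCAXSE"  # layout given under summarize_changes

FILE_TYPES = {
    "f": "regular file", "d": "directory", "l": "symbolic link",
    "c": "character device", "b": "block device", "p": "FIFO",
    "s": "unix socket", "D": "Solaris door", "P": "Solaris event port",
    "!": "file type changed", "?": "other",
}
SIZE_STATES = {"=": "unchanged", "<": "shrunk", ">": "grown"}
ATTR_NAMES = {
    "l": "link name", "b": "block count", "p": "permissions", "u": "uid",
    "g": "gid", "a": "access time", "m": "modification time",
    "c": "change time", "i": "inode", "n": "link count", "C": "checksums",
    "A": "access control list", "X": "extended attributes",
    "S": "SELinux attributes", "E": "ext2 file attributes",
}
MARKERS = {".": "unchanged", "+": "added", "-": "removed",
           ":": "ignored", " ": "not checked"}
# Hypothetical triage policy for this example, not an AIDE setting.
REVIEW_FIRST = {"permissions", "uid", "gid", "checksums",
                "access control list", "SELinux attributes"}
QUIET = ("unchanged", "ignored", "not checked")


def decode_summary(summary, template=TEMPLATE):
    """Decode one change-summary string into a dict of attribute states."""
    if len(summary) != len(template):
        raise ValueError("expected %d characters, got %d"
                         % (len(template), len(summary)))
    body = summary[1:]
    # A new file shows "+" in every attribute position, a removed file "-".
    if set(body) == {"+"}:
        entry = "added"
    elif set(body) == {"-"}:
        entry = "removed"
    else:
        entry = "changed"

    attributes = {}
    for slot, ch in zip(template[1:], body):
        if slot == "Z":
            name = "size"
            # Assumption: the size position may also carry the generic markers.
            state = SIZE_STATES.get(ch, MARKERS.get(ch))
        else:
            name = ATTR_NAMES[slot]
            state = "changed" if ch == slot else MARKERS.get(ch)
        if state is None:
            # A letter in the wrong position means the string is misaligned.
            raise ValueError("unexpected %r in the %s position" % (ch, name))
        attributes[name] = state

    differing = [n for n, s in attributes.items() if s not in QUIET]
    return {
        "file_type": FILE_TYPES.get(summary[0], "unknown"),
        "entry": entry,
        "attributes": attributes,
        "differing": differing,
        "review_first": sorted(REVIEW_FIRST.intersection(differing)),
    }


if __name__ == "__main__":
    # Constructed sample strings, not taken from a real report.
    samples = [
        "f.>b....mc..C....",           # grown log-like file, content changed
        "f.=.pu.:....." + " " * 4,     # mode and owner changed, atime ignored
        "d" + "+" * 16,                # newly created directory
    ]
    for sample in samples:
        info = decode_summary(sample)
        print(repr(sample), info["entry"], info["differing"],
              "review first:", info["review_first"])
```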
.IP "report_ignore_added_attrs"
Special group definition that lists attributes whose addition is to be ignored
in the final report.
.IP "report_ignore_removed_attrs"
Special group definition that lists attributes whose removal is to be ignored
in the final report.
.TP
report_ignore_changed_attrs
.TQ
ignore_list (DEPRECATED, will be removed in a future release)
Special group definition that lists attributes whose change is to be ignored
in the final report.
.TP
report_force_attrs
.TQ
report_attributes (DEPRECATED, will be removed in a future release)
Special group definition that lists attributes which are always printed in the
final report for changed files. If an attribute is both ignored and forced the
attribute is not considered for file change but printed in the final report if
the file has been otherwise changed.
.IP "report_ignore_e2fsattrs"
List (no delimiter) of ext2 file attributes which are to be ignored in the final report.
See
.BR chattr (1)
for the available attributes. Use '0' to not ignore any
attribute. Ignored attributes are represented by a ':' in the output. The
default is to not ignore any ext2 file attribute.

.RS
.B Example
.RS 3
Ignore changes of the ext2 file attributes compression error (E), huge file
(h), indexed directory (I):

.RS 3
.nf
report_ignore_e2fsattrs=EhI
.fi
.RE
.RE
.RE
.IP "config_version"
The value of config_version is printed in the report and also printed
to the database. This is for informational purposes only. It has no
other functionality.
.IP "Group definitions"
If the parameter is not one of the previous parameters then it is
regarded as a group definition. Value is then regarded as an
expression. Expression is of the following form.
.IP
.nf
<predefined group>| <expr> + <predefined group>
                  | <expr> - <predefined group>
.fi
.IP
See DEFAULT GROUPS for an explanation of default predefined groups.
Note that this is different from the way Tripwire(tm) does it.
.PP
.SH "SELECTION LINES"
.PP
AIDE supports three types of selection lines:

Regular selection line:
.RS 3

.nf
.B <regex> <group>
.fi

Files and directories matching the regular expression are added to the
database.

.RE

Negative selection line:
.RS 3

.nf
.B !<regex>
.fi

Files and directories matching the regular expression are ignored and not added
to the database.

.RE

Equals selection line:
.RS 3

.nf
.B =<regex> <group>
.fi

Files and directories matching the regular expression are added to the
database. The children of directories are only added if the regular expression
ends with a "/". The children of sub-directories are not added at all.

.RE

Every regular expression has to start with a "/". An implicit ^ is added in
front of each regular expression. In other words the regular expressions are
matched at the first position against the complete filename (i.e. including the
path). Special characters in your filenames can be escaped using two-digit URL
encoding (for example, %20 to represent a space).

See EXAMPLES and doc/aide.conf for examples.
.PP
More in-depth discussion of the selection algorithm can be found in
the AIDE manual.
.IP
.PP
.SH "RESTRICTED SELECTION LINES"
.PP
Restricted selection lines are like normal selection lines but can be
restricted to file types. The following file types are supported:

.RS

\fBf\fP: restrict rule to regular files

\fBd\fP: restrict rule to directories

\fBl\fP: restrict rule to symbolic links

\fBc\fP: restrict rule to character devices

\fBb\fP: restrict rule to block devices

\fBp\fP: restrict rule to FIFO files

\fBs\fP: restrict rule to UNIX sockets

\fBD\fP: restrict rule to Solaris doors

\fBP\fP: restrict rule to Solaris event ports
.RE

The file types are separated by commas. The syntax of restricted
selection lines is as follows:

Restricted regular selection line:
.RS 3
.nf
.B <regex> <file types> <group>
.fi
.RE

Restricted negative selection line:
.RS 3
.nf
.B !<regex> <file types>
.fi
.RE

Restricted equals selection line:
.RS 3
.nf
.B =<regex> <file types> <group>
.fi
.RE

.B Examples
.RS 3
Only add directories and files to the database:

.RS 3
.nf
.B / d,f R
.fi
.RE
.RE

.RS 3
Add all but directory entries to the database:

.RS 3
.nf
.B !/run d
.B /run R
.fi
.RE
.RE

.RS 3
Use specific rule for directories:

.RS 3
.nf
.B /run d R-m-c-i
.B /run R
.fi
.RE
.RE

.PP
.SH "MACRO LINES"
.PP
.IP "@@define \fBVAR\fR \fBval\fR"
Define variable \fBVAR\fR to value \fBval\fR.
.IP "@@undef \fBVAR\fR"
Undefine variable \fBVAR\fR.
.IP "@@ifdef \fBVAR\fR, @@ifndef \fBVAR\fR"
@@ifdef begins an if statement. It must be terminated with an @@endif
statement. The lines between @@ifdef and @@endif are used if variable
\fBVAR\fR is defined. If there is an @@else statement then the part
between @@ifdef and @@else is used if \fBVAR\fR is defined; otherwise
the part between @@else and @@endif is used. @@ifndef reverses the
logic of the @@ifdef statement but otherwise works similarly.
.IP "@@ifhost \fBhostname\fR, @@ifnhost \fBhostname\fR"
@@ifhost works like @@ifdef; the only difference is that it checks whether
\fBhostname\fR equals the name of the host that AIDE is running on.
\fBhostname\fR is the name of the host without the domainname
(hostname, not hostname.example.com).
.IP "@@{\fBVAR\fR}"
@@{\fBVAR\fR} is replaced with the value of the variable \fBVAR\fR.
If variable \fBVAR\fR is not defined an empty string is used. Unlike
Tripwire(tm) @@VAR is NOT supported. One special \fBVAR\fR is @@{HOSTNAME}
which is substituted for the hostname of the current system.
.IP "@@else"
Begins the else part of an if statement.
.IP "@@endif"
Ends an if statement.
.IP "@@include \fBVAR\fR"
Includes the file \fBVAR\fR. The content of the file is used as if it
were inserted in this part of the config file.
.PP
.SH URLS
Urls can be one of the following. Input urls cannot be used as outputs
and vice versa.
.IP "stdout"
.IP "stderr"
Output is sent to stdout or stderr, respectively.
.IP "stdin"
Input is read from stdin.
.IP "file://\fBfilename\fR"
Input is read from \fBfilename\fR or output is written to
\fBfilename\fR.
.IP "fd:\fBnumber\fR"
Input is read from filedescriptor \fBnumber\fR or output is written to
\fBnumber\fR.
.PP
.SH "DEFAULT GROUPS"
.PP
.IP "p: permissions"
.IP "ftype: file type"
.IP "i: inode"
.IP "l: link name"
.IP "n: number of links"
.IP "u: user"
.IP "g: group"
.IP "s: size"
.IP "b: block count"
.IP "m: mtime"
.IP "a: atime"
.IP "c: ctime"
.IP "S: check for growing size"
.IP "I: ignore changed filename"
.IP "ANF: allow new files"
.IP "ARF: allow removed files"
.IP "md5: md5 checksum"
.IP "sha1: sha1 checksum"
.IP "sha256: sha256 checksum"
.IP "sha512: sha512 checksum"
.IP "rmd160: rmd160 checksum"
.IP "tiger: tiger checksum"
.IP "haval: haval checksum"
.IP "crc32: crc32 checksum"
.IP "R: p+ftype+i+l+n+u+g+s+m+c+md5+X"
.IP "L: p+ftype+i+l+n+u+g+X"
.IP "E: Empty group"
.IP "X: acl+selinux+xattrs+e2fsattrs (if groups are explicitly enabled)"
.IP ">: Growing file p+ftype+l+u+g+i+n+S+X"
.LP
And also the following if you have mhash support enabled
.IP "gost: gost checksum"
.IP "whirlpool: whirlpool checksum"
.LP
The following are available only when explicitly enabled using configure
.IP "acl: access control list"
.IP "selinux: selinux attributes"
.IP "xattrs: extended attributes"
.IP "e2fsattrs: file attributes on a second extended file system"
.LP
Please note that 'I' and 'c' are incompatible. When the name of a file
is changed, its ctime is updated as well. When you put 'c' and 'I' in
the same rule, a changed ctime is silently ignored.
.LP
When 'ANF' is used, new files are added to the new database, but are
ignored in the report.
.LP
When 'ARF' is used, files missing on disk are omitted from the new database,
but are ignored in the report.
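To see what a rule actually checks, a group expression from "Group definitions" can be expanded against the DEFAULT GROUPS list above. The following Python is an added example, not part of AIDE or of the original page; the function names are hypothetical, user-defined groups are passed in as a dict, and the "no checksum" warning is this example's own check (the I/c warning restates the note above).

```python
import re

# Attribute groups as listed under DEFAULT GROUPS on this page.
CHECKSUMS = {"md5", "sha1", "sha256", "sha512", "rmd160", "tiger",
             "haval", "crc32", "gost", "whirlpool"}
OPTIONAL = ("acl", "selinux", "xattrs", "e2fsattrs")  # need configure support
ATOMIC = {"p", "ftype", "i", "l", "n", "u", "g", "s", "b", "m", "a", "c",
          "S", "I", "ANF", "ARF"} | CHECKSUMS | set(OPTIONAL)
COMPOUND = {
    "R": "p+ftype+i+l+n+u+g+s+m+c+md5+X",
    "L": "p+ftype+i+l+n+u+g+X",
    ">": "p+ftype+l+u+g+i+n+S+X",
}


def expand(expr, user_groups=None, enabled=OPTIONAL):
    """Expand a group expression into the set of attributes it selects.

    user_groups maps a user-defined group name to its attribute set;
    enabled lists the optional groups compiled into the build.
    """
    user_groups = user_groups or {}

    def resolve(name):
        if name == "E":
            return set()
        if name == "X":
            return set(enabled)
        if name in COMPOUND:
            return expand(COMPOUND[name], user_groups, enabled)
        if name in user_groups:
            return set(user_groups[name])
        if name in OPTIONAL and name not in enabled:
            raise ValueError("group %r is not enabled in this build" % name)
        if name in ATOMIC:
            return {name}
        # Covers run-together forms such as "pug" instead of "p+u+g".
        raise ValueError("unknown group %r (join groups with + or -)" % name)

    # Split into names and operators, then apply them left to right.
    tokens = re.split(r"([+-])", expr.strip())
    selected = resolve(tokens[0].strip())
    for op, name in zip(tokens[1::2], tokens[2::2]):
        members = resolve(name.strip())
        selected = selected | members if op == "+" else selected - members
    return selected


def audit_rule(expr, user_groups=None, enabled=OPTIONAL):
    """Report the attributes and checksums a rule uses, plus warnings."""
    attrs = expand(expr, user_groups, enabled)
    warnings = []
    if {"I", "c"} <= attrs:
        warnings.append("I and c in one rule: a changed ctime is silently ignored")
    if not attrs & CHECKSUMS:
        warnings.append("no checksum group: file content is not hashed")
    return {
        "attributes": sorted(attrs),
        "checksums": sorted(attrs & CHECKSUMS),
        "warnings": warnings,
    }


if __name__ == "__main__":
    # The All group from the EXAMPLES section, defined as a user group.
    groups = {"All": expand("p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160")}
    for rule in ("R", "R-m-c-i", "L", "All", "p+u+g+I+c"):
        print(rule, audit_rule(rule, groups))
```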
.PP
.SH EXAMPLES
.IP
.B "/ R"
.LP
This adds all files on your machine to the database. This one line
is a fully qualified configuration file.
.IP
.B "!/dev"
.LP
This ignores the /dev directory structure.
.IP
.B "=/foo R"
.LP
Only /foo and /foobar are taken into the database. None of their children are
added.
.IP
.B "=/foo/ R"
.LP
Only /foo and its children (e.g. /foo/file and /foo/directory) are taken into
the database. The children of sub-directories (e.g. /foo/directory/bar) are not
added.
.IP
.B "\fBAll\fR=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160"
.LP
This line defines group \fBAll\fR. It has all attributes and all
md checksum functions. If you absolutely want all digest functions
then you should enable mhash support and add
+crc32+haval+gost to the end of the definition for
\fBAll\fR. Mhash support can only be enabled at compile-time.
.PP
.SH HINTS
In the following, the first is not allowed in AIDE. Use the latter instead.
.IP
.B "/foo epug"
.IP
.B "/foo e+p+u+g"
.PP
.SH "SEE ALSO"
.BR aide (1)
.BR manual.html
.SH DISCLAIMER
All trademarks are the property of their respective owners.
No animals were harmed while making this webpage or this piece of
software.