Ubuntu Feisty 7.04 manual page repository


Provided by: aide_0.13.1-2_i386

 

NAME

        aide.conf  -  The  configuration  file for Advanced Intrusion Detection
        Environment
 

SYNOPSIS

        aide.conf is the configuration file for  Advanced  Intrusion  Detection
        Environment.  aide.conf contains the runtime configuration aide uses to
        initialize or check the aide database.
        aide.conf is similar to Tripwire(tm)’s configuration file. With little
        effort tw.conf can be converted to aide.conf.
 
        aide.conf  is  case-sensitive.  Leading  and  trailing  whitespaces are
        ignored.
 
        There are three types of lines in aide.conf. First there are  the  con‐
        figuration  lines  which  are  used to set configuration parameters and
        define/undefine variables. Second, there are selection lines  that  are
        used  to  indicate  which files are added to the database. Third, macro
        lines define or undefine variables within the config file. Lines begin‐
        ning with # are ignored as comments.

CONFIG LINES

        These lines have the format parameter=value. See URLS for a list of
        valid urls.
 
        database
               The url from which database is read. There can only  be  one  of
               these lines. If there are multiple database lines then the first
               is used.  There is no valid default value in  the  Debian  pack‐
               ages!
 
        database_out
               The url to which the new database is written. There can only
               be one of these lines. If there are multiple database_out  lines
               then  the  first is used. There is no valid default value in the
               Debian packages!
 
        database_new
               The url from which the other database  for  --compare  is  read.
               There is no default for this one.
 
        verbose
               The  level  of  messages that is output. This value can be 0-255
               inclusive. This parameter can only be given once. Value from the
               first occurrence is used. If --verbose or -V is used then the
               value from that is used. The default is 5. If  verbosity  is  20
               then  additional  report  output  is written when doing --check,
               --update or --compare.
 
        report_url
               The url that the output is written to.  There  can  be  multiple
               instances  of  this parameter. Output is written to all of them.
               The default is stdout.
 
        gzip_dbout
               Whether the output to the database is gzipped or not. Valid val‐
               ues are yes,true,no and false. The default is no. This option is
               available only if zlib support is compiled in.
 
        acl_no_symlink_follow
               Whether to check ACLs for symlinks  or  not.  Valid  values  are
               yes,true,no  and  false. The default is to follow symlinks. This
               option is available only if acl support is compiled in.
 
        warn_dead_symlinks
               Whether to warn about dead symlinks or  not.  Valid  values  are
               yes,true,no  and  false.  The  default is not to warn about dead
               symlinks.
 
        report_attributes
               Special group definition that lists parameters which are  always
               printed in the final report for changed files.
 
        ignore_list
               Special  group  definition that lists parameters which are to be
               ignored from the final report.
 
        config_version
               The value of config_version is printed in the  report  and  also
               printed  to  the  database.  This  is for informational purposes
               only. It has no other functionality.
 
        Group definitions
               If the parameter is not one of the previous parameters  then  it
               is  regarded as a group definition. Value is then regarded as an
               expression. Expression is of the following form.
 
                   <predefined group>| <expr> + <predefined group>
                                     | <expr> - <predefined group>
 
               See DEFAULT GROUPS for  an  explanation  of  default  predefined
               groups.   Note  that this is different from the way Tripwire(tm)
               does it.
 
               There is also a special group named "ignore_list". The
               predefined groups listed in it are NOT displayed in the final
               report.

SELECTION LINES

        aide supports three types of selection lines (regular, negative,
        equals). Lines beginning with "/" are regular selection lines. Lines
        beginning with "=" are equals selection lines. Lines beginning with
        "!" are negative selection lines. The string following the first
        character is taken as a regular expression that is matched against the
        complete filename, including the path. In a regular selection rule the
        "/" is included in the regular expression. Following the regular
        expression is a group definition as explained above. See EXAMPLES and
        doc/aide.conf for examples.
 
        More in-depth discussion of the selection algorithm can be found in the
        aide manual.

MACRO LINES

        @@define VAR val
               Define variable VAR to value val.
 
        @@undef VAR
               Undefine variable VAR.
 
        @@ifdef VAR, @@ifndef VAR
               @@ifdef  begins  an  if statement. It must be terminated with an
               @@endif statement. The lines between  @@ifdef  and  @@endif  are
               used if variable VAR is defined. If there is an @@else statement
               then the part between @@ifdef and @@else is used if VAR is
               defined; otherwise the part between @@else and @@endif is used.
               @@ifndef reverses the logic of @@ifdef statement  but  otherwise
               works similarly.
 
        @@ifhost hostname, @@ifnhost hostname
               @@ifhost works like @@ifdef; the only difference is that it
               checks whether hostname equals the name of the host that aide is
               running on. hostname is the name of the host without the domain
               name (hostname, not hostname.aide.org).
 
        @@{VAR}
               @@{VAR} is replaced with the value of the variable VAR. If
               variable VAR is not defined an empty string is used. Unlike
               Tripwire(tm) @@VAR is NOT supported. One special VAR is
               @@{HOSTNAME} which is substituted for the hostname of the
               current system.
 
        @@else Begins the else part of an if statement.
 
        @@endif
               Ends an if statement.
 
        @@include VAR
               Includes the file VAR. The content of the file is used as if  it
               were inserted in this part of the config file.
 

URLS

        Urls  can be one of the following. Input urls cannot be used as outputs
        and vice versa.
 
        stdout
 
        stderr Output is sent to stdout,stderr respectively.
 
        stdin  Input is read from stdin.
 
        file://filename
               Input is read from filename or output is written to filename.
 
        fd:number
               Input is read from filedescriptor number or output is written to
               number.

DEFAULT GROUPS

        p:   permissions
 
        i:   inode
 
        l:   link name
 
        n:   number of links
 
        u:   user
 
        g:   group
 
        s:   size
 
        m:   mtime
 
        a:   atime
 
        c:   ctime
 
        S:   check for growing size
 
        I:   ignore changed filename
 
        ANF: allow new files
 
        ARF: allow removed files
 
        md5: md5 checksum
 
        sha1: sha1 checksum
 
        sha256: sha256 checksum
 
        sha512: sha512 checksum
 
        rmd160: rmd160 checksum
 
        tiger: tiger checksum
 
        haval: haval checksum
 
        crc32:    crc32 checksum
 
        R:   p+i+l+n+u+g+s+m+c+md5
 
        L:   p+i+l+n+u+g
 
        E:   Empty group
 
        >:   Growing logfile p+l+u+g+i+n+S
 
        And also the following if you have mhash support enabled
 
        gost: gost checksum
 
        whirlpool: whirlpool checksum
 
        The following are available when explicitly enabled using configure
 
        acl: access control list
 
        selinux: selinux attributes
 
        xattr: extended attributes
 
        Please note that ’I’ and ’c’ are incompatible. When the name of a file
        is changed, its ctime is updated as well. When you put ’c’ and ’I’ in
        the same rule, a changed ctime is silently ignored.
 
        When  ’ANF’  is  used, new files are added to the new database, but are
        ignored in the report.
 
        When ’ARF’ is used, files missing on disk  are  omitted  from  the  new
        database, but are ignored in the report.
 

EXAMPLES

               /    R
 
        This adds all files on your machine to the database. This one line
        is a fully qualified configuration file.
 
               !/dev
 
        This ignores the /dev directory structure.
 
               =/tmp
 
        Only /tmp is taken into the database. None of its children are added.
 
               All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160
 
        This line defines group All. It has all attributes and all md  checksum
        functions.  If you absolutely want all digest functions then you should
        enable mhash support and add +crc32+haval+gost to the end of the  defi‐
        nition for All. Mhash support can only be enabled at compile-time.
 

HINTS

               =/foo p+i+l+n+u+g+s+m+c+md5
 
               /foo/bar p+i+l+n+u+g+s+m+c+md5
 
        This config adds all files under /foo because they match to regex /foo,
        which is equivalent to /foo.* . What you probably want is:
 
               =/foo$ p+i+l+n+u+g+s+m+c+md5
 
               /foo/bar p+i+l+n+u+g+s+m+c+md5
 
        Note that the following still works as expected because =/foo$ stops
        recursion into directory /foo.
 
               =/foo p+i+l+n+u+g+s+m+c+md5
 
        In  the  following,  the  first  is not allowed in AIDE. Use the latter
        instead.
 
               /foo epug
 
               /foo e+p+u+g
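
        The pitfalls described above (the 'I' and 'c' conflict, an equals
        rule without a trailing $, and groups written without '+') can be
        checked mechanically. The following Python lint is an added example,
        not part of AIDE or of this manual page; it is a simplified model
        that ignores macro lines, and SAMPLE is a constructed config.

```python
import re

# Default groups from this page: single attributes plus the compound groups.
BUILTIN = {a: {a} for a in
           "p i l n u g s m a c S I ANF ARF md5 sha1 sha256 sha512 rmd160 "
           "tiger haval crc32 gost whirlpool acl selinux xattr".split()}
BUILTIN.update({"R": set("pilnugsmc") | {"md5"}, "L": set("pilnug"),
                ">": set("pluginS"), "E": set()})
# "name=value" lines with these names are parameters, not group definitions.
PARAMS = {"database", "database_out", "database_new", "verbose", "report_url",
          "gzip_dbout", "acl_no_symlink_follow", "warn_dead_symlinks",
          "config_version"}
# Constructed sample config (not one of the page's own examples).
SAMPLE = "Bin=R-md5+sha256\n=/etc Bin\n=/srv$ L+I+c\n/var/log pug\n"

def expand(expr, groups):
    """Evaluate '<group> +|- <group> ...' left to right into an attribute set."""
    table, result, op = {**BUILTIN, **groups}, set(), "+"
    for tok in re.split(r"\s*([+-])\s*", expr.strip()):
        if tok in ("+", "-"):
            op = tok
        elif tok not in table:
            raise ValueError(f"unknown group {tok!r}")
        else:
            result = result | table[tok] if op == "+" else result - table[tok]
    return result

def lint(text):
    """Return (line_number, message) findings for a macro-free aide.conf."""
    groups, findings = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        parts = line.split(None, 1)
        try:
            if line[:1] in ("/", "=") and len(parts) == 2:
                attrs = expand(parts[1], groups)
                if {"I", "c"} <= attrs:
                    findings.append((no, "I with c: ctime change is silently ignored"))
                if line[0] == "=" and not parts[0].endswith("$"):
                    findings.append((no, "equals rule without $ also matches children"))
            elif "=" in line and line[0] not in "#!@/=":
                name, _, value = line.partition("=")
                if name.strip() not in PARAMS:
                    groups[name.strip()] = expand(value, groups)
        except ValueError as err:
            findings.append((no, str(err)))
    return findings
```

        lint(SAMPLE) reports lines 2, 3 and 4 of the sample: the unanchored
        equals rule, the I+c combination, and the group "pug" written without
        '+' separators.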

SEE ALSO

        http://www.cs.tut.fi/~rammer/aide/manual.html
 

DISCLAIMER

        All trademarks are the property of their respective owners.  No animals
        were harmed while making this webpage or this piece of software.
 
aide.conf(5)
 
