AIDE.CONF(5)			     AIDE			  AIDE.CONF(5)

NAME
       aide.conf - The configuration file for Advanced Intrusion Detection En-
       vironment

SYNOPSIS
       aide.conf  is  the  configuration file for Advanced Intrusion Detection
       Environment. aide.conf contains the runtime configuration aide uses  to
       initialize or check the AIDE database.

FILE FORMAT
       aide.conf is case-sensitive. Leading and trailing whitespace is ignored.
       Each config line must end with a newline.

       AIDE uses the backslash character (\) as escape character for ' '
       (space), '@' and '\' (backslash) (e.g. '\ ' or '\@'). This config-level
       unescaping happens before the regular expression is compiled, which is
       why the examples below write a literal dot as '\\.': the config parser
       turns '\\' into '\', and the regular expression then reads '\.'. To
       literally match a '\' in a file path with a regular expression you have
       to escape the backslash twice (i.e. '\\\\').

       There are three types of	lines in aide.conf. First there	are  the  con-
       figuration  options  which are used to set configuration	parameters and
       define groups. Second, there are	(restricted) rules that	 are  used  to
       indicate	 which files are added to the database.	Third, macro lines de-
       fine or undefine	variables within the config file. Lines	beginning with
       # are ignored as	comments.

CONFIG OPTIONS
       These lines have	the format parameter=value. See	URLS  for  a  list  of
       valid urls.

       database_in (type: URL, default:	see --version output, added in AIDE
       v0.17)
       database	(DEPRECATED since AIDE v0.17, will be removed in AIDE v0.19)
	      The URL from which the database is read. There can only be one of
	      these lines. If there are multiple database lines then the first
	      is used.

	      Examples:

		 database_in=file:/var/lib/aide/aide.db

		    Read database locally from /var/lib/aide/aide.db.

		 database_in=stdin

		    Read database from stdin.

		 database_in=https://example.com/aide.db

		    Read database remotely from	https://example.com/aide.db.

       database_out (type: URL,	default: see --version output)
	      The URL to which the new database is written. There can only be
	      one of these lines. If there are multiple database_out lines then
	      the first is used.

       database_new (type: URL,	default: <none>)
	      The url from which the other database for	--compare is read.

       database_attrs (type: attribute expression, default: H, added in	AIDE
       v0.16)
	      The attributes of the (uncompressed) database files which are to
	      be added to the reports in report level >= database_attributes.
	      Only checksum attributes are supported. To disable, set
	      database_attrs to 'E'.

       database_add_metadata (type: bool, default: true, added in AIDE v0.16)
	      Whether to add the AIDE version and the time of database genera-
	      tion as comments to the database file or not. This option	may be
	      set to false by default in a future release.

       log_level (type: log level, default: warning, added in AIDE v0.17)
	      The log level to use. Log messages are written to stderr. If
	      there are multiple log_level lines then the first one is used.
	      The --log-level or -L command line option overrides this option.

	      The following log	levels are available:

		     error: show unrecoverable issues that have	to be  handled
		     by	the user. Errors are fatal to the AIDE process.

		     warning:  additionally  show recoverable issues that most
		     likely lead to unexpected behaviour and should be handled
		     by	the user

		     notice: additionally show recoverable issues  that	 some-
		     times  lead  to unexpected	behaviour and might be handled
		     by	the user.

		     info: additionally	show informational messages

		     rule: additionally	show messages to  help	to  debug  the
		     path rule matching

		     compare: additionally show	messages to help to debug file
		     comparison	and (special) attribute	handling

		     config:  additionally show	messages to help to debug con-
		     fig and rule parsing

		     debug: additionally show messages that are	useful to  de-
		     bug the application (very verbose)

		     thread:  additionally show	messages about thread process-
		     ing (e.g. broadcast events)

		     trace: detailed information about the flow	of the	appli-
		     cation (e.g. in-loop logging) (even more verbose)

       verbose (type: number, range: 0 - 255, default: 5, REMOVED in AIDE
       v0.17)
	      Removed, use log_level and report_level options instead.

       gzip_dbout (type: bool, default:	false)
	      Whether  the  output to the database is gzipped or not. This op-
	      tion is available	only if	zlib support is	compiled in.

       root_prefix (type: path,	default: <empty>, added	in AIDE	v0.16)
	      The prefix to strip from each file name in the file  system  be-
	      fore  applying the rules and writing to database.	AIDE removes a
	      trailing slash from the prefix.  If there	are multiple root_pre-
	      fix lines	then the first one is used. This option	has no	effect
	      in compare mode.

       acl_no_symlink_follow (type: bool, default: false)
	      Whether to check ACLs for	symlinks or not. This option is	avail-
	      able only	if acl support is compiled in.

       warn_dead_symlinks (type: bool, default: false)
	      Whether to warn about dead symlinks or not.

       config_version (type: string, default: <empty>)
	      The  value  of  config_version is	printed	in the report and also
	      printed to the database.	This  is  for  informational  purposes
	      only. It has no other functionality.

       config_check_warn_unrestricted_rules (type: bool, default: false, added
       in AIDE v0.18)
	      Whether  to  warn	 on unrestricted rules during config check. To
	      explicitly define	unrestricted rules use 0 (zero)	as restriction
	      character.

       num_workers (type: number|percentage, default: 1, added in AIDE v0.18)
	      Specifies the number of simultaneous workers (threads) for file
	      attribute processing (e.g. hashsum calculation).

	      The  number  of  workers can be a	positive integer (e.g. '4') or
	      the percentage of	the available processors (e.g. '60%'). The re-
	      sulting number of	workers	is rounded  up	to  the	 next  integer
	      (e.g. '60%' of 8 processors results in 5 workers).

	      If  there	 are  multiple num_workers lines then the first	one is
	      used.

	      Use 0 (zero) to disable multi-threading.

	      The default value	1 (single worker thread) may be	changed	 in  a
	      future release.

REPORT OPTIONS
       report_url (type: URL, default: stdout)

	      The URL that the output is written to.

	      Multiple instances of the	report_url option are supported.

	      Examples:

		 report_url=file:/var/log/aide.log

		    Write report to /var/log/aide.log.

		 report_url=stdout

		    Write report to stdout.

		 report_url=syslog:<LOG_FACILITY>

		    Write report to syslog using LOG_FACILITY.

       The following report options are	available (to take effect they have to
       be set before report_url):

       report_level (type: report level, default: changed_attributes, added in
       AIDE v0.17)

	      The report level to use. The available report levels are as fol-
	      lows:

	      minimal: print single line whether AIDE found differences	to the
	      database

	      summary: additionally print number of added, removed and changed
	      files

	      database_attributes: additionally	print database checksums

	      list_entries:  additionally  print  lists	 of added, removed and
	      changed entries

	      changed_attributes: additionally print details about changed en-
	      tries

		     Example:

			File: /var/lib/apt/extended_states
			 Perm	   : -rw-r--r--			      |	-rw-------
			 Uid	   : 0				      |	106

		     The left column shows the old value (e.g. from the	 data-
		     base_in  database)	 and  the  right  column shows the new
		     value (e.g. from the file system).

	      added_removed_attributes:	additionally print details about added
	      and removed attributes

	      added_removed_entries: additionally print	 details  about	 added
	      and removed entries

       report_format (type: report format, default: plain, added in AIDE
       v0.18)
	      The  report  format  to use. The available report	formats	are as
	      follows:

	      plain: Print report in plain human-readable format.

	      json: Print report in json machine-readable format.

       report_base16 (type: bool, default: false, added	in AIDE	v0.17)
	      Base16 encode the	checksums in the report. The default is	to re-
	      port checksums in	base64 encoding.

       report_detailed_init (type: bool, default: false, added in AIDE v0.16)
	      Report added files (report level >= list_entries)	and their  de-
	      tails  (report level >= added_removed_entries) in	initialization
	      mode.

       report_quiet (type: bool, default: false, added in AIDE v0.16)
	      Suppress report output if	no differences to  the	database  have
	      been found.

       report_append (type: bool, default: false, added	in AIDE	v0.17)
	      Append to	the report URL.

       report_grouped (type: bool, default: true, added	in AIDE	v0.17)
       grouped (DEPRECATED since AIDE v0.17, will be removed in	AIDE v0.19)
	      Group  the  files	 in  the  report by added, removed and changed
	      files.

       report_summarize_changes	(type: bool, default: true, added in AIDE
       v0.17)
       summarize_changes (DEPRECATED since AIDE	v0.17, will be removed in AIDE
       v0.19)
	      Summarize	changes	in the added, removed and changed  files  sec-
	      tions of the report.

	      The  general format is like the string YlZbpugamcinHAXSEC, where
	      Y	is replaced by the file-type ('f' for a	regular	file, 'd'  for
	      a	 directory,  'l'  for a	symbolic link, 'c' for a character de-
	      vice, 'b'	for a block device, 'p'	for a FIFO,  's'  for  a  unix
	      socket,  'D'  for	 a Solaris door, 'P' for a Solaris event port,
	      '!' if file type has changed and '?' otherwise).

	      The Z is replaced as follows: A '=' means that the size has not
	      changed, a '<' reports a shrunk size and a '>' reports a grown
	      size. The other letters in the string are the actual letters
	      that will be output if the associated attribute for the item has
	      been changed or a '.' for no change.

	      Otherwise	a '+' is shown if the attribute	has been added,	a  '-'
	      if  it  has been removed,	a ':' if the attribute is ignored (but
	      not forced) or a ' ' if the attribute has	not been checked.

	      The exceptions to	this are: (1) a	newly  created	file  replaces
	      each  letter  with  a  '+', and (2) a removed file replaces each
	      letter with a '-'.

	      The attribute that is associated with each letter	is as follows:

	      o	     A l means that the	link name has changed.

	      o	     A b means that the	block count has	changed.

	      o	     A p means that the	permissions have changed.

	      o	     A u means that the uid has changed.

	      o	     A g means that the	gid has	changed.

	      o	     An	a means	that the access	time has changed.

	      o	     A m means that the	modification time has changed.

	      o	     A c means that the	change time has	changed.

	      o	     An	i means	that the inode has changed.

	      o	     A n means that the	link count has changed.

	      o	     A H means that one	or more	message	digests	have changed.

	      The following letters are	only available when explicitly enabled
	      using configure:

	      o	     A A means that the	access control list has	changed.

	      o	     A X means that the	extended attributes have changed.

	      o	     A S means that the	SELinux	attributes have	changed.

	      o	     A E means that the	file attributes	on a  second  extended
		     file system have changed.

	      o	     A C means that the	file capabilities have changed.
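
       The following Python script is an added illustration, not code from the
       manual or from AIDE itself. It decodes the summarised change string of
       the documented form YlZbpugamcinHAXSEC from report lines and applies
       two review heuristics of its own (a digest change without an mtime
       change, and any permission or ownership change). The report lines are
       constructed from the documented template with the flag string followed
       by ' : ' and the path; they were not captured from a real run, and a
       real report may lay the columns out differently.

```python
# Column order documented for report_summarize_changes.
TEMPLATE = "YlZbpugamcinHAXSEC"
FILE_TYPES = {"f": "regular file", "d": "directory", "l": "symbolic link",
              "c": "character device", "b": "block device", "p": "fifo",
              "s": "unix socket", "D": "door", "P": "event port",
              "!": "type changed", "?": "unknown"}
SIZE = {"=": "unchanged", "<": "shrunk", ">": "grown"}


def decode_summary(line):
    """Turn one summarised entry ('<18 flag chars> : <path>') into a dict."""
    n = len(TEMPLATE)
    flags, rest = line[:n], line[n:]
    if len(flags) != n or ":" not in rest:
        raise ValueError("not a summarised entry: %r" % line)
    entry = {"path": rest.split(":", 1)[1].strip(),
             "ftype": FILE_TYPES.get(flags[0], "unknown"),
             "size": SIZE.get(flags[2]),
             "changed": set(), "added": set(), "removed": set(),
             "ignored": set(), "unchecked": set()}
    for pos, letter in enumerate(TEMPLATE):
        if pos in (0, 2):          # Y (file type) and Z (size) handled above
            continue
        mark = flags[pos]
        if mark == letter:         # the letter itself: attribute changed
            entry["changed"].add(letter)
        elif mark == "+":          # attribute added
            entry["added"].add(letter)
        elif mark == "-":          # attribute removed
            entry["removed"].add(letter)
        elif mark == ":":          # ignored (but not forced)
            entry["ignored"].add(letter)
        elif mark == " ":          # not checked by the rule
            entry["unchecked"].add(letter)
        elif mark != ".":          # '.' means no change
            raise ValueError("unexpected mark %r at column %d" % (mark, pos))
    letters = {lt for p, lt in enumerate(TEMPLATE) if p not in (0, 2)}
    entry["new"] = entry["added"] == letters      # every column is '+'
    entry["gone"] = entry["removed"] == letters   # every column is '-'
    return entry


def triage(entry):
    """Review heuristics (this example's own, not AIDE's) for a changed entry."""
    notes, ch = [], entry["changed"]
    if entry["new"] or entry["gone"]:
        return notes
    if "H" in ch and "m" not in ch:
        notes.append("content changed but mtime kept: possible timestomping")
    if ch & {"p", "u", "g"}:
        notes.append("permission or ownership change")
    if entry["ftype"] == "type changed":
        notes.append("file type changed")
    return notes


# Constructed sample lines following the documented template; not a real report.
SAMPLE_REPORT = [
    "f.=.p....c..H..... : /etc/shadow",          # perms, ctime, digest; mtime kept
    "f.>b....mc..H..... : /var/log/auth.log",    # grown log, timestamps moved
    "d.=.....mc.. ..... : /etc",                 # directory, digest not checked
    "f" + "+" * 17 + " : /usr/local/bin/helper",  # new file
    "f" + "-" * 17 + " : /var/log/wtmp.1",        # removed file
]


def review(lines):
    """Decode every line and return {path: notes} for entries worth a look."""
    flagged = {}
    for line in lines:
        entry = decode_summary(line)
        notes = triage(entry)
        if notes:
            flagged[entry["path"]] = notes
    return flagged


if __name__ == "__main__":
    for path, notes in review(SAMPLE_REPORT).items():
        print(path, "->", "; ".join(notes))
```

       Of the constructed lines only /etc/shadow is flagged: its digest moved
       while the mtime column stayed '.', and its permissions changed. The
       grown auth.log has mtime, ctime and digest changing together, which is
       what normal appending looks like.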

       report_ignore_added_attrs (type:	attribute expression, default: empty,
       added in	AIDE v0.16)
	      Attributes whose addition	is to be ignored in the	report.

       report_ignore_removed_attrs (type: attribute expression,	default:
       empty, added in AIDE v0.16)
	      Attributes whose removal is to be	ignored	in the report.

       report_ignore_changed_attrs (type: attribute expression,	default:
       empty, added in AIDE v0.16)
       ignore_list (REMOVED in AIDE v0.17)
	      Attributes whose change is to be ignored in the report.

       report_force_attrs (type: attribute expression, default:	empty, added
       in AIDE v0.16)
       report_attributes (REMOVED in AIDE v0.17)
	      Attributes  which	 are  always printed in	the report for changed
	      files. If	an attribute is	both ignored and forced	the  attribute
	      is  not  considered for file change but printed in the final re-
	      port as long as the file has been	otherwise changed.

       report_ignore_e2fsattrs (type: string, default: 0, added	in AIDE	v0.16)
	      List (no delimiter) of ext2 file attributes which	are to be  ig-
	      nored  in	 the  report.  See chattr(1) for the available attrib-
	      utes. Use	0 (zero) to not	ignore any attribute. Ignored  attrib-
	      utes are represented by a	':' in the report.

	      By default AIDE also reports changes of the read-only attributes
	      mentioned	 in  chattr(1)	(see example below how to ignore those
	      changes).

	      Example:

		 Ignore	changes	of the read-only ext2 file  attributes	verify
		 (V),  inline  data  (N),  indexed directory (I) and encrypted
		 (E):

		    report_ignore_e2fsattrs=VNIE

GROUPS
       Groups are aggregations of attributes.

       Group definitions have the format <group	 name>	=  <attribute  expres-
       sion>.

       Group names are limited to alphanumeric characters (A-Za-z0-9).

       See ATTRIBUTES for a description	of all available attributes.

       Default groups

       R      p+ftype+i+l+n+u+g+s+m+c+md5+X

       L      p+ftype+i+l+n+u+g+X

       >      Growing file p+ftype+l+u+g+i+n+s+growing+X

       H      all compiled in hashsums (added in AIDE v0.17)

       X      acl+selinux+xattrs+e2fsattrs+caps	 (if  attributes  are compiled
	      in, added	in AIDE	v0.16)

       E      Empty group

       Use 'aide --version' to list the	default	compound groups.

RULES
       AIDE supports three types of rules:

       Regular rule:
	      <regex> <attribute expression>

	      Files and	directories matching the regular expression are	 added
	      to the database.

       Negative	rule:
	      !<regex>

	      Files  and  directories  matching	the regular expression are ig-
	      nored and	not added to the database.  The	children  of  matching
	      directories are also ignored.

       Equals rule:
	      =<regex> <attribute expression>

	      Files  and directories matching the regular expression are added
	      to the database.	The children of	directories are	only added  if
	      the regular expression ends with a "/".  The children of sub-di-
	      rectories	are not	added at all.

       Every  regular  expression  has	to start with an explicit "/".	An im-
       plicit ^	is added in front of each regular expression.  In other	words,
       the regular expressions are matched at the first	position  against  the
       complete	 path.	 Special characters can	be escaped using two-digit URL
       encoding	(for example, %20 to represent a space).

       AIDE uses a deepest-match algorithm to find the tree  node  to  search,
       but  a  first-match  algorithm  inside  the  node.   (see also rule log
       level).

       See EXAMPLES for	examples.

       More in-depth discussion	of the selection algorithm can be found	in the
       AIDE manual.

RESTRICTED RULES
       Restricted rules	are like normal	rules but can be  restricted  to  file
       types (added in AIDE v0.16). The	following file types are supported:

       f      restrict rule to regular files

       d      restrict rule to directories

       l      restrict rule to symbolic	links

       c      restrict rule to character devices

       b      restrict rule to block devices

       p      restrict rule to FIFO files

       s      restrict rule to UNIX sockets

       D      restrict rule to Solaris doors

       P      restrict rule to Solaris event ports

       0      empty  restriction,  i.e.	 don't	restrict  rule	(added in AIDE
	      v0.18)

       Multiple	restrictions can be given as a comma-separated list.

       The syntax of restricted	rules is as follows:

       Restricted regular rule
	      <regex> <file types> <attribute expression>

       Restricted negative rule
	      !<regex> <file types>

       Restricted equals rule
	      =<regex> <file types> <attribute expression>
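
       The following Python script is an added illustration, not part of the
       manual or of AIDE itself. It applies the two escaping layers described
       under FILE FORMAT and RULES (aide.conf's own backslash and %XX escapes
       first, then the regular expression with its implicit ^) and parses the
       three rule forms with their optional file-type restriction, so that a
       rule can be tried against a path before it goes into production. Only
       whether one rule applies to one path is computed; the deepest-match
       selection across rules is not reproduced. The order in which %XX
       decoding and backslash unescaping happen, and the treatment of a
       backslash before any other character, are assumptions. Sample rules are
       taken from the EXAMPLES section or constructed here.

```python
import re
from urllib.parse import unquote

# Config-level escapes documented in FILE FORMAT: '\ ', '\@' and '\\'.
CONFIG_ESCAPES = {" ": " ", "@": "@", "\\": "\\"}
# Restriction letters from RESTRICTED RULES; '0' means "no restriction".
RESTRICTION_CHARS = set("fdlcbpsDP0")


def split_fields(line):
    """Split a rule line on unescaped whitespace, keeping backslash pairs
    together so that an escaped space stays inside the regex field."""
    fields, cur, i = [], "", 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur += ch + line[i + 1]
            i += 2
            continue
        if ch.isspace():
            if cur:
                fields.append(cur)
                cur = ""
        else:
            cur += ch
        i += 1
    if cur:
        fields.append(cur)
    return fields


def config_unescape(text):
    """Layer 1: aide.conf's own escapes ('\\\\' -> '\\', '\\ ' -> ' ', '\\@' -> '@').
    A backslash before any other character is passed through to the regex
    engine unchanged (assumption; the page does not specify that case)."""
    out, i = "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] in CONFIG_ESCAPES:
            out += CONFIG_ESCAPES[text[i + 1]]
            i += 2
        else:
            out += text[i]
            i += 1
    return out


def compile_rule_regex(field):
    """Layer 2: percent-decode (%20 etc.; assumed to run before the backslash
    escapes), require the leading '/', then add the implicit '^'."""
    pattern = config_unescape(unquote(field))
    if not pattern.startswith("/"):
        raise ValueError("rule regex must start with '/': %r" % field)
    return re.compile("^" + pattern)


def is_restriction(token):
    return all(part in RESTRICTION_CHARS for part in token.split(","))


def parse_rule(line):
    """Parse a regular ('<re> [types] <attrs>'), negative ('!<re> [types]')
    or equals ('=<re> [types] <attrs>') rule line."""
    fields = split_fields(line.strip())
    if not fields:
        raise ValueError("empty rule line")
    first, rest = fields[0], fields[1:]
    kind = "regular"
    if first.startswith("!"):
        kind, first = "negative", first[1:]
    elif first.startswith("="):
        kind, first = "equals", first[1:]
    restrictions, attrs = set(), None
    if kind == "negative":
        if len(rest) == 1 and is_restriction(rest[0]):
            restrictions = set(rest[0].split(","))
        elif rest:
            raise ValueError("bad negative rule: %r" % line)
    elif len(rest) == 2 and is_restriction(rest[0]):
        restrictions, attrs = set(rest[0].split(",")), rest[1]
    elif len(rest) == 1:
        attrs = rest[0]
    else:
        raise ValueError("bad rule: %r" % line)
    return {"kind": kind, "regex": compile_rule_regex(first),
            "restrictions": restrictions - {"0"}, "attrs": attrs}


def rule_matches(rule, path, ftype="f"):
    """True if this one rule applies to path (of file type ftype).  Only '^'
    is implicit, so a regex without a trailing '$' is a prefix match."""
    if rule["restrictions"] and ftype not in rule["restrictions"]:
        return False
    return rule["regex"].match(path) is not None
```

       Note the difference between '/etc/resolv\\.conf$' and the same rule
       without '$': the latter also covers /etc/resolv.conf.bak, a common
       reason for a rule silently applying to more files than intended.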

MACRO LINES
       @@define	VAR val
	      Define variable VAR to value val.

       @@undef VAR
	      Undefine variable	VAR.

       @@if boolean_expression (added in AIDE v0.18)
       @@else
       @@endif
	      @@if begins an if	statement. It must be terminated with an @@en-
	      dif statement.  The lines	between	@@if and @@endif are  used  if
	      the boolean_expression evaluates to true.	 If there is an	@@else
	      statement	 then  the  part  between  @@if	 and @@else is used if
	      boolean_expression evaluates to true otherwise the part  between
	      @@else and @@endif is used.

	      Available	operators and functions	in boolean expressions:

		 not boolean_expression
		    Evaluates  to true if the boolean_expression is false, and
		    false if the boolean_expression is true.

		 defined VARIABLE

		    Evaluates to true if VARIABLE is defined.

		 hostname HOSTNAME

		    Evaluates to true if HOSTNAME equals the hostname  of  the
		    machine  that  AIDE	is running on. hostname	is the name of
		    the	host without the domainname (ie	'hostname', not	'host-
		    name.example.com').

		 exists	PATH

		    Evaluates to true if PATH exists.

       @@ifdef VARIABLE	(DEPRECATED since AIDE v0.18, will be removed in AIDE
       v0.20)
	      same as @@if defined VARIABLE

       @@ifndef	VARIABLE (DEPRECATED since AIDE	v0.18, will be removed in AIDE
       v0.20)
	      same as @@if not defined VARIABLE

       @@ifhost	HOSTNAME (DEPRECATED since AIDE	v0.18, will be removed in AIDE
       v0.20)
	      same as @@if hostname HOSTNAME

       @@ifnhost HOSTNAME (DEPRECATED since AIDE v0.18,	will be	removed	in
       AIDE v0.20)
	      same as @@if not hostname	HOSTNAME

       @@{VAR}
	      @@{VAR} is replaced with the value  of  the  variable  VAR.   If
	      variable VAR is not defined an empty string is used.

	      Variables	are supported in strings and in	regular	expressions of
	      selection	lines.

	      Pre-defined macro variables:

		 @@{HOSTNAME}: hostname	of the current system

       @@include FILE
	      Include FILE.

	      The  content  of the file	is used	as if it were inserted in this
	      part of the config file.

	      The maximum depth	of nested includes is 16.

       @@include DIRECTORY REGEX [RULE_PREFIX] (added in AIDE v0.17)
	      Include all (regular) files found in DIRECTORY matching regular
	      expression REGEX (sub-directories are ignored). The files are
	      included in lexical sort order.

	      If  RULE_PREFIX  is set, all rules included by the statement are
	      prefixed with given RULE_PREFIX (added in	AIDE v0.18).  Prefixes
	      from nested include statements are concatenated.

	      The  content of the files	is used	as if it were inserted in this
	      part of the config file.

       @@x_include FILE	(added in AIDE v0.17)
       @@x_include DIRECTORY REGEX [RULE_PREFIX]  (added in AIDE v0.17)
	      @@x_include is identical to @@include, except that if a config
	      file is executable it is run and its output is used as config.

	      If the executable file exits with a status greater than zero or
	      writes to stderr, aide stops with an error.

	      For security reasons DIRECTORY and each executable  config  file
	      must  be	owned  by  the	current	user or	root. They must	not be
	      group- or	world-writable.

       @@x_include_setenv VAR VALUE (added in AIDE v0.17)

	      Adds the variable	VAR with the value VALUE  to  the  environment
	      used for config file execution.

	      Environment  variable  names are limited to alphanumeric charac-
	      ters (A-Za-z0-9) and the underscore '_' and must not begin  with
	      a	digit.

TYPES
       bool
	  Valid	values are yes,	true, no or false.

       attribute expression

	  An attribute expression is of	the following form:

		   <attribute/group>
		 | <expr> + <attribute/group>
		 | <expr> - <attribute/group>

       URLS
	  Urls	can be one of the following. Input urls	cannot be used as out-
	  puts and vice	versa.

		 stdout

		 stderr	Output is sent to stdout, stderr respectively.

		 stdin	Input is read from stdin.

		 file:/path
			Input is read from path	or output is written to	path.

		 fd:number
			Input is read from filedescriptor number or output  is
			written	to number.

		 syslog:LOG_FACILITY
			Output is written to syslog using LOG_FACILITY.

ATTRIBUTES
       File attributes

       ftype  file type	(added in AIDE v0.15)

       p      permissions

       i      inode

       l      link name

       n      number of	links

       u      user

       g      group

       s      size

       b      block count

       m      mtime

       a      atime

       c      ctime

       acl    access control list (requires libacl)

       selinux
	      selinux attributes (requires libselinux)

       xattrs extended attributes (requires libattr)

       e2fsattrs
	      file  attributes on a second extended file system, see also  re-
	      port_ignore_e2fsattrs  option (requires libext2fs, added in AIDE
	      v0.15)

       caps   file capabilities	(requires libcap2, added in AIDE v0.17)

       Use 'aide --version' to show which compiled-in  attributes  are	avail-
       able.

       Special attributes

       S      check for	growing	size (DEPRECATED since AIDE v0.18, will	be re-
	      moved in AIDE v0.20)

	      Use growing+s attributes instead

       I      ignore changed filename

	      When  I is used, the inode of the	old file is used to search for
	      a	moved file in the new database.

	      Source and target	file have to be	located	in the same  directory
	      and  must	 share the same	attributes (except for special attrib-
	      utes ANF,	ARF, I,	growing, and compressed).

	      For moved	entries	a change of the	ctime attribute	is ignored.

       growing
	      ignore growing file (added in AIDE v0.18)

	      When growing is used, changes of the  following  attributes  are
	      ignored:

	      size: if new size	is greater than	old size

	      bcount: if new bcount is greater than old	bcount

	      atime: if	new atime is greater than old atime

	      mtime: if	new mtime is greater than old mtime

	      ctime: if	new ctime is greater than old ctime

	      hashsums:	 if  the hashsum of the	new file restricted to the old
	      size equals the hashsums of the old file

	      For hashsum attributes the growing attribute is ignored in  com-
	      pare mode.

       compressed
	      ignore compressed	file (added in AIDE v0.18)

	      When  compressed	is  used, the uncompressed hashsums of the new
	      compressed file  (supported  compressions:  gzip)	 are  used  to
	      search for the uncompressed file in the old database.

	      The  old uncompressed and	the new	compressed file	have to	be lo-
	      cated in the same	directory and must share the  same  attributes
	      (except  for  special  attributes	ANF, ARF, I, growing, and com-
	      pressed) including at least one hashsum.

	      Changes of the inode, size, bcount and ctime attributes are  ig-
	      nored.

	      The growing attribute (i.e. the old file size) is	not considered
	      for  compressed files during the calculation of the uncompressed
	      hashsums.

	      The compressed attribute is ignored in compare mode.
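
       The following Python script is an added illustration, not AIDE's own
       implementation, of the two comparisons described above: for growing,
       the digest of the new file restricted to the old size is compared with
       the old digest; for compressed, the digest of the gunzipped new file is
       compared with the old digest. The log contents are constructed inline,
       and sha256 is just this example's choice of hashsum. It also shows the
       case the Log Handling section stresses: an edit inside the old content
       is still reported even when more data has been appended afterwards.

```python
import gzip
import hashlib


def digest(data):
    """Hashsum used for the comparison (AIDE uses whatever hashsum attributes
    the rule enables; sha256 is only this example's choice)."""
    return hashlib.sha256(data).hexdigest()


def grew_without_tamper(old_size, old_hash, new_data):
    """'growing': a larger file is acceptable only if its first old_size bytes
    still hash to the old value.  Appended lines pass; an edit inside the old
    region fails even when something was appended afterwards."""
    if len(new_data) < old_size:
        return False
    return digest(new_data[:old_size]) == old_hash


def compressed_matches(old_hash, new_gz):
    """'compressed': hash the uncompressed content of the new .gz file and
    compare it with the old (uncompressed) file's hash.  gzip is the only
    compression the page lists."""
    try:
        plain = gzip.decompress(new_gz)
    except (OSError, EOFError):
        return False
    return digest(plain) == old_hash


def demo():
    """Constructed log contents exercising both checks; returns the verdicts."""
    old = (b"Jan 01 00:00:01 host sshd[1]: Accepted publickey for alice\n"
           b"Jan 01 00:00:02 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls\n")
    old_size, old_hash = len(old), digest(old)
    appended = old + b"Jan 01 00:00:03 host sshd[1]: session closed\n"
    # Same length as before, but the old region was rewritten before new
    # lines were appended: the size check alone would let this through.
    tampered = old.replace(b"alice", b"mallo") + b"Jan 01 00:00:03 host cron[2]: job\n"
    truncated = old[:32]
    return {
        "appended_ok": grew_without_tamper(old_size, old_hash, appended),
        "tampered_flagged": not grew_without_tamper(old_size, old_hash, tampered),
        "truncated_flagged": not grew_without_tamper(old_size, old_hash, truncated),
        "rotated_gz_ok": compressed_matches(old_hash, gzip.compress(old)),
        "edited_gz_flagged": not compressed_matches(old_hash, gzip.compress(tampered)),
        "not_gzip_flagged": not compressed_matches(old_hash, b"plain text, not gzip"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(check, "PASS" if ok else "FAIL")
```

       Every verdict in demo() is True: appending and gzip-compressing the
       unchanged content are accepted, while truncation, an in-place edit and
       a file that is not gzip at all are all reported.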

       ANF    allow new	files

	      When 'ANF' is used, new files are	added to the new database, but
	      are ignored in the report.

       ARF    allow removed files

	      When 'ARF' is used, files	missing	on disk	are omitted  from  the
	      new database, but	are ignored in the report.

       Hashsums	attributes

       md5    MD5 checksum (not	in libgcrypt FIPS mode)

       sha1   SHA-1 checksum

       sha256 SHA-256 checksum

       sha512 SHA-512 checksum

       rmd160 RIPEMD-160 checksum

       tiger  tiger checksum

       haval  haval256 checksum	(libmhash only)

       crc32  crc32 checksum

       crc32b crc32 checksum (libmhash only)

       gost   GOST R 34.11-94 checksum

       whirlpool
	      whirlpool	checksum

       stribog256
	      GOST  R  34.11-2012,  256	bit checksum (libgcrypt	only, added in
	      AIDE v0.17)

       stribog512
	      GOST R 34.11-2012, 512 bit checksum (libgcrypt  only,  added  in
	      AIDE v0.17)

       Use 'aide --version' to show which hashsums are available.

EXAMPLES
       / R    This  adds  all files on your machine to the database.  This one
	      line is a	fully qualified	configuration file.

       !/dev$ This ignores the /dev directory structure.

       =/foo R
	      Only /foo	and /foobar are	taken  into  the  database.   None  of
	      their children are added.

       =/foo/ R
	      Only  /foo  and its children (e.g. /foo/file and /foo/directory)
	      are taken	into the database.  The	 children  of  sub-directories
	      (e.g. /foo/directory/bar)	are not	added.

       / d,f R
	      Only add directories and files to	the database

       !/run d
       /run R Add all but directory entries to the database

       /run d R-m-c-i
       /run R Use specific rule	for directories

       Suggested Groups

       OwnerMode = p+u+g+ftype
	      Check permissions, owner,	group and file type

       Size = s+b
	      Check size and block count

       InodeData = OwnerMode+n+i+Size+l+X
       StaticFile = m+c+Checksums
	      Files that stay static

       Full = InodeData+StaticFile
       Full = ftype+p+l+u+g+s+m+c+a+i+b+n+H+X
       / 0 Full
	      This  line  defines group	Full.  It has all attributes, all com-
	      piled in hashsums	(H) and	all compiled in	extra file  attributes
	      (X).   See  '--version'  output for the compiled in hashsums and
	      extra groups.  The example rule is the typical catch-all rule at
	      the end of the rule list.

       VarTime = InodeData+Checksums
       /etc/ssl/certs/ca-certificates\\.crt$ VarTime
	      Files that change	their mtimes or	ctimes but not their contents.

       VarInode	= VarTime-i
       /var/lib/nfs/etab$ f VarInode
	      Files that are recreated regularly but do	not change their  con-
	      tents

       VarFile = OwnerMode+n+l+X
       /etc/resolv\\.conf$ f VarFile
	      Files that change	their contents during system operation

       VarDir =	OwnerMode+n+i+X
       /var/lib/snmp$ d	VarDir
	      Directories that change their contents during system operation

       RecreatedDir = OwnerMode+n+X
       /run/samba$ d RecreatedDir
	      Directories  that	 are recreated regularly and change their con-
	      tents

       Log Handling

       Logs pose a number of special challenges	to AIDE.   An  active  log  is
       nearly  constantly  being  written  to.	 The  process  of log rotation
       changes file names for files that are supposed to have  unaltered  con-
       tents.	To save	space, Logs are	compressed in the process of their ro-
       tation, and finally, they get deleted.  AIDE is supposed	to handle  all
       those  cases  without  generating  reports, and it is still expected to
       flag the	cases when an attacker tampers with logs.

       The following examples suggest a	way to handle the common case  of  log
       rotation	 with the logrotate(8) program,	with its options compress, de-
       laycompress and nocopytruncate set.  The	vast majority of logs are  ro-
       tated this way on most Linux systems.

       ActLog=Full+growing+ANF+I
       /var/log/foo\\.log$ f ActLog
	      An Active Log is typically named foo.log. It is constantly being
	      written to. The file changes neither its mode nor its inode
	      number. The size only increases, and what has already been
	      written to the file is not supposed to change (growing). During
	      log rotation, foo.log is typically renamed to foo.log.1 (or
	      foo.log.0) and the process is instructed to write to a new
	      foo.log. Log content is written to a new file (ANF) which will
	      eventually be renamed to foo.log.1 (I). The growing attribute
	      suppresses reports for files that merely had content appended
	      when compared to the database. A change of the old content is
	      still reported!

       RotLog=Full
       /var/log/foo\\.log\\.1$ f RotLog
	      foo.log.0 or foo.log.1 is called the Rotated Log: the previously
	      active log renamed to the first name of the Log Series that is
	      formed by the rotation mechanism. Right after rotation, the file
	      might still be written to by the daemon. To aide, this looks like
	      the Active Log's size decreases and its inode and timestamps
	      change. The Rotated Log is not supposed to change its attributes
	      once the process has stopped writing to it. Reports might be
	      generated if aide runs while the process still writes to the
	      Rotated Log, but this is quite unlikely to happen. Some log
	      rotation mechanisms rename foo.log to foo.log.0 and then to
	      foo.log.1.gz, others rename foo.log to foo.log.1 and then to
	      foo.2.log.gz.

       CompSerLog=Full+I+compressed
       /var/log/foo\\.log\\.2\\.gz$ f CompSerLog
	      In the next rotation step, foo.log.1 gets compressed to
	      foo.log.2.gz, becoming the Compressed Log in the Log Series. With
	      this rule, AIDE does not report this step because it uncompresses
	      the contents of the file and takes the checksum of the
	      uncompressed content. The contents strictly do not change, but
	      some attribute changes are ignored (compressed).

       MidlSerLog=Full+I
       /var/log/foo\\.log\\.[345]\\.gz$	f MidlSerLog
	      In the  next  log	 rotation,  all	 foo.log.{x}  get  renamed  to
	      foo.log.{x+1}.  The other	attributes are not supposed to change.

       LastSerLog=Full+ARF
       /var/log/foo\\.log\\.6\\.gz$ f LastSerLog
	      The configuration	of the log rotation process specifies a	number
	      of log generations to keep. The last log in the series is	there-
	      fore removed from	the disk (ARF).

       aide 0.18 does not yet support the following cases of log rotation:

       empty files
	      It might be the case that a log is actually created, but never
	      written to. This commonly happens on rarely used web servers that
	      use log rotation as a method to comply with data protection
	      regulation. As a result, all files in a series are identical,
	      breaking the heuristics that aide uses to detect log rotation. A
	      possible workaround is to begin a newly rotated log with a
	      timestamp. With logrotate, this can be done in a postrotate
	      scriptlet.

       nodelaycompress
	      With  logrotate's	 nodelaycompress  option, a log	is immediately
	      compressed after renaming	it from	the Active Log name.  For  the
	      time  being,  it	is recommended to always use the delaycompress
	      option to	avoid this behavior.

       copytruncate
	      With logrotate's copytruncate option, the	Active Log is not  re-
	      named  and newly created but copied to the new file name.	 After
	      the copy operation, the old file is truncated to zero size,  al-
	      lowing the daemon	to continuously	write to the already open file
	      handle.	aide  uses  the	 Inode	number	to detect the rotation
	      process.	That doesn't work with copytruncate because the	 Inode
	      stays  with  the	Active	Log.  For the time being, it is	recom-
	      mended to	avoid the copytruncate option to avoid this behavior.

HINTS
       In the following, the first is not allowed in AIDE. Use the latter  in-
       stead.

	      /foo epug

	      /foo e+p+u+g

SEE ALSO
       aide(1)

DISCLAIMER
       All trademarks are the property of their	respective owners.  No animals
       were harmed while making	this webpage or	this piece of software.

aide v0.18.6			  2023-08-01			  AIDE.CONF(5)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=aide.conf&sektion=5&manpath=FreeBSD+14.3-RELEASE+and+Ports>
