Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

aide(1) [centos man page]

aide(1) 						      General Commands Manual							   aide(1)

NAME
aide - Advanced Intrusion Detection Environment SYNOPSIS
aide [parameters] command DESCRIPTION
aide is an intrusion detection system for checking the integrity of files. COMMANDS
--check, -C Checks the database for inconsistencies. You must have an initialized database to do this. This is also the default command. Without any command aide does a check. --init, -i Initialize the database. You must initialize a database and move it to the appropriate place before you can use the --check command. --update, -u Checks the database and updates the database non-interactively. The input and output databases must be different. --compare Compares two databases. They must be defined in configfile with database=<url> and database_new=<url>. --config-check, -D Stops after reading in the configuration file. Any errors will be reported. If aide was compiled with the "--with-dbhmackey" option, a hash for the config file will be calculated. See the aide manual for more information. PARAMETERS
--config=configfile , -c configfile Configuration is read from file configfile instead of "./aide.conf". Use '-' for stdin. --before="configparameters" , -B "configparameters" These configparameters are handled before the reading of the configuration file. See aide.conf (5) for more details on what to put here. --after="configparameters" , -A "configparameters" These configparameters are handled after the reading of the configuration file. See aide.conf (5) for more details on what to put here. --verbose=verbosity_level,-Vverbosity_level Controls how verbose aide is. Value must [0-255]. The default is 5. With no argument Value is set to 20. This parameter overrides the value set in a configuration file. --report=reporter,-r reporter reporter is a URL which tells aide where to send it's output. See aide.conf (5) section URLS for available values. --version,-v aide prints out its version number --help,-h Prints out the standard help message. DIAGNOSTICS
Normally, the exit status is 0 if no errors occurred. Except when the --check command was requested, in which case the exit status is defined as: 1 * (new files detected?) + 2 * (removed files detected?) + 4 * (changed files detected?) Additionally, the following exit codes are defined for generic error conditions: 14 Error writing error 15 Invalid argument error 16 Unimplemented function error 17 Invalid configureline error 18 IO error 19 Version mismatch error NOTES
Please note that due to mmap issues, aide cannot be terminated with SIGTERM. Use SIGKILL to terminate. FILES
/etc/aide.conf Default aide configuration file. /var/lib/aide.db Default aide database. /var/lib/aide.db.new Default aide output data- base. SEE ALSO
aide.conf(5) http://www.cs.tut.fi/~rammer/aide/manual.html BUGS
There are probably bugs in this release. Please report them at http://sourceforge.net/projects/aide . Bug fixes are more than welcome. Unified diffs are preferred. DISCLAIMER
All trademarks are the property of their respective owners. No animals were harmed while making this webpage or this piece of software. Although some pizza delivery guy's feelings were hurt. aide(1)

Check Out this Related Man Page

aide.conf(5)							File Formats Manual						      aide.conf(5)

NAME
aide.conf - The configuration file for Advanced Intrusion Detection Environment SYNOPSIS
aide.conf is the configuration file for Advanced Intrusion Detection Environment. aide.conf contains the runtime configuration aide uses to initiailize or check the aide database. FILE FORMAT
aide.conf is similar in to Tripwire(tm)'s configuration file. With little effort tw.conf can be converted to aide.conf. aide.conf is case-sensitive. Leading and trailing whitespaces are ignored. There are three types of lines in aide.conf. First there are the configuration lines which are used to set configuration parameters and define/undefine variables. Second, there are selection lines that are used to indicate which files are added to the database. Third, macro lines define or undefine variables within the config file. Lines beginning with # are ignored as comments. CONFIG LINES
These lines have the format parameter=value. See URLS for a list of valid urls. database The url from which database is read. There can only be one of these lines. If there are multiple database lines then the first is used. The default value is "/usr/etc/aide.db". database_out The url to which the new database is written to. There can only be one of these lines. If there are multiple database_out lines then the first is used. The default value is "/usr/etc/aide.db.new". database_new The url from which the other database for --compare is read. There is no default for this one. verbose The level of messages that is output. This value can be 0-255 inclusive. This parameter can only be given once. Value from the first occurence is used. If --verbose or -V is used then the value from that is used. The default is 5. If verbosity is 20 then additional report output is written when doing --check, --update or --compare. report_url The url that the output is written to. There can be multiple instances of this parameter. Output is written to all of them. The default is stdout. gzip_dbout Whether the output to the database is gzipped or not. Valid values are yes,true,no and false. The default is no. This option is available only if zlib support is compiled in. acl_no_symlink_follow Whether to check ACLs for symlinks or not. Valid values are yes,true,no and false. The default is to follow symlinks. This option is available only if acl support is compiled in. warn_dead_symlinks Whether to warn about dead symlinks or not. Valid values are yes,true,no and false. The default is not to warn about dead symlinks. grouped Whether to group the files in the report by added, removed and changed files or not. Valid values are yes, true, no and false. The default is to group the files in the report. summarize_changes Whether to summarize changes in the added, removed and changed files sections of the report or not. Valid values are yes,true,no and false. The default is not to summarize the changes. The general format is like the string YlZbpugamcinCAXSE, where Y is replaced by the file-type (f for a regular file, d for a direc- tory, L for a symbolic link, D for a character device, B for a block device, F for a FIFO, s for a unix socket, | for a Solaris door, ! if file type has changed and ? otherwise). The Z is replaced as follows: A = means that the size has not changed, a < reports a shrinked size and a > reports a grown size. The other letters in the string are the actual letters that will be output if the associated attribute for the item has been changed or a "." for no change, a "+" if the attribute has been added, a "-" if it has been removed, a ":" if the attribute is listed in ignore_list or a " " if the attribute has not been checked. The exceptions to this are: (1) a newly created file replaces each let- ter with a "+", and (2) a removed file replaces each letter with a "-". The attribute that is associated with each letter is as follows: o A l means that the link name has changed. o A b means that the block count has changed. o A p means that the permissions have changed. o An u means that the uid has changed. o A g means that the gid has changed. o An a means that the access time has changed. o A m means that the modification time has changed. o A c means that the change time has changed. o An i means that the inode has changed. o A n means that the link count has changed. o A C means that one or more checksums have changed. The following letters are only available when explicitly enabled using configure: o A A means that the access control list has changed. o A X means that the extended attributes have changed. o A S means that the SELinux attributes have changed. o A E means that the file attributes on a second extended file system have changed. report_attributes Special group definition that lists parameters which are always printed in the final report for changed files. ignore_list Special group definition that lists parameters which are to be ignored from the final report. config_version The value of config_version is printed in the report and also printed to the database. This is for informational purposes only. It has no other functionality. Group definitions If the parameter is not one of the previous parameters then it is regarded as a group definition. Value is then regarded as an expression. Expression is of the following form. <predefined group>| <expr> + <predefined group> | <expr> - <predifined group> See DEFAULT GROUPS for an explanation of default predefined groups. Note that this is different from the way Tripwire(tm) does it. There is also a special group named "ignore_list". The predefined -groups listed in it are NOT displayed in the final report. SELECTION LINES
aide supports three types of selection lines (regular, negative, equals) Lines beginning with "/" are regular selection lines. Lines begin- ning with "=" are equals selection lines. And lines beginning with "!" are negative selection lines. The string following the first char- acter is taken as a regular expression matching to a complete filename, including the path. In a regular selection rule the "/" is included in the regular expression. Special characters in your filenames can be escaped using two-digit URL encoding (for example, %20 to represent a space). Following the regular expression is a group definition as explained above. See EXAMPLES and doc/aide.conf for examples. More in-depth discussion of the selection algorithm can be found in the aide manual. MACRO LINES
@@define VAR val Define variable VAR to value val. @@undef VAR Undefine variable VAR. @@ifdef VAR, @@ifndef VAR @@ifdef begins an if statement. It must be terminated with an @@endif statement. The lines between @@ifdef and @@endif are used if variable VAR is defined. If there is an @@else statement then the part between @@ifdef and @@else is used is VAR is defined other- wise the part between @@else and @@endif is used. @@ifndef reverses the logic of @@ifdef statement but otherwise works similarly. @@ifhost hostname, @@ifnhost hostname @@ifhost works like @@ifdef only difference is that it checks whether hostname equals the name of the host that aide is running on. hostname is the name of the host without the domainname (hostname, not hostname.aide.org). @@{VAR} @@{VAR} is replaced with the value of the variable VAR. If variable VAR is not defined an empty string is used. Unlike Tripwire(tm) @@VAR is NOT supported. One special VAR is @@{HOSTNAME} which is substituted for the hostname of the current system. @@else Begins the else part of an if statement. @@endif Ends an if statement. @@include VAR Includes the file VAR. The content of the file is used as if it were inserted in this part of the config file. URLS
Urls can be one of the following. Input urls cannot be used as outputs and vice versa. stdout stderr Output is sent to stdout,stderr respectively. stdin Input is read from stdin. file://filename Input is read from filename or output is written to filename. fd:number Input is read from filedescriptor number or output is written to number. DEFAULT GROUPS
p: permissions ftype: file type i: inode l: link name n: number of links u: user g: group s: size b: block count m: mtime a: atime c: ctime S: check for growing size I: ignore changed filename ANF: allow new files ARF: allow removed files md5: md5 checksum sha1: sha1 checksum sha256: sha256 checksum sha512: sha512 checksum rmd160: rmd160 checksum tiger: tiger checksum haval: haval checksum crc32: crc32 checksum R: p+ftype+i+l+n+u+g+s+m+c+md5 L: p+ftype+i+l+n+u+g E: Empty group >: Growing logfile p+ftype+l+u+g+i+n+S And also the following if you have mhash support enabled gost: gost checksum whirlpool: whirlpool checksum The following are available and added to the default groups R, L and > only when explicitly enabled using configure acl: access control list selinux: selinux attributes xattrs: extended attributes e2fsattrs: file attributes on a second extended file system Please note that 'I' and 'c' are incompatible. When the name of a file is changed, it's ctime is updated as well. When you put 'c' and 'I' in the same rule the, a changed ctime is silently ignored. When 'ANF' is used, new files are added to the new database, but are ignored in the report. When 'ARF' is used, files missing on disk are omitted from the new database, but are ignored in the report. EXAMPLES
/ R This adds all files on your machine to the database. This is one line is a fully qualified configuration file. !/dev This ignores the /dev directory structure. =/tmp Only /tmp is taken into the database. None of its children are added. All=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160 This line defines group All. It has all attributes and all md checksum functions. If you absolutely want all digest functions then you should enable mhash support and add +crc32+haval+gost to the end of the definition for All. Mhash support can only be enabled at compile- time. HINTS
=/foo p+i+l+n+u+g+s+m+c+md5 /foo/bar p+i+l+n+u+g+s+m+c+md5 This config adds all files under /foo because they match to regex /foo, which is equivalent to /foo.* . What you probably want is: =/foo$ p+i+l+n+u+g+s+m+c+md5 /foo/bar p+i+l+n+u+g+s+m+c+md5 Note that the following still works as expected because =/foo$ stop recuring of directory /foo. =/foo p+i+l+n+u+g+s+m+c+md5 In the following, the first is not allowed in AIDE. Use the latter instead. /foo epug /foo e+p+u+g SEE ALSO
aide(1) http://www.cs.tut.fi/~rammer/aide/manual.html DISCLAIMER
All trademarks are the property of their respective owners. No animals were harmed while making this webpage or this piece of software. aide.conf(5)
Man Page

Featured Tech Videos