Provided by: aide_0.19.1-2_amd64 
NAME
aide.conf - The configuration file for Advanced Intrusion Detection Environment
SYNOPSIS
aide.conf is the configuration file for Advanced Intrusion Detection Environment. aide.conf contains the
runtime configuration aide uses to initialize or check the AIDE database.
FILE FORMAT
aide.conf is case-sensitive. Leading and trailing white spaces are ignored. Each config line must end
with new line.
AIDE uses the backslash character (\) as escape character for ' ' (space), '@' and '\' (backslash) (e.g.
'\ ' or '\@'). To literally match a '\' in a file path with a regular expression you have to escape the
backslash twice (i.e. '\\\\').
There are three types of lines in aide.conf. First there are the configuration options which are used to
set configuration parameters and define groups. Second, there are (restricted) rules that are used to
indicate which files/directoires from the file system are added to the database. Third, macro lines
define or undefine variables within the config file. Lines beginning with # are ignored as comments.
CONFIG OPTIONS
These lines have the format parameter=value. See URLS for a list of valid urls.
database_in (type: URL, default: see --version output, added in AIDE v0.17)
database (REMOVED in AIDE v0.19)
The url from which database is read. There can only be one of these lines. If there are multiple
database lines then the first is used.
Examples:
database_in=file:/var/lib/aide/aide.db
Read database locally from /var/lib/aide/aide.db.
database_in=stdin
Read database from stdin.
database_in=https://example.com/aide.db
Read database remotely from https://example.com/aide.db.
database_out (type: URL, default: see --version output)
The url to which the new database is written to. There can only be one of these lines. If there
are multiple database_out lines then the first is used.
database_new (type: URL, default: <none>)
The url from which the other database for --compare is read.
database_attrs (type: attribute expression, default: H, added in AIDE v0.16)
The attributes of the (uncompressed) database files which are to be added to the reports in report
level >= database_attributes . Only checksum attributes are supported. To disable set
database_attrs to 'E'.
database_add_metadata (type: bool, default: true, added in AIDE v0.16)
Whether to add the AIDE version and the time of database generation as comments to the database
file or not. This option may be set to false by default in a future release.
log_level (type: log level, default: warning, added in AIDE v0.17)
The log level to use. Log messages are written to stderr. If there are multiple log_level lines
then the first one is used. The --log-level or -L command line option overwrites this option.
The following log levels are available:
error: show unrecoverable issues that have to be handled by the user. Errors are fatal to
the AIDE process.
warning: additionally show recoverable issues that most likely lead to unexpected behaviour
and should be handled by the user
notice: additionally show recoverable issues that sometimes lead to unexpected behaviour
and might be handled by the user.
info: additionally show informational messages
compare: additionally show messages to help to debug file comparison and (special)
attribute handling
The log levels below are very verbose and can easily generate multiple gigabytes of log
data (depending on the number of processed files and the size of the rule tree). For
debugging it is recommended to use these log levels together with the --limit parameter
(see aide (1) for details).
rule: additionally show messages to help to debug the path rule matching
config: additionally show messages to help to debug config and rule parsing
debug: additionally show messages that are useful to debug the application
limit: additionally show messages about skipped entries due to limit match
thread: additionally show messages about thread processing (e.g. broadcast events)
trace: additionallyt show messages about the internal data structures and the flow of the
application (e.g. in-loop logging) (extremely verbose)
verbose (type: number, range: 0 - 255, default: 5, REMOVED in AIDE v0.17)
Removed, use log_level and report_level options instead.
gzip_dbout (type: bool, default: false)
Whether the output to the database is gzipped or not. This option is available only if zlib
support is compiled in.
root_prefix (type: path, default: <empty>, added in AIDE v0.16)
The prefix to strip from each file name in the file system before applying the rules and writing
to database. AIDE removes a trailing slash from the prefix. If there are multiple root_prefix
lines then the first one is used. This option has no effect in compare mode.
acl_no_symlink_follow (type: bool, default: false)
Whether to check ACLs for symlinks or not. This option is available only if acl support is
compiled in.
warn_dead_symlinks (type: path, default: false)
Whether to warn about dead symlinks or not.
config_version (type: string, default: <empty>)
The value of config_version is printed in the report and also printed to the database. This is for
informational purposes only. It has no other functionality.
config_check_warn_unrestricted_rules (type: bool, default: false, added in AIDE v0.18)
Whether to warn on unrestricted rules during config check. To explicitly define unrestricted rules
use 0 (zero) as restriction character.
num_workers (type: number|percentage, default: 1, added in AIDE v0.18)
Specifies the number of simultaneous workers (threads) for file attribute processing (i.a. hashsum
calculation).
The number of workers can be a positive integer (e.g. '4') or the percentage of the available
processors (e.g. '60%'). The resulting number of workers is rounded up to the next integer (e.g.
'60%' of 8 processors results in 5 workers).
If there are multiple num_workers lines then the first one is used.
Use 0 (zero) to disable (multi-threaded) workers.
The default value 1 (single worker thread) may be changed in a future release.
REPORT OPTIONS
report_url (type: URL, default: stdout)
The URL that the output is written to.
Multiple instances of the report_url option are supported.
Examples:
report_url=file:/var/log/aide.log
Write report to /var/log/aide.log.
report_url=stdout
Write report to stdout.
report_url=syslog:<LOG_FACILITY>
Write report to syslog using LOG_FACILITY.
The following report options are available (to take effect they have to be set before report_url):
report_level (type: report level, default: changed_attributes, added in AIDE v0.17)
The report level to use. The available report levels are as follows:
minimal: print single line whether AIDE found differences to the database
summary: additionally print number of added, removed and changed files
database_attributes: additionally print database checksums
list_entries: additionally print lists of added, removed and changed entries
changed_attributes: additionally print details about changed entries
Example:
File: /var/lib/apt/extended_states
Perm : -rw-r--r-- | -rw-------
Uid : 0 | 106
The left column shows the old value (e.g. from the database_in database) and the right
column shows the new value (e.g. from the file system).
added_removed_attributes: additionally print details about added and removed attributes
added_removed_entries: additionally print details about added and removed entries
report_format (type: report format, default: plain, added in AIDE v0.18)
The report format to use. The available report formats are as follows:
plain: Print report in plain human-readable format.
json: Print report in json machine-readable format.
report_base16 (type: bool, default: false, added in AIDE v0.17)
Base16 encode the checksums in the report. The default is to report checksums in base64 encoding.
report_detailed_init (type: bool, default: false, added in AIDE v0.16)
Report added files (report level >= list_entries) and their details (report level >=
added_removed_entries) in initialization mode.
report_quiet (type: bool, default: false, added in AIDE v0.16)
Suppress report output if no differences to the database have been found.
report_append (type: bool, default: false, added in AIDE v0.17)
Append to the report URL.
report_grouped (type: bool, default: true, added in AIDE v0.17)
grouped (REMOVED in AIDE v0.19)
Group the files in the report by added, removed and changed files.
report_summarize_changes (type: bool, default: true, added in AIDE v0.17)
summarize_changes (REMOVED in AIDE v0.19)
Summarize changes in the added, removed and changed files sections of the report.
The general format is like the string YlZbpugamcinHAXSECF, where Y is replaced by the file-type
('f' for a regular file, 'd' for a directory, 'l' for a symbolic link, 'c' for a character device,
'b' for a block device, 'p' for a FIFO, 's' for a unix socket, 'D' for a Solaris door, 'P' for a
Solaris event port, '!' if file type has changed and '?' otherwise).
The Z is replaced as follows: A '=' means that the size has not changed, a '<' reports a shrinked
size and a '>' reports a grown size. The other letters in the string are the actual letters that
will be output if the associated attribute for the item has been changed or a '.' for no change.
Otherwise a '+' is shown if the attribute has been added, a '-' if it has been removed, a ':' if
the attribute is ignored (but not forced) or a ' ' if the attribute has not been checked.
The exceptions to this are: (1) a newly created file replaces each letter with a '+', and (2) a
removed file replaces each letter with a '-'.
The attribute that is associated with each letter is as follows:
o An l means that the link name has changed.
o A b means that the block count has changed.
o A p means that the permissions have changed.
o A u means that the uid has changed.
o A g means that the gid has changed.
o An a means that the access time has changed.
o An m means that the modification time has changed.
o A c means that the change time has changed.
o An i means that the inode has changed.
o An n means that the link count has changed.
o An H means that one or more message digests have changed.
o An F means that one file system type has changed (Linux only).
The following letters are only available when explicitly enabled using configure:
o An A means that the access control list has changed.
o An X means that the extended attributes have changed.
o An S means that the SELinux attributes have changed.
o An E means that the file attributes on a second extended file system have changed.
o A C means that the file capabilities have changed.
report_ignore_added_attrs (type: attribute expression, default: empty, added in AIDE v0.16)
Attributes whose addition is to be ignored in the report.
report_ignore_removed_attrs (type: attribute expression, default: empty, added in AIDE v0.16)
Attributes whose removal is to be ignored in the report.
report_ignore_changed_attrs (type: attribute expression, default: empty, added in AIDE v0.16)
ignore_list (REMOVED in AIDE v0.17)
Attributes whose change is to be ignored in the report.
report_force_attrs (type: attribute expression, default: empty, added in AIDE v0.16)
report_attributes (REMOVED in AIDE v0.17)
Attributes which are always printed in the report for changed files. If an attribute is both
ignored and forced the attribute is not considered for file change but printed in the final report
as long as the file has been otherwise changed.
report_ignore_e2fsattrs (type: string, default: 0, added in AIDE v0.16)
List (no delimiter) of ext2 file attributes which are to be ignored in the report. See chattr(1)
for the available attributes. Use 0 (zero) to not ignore any attribute. Ignored attributes are
represented by a ':' in the report.
By default AIDE also reports changes of the read-only attributes mentioned in chattr(1) (see
example below how to ignore those changes).
Example:
Ignore changes of the read-only ext2 file attributes verify (V), inline data (N), indexed
directory (I) and encrypted (E):
report_ignore_e2fsattrs=VNIE
GROUPS
Groups are aggregations of attributes.
Group definitions have the format <group name> = <attribute expression>.
Group names are limited to alphanumeric characters (A-Za-z0-9).
See ATTRIBUTES for a description of all available attributes.
Default groups
R p+ftype+i+l+n+u+g+s+m+c+sha3_256+X
L p+ftype+i+l+n+u+g+X
> Growing file p+ftype+l+u+g+i+n+s+growing+X
H all compiled in (and not deprecated) hashsums (added in AIDE v0.17)
X acl+selinux+xattrs+e2fsattrs+caps (if attributes are compiled in, added in AIDE v0.16)
E Empty group
Use 'aide --version' to list the default compound groups.
RULES
AIDE supports three types of rules:
Regular rule:
<regex> <attribute expression>
Files and directories matching the regular expression are added to the database.
Recursive negative rule:
!<regex>
Files and directories matching the regular expression are excluded and NOT added to the database.
The children of directories and sub-directories are recursed into and only not added to the
database if they also match the regular expression.
Non-recursive negative rule (added in AIDE v0.19)
-<regex>
Files and directories matching the regular expression are excluded and NOT added the database. The
children of directories and sub-directories are not recursed into and hence not added to the
database by any means.
Equals rule:
=<regex> <attribute expression>
Files and directories matching the regular expression are added to the database. The children of
directories are only added if the regular expression ends with a "/". The children of sub-
directories are not added to the database.
Every regular expression has to start with an explicit "/". An implicit ^ is added in front of each
regular expression. In other words, the regular expressions are matched at the first position against
the complete path. Special characters can be escaped using two-digit URL encoding (for example, %20 to
represent a space).
AIDE uses a deepest-match algorithm to find the tree node to search, but a first-match algorithm inside
the node. (see also rule log level).
See EXAMPLES for examples.
More in-depth discussion of the selection algorithm can be found in the AIDE manual.
RESTRICTED RULES
Restricted rules are like normal rules but can be restricted to file types (added in AIDE v0.16) and/or
file system types (added in AIDE v0.19, Linux only).
The syntax of restricted rules is as follows:
Restricted regular rule
<regex> <restriction expression> <attribute expression>
Files and directories matching both the regular expression and the restriction expression are added
the database.
Restricted recursive negative rule
!<regex> <restriction expression>
Files and directories matching both the regular expression and the restriction expression are excluded
and NOT added the database. The children of directories and sub-directories are recursed into and only
excluded if they also match the regular expression as well as the restriction.
Restricted non-recursive negative rule (added in AIDE v0.19)
-<regex> <restriction expression>
Files and directories matching both the regular expression and the restriction expression are excluded
and NOT added the database. The children of directories and sub-directories are not recursed into and
hence not added to the database by any means.
Restricted equals rule
=<regex> <restriction expression> <attribute expression>
Files and directories matching both the regular expression and the restriction expression are added
the database. The children of directories are only added if the regular expression ends with a "/".
The children of sub-directories are not added to the database.
Restriction expression
An restriction expression is of the following form:
<restriction expression>: <file types>
| =<file system type>
| <file types>=<file system type>
File types
The following file types are supported:
f restrict rule to regular files
d restrict rule to directories
l restrict rule to symbolic links
c restrict rule to character devices
b restrict rule to block devices
p restrict rule to FIFO files
s restrict rule to UNIX sockets
D restrict rule to Solaris doors
P restrict rule to Solaris event ports
Multiple file type restrictions can be given as a comma-separated list.
File system types (Linux only)
The file system type restriction can be specified by file system types magic number (e.g. '0x01021994'
for tmpfs) or by its name (use 'aide --version' to list the available file system type names). The
magic number must start with '0x' and be formatted in hexdecimal format.
Empty restriction
To explicitly don't restrict a rule use 0 (added in AIDE v0.18).
Examples:
/ d,f R
Only add directories and files to the database.
/boot/efi$ d=vfat R
Only add /boot/efi to the database if it is a directory and mounted on vfat.
!/dev =0x01021994
Exclude /dev and any children that are mounted on tmpfs (tmpfs magic number: 0x01021994).
-/dev =tmpfs
Exclude /dev and all children, if /dev is mounted on tmpfs.
MACRO LINES
@@define VAR val
Define variable VAR to value val.
@@undef VAR
Undefine variable VAR.
@@if boolean_expression (added in AIDE v0.18)
@@else
@@endif
@@if begins an if statement. It must be terminated with an @@endif statement. The lines between
@@if and @@endif are used if the boolean_expression evaluates to true. If there is an @@else
statement then the part between @@if and @@else is used if boolean_expression evaluates to true
otherwise the part between @@else and @@endif is used.
Available operators and functions in boolean expressions:
not boolean_expression
Evaluates to true if the boolean_expression is false, and false if the boolean_expression is
true.
defined VARIABLE
Evaluates to true if VARIABLE is defined.
hostname HOSTNAME
Evaluates to true if HOSTNAME equals the hostname of the machine that AIDE is running on.
hostname is the name of the host without the domainname (ie 'hostname', not
'hostname.example.com').
exists PATH
Evaluates to true if PATH exists.
VERSION_STRING1 version_ge VERSION_STRING2 (added in AIDE v0.19)
Evaluates to true if VERSION_STRING1 is greater than or equal to VERSION_STRING2 (e.g.
0.19.1 version_ge 0.18 evaluates to true and 2.17 version_ge 1.1 to false). The version
strings must be in the formaat MAJOR.MINOR.PATCH (minor and patch version can be omitted,
any version suffix (e.g. for pre-release) will be truncated).
@@ifdef VARIABLE (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)
same as @@if defined VARIABLE
@@ifndef VARIABLE (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)
same as @@if not defined VARIABLE
@@ifhost HOSTNAME (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)
same as @@if hostname HOSTNAME
@@ifnhost HOSTNAME (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)
same as @@if not hostname HOSTNAME
@@{VAR}
@@{VAR} is replaced with the value of the variable VAR. If variable VAR is not defined an empty
string is used.
Variables are supported in strings and in regular expressions of rules.
Pre-defined marco variables:
@@{AIDE_VERSION}: the version of AIDE
@@{HOSTNAME}: the hostname of the current system
@@include FILE
Include FILE.
The content of the file is used as if it were inserted in this part of the config file.
The maximum depth of nested includes is 16.
@@include DIRECTORY REGEX [RULE_PREFIX] (added in AIDE v0.17)
Include all (regular) files found in DIRECTORY matching regular expression REGEX (sub-directories
are ignored). The file are included in lexical sort order.
If RULE_PREFIX (added in AIDE v0.18) is set, all rules included by the statement are prefixed with
given RULE_PREFIX. Prefixes from nested include statements are concatenated.
The content of the files is used as if it were inserted in this part of the config file.
@@x_include FILE (added in AIDE v0.17)
@@x_include DIRECTORY REGEX [RULE_PREFIX] (added in AIDE v0.17)
@x_include is identical to @@include, except that if a config file is executable is is run and the
output is used as config.
If the executable file exits with status greater than zero or writes to stderr aide stops with an
error.
For security reasons DIRECTORY and each executable config file must be owned by the current user
or root. They must not be group- or world-writable.
@@x_include_setenv VAR VALUE (added in AIDE v0.17)
Adds the variable VAR with the value VALUE to the environment used for config file execution.
Environment variable names are limited to alphanumeric characters (A-Za-z0-9) and the underscore
'_' and must not begin with a digit.
TYPES
bool
Valid values are yes, true, no or false.
attribute expression
An attribute expression is of the following form:
<attribute expression>: <attribute/group>
| <attribute expression> + <attribute/group>
| <attribute expression> - <attribute/group>
URLS
Urls can be one of the following. Input urls cannot be used as outputs and vice versa.
stdout
stderr Output is sent to stdout, stderr respectively.
stdin Input is read from stdin.
file:/path
Input is read from path or output is written to path.
fd:number
Input is read from filedescriptor number or output is written to number.
syslog:LOG_FACILITY
Output is written to syslog using LOG_FACILITY.
ATTRIBUTES
File attributes
ftype file type (added in AIDE v0.15)
fstype file system type (Linux-only, added in AIDE v0.19)
p permissions
i inode
l link name (symbolic links only)
n number of links
u user
g group
s size
b block count
m mtime
a atime
c ctime
acl access control list (requires libacl, Linux-only)
selinux
selinux attributes (requires libselinux, Linux-only)
xattrs extended attributes (requires libattr, Linux-only)
e2fsattrs
file attributes on a Linux file system, see also report_ignore_e2fsattrs option (requires
libext2fs, added in AIDE v0.15)
caps file capabilities (regular files only) (requires libcap, Linux-only, added in AIDE v0.17)
Use 'aide --version' to show which compiled-in attributes are available.
Special attributes
S check for growing size (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)
Use growing+s attributes instead
I ignore changed filename
When I is used, the inode of the new file is used to search for a moved source file in the old
database.
Source and target file have to be located in the same directory and must share the same attributes
(except for special attributes ANF, ARF, I, growing, and compressed).
For moved entries a change of the ctime attribute is ignored.
growing
ignore growing file (added in AIDE v0.18)
When growing is used, changes of the following attributes are ignored:
size: if new size is greater than old size
bcount: if new bcount is greater than old bcount
atime: if new atime is greater than old atime
mtime: if new mtime is greater than old mtime
ctime: if new ctime is greater than old ctime
hashsums: if the hashsum of the new file restricted to the old size equals the hashsums of the old
file
For hashsum attributes the growing attribute is ignored in compare mode.
compressed
ignore compressed file (added in AIDE v0.18)
When compressed is used, the uncompressed hashsums of the new compressed file (supported
compressions: gzip) are used to search for the uncompressed file in the old database.
The old uncompressed and the new compressed file have to be located in the same directory and must
share the same attributes (except for special attributes ANF, ARF, I, growing, and compressed)
including at least one common hashsum.
Changes of the inode, size, bcount and ctime attributes are ignored.
The growing attribute (i.e. the old file size) is not considered for compressed files during the
calculation of the uncompressed hashsums.
The compressed attribute is ignored in compare mode.
ANF allow new files
When 'ANF' is used, new files are added to the new database, but are ignored in the report.
ARF allow removed files
When 'ARF' is used, files missing on disk are omitted from the new database, but are ignored in
the report.
Hashsums attributes (regular files only)
sha256 SHA-256 checksum
sha512 SHA-512 checksum
sha512_256 (added in AIDE v0.19)
SHA-512 checksum truncated to 256 output bits
sha3_256 (added in AIDE v0.19)
SHA3-256 checksum
sha3_512 (added in AIDE v0.19)
SHA3-512 checksum
stribog256 (added in AIDE v0.17)
GOST R 34.11-2012, 256 bit checksum
stribog512 (added in AIDE v0.17)
GOST R 34.11-2012, 512 bit checksum
md5 (DEPRECATED since AIDE v0.19, will be removed in AIDE v0.21)
MD5 checksum (not in libgcrypt FIPS mode)
sha1 (DEPRECATED since AIDE v0.19, will be removed in AIDE v0.21)
SHA-1 checksum
rmd160 (DEPRECATED since AIDE v0.19, will be removed in AIDE v0.21)
RIPEMD-160 checksum
gost (DEPRECATED since AIDE v0.19, will be removed in AIDE v0.21)
GOST R 34.11-94 checksum
crc32 (REMOVED in AIDE v0.19)
crc32 checksum
crc32b (REMOVED in AIDE v0.19)
crc32 checksum
haval (REMOVED in AIDE v0.19)
haval256 checksum
tiger (REMOVED in AIDE v0.19)
tiger checksum
whirlpool (REMOVED in AIDE v0.19)
whirlpool checksum
Use 'aide --version' to show which hashsums are available.
Hashsum transitions (since AIDE v0.19):
AIDE has limited support for hashsum transitions (i.e. ensuring hashsum validation when hashsums are
added/removed from existing entries). If both the old and the new entry do mot share common hashsum(s)
AIDE tries to additionally calculate the removed hashsum(s) also for the new entry (this is
especieally not supported for moved (I attribute) and compressed (compressed attribute) entries).
EXAMPLES
/ R This adds all files on your machine to the database. This one line is a fully qualified
configuration file.
!/dev$ This ignores the /dev directory structure.
=/foo R
Only /foo and /foobar are taken into the database. None of their children are added.
=/foo/ R
Only /foo and its children (e.g. /foo/file and /foo/directory) are taken into the database. The
children of sub-directories (e.g. /foo/directory/bar) are not added.
/ d,f R
Only add directories and files to the database
!/run d
/run R Add all but directory entries to the database
/run d R-m-c-i
/run R Use specific rule for directories
Suggested Groups
OwnerMode = p+u+g+ftype
Check permissions, owner, group and file type
Size = s+b
Check size and block count
InodeData = OwnerMode+n+i+Size+l+X
StaticFile = m+c+Checksums
Files that stay static
Full = InodeData+StaticFile
Full = ftype+p+l+u+g+s+m+c+a+i+b+n+H+X
/ 0 Full
This line defines group Full. It has all attributes, all compiled in hashsums (H) and all
compiled in extra file attributes (X). See '--version' output for the compiled in hashsums and
extra groups. The example rule is the typical catch-all rule at the end of the rule list.
VarTime = InodeData+Checksums
/etc/ssl/certs/ca-certificates\\.crt$ VarTime
Files that change their mtimes or ctimes but not their contents.
VarInode = VarTime-i
/var/lib/nfs/etab$ f VarInode
Files that are recreated regularly but do not change their contents
VarFile = OwnerMode+n+l+X
/etc/resolv\\.conf$ f VarFile
Files that change their contents during system operation
VarDir = OwnerMode+n+i+X
/var/lib/snmp$ d VarDir
Directories that change their contents during system operation
RecreatedDir = OwnerMode+n+X
/run/samba$ d RecreatedDir
Directories that are recreated regularly and change their contents
Log Handling
Logs pose a number of special challenges to AIDE. An active log is nearly constantly being written to.
The process of log rotation changes file names for files that are supposed to have unaltered contents.
To save space, Logs are compressed in the process of their rotation, and finally, they get deleted. AIDE
is supposed to handle all those cases without generating reports, and it is still expected to flag the
cases when an attacker tampers with logs.
The following examples suggest a way to handle the common case of log rotation with the logrotate(8)
program, with its options compress, delaycompress and nocopytruncate set. The vast majority of logs are
rotated this way on most Linux systems.
ActLog=Full+growing+ANF+I
/var/log/foo\\.log$ f ActLog
An Active Log is typically named foo.log. It is constanty being written to. The file does
neither change its mode nor its inode number. The size only increases, and what is written to the
file is not supposed to change (growing). During log rotation, foo.log is typically renamed to
foo.log.1 (or foo.log.0) and the process is instructed to write to a new foo.log. Log content is
written to a new file (ANF) and will eventually be renamed to foo.log.1 (I). The growing
attribute suppresses reports for files that just had content appended when compared to the
database. A change of the old content is still reported!
RotLog=Full
/var/log/foo\\.log\\.1$ f RotLog
foo.log.0 or foo.log.1 is called the Rotated Log, the previously active log renamed to the first
name of the Log Series that is formed by the rotation mechanism. Right after rotation, the file
might still being written to by the daemon. To aide, this looks like the Active Log's size
decreases and its inode and timestamps change. The Rotated Log is not supposed to change its
attributes once the process has stopped writing to it. Reports might be generated if aide runs
while the process still writes to the Rotated Log, but this is quite unlikely to happen. Some log
rotation mechanisms rename foo.log to foo.log.0 to foo.log.1.gz, others rename foo.log to
foo.log.1 to foo.2.log.gz.
CompSerLog=Full+I+compressed
/var/log/foo\\.log\\.2\\.gz$ f CompSerLog
In the next rotation step, foo.log.1 gets compressed to foo.log.2.gz, becoming the Compressed Log
in the Log Series. With this rule, AIDE does not report this step because it uncompresses the
contents of the file and takes the checksum of the uncompressed content. The contents strictly
doesn't change, but some attribute changes are ignored (compressed).
MidlSerLog=Full+I
/var/log/foo\\.log\\.[345]\\.gz$ f MidlSerLog
In the next log rotation, all foo.log.{x} get renamed to foo.log.{x+1}. The other attributes are
not supposed to change.
LastSerLog=Full+ARF
/var/log/foo\\.log\\.6\\.gz$ f LastSerLog
The configuration of the log rotation process specifies a number of log generations to keep. The
last log in the series is therefore removed from the disk (ARF).
aide 0.18 does not yet support the following cases of log rotation:
empty files
It might be the case that a log is actually created, but never written to. This commonly happens
on rarely used web servers that use the log rotation as a method to cater for data protection
regulation. In result, all files in a series are identical, breaking the heuristics that aide
uses to detect log rotation. A possible workaround is to begin a newly rotated log with a
timestamp. With logrotate, this can be done in a postrotate scriptlet.
nodelaycompress
With logrotate's nodelaycompress option, a log is immediately compressed after renaming it from
the Active Log name. For the time being, it is recommended to always use the delaycompress option
to avoid this behavior.
copytruncate
With logrotate's copytruncate option, the Active Log is not renamed and newly created but copied
to the new file name. After the copy operation, the old file is truncated to zero size, allowing
the daemon to continuously write to the already open file handle. aide uses the Inode number to
detect the rotation process. That doesn't work with copytruncate because the Inode stays with the
Active Log. For the time being, it is recommended to avoid the copytruncate option to avoid this
behavior.
HINTS
In the following, the first is not allowed in AIDE. Use the latter instead.
/foo epug
/foo e+p+u+g
SEE ALSO
aide(1)
DISCLAIMER
All trademarks are the property of their respective owners. No animals were harmed while making this
webpage or this piece of software.
aide v0.19.1 2025-07-06 AIDE.CONF(5)