This is an old revision of the document!
Host-based Intrusion Detection System with AIDE on Arch
HIDS: what is it and what is it used for?
Securing systems is one of the basic duties of every responsible system administrator. It goes without saying that this is not a one-off task but a continually recurring one: among other things, regular system checks must be carried out and log messages must be monitored for suspicious and unusual events. Several approaches to securing computer systems exist; TLS transport encryption, Secure Shell or firewalls will immediately come to mind for any interested admin. The individual solutions differ in their point of view. If one primarily observes and analyses network traffic within networks and/or at the zone boundaries between networks, and evaluates the corresponding logs of network devices such as switches, routers and firewalls, one speaks of a NIDS, a network-based intrusion detection system. A HIDS, a host-based intrusion detection system, by contrast, looks primarily at a host itself and uses local information to decide whether changes to that system are permissible or not. A HIDS therefore concentrates on more detailed and internal attacks by focusing its monitoring on host activity. A HIDS such as AIDE only tries to detect system anomalies, and thus intruders; it is not its job to actively block possible attackers and threats. An IPS, an intrusion prevention system, by contrast, actively works to block threats and to check user access.
Further information on intrusion detection systems can be found in the BSI guide on introducing intrusion detection systems (BSI-Leitfaden zur Einführung von Intrusion-Detection-Systemen) and in the Orientation Guide to Using Intrusion Detection Systems (IDS).
One of the challenges of using a HIDS is that it must be installed and configured on every single host that is to be protected against intruders, and the resulting reports and log files must then be evaluated as well. Depending on the available resources, this can slow down the host and the HIDS itself. We will therefore later carry out the installation and configuration with Ansible. For evaluating the log messages we rely on graylog in our environment.
AIDE
AIDE (Advanced Intrusion Detection Environment) is a HIDS, a program for detecting intruders by monitoring the integrity of directories and files.
To do this, AIDE builds a database of the current system, based on its configuration, either at initial setup or deliberately after changes to the system via the corresponding program call. This AIDE database stores various directory and file attributes, including:
- permissions
- inode numbers
- user
- group
- file sizes
- mtime
- ctime
- atime
- growing size
- number of links
- link names
AIDE also creates a cryptographic checksum or hash of each file using one or a combination of the following message-digest algorithms:
- sha1
- sha256
- sha512
- md5
- rmd160
- tiger
- gost and whirlpool can be compiled in if mhash support is available.
In addition, the extended attributes can be used if they are explicitly enabled at compile time:
- acl
- xattr
- selinux
Important
AIDE only performs file-integrity checks on the system itself! It does not look for rootkits or analyse log files for suspicious activity!
AIDE is a fork of the well-known HIDS Tripwire; it was originally developed in 1999 by Rami Lehti and Pablo Virolainen as a free alternative to the commercial Tripwire product. Between 2003 and 2010 it was maintained by Richard van den Berg. Since October 2010 Hannes von Haugwitz has run the project. The AIDE homepage can be found here. The current version of AIDE is now maintained on GitHub.
As a rule, after a new host has been set up, an admin will initially create an AIDE database on the new system, ideally before the new host goes into production on the network. This initial AIDE database is a snapshot of the system in its normal state and is the yardstick against which all subsequent updates and changes are measured. The database should contain information about the most important system binaries, libraries, header files and all directories and files that should remain unchanged over time. Files that change frequently, such as log files, mail spools, the proc file system, users' home directories or temporary directories, are usually not included in the AIDE database, because otherwise the reports would later be flooded with a large number of unwanted but expected messages.
By running AIDE again to check the system, an administrator can quickly detect changes to system-relevant directories and files and be fairly confident that the logged results are correct.
CAUTION:
An admin must also be aware that even AIDE cannot guarantee absolute security, because, like all other system files, AIDE's binaries and/or database files can themselves be compromised!
Likewise, particularly in orchestrated environments (Puppet), care must be taken that a database update that has just been started is not aborted by a Puppet agent run. In the worst case, no current and valid database would then be available for later system checks, which would lead to countless false-positive messages. The reputation of the HIDS among administrators would be gone in such a case, and the hoped-for or required benefit more than questionable!
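To make the baseline-and-compare workflow concrete, here is an added Python example (not AIDE's own code and not from the original article) that records the attributes listed in the AIDE section above (permissions, inode, owner, group, size, mtime, ctime, link count, link target, sha256/sha512) for a directory tree, excludes a volatile log directory the way an aide.conf exclusion rule would, and then reports which entries changed and in which attributes. All paths and file contents in the demo are constructed.

```python
"""Miniature AIDE-style integrity check: baseline database, then compare.

Added example for this article; it is not AIDE's own code. It records the
same kinds of attributes AIDE stores (permissions, inode, owner, group, size,
mtime, ctime, link count, link target, sha256/sha512 of the content), skips
volatile paths the way an aide.conf exclusion rule would, and reports which
entries were added, removed or changed and which attributes differ.
atime is deliberately not recorded: hashing a file reads it, so atime would
change on every run. The demo uses constructed sample files in a temp dir.
"""
import hashlib
import json
import os
import re
import stat
import tempfile
from pathlib import Path

HASHES = ("sha256", "sha512")  # AIDE can store several digests per file


def file_attrs(path: str) -> dict:
    """Collect the attributes of one path without following symlinks."""
    st = os.lstat(path)
    attrs = {
        "perm": stat.S_IMODE(st.st_mode),   # permission bits incl. setuid/setgid
        "type": stat.S_IFMT(st.st_mode),    # regular file, directory, symlink, ...
        "inode": st.st_ino,
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": st.st_mtime_ns,
        "ctime": st.st_ctime_ns,
        "nlink": st.st_nlink,
    }
    if stat.S_ISLNK(st.st_mode):
        attrs["lnk"] = os.readlink(path)     # link target name
    elif stat.S_ISREG(st.st_mode):
        digests = {name: hashlib.new(name) for name in HASHES}
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                for d in digests.values():
                    d.update(chunk)
        for name, d in digests.items():
            attrs[name] = d.hexdigest()
    return attrs


def build_db(root: str, excludes: list[str]) -> dict:
    """Walk root; record every path whose /-relative name matches no exclude regex."""
    patterns = [re.compile(p) for p in excludes]

    def rel(path):  # name the entry relative to the scanned root, as AIDE would
        return "/" + os.path.relpath(path, root)

    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # drop excluded directories so they are neither recorded nor descended into
        dirnames[:] = [d for d in dirnames
                       if not any(p.match(rel(os.path.join(dirpath, d))) for p in patterns)]
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if any(p.match(rel(full)) for p in patterns):
                continue
            db[rel(full)] = file_attrs(full)
    return db


def compare(baseline: dict, current: dict) -> dict:
    """Report added/removed paths and, per changed path, the attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        old, new = baseline[path], current[path]
        diff = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        if diff:
            changed[path] = diff
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: take a baseline, then let the 'system' change."""
    with tempfile.TemporaryDirectory() as root:
        top = Path(root)
        (top / "bin").mkdir()
        (top / "var" / "log").mkdir(parents=True)
        (top / "bin" / "ls").write_bytes(b"\x7fELF build one")
        os.symlink("ls", top / "bin" / "dir")
        (top / "var" / "log" / "syslog").write_text("boot\n")
        excludes = [r"^/var/log"]        # the equivalent of an "!/var/log" rule in aide.conf
        baseline = build_db(root, excludes)

        # Changes after the baseline: a same-size content change plus a new
        # setuid bit on a binary, a new file in /bin, and ordinary log growth.
        (top / "bin" / "ls").write_bytes(b"\x7fELF build two")
        os.chmod(top / "bin" / "ls", 0o4755)
        (top / "bin" / "extra").write_text("#!/bin/sh\n")
        (top / "var" / "log" / "syslog").write_text("boot\nlogin\n")
        return compare(baseline, build_db(root, excludes))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same-size rewrite of /bin/ls is caught only by the hashes, which is why AIDE records digests and not just sizes and timestamps; the log growth under /var/log produces no report at all because the path is excluded.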
Installation
Under Arch Linux, AIDE cannot simply be installed from the Core or Extra repository with the package manager pacman. However, the Arch User Repository (AUR), the community-maintained repository for Arch Linux users, provides a package description (PKGBUILD) with which one can compile a package from source with makepkg and then install it with pacman. If one does not want to keep the necessary build tools on the target systems, the package can also be built on a suitably protected build host and then installed locally on the target system with pacman!
Because the integrity of the source archive is verified against its PGP signature during installation, i.e. at compile time, the PGP key with key ID F6947DAB68E7B931 belonging to Hannes von Haugwitz must be present in our keyring. We therefore first import Hannes' public key:
$ gpg --recv-key 18EE86386022EF57
gpg: key F6947DAB68E7B931: public key "Hannes von Haugwitz <hannes@vonhaugwitz.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
With $ gpg --list-keys we can, if needed, verify that Hannes' key is present:
$ gpg --list-keys
...
pub   rsa4096 2011-06-28 [C] [expires: 2026-06-27]
      2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931
uid           [ unknown] Hannes von Haugwitz <hannes@vonhaugwitz.com>
uid           [ unknown] Hannes von Haugwitz <hvhaugwitz@debian.org>
sub   rsa3072 2011-06-28 [E] [expires: 2025-06-27]
sub   rsa3072 2011-06-28 [A] [expires: 2025-06-27]
sub   rsa3072 2011-06-28 [S] [expires: 2025-06-27]
Installing AIDE with pikaur
$ pikaur -S aide
[sudo] password for django:
Reading repository package databases...
Reading local package database...
Resolving AUR dependencies...
🛴 AUR package will be installed:
 aide -> 0.18.8-1
🛴 Proceed with installation? [Y/n]
🛴 [v]iew package details   [m]anually select packages
🛴 [r] show if packages are required by already installed packages
>> looking for conflicting AUR packages...
🛴 warning: Not showing diff for aide package (installing for the first time)
Do you want to edit PKGBUILD for aide package? [Y/n] n
Do you want to edit aide.install for aide package? [Y/n] n
Reading local package database...
🛴 Starting the build:
==> Making package: aide 0.18.8-1 (Sun 09 Feb 2025 01:15:33 PM CET)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Downloading aide-0.18.8.tar.gz...
  -> Downloading aide-0.18.8.tar.gz.asc...
  -> Found aide.conf
  -> Found aidecheck.service
  -> Found aidecheck.timer
==> Validating source files with b2sums...
    aide-0.18.8.tar.gz ... Passed
    aide-0.18.8.tar.gz.asc ... Skipped
    aide.conf ... Passed
    aidecheck.service ... Passed
    aidecheck.timer ... Passed
==> Verifying source file signatures with gpg...
    aide-0.18.8.tar.gz ... Passed
==> Extracting sources...
  -> Extracting aide-0.18.8.tar.gz with bsdtar
==> Starting build()...
...
checking for POSIX ACLs... yes
checking for libacl... yes
checking for SELinux... no
checking for xattr... yes
checking for libattr... yes
...
checking for mhash... no
checking for libgcrypt... yes
...
-I./include -I./src -I./src -D_GNU_SOURCE -W -Wall -g -I/usr/include/e2p -pthread -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -g -ffile-prefix-map=/home/django/.cache/pikaur/build/aide/src=/usr/src/debug/aide -flto=auto -fPIE -DPIE -Wundef -Wmissing-format-attribute -Wshadow -Wlogical-op -MT src/aide-util.o -MD -MP -MF src/.deps/aide-util.Tpo -c -o src/aide-util.o `test -f 'src/util.c' || echo './'`src/util.c mv -f src/.deps/aide-util.Tpo src/.deps/aide-util.Po gcc -DHAVE_CONFIG_H -I. -I./include -I. -I./include -I./src -I./src -D_GNU_SOURCE -W -Wall -g -I/usr/include/e2p -pthread -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -g -ffile-prefix-map=/home/django/.cache/pikaur/build/aide/src=/usr/src/debug/aide -flto=auto -fPIE -DPIE -Wundef -Wmissing-format-attribute -Wshadow -Wlogical-op -MT src/aide-e2fsattrs.o -MD -MP -MF src/.deps/aide-e2fsattrs.Tpo -c -o src/aide-e2fsattrs.o `test -f 'src/e2fsattrs.c' || echo './'`src/e2fsattrs.c mv -f src/.deps/aide-e2fsattrs.Tpo src/.deps/aide-e2fsattrs.Po gcc -D_GNU_SOURCE -W -Wall -g -I/usr/include/e2p -pthread -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -g -ffile-prefix-map=/home/django/.cache/pikaur/build/aide/src=/usr/src/debug/aide -flto=auto -fPIE -DPIE -Wundef -Wmissing-format-attribute -Wshadow -Wlogical-op -Wl,-O1 -Wl,--sort-common -Wl,--as-needed -Wl,-z,relro -Wl,-z,now -Wl,-z,pack-relative-relocs -flto=auto -Wl,-z,relro -Wl,-z,now -pie -o aide src/aide-aide.o src/aide-base64.o src/aide-be.o src/aide-commandconf.o 
src/aide-attributes.o src/aide-report.o src/aide-report_plain.o src/aide-report_json.o src/aide-conf_ast.o src/aide-conf_eval.o src/aide-conf_lex.o src/aide-conf_yacc.o src/aide-db.o src/aide-db_disk.o src/aide-db_file.o src/aide-db_lex.o src/aide-db_list.o src/aide-do_md.o src/aide-gen_list.o src/aide-getopt1.o src/aide-getopt.o src/aide-hashsum.o src/aide-rx_rule.o src/aide-list.o src/aide-log.o src/aide-md.o src/aide-queue.o src/aide-seltree.o src/aide-symboltable.o src/aide-url.o src/aide-util.o src/aide-e2fsattrs.o -lm -le2p -lgcrypt -lpcre2-8 -lacl -lpthread -lattr -lz make[1]: Leaving directory '/home/django/.cache/pikaur/build/aide/src/aide-0.18.8' ==> Entering fakeroot environment... ==> Starting package()... make install-am make[1]: Entering directory '/home/django/.cache/pikaur/build/aide/src/aide-0.18.8' make[2]: Entering directory '/home/django/.cache/pikaur/build/aide/src/aide-0.18.8' /usr/bin/mkdir -p '/home/django/.cache/pikaur/build/aide/pkg/aide/usr/bin' /usr/bin/install -c aide '/home/django/.cache/pikaur/build/aide/pkg/aide/usr/bin' /usr/bin/mkdir -p '/home/django/.cache/pikaur/build/aide/pkg/aide/usr/share/man/man1' /usr/bin/install -c -m 644 doc/aide.1 '/home/django/.cache/pikaur/build/aide/pkg/aide/usr/share/man/man1' /usr/bin/mkdir -p '/home/django/.cache/pikaur/build/aide/pkg/aide/usr/share/man/man5' /usr/bin/install -c -m 644 doc/aide.conf.5 '/home/django/.cache/pikaur/build/aide/pkg/aide/usr/share/man/man5' make[2]: Leaving directory '/home/django/.cache/pikaur/build/aide/src/aide-0.18.8' make[1]: Leaving directory '/home/django/.cache/pikaur/build/aide/src/aide-0.18.8' ==> Tidying install... -> Removing libtool files... -> Purging unwanted files... -> Removing static library files... -> Stripping unneeded symbols from binaries and libraries... -> Compressing man and info pages... ==> Checking for packaging issues... ==> Creating package "aide"... -> Generating .PKGINFO file... -> Generating .BUILDINFO file... -> Adding install file... 
-> Generating .MTREE file...
-> Compressing package...
==> Creating package "aide-debug"...
-> Generating .PKGINFO file...
-> Generating .BUILDINFO file...
-> Generating .MTREE file...
-> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: aide 0.18.8-1 (Sun 09 Feb 2025 01:15:51 PM CET)
loading packages...
resolving dependencies...
looking for conflicting packages...

Packages (1) aide-0.18.8-1

Total Installed Size:  0.22 MiB

:: Proceed with installation? [Y/n] Y
(1/1) checking keys in keyring        [########################################################################] 100%
(1/1) checking package integrity      [########################################################################] 100%
(1/1) loading package files           [########################################################################] 100%
(1/1) checking for file conflicts     [########################################################################] 100%
(1/1) checking available disk space   [########################################################################] 100%
:: Processing package changes...
(1/1) installing aide                 [########################################################################] 100%
To complete the installation of aide, edit the configuration file /etc/aide.conf,
and check the syntax with
    sudo aide -D
Then create the database with
    sudo aide --init
Note that this process will take long (12 min for 600k files), will not not output
anything, and /var/lib/aide/aide.db.new.gz will appear empty until the process completes.
To update this database, run
    sudo aide --update
To enable a daily check against the database, run
    sudo systemctl enable --now aidecheck.timer
You can check the results from /var/log/aide.log or by running
    sudo journalctl -abu aidecheck
:: Running post-transaction hooks...
(1/2) Reloading system manager configuration...
(2/2) Arming ConditionNeedsUpdate...
If, for security reasons, no compiler tools may be kept on the target systems, one fetches the package built by one's own maintainer from the internal repository server and installs it locally with pacman as follows:
Local installation of AIDE with pacman
In the following example the package previously provided from one's own repository, version 0.18.8-1, is installed.
# pacman -U aide-0.18.8-1-x86_64.pkg.tar.zst
Before AIDE can be started, however, it must be configured!
Documentation
The AIDE documentation can be found in the README file in the Git repository.
Package info
The easiest way to find out what the package brought into the system is pacman -Qil.
Output of the command pacman -Qil aide
Name            : aide
Version         : 0.18.8-1
Description     : A file integrity checker and intrusion detection program
Architecture    : x86_64
URL             : https://aide.github.io/
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : acl  e2fsprogs  libelf  mhash  pcre
Optional Deps   : None
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 227.09 KiB
Packager        : Unknown Packager
Build Date      : Fri 28 Feb 2025 04:25:53 PM CET
Install Date    : Fri 28 Feb 2025 04:26:08 PM CET
Install Reason  : Explicitly installed
Install Script  : Yes
Validated By    : None

aide /etc/
aide /etc/aide.conf
aide /usr/
aide /usr/bin/
aide /usr/bin/aide
aide /usr/lib/
aide /usr/lib/systemd/
aide /usr/lib/systemd/system/
aide /usr/lib/systemd/system/aidecheck.service
aide /usr/lib/systemd/system/aidecheck.timer
aide /usr/share/
aide /usr/share/man/
aide /usr/share/man/man1/
aide /usr/share/man/man1/aide.1.gz
aide /usr/share/man/man5/
aide /usr/share/man/man5/aide.conf.5.gz
aide /var/
aide /var/lib/
aide /var/lib/aide/
aide /var/log/
aide /var/log/aide/
Program info
If needed, we can display all options the AIDE binary was built with, together with the default configuration parameters, the available compiled-in attributes, the available hashsum attributes and the default compound groups.
# aide -v
AIDE 0.18.8

Compile-time options:
use pcre2: mandatory
use pthread: yes
use zlib compression: yes
use POSIX ACLs: yes
use SELinux: no
use xattr: yes
use POSIX 1003.1e capabilities: no
use e2fsattrs: yes
use cURL: yes
use Mhash: no
use GNU crypto library: yes
use Linux Auditing Framework: no
use locale: no
syslog ident: aide
syslog logopt: LOG_CONS
syslog priority: LOG_NOTICE
default syslog facility: LOG_LOCAL0

Default config values:
config file: /etc/aide.conf
database_in: file:/etc/aide.db
database_out: file:/etc/aide.db.new

Available compiled-in attributes:
acl: yes
xattrs: yes
selinux: no
e2fsattrs: yes
caps: no

Available hashsum attributes:
md5: yes
sha1: yes
sha256: yes
sha512: yes
rmd160: yes
tiger: yes
crc32: yes
crc32b: no
haval: no
whirlpool: yes
gost: yes
stribog256: yes
stribog512: yes

Default compound groups:
R: l+p+u+g+s+c+m+i+n+md5+acl+xattrs+ftype+e2fsattrs
L: l+p+u+g+i+n+acl+xattrs+ftype+e2fsattrs
>: l+p+u+g+s+i+n+acl+xattrs+ftype+e2fsattrs+growing
H: md5+sha1+rmd160+tiger+crc32+gost+sha256+sha512+whirlpool+stribog256+stribog512
X: acl+xattrs+e2fsattrs
Manpages
# man aide
AIDE(1)                          User Commands                          AIDE(1)

NAME
       aide - Advanced Intrusion Detection Environment

SYNOPSIS
       aide [parameters] command

DESCRIPTION
       AIDE is an intrusion detection system for checking the integrity of files.

COMMANDS
       --check, -C
              Checks the database for inconsistencies. You must have an initialized database to do this. This is also the default command. Without any command aide does a check.

       --init, -i
              Initialize the database. You must initialize a database and move it to the appropriate place (see database_in config option) before you can use the --check command.

       --dry-init, -n (added in AIDE v0.17)
              Traverse the file system, match each file against the rule tree and report to stdout. Neither reports nor the database are written in this mode. To change the log level in this mode please use the --log-level command line parameter. In this mode aide exits with status 0.

       --update, -u
              Checks the database and updates the database non-interactively. The input and output databases must be different.

       --compare, -E
              Compares two databases. They must be defined in config file with database=<url> and database_new=<url>.

       --config-check, -D
              Stops after reading in the configuration file. Any errors will be reported. To change the log level in this mode please use the --log-level command line parameter.

       --path-check=file_type:path, -p file_type:path (added in AIDE v0.17)
              Read configuration and match provided file_type and path against rule tree. The path is independent of what is in the actual file system and needs to be absolute. See RESTRICTED RULES section in aide.conf (5) for supported file types. To change the log level in this mode please use the --log-level command line parameter. In this mode aide exits with status 0 if the file would be added to the tree, 1 if not and 2 if the file does not match a specified limit.

PARAMETERS
       --config=configfile , -c configfile
              Configuration is read from file configfile (see --version output for default value). Use '-' for stdin.

       --limit=REGEX , -l REGEX (added in AIDE v0.16)
              Limit command to entries matching REGEX. Note that the REGEX only matches at the first position.

              Example
                     Only check and update the database entries matching /etc (i.e. the /etc directory) while leaving all other entries unchecked and unchanged:

                     aide --update --limit /etc

       --before="configparameters" , -B "configparameters"
              These configparameters are handled before the reading of the configuration file. See aide.conf (5) for more details on what to put here.

       --after="configparameters" , -A "configparameters"
              These configparameters are handled after the reading of the configuration file. See aide.conf (5) for more details on what to put here.

       --log-level=log_level,-Llog_level (added in AIDE v0.17)
              The log level to use (see aide.conf (5) for available log levels and more details). This overwrites the log_level value set in any configuration file.

       --verbose=verbosity_level,-Vverbosity_level (REMOVED in AIDE v0.17)
              Removed, use log_level and report_level config options instead (see aide.conf (5) for details).

       --report=reporter,-r reporter (REMOVED in AIDE v0.17)
              Removed, use report_url config option instead (see aide.conf (5) for details).

       --workers=WORKERS , -W WORKERS (added in AIDE v0.18)
              Specifies the number of workers (see aide.conf (5) for details). This overwrites the num_workers value set in any configuration file.

       --version,-v
              Print version information and exit.

       --help,-h
              Prints out the standard help message.

EXIT STATUS
       Normally, the exit status is 0 if no errors occurred. Except when the --check, --compare or --update command was requested, in which case the exit status is defined as:

              1 * (new files reported?) +
              2 * (removed files reported?) +
              4 * (changed files reported?)

       Since those three cases can occur together, the respective error codes are added. For example, if there are new files and removed files reported, the exit status will be 1 + 2 = 3.

       Additionally, the following exit codes are defined for generic error conditions:

              14     Writing error
              15     Invalid argument error
              16     Unimplemented function error
              17     Configuration error
              18     IO error
              19     Version mismatch error
              20     EXEC error
              21     File lock error
              22     Memory allocation error
              23     Thread error

SIGNAL HANDLING
       SIGTERM is ignored, use SIGKILL to terminate aide. SIGHUP is also ignored. SIGUSR1 toggles the log_level between current and debug level.

NOTES
       The checksums in the database and in the output are by default base64 encoded (see also report_base16 option). To decode them you can use the following shell command:

              echo <encoded_checksum> | base64 -d | hexdump -v -e '32/1 "%02x" "\n"'

FILES
       See --version output for the default config file and the default database_in and database_out config values.

SEE ALSO
       aide.conf(5)

BUGS
       There are probably bugs in this release. Please report them at https://github.com/aide/aide/issues .

DISCLAIMER
       All trademarks are the property of their respective owners. No animals were harmed while making this webpage or this piece of software. Although some pizza delivery guy's feelings were hurt.

aide v0.18.8                        2024-05-09                          AIDE(1)
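For a monitoring wrapper around the aidecheck timer, the following added example (not AIDE project code) decodes the --check/--update exit status defined under EXIT STATUS above and parses the per-file change summary string in the YlZbpugamcinHAXSEC format that aide.conf(5) describes under report_summarize_changes. It assumes the compiled-in extra attributes of the build shown on this page (acl, xattrs, e2fsattrs); all sample strings are constructed.

```python
"""Read AIDE results from a monitoring wrapper: decode the --check/--update
exit status defined in aide(1) and parse the per-file change summary string
defined under report_summarize_changes in aide.conf(5).

Added example, not part of the AIDE project. Sample values are constructed."""

# aide(1) EXIT STATUS: for --check, --compare and --update the status is the
# sum of 1 (new files), 2 (removed files) and 4 (changed files).
FINDING_BITS = {1: "new", 2: "removed", 4: "changed"}

# aide(1) EXIT STATUS: generic error conditions.
ERROR_CODES = {
    14: "writing error", 15: "invalid argument error",
    16: "unimplemented function error", 17: "configuration error",
    18: "IO error", 19: "version mismatch error", 20: "EXEC error",
    21: "file lock error", 22: "memory allocation error", 23: "thread error",
}


def decode_exit_status(status):
    """Return (findings, error) for an exit status of `aide --check`.

    findings lists 'new'/'removed'/'changed' in aide(1) bit order; error is
    None or the description of a generic error condition (codes 14-23)."""
    if status in ERROR_CODES:
        return [], ERROR_CODES[status]
    if not 0 <= status <= 7:
        return [], "unknown exit status %d" % status
    return [name for bit, name in FINDING_BITS.items() if status & bit], None


# aide.conf(5), report_summarize_changes: the summary string looks like
# YlZbpugamcinHAXSEC. Y is the file type, Z the size indicator, every other
# letter an attribute. A, X, S, E and C are only printed when compiled in.
BASE_LETTERS = "lZbpugamcinH"
# Assumption: the compiled-in extra attributes of the build on this page
# (aide -v: acl yes, xattrs yes, selinux no, e2fsattrs yes, caps no).
DEFAULT_EXTRA = "AXE"

ATTRIBUTE_NAMES = {
    "l": "link name", "b": "block count", "p": "permissions", "u": "uid",
    "g": "gid", "a": "atime", "m": "mtime", "c": "ctime", "i": "inode",
    "n": "link count", "H": "message digest", "A": "ACL",
    "X": "extended attributes", "S": "SELinux context",
    "E": "e2fs attributes", "C": "capabilities",
}
FILE_TYPES = {
    "f": "regular file", "d": "directory", "l": "symbolic link",
    "c": "character device", "b": "block device", "p": "FIFO",
    "s": "unix socket", "D": "Solaris door", "P": "Solaris event port",
    "!": "file type changed", "?": "unknown",
}
SIZE_MARKS = {"=": "unchanged", "<": "shrunk", ">": "grown"}


def parse_change_summary(summary, extra_attrs=DEFAULT_EXTRA):
    """Parse a summary string such as 'f.>.p...mc..H...' (constructed).

    Returns a dict with file_type, status ('added', 'removed' or 'changed'),
    size, and lists of changed/added/removed/ignored/unchecked attributes."""
    letters = BASE_LETTERS + extra_attrs
    if len(summary) != 1 + len(letters):
        raise ValueError("expected %d characters, got %r" % (1 + len(letters), summary))
    ftype, marks = summary[0], summary[1:]
    if ftype not in FILE_TYPES:
        raise ValueError("unknown file type %r" % ftype)
    result = {"file_type": FILE_TYPES[ftype], "status": "changed", "size": None,
              "changed": [], "added": [], "removed": [], "ignored": [], "unchecked": []}
    # Exceptions from aide.conf(5): a new entry is all '+', a removed one all '-'.
    if marks == "+" * len(marks):
        result["status"] = "added"
        return result
    if marks == "-" * len(marks):
        result["status"] = "removed"
        return result
    for letter, mark in zip(letters, marks):
        if letter == "Z":
            if mark not in SIZE_MARKS:
                raise ValueError("bad size indicator %r" % mark)
            result["size"] = SIZE_MARKS[mark]
            continue
        name = ATTRIBUTE_NAMES[letter]
        if mark == letter:          # the attribute's own letter: it changed
            result["changed"].append(name)
        elif mark == "+":           # attribute added
            result["added"].append(name)
        elif mark == "-":           # attribute removed
            result["removed"].append(name)
        elif mark == ":":           # ignored (but not forced)
            result["ignored"].append(name)
        elif mark == " ":           # not checked
            result["unchecked"].append(name)
        elif mark != ".":           # '.' means no change
            raise ValueError("unexpected mark %r for attribute %s" % (mark, name))
    return result


if __name__ == "__main__":
    print(decode_exit_status(3))                      # (['new', 'removed'], None)
    print(parse_change_summary("f.>.p...mc..H..."))
```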
# man aide.conf
AIDE.CONF(5) AIDE AIDE.CONF(5) NAME aide.conf - The configuration file for Advanced Intrusion Detection Environment SYNOPSIS aide.conf is the configuration file for Advanced Intrusion Detection Environment. aide.conf contains the runtime configuration aide uses to initialize or check the AIDE database. FILE FORMAT aide.conf is case-sensitive. Leading and trailing white spaces are ignored. Each config lines must end with new line. AIDE uses the backslash character (\) as escape character for ' ' (space), '@' and '\' (backslash) (e.g. '\ ' or '\@'). To literally match a '\' in a file path with a regular expression you have to escape the backslash twice (i.e. '\\\\'). There are three types of lines in aide.conf. First there are the configuration options which are used to set configuration parameters and define groups. Second, there are (restricted) rules that are used to indicate which files are added to the database. Third, macro lines define or undefine variables within the config file. Lines beginning with # are ignored as comments. CONFIG OPTIONS These lines have the format parameter=value. See URLS for a list of valid urls. database_in (type: URL, default: see --version output, added in AIDE v0.17) database (DEPRECATED since AIDE v0.17, will be removed in AIDE v0.19) The url from which database is read. There can only be one of these lines. If there are multiple database lines then the first is used. Examples: database_in=file:/var/lib/aide/aide.db Read database locally from /var/lib/aide/aide.db. database_in=stdin Read database from stdin. database_in=https://example.com/aide.db Read database remotely from https://example.com/aide.db. database_out (type: URL, default: see --version output) The url to which the new database is written to. There can only be one of these lines. If there are multiple database_out lines then the first is used. database_new (type: URL, default: <none>) The url from which the other database for --compare is read. 
database_attrs (type: attribute expression, default: H, added in AIDE v0.16) The attributes of the (uncompressed) database files which are to be added to the reports in report level >= database_attributes . Only checksum attributes are supported. To disable set database_attrs to 'E'. database_add_metadata (type: bool, default: true, added in AIDE v0.16) Whether to add the AIDE version and the time of database generation as comments to the database file or not. This option may be set to false by default in a fu‐ ture release. log_level (type: log level, default: warning, added in AIDE v0.17) The log level to use. Log messages are written to stderr. If there are multiple log_level lines then the first one is used. The --log-level or -L command line option overwrites this option. The following log levels are available: error: show unrecoverable issues that have to be handled by the user. Er‐ rors are fatal to the AIDE process. warning: additionally show recoverable issues that most likely lead to unexpected behaviour and should be handled by the user notice: additionally show recoverable issues that sometimes lead to unex‐ pected behaviour and might be handled by the user. info: additionally show informational messages rule: additionally show messages to help to debug the path rule matching compare: additionally show messages to help to debug file comparison and (special) attribute handling config: additionally show messages to help to debug config and rule pars‐ ing debug: additionally show messages that are useful to debug the applica‐ tion (very verbose) thread: additionally show messages about thread processing (e.g. broad‐ cast events) trace: detailed information about the flow of the application (e.g. in- loop logging) (even more verbose) verbose (type: number, range: 0 - 255, default: 5, REMOVED in AIDE v0.17) Removed, use log_level and report_level options instead. gzip_dbout (type: bool, default: false) Whether the output to the database is gzipped or not. 
This option is available only if zlib support is compiled in. root_prefix (type: path, default: <empty>, added in AIDE v0.16) The prefix to strip from each file name in the file system before applying the rules and writing to database. AIDE removes a trailing slash from the prefix. If there are multiple root_prefix lines then the first one is used. This option has no effect in compare mode. acl_no_symlink_follow (type: bool, default: false) Whether to check ACLs for symlinks or not. This option is available only if acl support is compiled in. warn_dead_symlinks (type: path, default: false) Whether to warn about dead symlinks or not. config_version (type: string, default: <empty>) The value of config_version is printed in the report and also printed to the database. This is for informational purposes only. It has no other functional‐ ity. config_check_warn_unrestricted_rules (type: bool, default: false, added in AIDE v0.18) Whether to warn on unrestricted rules during config check. To explicitly define unrestricted rules use 0 (zero) as restriction character. num_workers (type: number|percentage, default: 1, added in AIDE v0.18) Specifies the number of simultaneous workers (threads) for file attribute pro‐ cessing (i.a. hashsum calculation). The number of workers can be a positive integer (e.g. '4') or the percentage of the available processors (e.g. '60%'). The resulting number of workers is rounded up to the next integer (e.g. '60%' of 8 processors results in 5 work‐ ers). If there are multiple num_workers lines then the first one is used. Use 0 (zero) to disable multi-threading. The default value 1 (single worker thread) may be changed in a future release. REPORT OPTIONS report_url (type: URL, default: stdout) The URL that the output is written to. Multiple instances of the report_url option are supported. Examples: report_url=file:/var/log/aide.log Write report to /var/log/aide.log. report_url=stdout Write report to stdout. 
report_url=syslog:<LOG_FACILITY> Write report to syslog using LOG_FACILITY. The following report options are available (to take effect they have to be set before report_url): report_level (type: report level, default: changed_attributes, added in AIDE v0.17) The report level to use. The available report levels are as follows: minimal: print single line whether AIDE found differences to the database summary: additionally print number of added, removed and changed files database_attributes: additionally print database checksums list_entries: additionally print lists of added, removed and changed entries changed_attributes: additionally print details about changed entries Example: File: /var/lib/apt/extended_states Perm : -rw-r--r-- | -rw------- Uid : 0 | 106 The left column shows the old value (e.g. from the database_in database) and the right column shows the new value (e.g. from the file system). added_removed_attributes: additionally print details about added and removed at‐ tributes added_removed_entries: additionally print details about added and removed en‐ tries report_format (type: report format, default: plain, added in AIDE v0.18) The report format to use. The available report formats are as follows: plain: Print report in plain human-readable format. json: Print report in json machine-readable format. report_base16 (type: bool, default: false, added in AIDE v0.17) Base16 encode the checksums in the report. The default is to report checksums in base64 encoding. report_detailed_init (type: bool, default: false, added in AIDE v0.16) Report added files (report level >= list_entries) and their details (report level >= added_removed_entries) in initialization mode. report_quiet (type: bool, default: false, added in AIDE v0.16) Suppress report output if no differences to the database have been found. report_append (type: bool, default: false, added in AIDE v0.17) Append to the report URL. 
report_grouped (type: bool, default: true, added in AIDE v0.17) grouped (DEPRECATED since AIDE v0.17, will be removed in AIDE v0.19) Group the files in the report by added, removed and changed files. report_summarize_changes (type: bool, default: true, added in AIDE v0.17) summarize_changes (DEPRECATED since AIDE v0.17, will be removed in AIDE v0.19) Summarize changes in the added, removed and changed files sections of the re‐ port. The general format is like the string YlZbpugamcinHAXSEC, where Y is replaced by the file-type ('f' for a regular file, 'd' for a directory, 'l' for a symbolic link, 'c' for a character device, 'b' for a block device, 'p' for a FIFO, 's' for a unix socket, 'D' for a Solaris door, 'P' for a Solaris event port, '!' if file type has changed and '?' otherwise). The Z is replaced as follows: A '=' means that the size has not changed, a '<' reports a shrinked size and a '>' reports a grown size. The other letters in the string are the actual letters that will be output if the associated at‐ tribute for the item has been changed or a '.' for no change. Otherwise a '+' is shown if the attribute has been added, a '-' if it has been removed, a ':' if the attribute is ignored (but not forced) or a ' ' if the at‐ tribute has not been checked. The exceptions to this are: (1) a newly created file replaces each letter with a '+', and (2) a removed file replaces each letter with a '-'. The attribute that is associated with each letter is as follows: o A l means that the link name has changed. o A b means that the block count has changed. o A p means that the permissions have changed. o An u means that the uid has changed. o A g means that the gid has changed. o An a means that the access time has changed. o A m means that the modification time has changed. o A c means that the change time has changed. o An i means that the inode has changed. o A n means that the link count has changed. o A H means that one or more message digests have changed. 
The following letters are only available when explicitly enabled using config‐ ure: o A A means that the access control list has changed. o A X means that the extended attributes have changed. o A S means that the SELinux attributes have changed. o A E means that the file attributes on a second extended file system have changed. o A C means that the file capabilities have changed. report_ignore_added_attrs (type: attribute expression, default: empty, added in AIDE v0.16) Attributes whose addition is to be ignored in the report. report_ignore_removed_attrs (type: attribute expression, default: empty, added in AIDE v0.16) Attributes whose removal is to be ignored in the report. report_ignore_changed_attrs (type: attribute expression, default: empty, added in AIDE v0.16) ignore_list (REMOVED in AIDE v0.17) Attributes whose change is to be ignored in the report. report_force_attrs (type: attribute expression, default: empty, added in AIDE v0.16) report_attributes (REMOVED in AIDE v0.17) Attributes which are always printed in the report for changed files. If an at‐ tribute is both ignored and forced the attribute is not considered for file change but printed in the final report as long as the file has been otherwise changed. report_ignore_e2fsattrs (type: string, default: 0, added in AIDE v0.16) List (no delimiter) of ext2 file attributes which are to be ignored in the re‐ port. See chattr(1) for the available attributes. Use 0 (zero) to not ignore any attribute. Ignored attributes are represented by a ':' in the report. By default AIDE also reports changes of the read-only attributes mentioned in chattr(1) (see example below how to ignore those changes). Example: Ignore changes of the read-only ext2 file attributes verify (V), inline data (N), indexed directory (I) and encrypted (E): report_ignore_e2fsattrs=VNIE GROUPS Groups are aggregations of attributes. Group definitions have the format <group name> = <attribute expression>. 
Group names are limited to alphanumeric characters (A-Za-z0-9). See ATTRIBUTES for a description of all available attributes. Default groups R p+ftype+i+l+n+u+g+s+m+c+md5+X L p+ftype+i+l+n+u+g+X > Growing file p+ftype+l+u+g+i+n+s+growing+X H all compiled in hashsums (added in AIDE v0.17) X acl+selinux+xattrs+e2fsattrs+caps (if attributes are compiled in, added in AIDE v0.16) E Empty group Use 'aide --version' to list the default compound groups. RULES AIDE supports three types of rules: Regular rule: <regex> <attribute expression> Files and directories matching the regular expression are added to the database. Negative rule: !<regex> Files and directories matching the regular expression are ignored and not added to the database. The children of matching directories are also ignored. Equals rule: =<regex> <attribute expression> Files and directories matching the regular expression are added to the database. The children of directories are only added if the regular expression ends with a "/". The children of sub-directories are not added at all. Every regular expression has to start with an explicit "/". An implicit ^ is added in front of each regular expression. In other words, the regular expressions are matched at the first position against the complete path. Special characters can be escaped us‐ ing two-digit URL encoding (for example, %20 to represent a space). AIDE uses a deepest-match algorithm to find the tree node to search, but a first-match algorithm inside the node. (see also rule log level). See EXAMPLES for examples. More in-depth discussion of the selection algorithm can be found in the AIDE manual. RESTRICTED RULES Restricted rules are like normal rules but can be restricted to file types (added in AIDE v0.16). 
The following file types are supported: f restrict rule to regular files d restrict rule to directories l restrict rule to symbolic links c restrict rule to character devices b restrict rule to block devices p restrict rule to FIFO files s restrict rule to UNIX sockets D restrict rule to Solaris doors P restrict rule to Solaris event ports 0 empty restriction, i.e. don't restrict rule (added in AIDE v0.18) Multiple restrictions can be given as a comma-separated list. The syntax of restricted rules is as follows: Restricted regular rule <regex> <file types> <attribute expression> Restricted negative rule !<regex> <file types> Restricted equals rule =<regex> <file types> <attribute expression> MACRO LINES @@define VAR val Define variable VAR to value val. @@undef VAR Undefine variable VAR. @@if boolean_expression (added in AIDE v0.18) @@else @@endif @@if begins an if statement. It must be terminated with an @@endif statement. The lines between @@if and @@endif are used if the boolean_expression evaluates to true. If there is an @@else statement then the part between @@if and @@else is used if boolean_expression evaluates to true otherwise the part between @@else and @@endif is used. Available operators and functions in boolean expressions: not boolean_expression Evaluates to true if the boolean_expression is false, and false if the boolean_expression is true. defined VARIABLE Evaluates to true if VARIABLE is defined. hostname HOSTNAME Evaluates to true if HOSTNAME equals the hostname of the machine that AIDE is running on. hostname is the name of the host without the domainname (ie 'hostname', not 'hostname.example.com'). exists PATH Evaluates to true if PATH exists. 
@@ifdef VARIABLE (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)
    same as @@if defined VARIABLE

@@ifndef VARIABLE (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)
    same as @@if not defined VARIABLE

@@ifhost HOSTNAME (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)
    same as @@if hostname HOSTNAME

@@ifnhost HOSTNAME (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)
    same as @@if not hostname HOSTNAME

@@{VAR}
    @@{VAR} is replaced with the value of the variable VAR. If variable VAR is not defined an empty string is used. Variables are supported in strings and in regular expressions of selection lines.

    Pre-defined macro variables:
    @@{HOSTNAME}: hostname of the current system

@@include FILE
    Include FILE. The content of the file is used as if it were inserted in this part of the config file. The maximum depth of nested includes is 16.

@@include DIRECTORY REGEX [RULE_PREFIX] (added in AIDE v0.17)
    Include all (regular) files found in DIRECTORY matching regular expression REGEX (sub-directories are ignored). The files are included in lexical sort order. If RULE_PREFIX is set, all rules included by the statement are prefixed with the given RULE_PREFIX (added in AIDE v0.18). Prefixes from nested include statements are concatenated. The content of the files is used as if it were inserted in this part of the config file.

@@x_include FILE (added in AIDE v0.17)
@@x_include DIRECTORY REGEX [RULE_PREFIX] (added in AIDE v0.17)
    @@x_include is identical to @@include, except that if a config file is executable it is run and its output is used as config. If the executable file exits with a status greater than zero or writes to stderr, aide stops with an error. For security reasons DIRECTORY and each executable config file must be owned by the current user or root. They must not be group- or world-writable.

@@x_include_setenv VAR VALUE (added in AIDE v0.17)
    Adds the variable VAR with the value VALUE to the environment used for config file execution.
    Environment variable names are limited to alphanumeric characters (A-Za-z0-9) and the underscore '_' and must not begin with a digit.

TYPES
bool
    Valid values are yes, true, no or false.

attribute expression
    An attribute expression is of the following form:
        <attribute/group> | <expr> + <attribute/group> | <expr> - <attribute/group>

URLS
URLs can be one of the following. Input URLs cannot be used as outputs and vice versa.

stdout
stderr
    Output is sent to stdout, stderr respectively.
stdin
    Input is read from stdin.
file:/path
    Input is read from path or output is written to path.
fd:number
    Input is read from file descriptor number or output is written to number.
syslog:LOG_FACILITY
    Output is written to syslog using LOG_FACILITY.

ATTRIBUTES
File attributes
    ftype      file type (added in AIDE v0.15)
    p          permissions
    i          inode
    l          link name
    n          number of links
    u          user
    g          group
    s          size
    b          block count
    m          mtime
    a          atime
    c          ctime
    acl        access control list (requires libacl)
    selinux    selinux attributes (requires libselinux)
    xattrs     extended attributes (requires libattr)
    e2fsattrs  file attributes on a second extended file system, see also report_ignore_e2fsattrs option (requires libext2fs, added in AIDE v0.15)
    caps       file capabilities (requires libcap2, added in AIDE v0.17)

Use 'aide --version' to show which compiled-in attributes are available.

Special attributes
    S   check for growing size (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)
        Use growing+s attributes instead
    I   ignore changed filename
        When I is used, the inode of the old file is used to search for a moved file in the new database. Source and target file have to be located in the same directory and must share the same attributes (except for special attributes ANF, ARF, I, growing, and compressed). For moved entries a change of the ctime attribute is ignored.
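The MACRO LINES section above (@@define, @@undef, @@if/@@else/@@endif with the operators not, defined, hostname and exists, the deprecated @@ifdef forms, and @@{VAR} substitution), as an added Python example that is not AIDE's own code: it preprocesses a constructed configuration fragment into the lines AIDE would actually see. @@include and @@x_include are left out, and both the configuration text and the host name passed in are constructed for the demonstration.

```python
import os
import re
import socket

# Deprecated conditional forms, rewritten to the @@if syntax that replaces them.
DEPRECATED = {"@@ifdef": "defined", "@@ifndef": "not defined",
              "@@ifhost": "hostname", "@@ifnhost": "not hostname"}


def evaluate(expr, variables, hostname):
    """Boolean expression: any number of leading 'not', then exactly one of
    the functions 'defined VAR', 'hostname NAME' or 'exists PATH'."""
    tokens, negate = expr.split(), False
    while tokens and tokens[0] == "not":
        negate, tokens = not negate, tokens[1:]
    if len(tokens) != 2:
        raise ValueError("malformed boolean expression: " + expr)
    func, arg = tokens
    if func == "defined":
        result = arg in variables
    elif func == "hostname":
        result = arg == hostname
    elif func == "exists":
        result = os.path.exists(arg)
    else:
        raise ValueError("unknown function in boolean expression: " + func)
    return result != negate


def preprocess(text, hostname=None, environment=None):
    """Expand the macro lines of an aide.conf text. `environment` seeds the
    variable table; @@{HOSTNAME} is pre-defined with the short host name.
    @@include and @@x_include are not implemented in this example."""
    hostname = hostname or socket.gethostname().split(".")[0]
    variables = {"HOSTNAME": hostname, **(environment or {})}
    output, stack = [], []   # stack: (branch active, some branch taken) per open @@if

    def active():
        return all(flag for flag, _ in stack)

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        head, _, tail = line.partition(" ")
        if head in DEPRECATED:                      # @@ifndef X -> @@if not defined X
            head, tail = "@@if", f"{DEPRECATED[head]} {tail}"
        if head == "@@if":
            taken = active() and evaluate(tail, variables, hostname)
            stack.append((taken, taken))
        elif line == "@@else":
            if not stack:
                raise ValueError(f"line {lineno}: @@else without @@if")
            _, seen = stack.pop()
            stack.append((not seen and active(), True))
        elif line == "@@endif":
            if not stack:
                raise ValueError(f"line {lineno}: @@endif without @@if")
            stack.pop()
        elif not active():
            continue                                # inside a branch that is not used
        elif head == "@@define":
            name, _, value = tail.partition(" ")
            variables[name] = value.strip()
        elif head == "@@undef":
            variables.pop(tail.strip(), None)
        elif re.fullmatch(r"@@[a-z_]+", head):
            raise ValueError(f"line {lineno}: unsupported macro line: {line}")
        else:
            # @@{VAR} is replaced by its value, or by an empty string if undefined
            output.append(re.sub(r"@@\{([A-Za-z0-9_]+)\}",
                                 lambda m: variables.get(m.group(1), ""), raw))
    if stack:
        raise ValueError("@@if without @@endif")
    return "\n".join(output)


if __name__ == "__main__":
    # constructed configuration fragment; the host name is constructed as well
    CONFIG = """\
@@define DBDIR /var/lib/aide
database_in=file:@@{DBDIR}/aide.db
database_out=file:@@{DBDIR}/aide.db.new
@@if hostname webserver
/var/www/htdocs Full
@@else
/srv Full
@@endif
@@ifndef NOLOGS
/var/log/@@{HOSTNAME}\\.log$ f ActLog
@@endif
"""
    print(preprocess(CONFIG, hostname="webserver"))
```

Nested @@if blocks work because every level keeps its own (active, taken) pair on the stack and a line is emitted only while all open levels are active; an @@define inside an inactive branch is skipped, just as the text between @@if and @@endif is.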
    growing   ignore growing file (added in AIDE v0.18)
        When growing is used, changes of the following attributes are ignored:
            size:      if new size is greater than old size
            bcount:    if new bcount is greater than old bcount
            atime:     if new atime is greater than old atime
            mtime:     if new mtime is greater than old mtime
            ctime:     if new ctime is greater than old ctime
            hashsums:  if the hashsum of the new file restricted to the old size equals the hashsums of the old file
        For hashsum attributes the growing attribute is ignored in compare mode.
    compressed   ignore compressed file (added in AIDE v0.18)
        When compressed is used, the uncompressed hashsums of the new compressed file (supported compressions: gzip) are used to search for the uncompressed file in the old database. The old uncompressed and the new compressed file have to be located in the same directory and must share the same attributes (except for special attributes ANF, ARF, I, growing, and compressed) including at least one hashsum. Changes of the inode, size, bcount and ctime attributes are ignored. The growing attribute (i.e. the old file size) is not considered for compressed files during the calculation of the uncompressed hashsums. The compressed attribute is ignored in compare mode.
    ANF   allow new files
        When 'ANF' is used, new files are added to the new database, but are ignored in the report.
    ARF   allow removed files
        When 'ARF' is used, files missing on disk are omitted from the new database, but are ignored in the report.
Hashsum attributes
    md5         MD5 checksum (not in libgcrypt FIPS mode)
    sha1        SHA-1 checksum
    sha256      SHA-256 checksum
    sha512      SHA-512 checksum
    rmd160      RIPEMD-160 checksum
    tiger       tiger checksum
    haval       haval256 checksum (libmhash only)
    crc32       crc32 checksum
    crc32b      crc32 checksum (libmhash only)
    gost        GOST R 34.11-94 checksum
    whirlpool   whirlpool checksum
    stribog256  GOST R 34.11-2012, 256 bit checksum (libgcrypt only, added in AIDE v0.17)
    stribog512  GOST R 34.11-2012, 512 bit checksum (libgcrypt only, added in AIDE v0.17)

Use 'aide --version' to show which hashsums are available.

EXAMPLES
/ R
    This adds all files on your machine to the database. This one line is a fully qualified configuration file.

!/dev$
    This ignores the /dev directory structure.

=/foo R
    Only /foo and /foobar are taken into the database. None of their children are added.

=/foo/ R
    Only /foo and its children (e.g. /foo/file and /foo/directory) are taken into the database. The children of sub-directories (e.g. /foo/directory/bar) are not added.

/ d,f R
    Only add directories and files to the database

!/run d
/run R
    Add all but directory entries to the database

/run d R-m-c-i
/run R
    Use specific rule for directories

Suggested Groups
OwnerMode = p+u+g+ftype
    Check permissions, owner, group and file type
Size = s+b
    Check size and block count
InodeData = OwnerMode+n+i+Size+l+X
StaticFile = m+c+Checksums
    Files that stay static
Full = InodeData+StaticFile

Full = ftype+p+l+u+g+s+m+c+a+i+b+n+H+X
/ 0 Full
    This line defines group Full. It has all attributes, all compiled in hashsums (H) and all compiled in extra file attributes (X). See '--version' output for the compiled in hashsums and extra groups. The example rule is the typical catch-all rule at the end of the rule list.

VarTime = InodeData+Checksums
/etc/ssl/certs/ca-certificates\.crt$ VarTime
    Files that change their mtimes or ctimes but not their contents.
VarInode = VarTime-i
/var/lib/nfs/etab$ f VarInode
    Files that are recreated regularly but do not change their contents

VarFile = OwnerMode+n+l+X
/etc/resolv\.conf$ f VarFile
    Files that change their contents during system operation

VarDir = OwnerMode+n+i+X
/var/lib/snmp$ d VarDir
    Directories that change their contents during system operation

RecreatedDir = OwnerMode+n+X
/run/samba$ d RecreatedDir
    Directories that are recreated regularly and change their contents

Log Handling
Logs pose a number of special challenges to AIDE. An active log is nearly constantly being written to. The process of log rotation changes file names for files that are supposed to have unaltered contents. To save space, logs are compressed in the process of their rotation, and finally, they get deleted. AIDE is supposed to handle all those cases without generating reports, and it is still expected to flag the cases when an attacker tampers with logs.

The following examples suggest a way to handle the common case of log rotation with the logrotate(8) program, with its options compress, delaycompress and nocopytruncate set. The vast majority of logs are rotated this way on most Linux systems.

ActLog=Full+growing+ANF+I
/var/log/foo\.log$ f ActLog
    An Active Log is typically named foo.log. It is constantly being written to. The file changes neither its mode nor its inode number. The size only increases, and what is written to the file is not supposed to change (growing). During log rotation, foo.log is typically renamed to foo.log.1 (or foo.log.0) and the process is instructed to write to a new foo.log. Log content is written to a new file (ANF) and will eventually be renamed to foo.log.1 (I). The growing attribute suppresses reports for files that just had content appended when compared to the database. A change of the old content is still reported!
RotLog=Full
/var/log/foo\.log\.1$ f RotLog
    foo.log.0 or foo.log.1 is called the Rotated Log, the previously active log renamed to the first name of the Log Series that is formed by the rotation mechanism. Right after rotation, the file might still be written to by the daemon. To aide, this looks like the Active Log's size decreases and its inode and timestamps change. The Rotated Log is not supposed to change its attributes once the process has stopped writing to it. Reports might be generated if aide runs while the process still writes to the Rotated Log, but this is quite unlikely to happen. Some log rotation mechanisms rename foo.log to foo.log.0 to foo.log.1.gz, others rename foo.log to foo.log.1 to foo.2.log.gz.

CompSerLog=Full+I+compressed
/var/log/foo\.log\.2\.gz$ f CompSerLog
    In the next rotation step, foo.log.1 gets compressed to foo.log.2.gz, becoming the Compressed Log in the Log Series. With this rule, AIDE does not report this step because it uncompresses the contents of the file and takes the checksum of the uncompressed content. The contents strictly don't change, but some attribute changes are ignored (compressed).

MidlSerLog=Full+I
/var/log/foo\.log\.[345]\.gz$ f MidlSerLog
    In the next log rotation, all foo.log.{x} get renamed to foo.log.{x+1}. The other attributes are not supposed to change.

LastSerLog=Full+ARF
/var/log/foo\.log\.6\.gz$ f LastSerLog
    The configuration of the log rotation process specifies a number of log generations to keep. The last log in the series is therefore removed from the disk (ARF).

aide 0.18 does not yet support the following cases of log rotation:

empty files
    It might be the case that a log is actually created, but never written to. This commonly happens on rarely used web servers that use the log rotation as a method to cater for data protection regulation. As a result, all files in a series are identical, breaking the heuristics that aide uses to detect log rotation.
    A possible workaround is to begin a newly rotated log with a timestamp. With logrotate, this can be done in a postrotate scriptlet.

nodelaycompress
    With logrotate's nodelaycompress option, a log is immediately compressed after renaming it from the Active Log name. For the time being, it is recommended to always use the delaycompress option to avoid this behavior.

copytruncate
    With logrotate's copytruncate option, the Active Log is not renamed and newly created but copied to the new file name. After the copy operation, the old file is truncated to zero size, allowing the daemon to continuously write to the already open file handle. aide uses the inode number to detect the rotation process. That doesn't work with copytruncate because the inode stays with the Active Log. For the time being, it is recommended to avoid the copytruncate option to avoid this behavior.

HINTS
In the following, the first is not allowed in AIDE. Use the latter instead.
    /foo epug
    /foo e+p+u+g

SEE ALSO
aide(1)

DISCLAIMER
All trademarks are the property of their respective owners.
No animals were harmed while making this webpage or this piece of software.

aide v0.18.8                        2024-05-09                        AIDE.CONF(5)
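The Log Handling series of the man page above (ActLog, RotLog, CompSerLog, MidlSerLog, LastSerLog) together with the special attributes growing, I, compressed, ANF and ARF, as an added Python example that is neither part of the man page nor AIDE's code: it models the database of a previous run and the disk state after one logrotate run, pairs old and new entries the way those attributes describe, and shows that a clean rotation produces no report while a rewrite of already-recorded log content, or the copytruncate case from the unsupported list, still does. Inode numbers, ctimes, log contents and the matching order (inode first, then path, then uncompressed hashsum) are constructed assumptions for the demonstration, and only i, s, c and sha256 stand in for the Full group.

```python
import gzip
import hashlib
import os
import re
from collections import namedtuple

Entry = namedtuple("Entry", "inode ctime content")  # constructed state of one file

# Special attributes of the man page's log series rules; all share the base
# group Full (modelled here as i, s, c and sha256), as I and compressed require.
SPECIAL = [(r"/var/log/foo\.log$", {"growing", "ANF", "I"}),     # ActLog
           (r"/var/log/foo\.log\.1$", set()),                    # RotLog
           (r"/var/log/foo\.log\.2\.gz$", {"I", "compressed"}),  # CompSerLog
           (r"/var/log/foo\.log\.[345]\.gz$", {"I"}),            # MidlSerLog
           (r"/var/log/foo\.log\.6\.gz$", {"ARF"})]              # LastSerLog

def special(path):
    """Special attributes of the first rule matching path (implicit leading ^)."""
    return next((s for rx, s in SPECIAL if re.match(rx, path)), set())

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def diff(old, new, flags, moved):
    """Base attributes that changed, honouring growing (append-only) and the
    moved-file ctime exception; growing hashes only the first old-size bytes."""
    changed, osize, growing = [], len(old.content), "growing" in flags
    if old.inode != new.inode:
        changed.append("i")
    if len(new.content) != osize and not (growing and len(new.content) > osize):
        changed.append("s")
    if new.ctime != old.ctime and not moved and not (growing and new.ctime > old.ctime):
        changed.append("c")
    if sha256(new.content[:osize] if growing else new.content) != sha256(old.content):
        changed.append("sha256")
    return changed

def compare(old_db, new_fs):
    """Both arguments map path -> Entry (previous run / current disk). Entries
    are paired by inode (I on the old rule), then by path, then by uncompressed
    hashsum (compressed on the new rule); this order is a modelling choice that
    reproduces the report-free rotation the man page describes."""
    old, new, pairs = dict(old_db), set(new_fs), []
    same_dir = lambda a, b: os.path.dirname(a) == os.path.dirname(b)

    def pair(o, n, via_compressed=False):
        pairs.append((o, n, via_compressed)); del old[o]; new.remove(n)

    for o, e in list(old.items()):                    # pass 1: moved files (I)
        if "I" in special(o):
            n = next((p for p in sorted(new) if same_dir(p, o) and new_fs[p].inode == e.inode), None)
            if n:
                pair(o, n)
    for o in [p for p in old if p in new]:            # pass 2: same path
        pair(o, o)
    for n in sorted(new):                             # pass 3: compressed counterpart
        if "compressed" in special(n):
            try:
                digest = sha256(gzip.decompress(new_fs[n].content))
            except (OSError, EOFError):               # not gzip data
                continue
            o = next((p for p in old if same_dir(p, n) and sha256(old_db[p].content) == digest), None)
            if o:
                pair(o, n, True)
    findings = []
    for o, n, via_compressed in pairs:
        if via_compressed:            # i, s, b, c changes ignored; hashsums already matched
            continue
        changed = diff(old_db[o], new_fs[n], special(o), moved=o != n)
        if changed:
            findings.append(("changed", f"{o} -> {n}", changed))
    findings += [("removed", p, []) for p in old if "ARF" not in special(p)]
    findings += [("added", p, []) for p in new if "ANF" not in special(p)]
    return findings

def generation(n):
    """Constructed content of log generation n (all generations have equal length)."""
    return b"".join(b"2024-05-09 app[1]: event %d of generation %d\n" % (k, n) for k in range(5))

def build_scenario(tamper=False, copytruncate=False):
    """Previous-run database and disk state after one logrotate run with
    compress + delaycompress (+ nocopytruncate unless copytruncate is set)."""
    d, gen = "/var/log/", [generation(n) for n in range(8)]   # gen[0] newest
    old = {d + "foo.log": Entry(100, 10, gen[1]), d + "foo.log.1": Entry(99, 9, gen[2])}
    for n in range(2, 7):
        old[f"{d}foo.log.{n}.gz"] = Entry(100 - n, 10 - n, gzip.compress(gen[n + 1]))
    rotated = gen[1] + b"2024-05-09 app[1]: final line before rotation\n"
    if tamper:                        # overwrite bytes inside the old content, same length
        rotated = rotated[:20] + b"TAMPERED" + rotated[28:]
    new = {d + "foo.log": Entry(101, 20, gen[0]),            # new inode, fresh content
           d + "foo.log.1": Entry(100, 21, rotated),         # old inode, content appended
           d + "foo.log.2.gz": Entry(102, 22, gzip.compress(gen[2]))}
    for n in range(3, 7):                                    # foo.log.{x}.gz -> foo.log.{x+1}.gz
        prev = old[f"{d}foo.log.{n - 1}.gz"]
        new[f"{d}foo.log.{n}.gz"] = Entry(prev.inode, 20 + n, prev.content)
    if copytruncate:   # inode stays with the active log; the copy gets a new one
        new[d + "foo.log"], new[d + "foo.log.1"] = Entry(100, 20, gen[0]), Entry(103, 21, rotated)
    return old, new

if __name__ == "__main__":
    for name, kw in [("rotation", {}), ("tampered", {"tamper": True}), ("copytruncate", {"copytruncate": True})]:
        print(f"{name}: {compare(*build_scenario(**kw)) or 'no report'}")
```

The clean run yields no findings: the old foo.log is found again as foo.log.1 through its inode, the growing rule accepts the appended lines because the hash of the first old-size bytes still matches, foo.log.2.gz is matched to the old foo.log.1 through its uncompressed hashsum, the new foo.log is covered by ANF and the vanished foo.log.6.gz by ARF. Overwriting bytes that were already in the database produces exactly one finding on the hashsum, and with copytruncate the inode no longer travels with the content, so the active log is reported as changed and foo.log.2.gz as added.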