Home / server / Questions / 583987
Accepted
Alastair Irvine
Asked: 2014-03-24 07:12:59 +0800 CST

How do I interpret aide.log change summary

  • 772

In the Changed files section of /var/log/aide/aide.log there are prefixes on each line starting with f or d. These signify what aspects of the file has changed, but I can't seem to track down what they mean. (Obviously I could look at the detailed data for the file further down the log file, but a definitive reference for the summary lines is important for grepping.)

Here are some examples:

f >.p.. mci.CA. .: /etc/passwd-
d =.... mc.. .. .: /bin
f =.... mci.C.. .: /bin/ip
d =.... mc.n A. .: /u1/home
linux

1 Answers

  1. Best Answer

    This is detailed in the aide.conf manual page, reproduced here for completeness, and is a configurable attribute of the generated reports:

    summarize_changes

    Whether to summarize changes in the added, removed and changed files sections of the report or not. Valid values are yes,true,no and false. The default is not to summarize the changes.

    The general format is like the string YlZbpugamcinCAXS, where Y is replaced by the file-type (f for a regular file, d for a directory, L for a symbolic link, D for a character device, B for a block device, F for a FIFO, s for a unix socket and ? otherwise).

    The Z is replaced as follows: A = means that the size has not changed, a < reports a shrinked size and a > reports a grown size.

    The other letters in the string are the actual letters that will be output if the associated attribute for the item has been changed or a "." for no change, a "+" if the attribute has been added, a "-" if it has been removed, a ":" if the attribute is listed in ignore_list or a " " if the attribute has not been checked. The exceptions to this are: (1) a newly created file replaces each letter with a "+", and (2) a removed file replaces each letter with a "-".

    The attribute that is associated with each letter is as follows:

    • A l means that the link name has changed.
    • A b means that the block count has changed.
    • A p means that the permissions have changed.
    • An u means that the uid has changed.
    • A g means that the gid has changed.
    • An a means that the access time has changed.
    • A m means that the modification time has changed.
    • A c means that the change time has changed.
    • An i means that the inode has changed.
    • A n means that the link count has changed.
    • A C means that one or more checksums have changed.
    • A A means that the access control list has changed.
    • A X means that the extended attributes have changed.
    • A S means that the SELinux attributes have changed.
    • 4