
My question is about the flags displayed by AIDE for each file in the daily email reports. For example, for new files it shows the following:

f++++++++++++++++: /var/cache/apt/archives/squashfs-tools_1%3a4.4-1ubuntu0.1_amd64.deb

I can deduce that f stands for file and I have seen d which stands for directory. But what other flags can possibly come here? What about the ++++++++++++++++, does it signify anything?

Now things are more interesting for modified files:

d =.... mc.. ..  : /run/motd.d/fwupd
f =.... mci....  : /run/motd.d/fwupd/85-fwupd
f >b... mc..C.. .: /var/cache/apt/pkgcache.bin
f <.... mc..C.. .: /var/cache/apt/srcpkgcache.bin
f =.... .c..... .: /var/lib/PackageKit/transactions.db

I could not find any documentation with details of what these mean. Any help to understand this is much appreciated.

Xuo Guoto

1 Answer


The flags are described in the aide.conf manual page (see man 5 aide.conf):

       report_summarize_changes (type: bool, default: true)
       summarize_changes (DEPRECATED, will be removed in a future release)
              Summarize changes in the added, removed and changed files sections of the report.

              The general format is like the string YlZbpugamcinHAXSEC, where Y is replaced by the file-type (f for a regular file, d for a directory, l for a symbolic link, c for a character device, b for a block device, p for a FIFO, s for a unix socket, D for a Solaris door, P for a Solaris event port, ! if file type has changed and ? otherwise).

              The Z is replaced as follows: A = means that the size has not changed, a < reports a shrinked size and a > reports a grown size.

              The other letters in the string are the actual letters that will be output if the associated attribute for the item has been changed or a "." for no change, a "+" if the attribute has been added, a "-" if it has been removed, a ":" if the attribute is
              ignored (but not forced) or a " " if the attribute has not been checked. The exceptions to this are: (1) a newly created file replaces each letter with a "+", and (2) a removed file replaces each letter with a "-".

              The attribute that is associated with each letter is as follows:

              o      A l means that the link name has changed.

              o      A b means that the block count has changed.

              o      A p means that the permissions have changed.

              o      An u means that the uid has changed.

              o      A g means that the gid has changed.

              o      An a means that the access time has changed.

              o      A m means that the modification time has changed.

              o      A c means that the change time has changed.

              o      An i means that the inode has changed.

              o      A n means that the link count has changed.

              o      A H means that one or more message digests have changed.

              The following letters are only available when explicitly enabled using configure:

              o      A A means that the access control list has changed.

              o      A X means that the extended attributes have changed.

              o      A S means that the SELinux attributes have changed.

              o      A E means that the file attributes on a second extended file system have changed.

              o      A C means that the file capabilities have changed.

(aide v0.17.3)

hvhaugwitz
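A parser for this summary format, added here as an example that is not part of the question, the answer or AIDE itself: it splits the fixed-width flag field according to the template from the man page and reports which attributes changed, were not checked, or were ignored, which is what you want when triaging a daily report (a changed digest on a binary matters far more than a touched mtime). It assumes the question's 17-column lines follow the older 17-letter template in which C meant checksum (an assumption, flagged in the code; confirm against the installed aide.conf man page), and carries the 0.17.3 template from the answer for current releases.

```python
from dataclasses import dataclass, field

# Template quoted from the aide 0.17.3 man page in the answer above.
TEMPLATE_017 = "YlZbpugamcinHAXSEC"
# Assumption: the question's lines are 17 columns wide, matching the older 17-letter
# template (C = checksum, no capabilities column); verify against your own man page.
TEMPLATE_016 = "YlZbpugamcinCAXSE"
FILE_TYPES = set("fdlcbpsDP!?")        # Y column, as listed in the man page


@dataclass
class Entry:
    path: str
    file_type: str
    status: str                # "added", "removed" or "changed"
    size: str = ""             # "=", "<", ">" (or " " if size was not checked)
    marks: dict = field(default_factory=dict)   # attribute letter -> raw mark

    def attrs(self, kind):
        """Letters whose mark means `kind`: the letter itself for "changed",
        "+" added, "-" removed, ":" ignored, " " unchecked, "." same."""
        want = {"added": "+", "removed": "-", "ignored": ":",
                "unchecked": " ", "same": "."}
        return {l for l, m in self.marks.items() if m == want.get(kind, l)}


def parse_summary_line(line, template=TEMPLATE_016):
    """Split one summarize_changes line into its fixed-width flag field and path."""
    width = len(template)
    flags, sep, path = line[:width], line[width:width + 2], line[width + 2:].rstrip("\n")
    if len(flags) != width or sep != ": " or flags[0] not in FILE_TYPES:
        raise ValueError(f"not a {width}-column summary line: {line!r}")
    file_type, body = flags[0], flags[1:]
    if set(body) == {"+"}:                       # newly created: every letter is "+"
        return Entry(path, file_type, "added")
    if set(body) == {"-"}:                       # removed: every letter is "-"
        return Entry(path, file_type, "removed")
    entry = Entry(path, file_type, "changed")
    for letter, mark in zip(template[1:], body):
        if letter == "Z":                        # size column: =, < or >
            entry.size = mark
        elif mark in (letter, "+", "-", ":", " ", "."):
            entry.marks[letter] = mark
        else:
            raise ValueError(f"unexpected mark {mark!r} for {letter}: {line!r}")
    return entry


def content_changed(entry, template=TEMPLATE_016):
    """True when the message-digest column reports a change (H in 0.17, C before)."""
    digest = "H" if "H" in template else "C"
    return digest in entry.attrs("changed")
```

Feeding the question's lines through `parse_summary_line` shows that only the two apt cache files had their digest (and size) change, while the motd entries differ only in mtime and ctime.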