[Aide] AIDE equals matching broken after 0.10

Brian De Wolf bldewolf at csupomona.edu
Thu Dec 20 03:54:45 EET 2007


Greetings,

We were recently upgrading packages and we moved from 0.10 to 0.13.1 of AIDE. 
Unfortunately, our matching stopped working correctly after this upgrade.  The 
equals matches would not match, leaving us with directories and files that 
reported changes that we were not concerned about.

I have tracked this issue down to a patch that was applied for a bug that didn't 
fix the issue it encountered correctly.  This was between CVS revisions 1.6 and 
1.7.  The bug that is related is at 
http://sourceforge.net/tracker/index.php?func=detail&aid=984424&group_id=86976&atid=581581 
also known as bug 984424.

Now, the original issue certainly is an actual bug.  During the 
check_node_for_match recursion, the equals list was checked for every parent 
node, rather than being checked only on the first node.  However, Zhi Wen Wong's 
fix did not remove these checks.  Instead, when one was matched as a regex, he 
made it also do a string comparison of the file and the regex, without the '^'. 
  Of course, as is in all of the examples, equal matches are recommended to have 
'$' at the end.  Since it seemed like a good idea we did this for all of our 
equal matches and, as you can guess, all of our equal matches failed to match 
after we upgraded.

Basically, instead of removing the erroneous checks, he converted equal checks 
into string comparisons which causes all equal checks in parent nodes to fail. 
(it is impossible for a match in /var to pass a string comparison with a file in 
/var/log/, since if it would match a string comparison it should have been in 
the /var/log/ node.)

I have written a patch that removes the string comparison code (so equal matches 
can be regexes like they're supposed to be) and fixes the check_node_for_match 
functionality to match that of the pseudo-code listed in the 0.13 manual.  This 
allows equal matches to work correctly.  I have attached this patch.

Should I also make a bug in the sourceforge tracker?

Thanks!
Brian De Wolf
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: aide-equ-matching.patch
Url: https://mailman.cs.tut.fi/pipermail/aide/attachments/20071219/6813d253/attachment.ksh 


More information about the Aide mailing list