[Aide] Experimenting with exclusion rules

[Andreas Hasenack]

Hi,

I thought I had a grasp of aide's rules, but this simple experiment is
confusing me:

aide 0.16.2-1 from debian experimental

I have these configs only:
root at b1-aide:/etc/aide/aide.conf.d# cat *
!/check/ignore$
/check Full

And this directory structure:
root at b1-aide:/etc/aide/aide.conf.d# tree /check/
/check/
├── ignore
│   └── should-be-ignored
└── ignorenot
    └── hello-must-appear

2 directories, 2 files

I initialize the db in this state, and then make this change:
root at b1-aide:/etc/aide/aide.conf.d# touch /check/ignore/andreas-was-here


To my surprise, aide.wrapper -C is clear:

root at b1-aide:/etc/aide/aide.conf.d# aide.wrapper -C
Start timestamp: 2020-12-16 19:22:12 +0000 (AIDE 0.16.2)
AIDE found NO differences between database and filesystem. Looks okay!!
Verbose level: 6

Number of entries:      3

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db
  SHA256   : VK30tpFOag5VATsTVNpJi5xXMm0qkEnh
             GfovUQvFoFw=


End timestamp: 2020-12-16 19:22:12 +0000 (run time: 0m 0s)


Why did the exclusion regexp "!/check/ignore$" ignore the new file
/check/ignore/andreas-was-here? Shouldn't it match just
"/check/ignore" exactly? What am I missing?

If I change the exclusion rule to "!/check/ignore/", then the new file
is still ignored, but the "/check/ignore" directory modification is
caught with "d >.... mc.. .. .: /check/ignore "