[Aide] Experimenting with exclusion rules

Hannes von Haugwitz hannes at vonhaugwitz.com
Fri Dec 18 18:16:44 EET 2020 

Hello,

On Wed, Dec 16, 2020 at 04:28:09PM -0300, Andreas Hasenack wrote:
> Why did the exclusion regexp "!/check/ignore$" ignore the new file
> /check/ignore/andreas-was-here? Shouldn't it match just
> "/check/ignore" exactly? What am I missing?

This is expected behaviour, as children of directories matching negative
selection lines are also ignored. I adjusted the description for
negative selection lines in aide.conf.5 as follows in 5fd96b2[0]:

   Negative selection line:

      !<regex>

      Files and directories matching the regular expression are ignored
      and not added to the database.

For a better understanding (and as a sneak preview for the new logging
feature currently in development) you can see the rule tree and the rule
processing for '/check/ignore' below:

   RULE: rule tree:
   RULE: + /:
   RULE: |  '/check (none) l+p+u+g+s+c+m+i+n+md5+ftype' (aide.conf:13: '/check R')
   RULE: |
   RULE: +  /check:
   RULE: |    '!/check/ignore$ (none)' (aide.conf:12: '!/check/ignore$')

   RULE: process '/check/ignore' (filetype: d)
   RULE: check '/check/ignore'
   RULE:  node: '/check': skip equal list (reason: list is empty)
   RULE:  node: '/check': skip selective list (reason: list is empty)
   RULE:   node: '/' skip equal list (reason: not on top level)
   RULE:   node: '/': check selective list
   RULE:     '/check/ignore' matches regex '/check' and restriction '(none)' of selective rule (aide.conf:13: '/check R')
   RULE:   selective match for '/check/ignore' (node: '/')
   RULE:   node: '/': skip negative list (reason: list is empty)
   RULE:  node: '/check': check negative list (reason: previous positive match)
   RULE:   '/check/ignore' matches regex '/check/ignore$' and restriction '(none)' of negative rule (aide.conf:12: '!/check/ignore$')
   RULE: negative match for '/check/ignore'
   RULE: do NOT add '/check/ignore' to the tree


> If I change the exclusion rule to "!/check/ignore/", then the new file
> is still ignored, but the "/check/ignore" directory modification is
> caught with "d >.... mc.. .. .: /check/ignore "

If you add a trailing slash to the rule '/check/ignore' is no longer
matched by your rule, but the childrens of the directory are:

   RULE: rule tree:
   RULE: + /:
   RULE: |  '/check (none) l+p+u+g+s+c+m+i+n+md5+ftype' (aide.conf:13: '/check R')
   RULE: |
   RULE: +  /check:
   RULE: +    /check/ignore:
   RULE: |      '!/check/ignore/ (none)' (aide.conf:12: '!/check/ignore/')
   RULE: |

   RULE: process '/check/ignore' (filetype: d)
   RULE: check '/check/ignore'
   RULE:  node: '/check': skip equal list (reason: list is empty)
   RULE:  node: '/check': skip selective list (reason: list is empty)
   RULE:   node: '/' skip equal list (reason: not on top level)
   RULE:   node: '/': check selective list
   RULE:     '/check/ignore' matches regex '/check' and restriction '(none)' of selective rule (aide.conf:13: '/check R')
   RULE:   selective match for '/check/ignore' (node: '/')
   RULE:   node: '/': skip negative list (reason: list is empty)
   RULE:  node: '/check': skip negative list (reason: list is empty)
   RULE: ADD '/check/ignore' to the tree (attr: 'l+p+u+g+s+c+m+i+n+md5+ftype')
   RULE: process '/check/ignore/should-be-ignored' (filetype: f)
   RULE: check '/check/ignore/should-be-ignored'
   RULE:  node: '/check/ignore': skip equal list (reason: list is empty)
   RULE:  node: '/check/ignore': skip selective list (reason: list is empty)
   RULE:   node: '/check' skip equal list (reason: not on top level)
   RULE:   node: '/check': skip selective list (reason: list is empty)
   RULE:     node: '/' skip equal list (reason: not on top level)
   RULE:     node: '/': check selective list
   RULE:       '/check/ignore/should-be-ignored' matches regex '/check' and restriction '(none)' of selective rule (aide.conf:13: '/check R')
   RULE:     selective match for '/check/ignore/should-be-ignored' (node: '/')
   RULE:     node: '/': skip negative list (reason: list is empty)
   RULE:   node: '/check': skip negative list (reason: list is empty)
   RULE:  node: '/check/ignore': check negative list (reason: previous positive match)
   RULE:   '/check/ignore/should-be-ignored' matches regex '/check/ignore/' and restriction '(none)' of negative rule (aide.conf:12: '!/check/ignore/')
   RULE: negative match for '/check/ignore/should-be-ignored'
   RULE: do NOT add '/check/ignore/should-be-ignored' to the tree

Best regards

Hannes

PS.: Please refrain from opening issues at github.com[1] when you asked
the very same question here on the AIDE mailing list 2 days ago.

[0] https://github.com/aide/aide/commit/5fd96b2fab486264799415ebd818b02ad83dc276
[1] https://github.com/aide/aide/issues/82

More information about the Aide mailing list