[Aide] Experimenting with exclusion rules
Hannes von Haugwitz
hannes at vonhaugwitz.com
Fri Dec 18 18:16:44 EET 2020
Hello,
On Wed, Dec 16, 2020 at 04:28:09PM -0300, Andreas Hasenack wrote:
> Why did the exclusion regexp "!/check/ignore$" ignore the new file
> /check/ignore/andreas-was-here? Shouldn't it match just
> "/check/ignore" exactly? What am I missing?
This is expected behaviour, as children of directories matching negative
selection lines are also ignored. I adjusted the description for
negative selection lines in aide.conf.5 as follows in 5fd96b2[0]:
Negative selection line:
!<regex>
Files and directories matching the regular expression are ignored
and not added to the database.
For a better understanding (and as a sneak preview for the new logging
feature currently in development) you can see the rule tree and the rule
processing for '/check/ignore' below:
RULE: rule tree:
RULE: + /:
RULE: | '/check (none) l+p+u+g+s+c+m+i+n+md5+ftype' (aide.conf:13: '/check R')
RULE: |
RULE: + /check:
RULE: | '!/check/ignore$ (none)' (aide.conf:12: '!/check/ignore$')
RULE: process '/check/ignore' (filetype: d)
RULE: check '/check/ignore'
RULE: node: '/check': skip equal list (reason: list is empty)
RULE: node: '/check': skip selective list (reason: list is empty)
RULE: node: '/' skip equal list (reason: not on top level)
RULE: node: '/': check selective list
RULE: '/check/ignore' matches regex '/check' and restriction '(none)' of selective rule (aide.conf:13: '/check R')
RULE: selective match for '/check/ignore' (node: '/')
RULE: node: '/': skip negative list (reason: list is empty)
RULE: node: '/check': check negative list (reason: previous positive match)
RULE: '/check/ignore' matches regex '/check/ignore$' and restriction '(none)' of negative rule (aide.conf:12: '!/check/ignore$')
RULE: negative match for '/check/ignore'
RULE: do NOT add '/check/ignore' to the tree
> If I change the exclusion rule to "!/check/ignore/", then the new file
> is still ignored, but the "/check/ignore" directory modification is
> caught with "d >.... mc.. .. .: /check/ignore "
If you add a trailing slash to the rule, '/check/ignore' is no longer
matched by your rule, but the children of the directory are:
RULE: rule tree:
RULE: + /:
RULE: | '/check (none) l+p+u+g+s+c+m+i+n+md5+ftype' (aide.conf:13: '/check R')
RULE: |
RULE: + /check:
RULE: + /check/ignore:
RULE: | '!/check/ignore/ (none)' (aide.conf:12: '!/check/ignore/')
RULE: |
RULE: process '/check/ignore' (filetype: d)
RULE: check '/check/ignore'
RULE: node: '/check': skip equal list (reason: list is empty)
RULE: node: '/check': skip selective list (reason: list is empty)
RULE: node: '/' skip equal list (reason: not on top level)
RULE: node: '/': check selective list
RULE: '/check/ignore' matches regex '/check' and restriction '(none)' of selective rule (aide.conf:13: '/check R')
RULE: selective match for '/check/ignore' (node: '/')
RULE: node: '/': skip negative list (reason: list is empty)
RULE: node: '/check': skip negative list (reason: list is empty)
RULE: ADD '/check/ignore' to the tree (attr: 'l+p+u+g+s+c+m+i+n+md5+ftype')
RULE: process '/check/ignore/should-be-ignored' (filetype: f)
RULE: check '/check/ignore/should-be-ignored'
RULE: node: '/check/ignore': skip equal list (reason: list is empty)
RULE: node: '/check/ignore': skip selective list (reason: list is empty)
RULE: node: '/check' skip equal list (reason: not on top level)
RULE: node: '/check': skip selective list (reason: list is empty)
RULE: node: '/' skip equal list (reason: not on top level)
RULE: node: '/': check selective list
RULE: '/check/ignore/should-be-ignored' matches regex '/check' and restriction '(none)' of selective rule (aide.conf:13: '/check R')
RULE: selective match for '/check/ignore/should-be-ignored' (node: '/')
RULE: node: '/': skip negative list (reason: list is empty)
RULE: node: '/check': skip negative list (reason: list is empty)
RULE: node: '/check/ignore': check negative list (reason: previous positive match)
RULE: '/check/ignore/should-be-ignored' matches regex '/check/ignore/' and restriction '(none)' of negative rule (aide.conf:12: '!/check/ignore/')
RULE: negative match for '/check/ignore/should-be-ignored'
RULE: do NOT add '/check/ignore/should-be-ignored' to the tree
Best regards
Hannes
PS.: Please refrain from opening issues at github.com[1] when you asked
the very same question here on the AIDE mailing list 2 days ago.
[0] https://github.com/aide/aide/commit/5fd96b2fab486264799415ebd818b02ad83dc276
[1] https://github.com/aide/aide/issues/82
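
The following is an added example, not part of the original message and not AIDE's own code: a simplified Python model of the pruning behaviour described above, showing which paths stay monitored under `!/check/ignore$` versus `!/check/ignore/`. The names `TREE`, `parse_rules` and `monitored` and the sample paths are constructed for illustration; the model assumes regexes are anchored only at the start of the path, as the prefix match of `/check` in the log output suggests.

```python
import re

# Constructed sample tree (path -> 'd' directory or 'f' file); not from a real host.
TREE = {
    "/check": "d",
    "/check/ignore": "d",
    "/check/ignore/should-be-ignored": "f",
    "/check/ignore/andreas-was-here": "f",
    "/check/ignored-sibling": "f",
    "/check/other": "f",
}

def parse_rules(lines):
    """Split aide.conf-style lines into selective and negative regex lists."""
    selective, negative = [], []
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("!"):
            negative.append(re.compile(fields[0][1:]))
        else:
            selective.append(re.compile(fields[0]))
    return selective, negative

def monitored(tree, rule_lines):
    """Return the paths that would be added to the database (simplified model)."""
    selective, negative = parse_rules(rule_lines)
    added, pruned = [], []
    for path in sorted(tree):  # parents sort before their children
        if any(path.startswith(d + "/") for d in pruned):
            continue  # child of a directory that hit a negative rule
        # re.match anchors at the start only, like the prefix match in the log
        if not any(r.match(path) for r in selective):
            continue
        if any(r.match(path) for r in negative):
            if tree[path] == "d":
                pruned.append(path)  # its children are ignored as well
            continue
        added.append(path)
    return added

if __name__ == "__main__":
    for neg in ("!/check/ignore$", "!/check/ignore/"):
        print(neg, "->", monitored(TREE, ["/check R", neg]))
```

In this model the `$` keeps the rule from matching the sibling `/check/ignored-sibling`, but it does not keep files created inside `/check/ignore` under watch; only the trailing-slash form leaves the directory entry itself in the database.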