[Aide] aide.conf: exclude directory *except* one file

M linuxntwrk at gmail.com
Sat Apr 10 01:17:10 EEST 2021


Hello Hannes,

I wanted to express a huge *thank you* for your help! Your solutions of
upgrading to aide 0.17.3 and the configuration you provided have worked for
me. I see that 0.17.3 is a big improvement.

Thanks again!

On Thu, Mar 25, 2021 at 2:25 PM Hannes von Haugwitz <hannes at vonhaugwitz.com>
wrote:

> Hello,
>
> On Wed, Mar 24, 2021 at 11:00:38AM -0700, M wrote:
> > Is there any advantage to upgrading to the latest AIDE version (I am
> > on 0.15.1)?
>
> AIDE 0.15.1 was released over 10 years ago. Please check the NEWS
> file[0] for the changes since then.
>
> > > On Wed, 24 Mar 2021 at 11:44, M <linuxntwrk at gmail.com> wrote:
> > >> I've found some other discussions about this (
> > >> https://www.ipi.fi/pipermail/aide/2015-November/001504.html) but I can't
> > >> seem to get it working with PCREs in AIDE either (negative lookahead?).
>
> PCRE support has been added in AIDE 0.16.
>
> > >> Goal is: to recursively include all subdirectories, exclude one
> > >> directory, but *include* a specific file only from the excluded
> > >> subdirectory.
>
> The difficulty here is that directories matching negative rules are
> completely ignored.
>
> To achieve your goal please try the following rules (AIDE >= 0.16):
>
> !/dir/sub/(?!file)
> !/dir/sub$ d
> /dir R
>
> Assuming the following files in the filesystem:
>
> /
> /dir
> /dir/file
> /dir/sub
> /dir/sub/not
> /dir/sub/file
>
> You can now use `--dry-init` to see which entries would be added to the
> database:
>
> $ aide --config aide.conf --dry-init
> [ ] d '/': no matching rule
> [X] d '/dir': selective rule: '/dir (none) l+p+u+g+s+c+m+i+n+md5+acl+selinux+xattrs+ftype+e2fsattrs+caps' (aide.conf:3: '/dir R')
> [X] f '/dir/file': selective rule: '/dir (none) l+p+u+g+s+c+m+i+n+md5+acl+selinux+xattrs+ftype+e2fsattrs+caps' (aide.conf:3: '/dir R')
> [ ] d '/dir/sub': negative rule: '!/dir/sub$ d' (aide.conf:2: '!/dir/sub$ d')
> [ ] f '/dir/sub/not': negative rule: '!/dir/sub/(?!file) (none)' (aide.conf:1: '!/dir/sub/(?!file)')
> [X] f '/dir/sub/file': selective rule: '/dir (none) l+p+u+g+s+c+m+i+n+md5+acl+selinux+xattrs+ftype+e2fsattrs+caps' (aide.conf:3: '/dir R')
>
> You can also use `--path-check` to test your rules:
>
> $ aide --config aide.conf --path-check f:/dir/sub/another-file
> [ ] f '/dir/sub/another-file': negative rule: '!/dir/sub/(?!file) (none)' (aide.conf:1: '!/dir/sub/(?!file)')
>
> Both `--dry-init` and `--path-check` have been added in AIDE 0.17.
>
> Best regards
>
> Hannes
>
> [0] https://github.com/aide/aide/blob/master/NEWS
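Added example (not part of the original messages, and not AIDE's own code): a simplified Python model of how the three rules quoted above select paths. It also shows that `(?!file)` is a prefix test, so a name such as /dir/sub/file.bak is not excluded. The file.bak and files.tmp paths and the end-anchored `(?!file$)` variant are constructed assumptions; confirm any real rule with `aide --path-check`.

```python
import re

# Rules from the thread, in aide.conf order:
# (is_negative, regex, file-type restriction or None)
THREAD_RULES = [
    (True,  r"/dir/sub/(?!file)", None),
    (True,  r"/dir/sub$",         "d"),
    (False, r"/dir",              None),
]
# Constructed variant (not from the thread): end-anchor the lookahead so that
# only the exact name "file" escapes the exclusion.
STRICT_RULES = [(True, r"/dir/sub/(?!file$)", None)] + THREAD_RULES[1:]

def evaluate(path, ftype, rules=THREAD_RULES):
    """Return (included, matching_regex) for a single path.

    Simplified model (assumption): regexes are anchored at the start of the
    path, negative rules are tried before selective ones, and every path is
    judged on its own, as in the per-path output quoted in the thread.
    Directory traversal is not modelled.
    """
    for want_negative in (True, False):
        for negative, regex, restrict in rules:
            if negative != want_negative:
                continue
            if restrict is not None and restrict != ftype:
                continue
            if re.match(regex, path):  # re.match anchors at position 0
                return (not negative, regex)
    return (False, None)  # no matching rule

# Paths from the thread plus two constructed names that share the "file" prefix.
SAMPLE = [
    ("/", "d"), ("/dir", "d"), ("/dir/file", "f"), ("/dir/sub", "d"),
    ("/dir/sub/not", "f"), ("/dir/sub/file", "f"),
    ("/dir/sub/file.bak", "f"), ("/dir/sub/files.tmp", "f"),
]

if __name__ == "__main__":
    for path, ftype in SAMPLE:
        loose = evaluate(path, ftype)[0]
        strict = evaluate(path, ftype, STRICT_RULES)[0]
        print(f"{ftype} {path:22} thread={'X' if loose else ' '} strict={'X' if strict else ' '}")
```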