[Aide] aide.conf: exclude directory *except* one file

Hannes von Haugwitz hannes at vonhaugwitz.com
Thu Mar 25 23:24:48 EET 2021


Hello,

On Wed, Mar 24, 2021 at 11:00:38AM -0700, M wrote:
> Is there any advantage to upgrading to the latest AIDE version (I am
> on 0.15.1)?

AIDE 0.15.1 was released over 10 years ago. Please check the NEWS
file[0] for the changes since then.

> > On Wed, 24 Mar 2021 at 11:44, M <linuxntwrk at gmail.com> wrote:
> >> I've found some other discussions about this (
> >> https://www.ipi.fi/pipermail/aide/2015-November/001504.html) but I can't
> >> seem to get it working with PCREs in AIDE either (negative lookahead?).

PCRE support was added in AIDE 0.16.

> >> Goal is: to recursively include all subdirectories, exclude one
> >> directory, but *include* a specific file only from the excluded
> >> subdirectory.

The difficulty here is that directories matching negative rules are
completely ignored.

To achieve your goal please try the following rules (AIDE >= 0.16):

!/dir/sub/(?!file)
!/dir/sub$ d
/dir R

Assuming the following files in the filesystem:

/
/dir
/dir/file
/dir/sub
/dir/sub/not
/dir/sub/file

You can now use `--dry-init` to see which entries would be added to the
database:

$ aide --config aide.conf --dry-init
[ ] d '/': no matching rule
[X] d '/dir': selective rule: '/dir (none) l+p+u+g+s+c+m+i+n+md5+acl+selinux+xattrs+ftype+e2fsattrs+caps' (aide.conf:3: '/dir R')
[X] f '/dir/file': selective rule: '/dir (none) l+p+u+g+s+c+m+i+n+md5+acl+selinux+xattrs+ftype+e2fsattrs+caps' (aide.conf:3: '/dir R')
[ ] d '/dir/sub': negative rule: '!/dir/sub$ d' (aide.conf:2: '!/dir/sub$ d')
[ ] f '/dir/sub/not': negative rule: '!/dir/sub/(?!file) (none)' (aide.conf:1: '!/dir/sub/(?!file)')
[X] f '/dir/sub/file': selective rule: '/dir (none) l+p+u+g+s+c+m+i+n+md5+acl+selinux+xattrs+ftype+e2fsattrs+caps' (aide.conf:3: '/dir R')

You can also use `--path-check` to test your rules:

$ aide --config aide.conf --path-check f:/dir/sub/another-file
[ ] f '/dir/sub/another-file': negative rule: '!/dir/sub/(?!file) (none)' (aide.conf:1: '!/dir/sub/(?!file)')

Both `--dry-init` and `--path-check` were added in AIDE 0.17.

Best regards

Hannes

[0] https://github.com/aide/aide/blob/master/NEWS
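
Added example (not part of the original message, and not AIDE code): a Python model of how the three rules above classify each entry, assuming AIDE's implicit `^` anchor and that a matching negative rule wins over a selective rule, as the `--dry-init` output shows. It goes beyond the message by checking two constructed paths, `/dir/sub/file.bak` and `/dir/sub/files/x`, which the prefix-only lookahead `(?!file)` also lets through, and a hypothetical tightened rule `!/dir/sub/(?!file$)`.

```python
import re

# (aide.conf line, negative?, regex, file-type restriction) for the rules in the message
ORIGINAL = [
    (1, True, r"/dir/sub/(?!file)", None),
    (2, True, r"/dir/sub$", "d"),
    (3, False, r"/dir", None),
]
# Hypothetical variant (not from the message): end-anchor the lookahead
TIGHTENED = [(1, True, r"/dir/sub/(?!file$)", None)] + ORIGINAL[1:]

# Entries from the message, plus two constructed ones marked below
ENTRIES = [
    ("d", "/"), ("d", "/dir"), ("f", "/dir/file"), ("d", "/dir/sub"),
    ("f", "/dir/sub/not"), ("f", "/dir/sub/file"),
    ("f", "/dir/sub/file.bak"),  # constructed
    ("f", "/dir/sub/files/x"),   # constructed
]

def path_check(ftype, path, rules):
    """Return (added_to_db, rule_line) for one entry, like one --path-check line."""
    def hits(rule):
        _, _, rx, restrict = rule
        # re.match anchors at the start, standing in for AIDE's implicit '^'
        return restrict in (None, ftype) and re.match(rx, path) is not None
    for negative in (True, False):  # negative rules take precedence
        for rule in rules:
            if rule[1] == negative and hits(rule):
                return (not negative, rule[0])
    return (False, None)  # "no matching rule"

def report(rules):
    """Classify every sample entry under the given rule set."""
    return {path: path_check(ftype, path, rules) for ftype, path in ENTRIES}

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("tightened", TIGHTENED)):
        print(name)
        for path, (added, line) in report(rules).items():
            print(f"  [{'X' if added else ' '}] {path!r} (aide.conf:{line})")
```

This models per-entry rule matching only, not AIDE's directory traversal; confirm any rule change against the real tool with `--path-check` or `--dry-init`.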

