[Aide] config changes between 0.17.3 and 0.18.3

Paul B. Henson henson at acm.org
Mon Jun 26 23:55:06 EEST 2023 

I recently updated a Debian box from 11 to 12, and correspondingly from
aide 0.17.3 to 0.18.3 and discovered the config seems to work quite
differently.

Historically, I would specify the most general stuff at the top and
override going down, for example:

/ Default
=/etc$ L

With 17, this did what I wanted, /etc itself matched the L rule:

[X] d '/etc': equal rule: '=/etc$ (none)
l+p+u+g+i+n+acl+selinux+xattrs+ftype+e2fsattrs+caps'
(/etc/aide/aide.conf:29: '=/etc$ L')

and everything else in /etc matched the default:

[X] d '/etc/udev': selective rule: '/ (none)
l+p+u+g+s+c+m+i+n+md5+sha1+acl+selinux+xattrs+ftype+e2fsattrs+caps'
(/etc/aide/aide.conf:18: '/ Default')
[X] d '/etc/tenshi': selective rule: '/ (none)
l+p+u+g+s+c+m+i+n+md5+sha1+acl+selinux+xattrs+ftype+e2fsattrs+caps'
(/etc/aide/aide.conf:18: '/ Default')
[X] f '/etc/services': selective rule: '/ (none)
l+p+u+g+s+c+m+i+n+md5+sha1+acl+selinux+xattrs+ftype+e2fsattrs+caps'
(/etc/aide/aide.conf:18: '/ Default')
[X] f '/etc/mail.rc': selective rule: '/ (none)
l+p+u+g+s+c+m+i+n+md5+sha1+acl+selinux+xattrs+ftype+e2fsattrs+caps'
(/etc/aide/aide.conf:18: '/ Default')

However, with 18, this only includes /etc in the db and everything else
is skipped:

[X] d '/etc': equal rule: '=/etc$ (none)
l+p+u+g+i+n+acl+selinux+xattrs+ftype+e2fsattrs+caps'
(/etc/aide/aide.conf:29: '=/etc$ L')
<nothing else from /etc included>


Interestingly, when I went to look at the man page, both 17 and 18 say:

       Equals rule:
              =<regex> <attribute expression>

              Files and directories matching the regular expression are added to the database.   The  chil‐
              dren  of  directories are only added if the regular expression ends with a "/".  The children
              of sub-directories are not added at all.

So the behavior of 18 matches the docs and that of 17 does not.

I've been doing this type of config for well over a decade and it's always
worked. I haven't gone back to see when the docs changed (or if they
changed?) but the behavior from 17 to 18 definitely has.


What's the recommended way to do this then? I tried:

/ Default
/etc$ L

but that doesn't work, /etc gets the top level default:

[X] d '/etc': selective rule: '/ (none) l+p+u+g+s+c+m+i+n+md5+sha1+acl+selinux+xattrs+ftype+e2fsattrs+caps' (/etc/aide/aide.conf:18: '/ Default')

I tried changing the order:

/etc$ L
/ Default

and that seems to work? Do I need to not use = rules now, and put more
specific stuff first?

Thanks...

More information about the Aide mailing list