Dear Maintainer,

Thanks a lot for your support. I have used the rule you mentioned in your 
previous reply, i.e. `/(usr/)?lib R`, which would match both the symlink /lib and 
the target /usr/lib.

So, I initialized the database using the following command,

# aide --before "/(usr/)?lib R" --config <(printf "database_in=file:/var/lib/aide/aide.db\ndatabase_out=file:/var/lib/aide/aide.db.new\ndatabase_in=file:/var/lib/aide/aide.db.new\nroot_prefix=./lib\nreport_detailed_init=true\nreport_level=added_removed_entries\n/ s\n") --init

Then, I observed that a sample file (testing.log) I have created in the symlink 
/lib has been taken as a database entry.

Then, I explicitly changed the contents of that file and used the following 
command to run an aide check to see if aide is able to detect the integrity 
failure.

# aide -c <(printf "database_in=file:/var/lib/aide/aide.db\ndatabase_out=file:/var/lib/aide/aide.db.new\ndatabase_in=file:/var/lib/aide/aide.db.new\nroot_prefix=./lib\nreport_detailed_init=true\nreport_level=added_removed_entries\n/ s\n") -C | cat

And I got the following output,

---------------------------------------------------
Changed entries:
---------------------------------------------------

f >               : /testing.log

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /testing.log
 Size      : 0                                | 12


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db


End timestamp: 2025-05-05 18:08:48 +0000 (run time: 0m 0s)

So, based on our discussion, I think we can conclude that aide is able to follow 
the symlinks and the contents in it, but we need to use the right rule to match 
both the symlink as well as its target directory.

This issue can be closed if you agree with the above observations and 
conclusion. In case of any concerns, please provide your opinion.

Thanks and regards,
Sai Ashrith

