Discussion:
[Aide] Rules to exclude all files except one
Shirkdog
2015-11-18 21:47:17 UTC
What if you do the specific include/exclude?

/opt/app/dir2/.* NORMAL
!/opt/app/dir1
!/opt/app/dir3


---
Michael Shirk


On Wed, Nov 18, 2015 at 12:23 PM, Brian Mathis
I'm trying to set up some rules that exclude all files/dirs in a subdirectory
except for one, without itemizing every file to exclude.
/opt/app/dir1 --> exclude
/opt/app/dir2 --> include
/opt/app/dir3 --> exclude
/opt/app/dir2/.* NORMAL
!/opt/app/
/ EVERYTHING
The ! rule always seems to override the dir2 rule.
Is there any way to accomplish this with aide?
~ Brian Mathis
@orev
_______________________________________________
Aide mailing list
https://mailman.cs.tut.fi/mailman/listinfo/aide
Jobst Schmalenbach
2015-11-19 11:07:05 UTC
Wouldn't it be

!/opt/app/dir
/opt/app/dir/onefile

Jobst
--
Sent from my Mobile.
Thanks for the reply (glad this list isn't completely dead), but I think
it's pretty clear that I said "all files/dirs in a subdirectory" and
"without itemizing every file to exclude". This indicates that a specific
include/exclude is explicitly not what I'm looking for, as the list of
things to exclude is not known beforehand.
~ Brian Mathis
@orev
Shirkdog
2015-11-19 16:11:55 UTC
That was the reason for my response, pretty sure your issue has come
up before, and I have worked around it by automating that process
outside of aide.

It is something it should be able to handle, a global white-list of
some kind for the values you do not want to check.

---
Michael Shirk


On Thu, Nov 19, 2015 at 9:40 AM, Brian Mathis
No, that doesn't work because the ! rule still matches the onefile rule, so
"/opt/app/dir" matches rule from line #131: ^/opt/app/dir
/opt/app/dir match=0, tree=0x7fc395d8f780, attr=0
^/opt/app/dir/onefile
"/opt/app/dir/onefile" matches rule from line #131: ^/opt/app/dir
/opt/app/dir/onefile match=0, tree=0x7fc395d8f780, attr=0
~ Brian Mathis
@orev
Post by Jobst Schmalenbach
Wouldn't it be
!/opt/app/dir
/opt/app/dir/onefile NORMAL
Jobst
--
Sent from my Mobile.
Richard Dupuy
2015-11-19 21:52:15 UTC
I've done something like this with some success:

!/opt/app/dir/[^o][^n][^e][^d][^i][^r][^/]

You might play around with find and grep/egrep to find the "just right" regular expression... I've played this game of "exclude all but..." with regular expressions before. It's very ugly, but there's *usually a way*, at least with extended regular expression syntax.

--Rich Dupuy
IT Technical Support Consultant
Office of Technology Services
225-219-6026


Richard Dupuy
2015-11-19 21:59:42 UTC
The more I looked, this might be necessary:

!/opt/app/dir/[^o]
!/opt/app/dir/[^o][^n]
!/opt/app/dir/[^o][^n][^e]
!/opt/app/dir/[^o][^n][^e][^d]
!/opt/app/dir/[^o][^n][^e][^d][^i]
!/opt/app/dir/[^o][^n][^e][^d][^i][^r]
!/opt/app/dir/[^o][^n][^e][^d][^i][^r][^/]

--Rich Dupuy
IT Technical Support Consultant
State of Louisiana
-Division of Administration
-Office of Technology Services


Richard Dupuy
2015-11-19 22:03:09 UTC
OK, to be thorough:

!/opt/app/dir/[^o]
!/opt/app/dir/[^o][^n]
!/opt/app/dir/[^o][^n][^e]
!/opt/app/dir/[^o][^n][^e][^d]
!/opt/app/dir/[^o][^n][^e][^d][^i]
!/opt/app/dir/[^o][^n][^e][^d][^i][^r]
!/opt/app/dir/[^o][^n][^e][^d][^i][^r][^/].*

--Rich Dupuy
IT Technical Support Consultant
Office of Technology Services
225-219-6026


Hannes von Haugwitz
2015-11-19 19:08:15 UTC
Hi,
I'm trying to set up some rules that exclude all files/dirs in a
subdirectory except for one, without itemizing every file to exclude.
/opt/app/dir1 --> exclude
/opt/app/dir2 --> include
/opt/app/dir3 --> exclude
/opt/app/dir2/.* NORMAL
!/opt/app/
/ EVERYTHING
The ! rule always seems to override the dir2 rule.
Is there any way to accomplish this with aide?
I'm pretty sure that this is not possible with the current version of
AIDE.

Currently I'm working on the rule handling of AIDE and I'll keep your
use case in mind. Perhaps there is a simple solution to fix this
issue.

Best regards

Hannes
Hannes von Haugwitz
2015-11-20 16:15:50 UTC
Hi,
I noticed that the aide binary (on centos 7) is linked with libpcre, but
perlish regexes don't seem to work. A negative look-ahead assertion would
!/opt/app/dir/(?!onedir).*
Maybe full PCREs would be nice for the next version of AIDE.
I currently evaluate this for the next alpha version.

Best regards

Hannes
Hannes von Haugwitz
2016-02-27 20:50:00 UTC
Hi,
Post by Hannes von Haugwitz
Maybe full PCREs would be nice for the next version of AIDE.
I currently evaluate this for the next alpha version.
The latest git commit[0] now adds full PCREs to AIDE.

Best regards

Hannes

[0] https://sourceforge.net/p/aide/code/ci/a6e3e0
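
Added example (not from the thread and not AIDE's code): a small Python model of how the exclusion regexes discussed above behave against a constructed list of paths, showing which entries each rule set leaves monitored. It assumes only the implicit `^` anchor visible in the debug output, models regex matching rather than AIDE's directory traversal, and uses Python's `re` as a stand-in for PCRE lookahead; the `STRICT` rule is an added variant, not one proposed in the thread.

```python
import re

BASE = "/opt/app/dir/"

# Constructed sample entries; "onedir" is the one directory that should stay monitored.
NAMES = ["onedir", "onedir/conf.ini", "onedir2", "other", "cache", "logs/a.log"]

# Rule sets from the thread, written without the leading "!".
PLAIN = ["/opt/app/dir"]
CHARCLASS = [
    "/opt/app/dir/[^o]",
    "/opt/app/dir/[^o][^n]",
    "/opt/app/dir/[^o][^n][^e]",
    "/opt/app/dir/[^o][^n][^e][^d]",
    "/opt/app/dir/[^o][^n][^e][^d][^i]",
    "/opt/app/dir/[^o][^n][^e][^d][^i][^r]",
    "/opt/app/dir/[^o][^n][^e][^d][^i][^r][^/].*",
]
LOOKAHEAD = ["/opt/app/dir/(?!onedir).*"]
# Added variant (assumption): require "onedir" to end at "/" or end of path,
# so that siblings such as "onedir2" are excluded as well.
STRICT = ["/opt/app/dir/(?!onedir(/|$))"]


def excluded(path, negative_rules):
    """True if any negative rule matches the path.

    re.match() only matches at the start of the string, which mirrors the
    implicit "^" shown in the debug output (^/opt/app/dir).
    """
    return any(re.match(rx, path) for rx in negative_rules)


def kept(negative_rules):
    """Names under BASE that no negative rule excludes, i.e. still monitored."""
    return [n for n in NAMES if not excluded(BASE + n, negative_rules)]


if __name__ == "__main__":
    for label, rules in (("plain", PLAIN), ("charclass", CHARCLASS),
                         ("lookahead", LOOKAHEAD), ("strict", STRICT)):
        print(f"{label:10} keeps {kept(rules)}")
```

Every character-class rule begins with `[^o]`, so in this model any entry whose name starts with `o` stays monitored, and the plain lookahead also keeps `onedir2` because it only tests the prefix.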
