>>> Richard van den Berg <richard@vdberg.org> 8/13/2004 10:29:19 AM >>>
> So the problem is with --update. Are you positive you did not change the
> aide.conf between the first --update (after which the added files are
> reported) and the 2nd --update (which makes the problem go away)?

> I'm suspecting a problem with your config file.
Yes, the last two times it happened, I'm sure I did not change my configuration file.

> Um, ok. It is confusing. =/tmp just means that it will not recurse into
> subdirs of /tmp because of that rule. Forget what I said about whole
> file matching. Like the manpage for aide.conf says:
> =/tmp will only match /tmp and not /tmp/foo but if you would put 2 lines:
> =/tmp R
> /tmp/bar R
> /tmp/foo would match =/tmp because aide recurses into /tmp because of
> the 2nd line, which /tmp/foo matches the 1st line ("/tmp" == "/tmp/foo"
> when it comes to regex). So you would want:
> =/tmp$ R
> /tmp/bar
> Now when aide recurses into /tmp and encounters /tmp/foo it will not
> match. Inside aide it works like this (IIRC):
> A) build a list of directories to parse from the config entries
> B) browse the list of step A looking for files that match config entries
> So basically, putting = before a config entry influences step A but not B.
Wow, that is fairly confusing :-)
My strategy for my config file is to include everything by default and then exclude the things I don't need to check.  The first rule I have is "/ Binlib" where Binlib stands for "p+i+n+u+g+s+b+m+c+md5+sha1".  If I'm understanding what you wrote correctly, entries starting with = won't really have any special effect for my setup because AIDE will already be looking in all directories.  Then, when I want to exclude certain directories, I just need to do something like:
/proc$ StaticDir
Curtis H.
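
A simplified model of the two-step selection described in the quoted message, run over the three rule sets it mentions. This is an added example, not part of the original thread and not AIDE's own code. The sample tree, the function names and the way step A decides to descend are assumptions for illustration, and `!` exclusion rules are not modelled.

```python
import re

# Constructed sample tree: directory -> children (absolute paths).
TREE = {
    "/": ["/tmp"],
    "/tmp": ["/tmp/foo", "/tmp/bar"],
    "/tmp/bar": ["/tmp/bar/x"],
}

def parse(lines):
    """Turn 'regex [group]' lines into (equals_flag, regex) pairs."""
    rules = []
    for line in lines:
        pattern = line.split()[0]
        rules.append((pattern.startswith("="), pattern.lstrip("=")))
    return rules

def matches(path, rules):
    """Step B: left-anchored regex match; the '=' prefix plays no part here."""
    return any(re.match(rx, path) for _, rx in rules)

def descend(directory, rules):
    """Step A (modelled): does the walk enter this directory?"""
    prefix = directory.rstrip("/") + "/"
    for equals, rx in rules:
        if rx.rstrip("$").startswith(prefix):
            return True   # some rule points below this directory
        if not equals and re.match(rx, directory):
            return True   # ordinary rule: recurse into what it matches
    return False

def selected(lines, tree=TREE):
    """Walk the tree from / and return the sorted paths that get selected."""
    rules = parse(lines)
    found, stack = [], ["/"]
    while stack:
        directory = stack.pop()
        if not descend(directory, rules):
            continue
        for child in tree.get(directory, []):
            if matches(child, rules):
                found.append(child)
            if child in tree:
                stack.append(child)
    return sorted(found)

if __name__ == "__main__":
    for conf in (["=/tmp R"], ["=/tmp R", "/tmp/bar R"], ["=/tmp$ R", "/tmp/bar"]):
        print(conf, "->", selected(conf))
```

In this model `/tmp/foo` is selected only by the second rule set, where `/tmp/bar` forces a walk into `/tmp` and the unanchored `=/tmp` then matches it as a prefix.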