Thanks for the quick reply.

> So you are saying that sometimes aide reports these files as added, and
> sometimes it doesn't? At the very least, aide should be consistent with
> respect to this. Are you sure that your database or config file don't
> get changed over time? You can check (manually) that the files in /bin
> and /sbin are actually in the database (it is plain text) right after
> you see this happening.
I know that the config file hasn't been changed when this happened, but it probably did occur after I did a --update to bring the database up to date after some files were changed.  When this problem happens, it is consistent. The files will show up as being added every time a --check is run until I do another --update, which seems to fix it.  I've already updated the database since the last time this happened, but next time I'll save a copy so I can take a closer look at it.

> Also, when you change your config file, always run "aide --init" or
> "aide --update" before running "aide --check".
 
Yeah, I figured that out after I had some other weird database problems.  It would be nice if this was mentioned in the documentation somewhere (or maybe it is and I just missed it).

> > Also, I find the documentation a little confusing.  What exactly does
> > putting an = at the first of the line change about a rule?
>
> It means that the filepath should match as a whole, not just the
> beginning of it. For example:
>
> /tmp in aide.conf will match directory /tmp and file /tmp/foo
> =/tmp in aide.conf will match directory /tmp but not file /tmp/foo
Okay, so basically =/tmp has the same effect as /tmp$.  If a line starts with = is it still interpretted as a regular expression?  Because I didn't really understand what was going on, I've been putting in rules like =/dev$  Would this have caused any strange side effects?
 
Thanks!
 
Curtis H.