Thanks for the quick reply.
> So you are saying that sometimes aide reports these files as added, and
> sometimes it doesn't? At the very least, aide should be consistent with
> respect to this. Are you sure that your database or config file don't
> get changed over time? You can check (manually) that the files in /bin
> and /sbin are actually in the database (it is plain text) right after
> you see this happening.
I know that the config file hasn't been changed when this happened, but it probably did occur after I did a --update to bring the database up to date after some files were changed. When this problem happens, it is consistent. The files will show up as being added every time a --check is run until I do another --update, which seems to fix it. I've already updated the database since the last time this happened, but next time I'll save a copy so I can take a closer look at it.
> Also, when you change your config file, always run "aide --init" or
> "aide --update" before running "aide --check".
Yeah, I figured that out after I had some other weird database problems. It would be nice if this was mentioned in the documentation somewhere (or maybe it is and I just missed it).
> > Also, I find the documentation a little confusing. What exactly does
> > putting an = at the first of the line change about a rule?
> It means that the filepath should match as a whole, not just the
> beginning of it. For example:
> /tmp in aide.conf will match directory /tmp and file /tmp/foo
> =/tmp in aide.conf will match directory /tmp but not file /tmp/foo
Okay, so basically =/tmp has the same effect as /tmp$. If a line starts with =, is it still interpreted as a regular expression? Because I didn't really understand what was going on, I've been putting in rules like =/dev$. Would this have caused any strange side effects?