Bug 1266458

Summary: aide can not handle directory name with spaces
Product: Red Hat Enterprise Linux 7
Component: aide
Version: 7.2
Status: CLOSED WORKSFORME
Severity: high
Priority: high
Reporter: Eva Mrakova <emrakova>
Assignee: Daniel Kopeček <dkopecek>
QA Contact: Karel Srot <ksrot>
CC: cww, dkopecek, emrakova, kfujii, ksrot, myamazak, pvrabec, qe-baseos-security
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 1180435
Last Closed: 2016-10-06 12:25:04 UTC
Type: Bug
Bug Blocks: 1203710

Description Eva Mrakova 2015-09-25 10:43:48 UTC
Also happens for
aide-0.15.1-9.el7.x86_64

just aide's message is slightly different (version is included):
----------
AIDE 0.15.1 found differences between database and filesystem!!
<snip>
----------

+++ This bug was initially created as a clone of Bug #1180435 +++

Description of problem:

The customer reported odd behavior in aide when using a space in a directory name to indicate negative selection in aide.conf. It's reproducible on RHEL6 but not on RHEL7, so I believe it's a bug.

Package version:
aide-0.14-7.el6.x86_64
It's the latest in RHEL6 at this point.

Version-Release number of selected component (if applicable):

aide-0.14-7.el6.x86_64
(It's the latest in RHEL6 at this point.)

How reproducible:

100%

Steps to reproduce:

1. Edit /etc/aide.conf like:
----------
# tail -n2 /etc/aide.conf
/var/tmp/aidetest	NORMAL
!/var/tmp/aidetest/a\ 123456/x
----------

2. Create directory and file, and initialize db of aide.
# mkdir -p /var/tmp/aidetest/a\ 123456/x
# touch /var/tmp/aidetest/a\ 123456/x/foo
# aide -i && mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz 

3. Modify the file.
# echo abc > /var/tmp/aidetest/a\ 123456/x/foo 

4. Check intrusion.
# aide

Actual results:

aide detects differences.
----------
AIDE found differences between database and filesystem!!
<snip>
----------

Expected results:

aide ignores the differences because the modification was described in aide.conf as one that should be ignored.
----------
<snip>
### All files match AIDE database. Looks okay!
<snip>
----------

Additional info:

If you use a shorter directory name than 'a\ 123456' or omit the sub-directory 'x', the phenomenon is unlikely to happen.

However, on RHEL7, it works as expected. Also, I found a difference in the db between RHEL6 and 7.

RHEL6:
# zcat /var/lib/aide/aide.db.gz | grep ^/var | awk '{print $1}' | sort
/var/tmp/aidetest
/var/tmp/aidetest/a%20123456
/var/tmp/aidetest/a%20123456/x
/var/tmp/aidetest/a%20123456/x/foo

RHEL7:
# zcat /var/lib/aide/aide.db.gz | grep ^/var | awk '{print $1}' | sort
/var/tmp/aidetest
/var/tmp/aidetest/a%20123456

I guess that the difference in db contents caused the behavior.


--- Additional comment from Masayoshi Yamazaki on 2015-01-26 04:38:12 CET ---

Here is an upstream patch.
http://sourceforge.net/p/aide/mailman/aide-commits/thread/E1OKuEa-0002VC-M0@sfp-scmshell-3.v30.ch3.sourceforge.com/
commit fe927b27277cbdc2f05fd1373f8d8390754e8c31
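
The RHEL6 and RHEL7 database listings in the description differ in whether paths under the `!` rule were recorded. As an added example (not part of the bug report or of AIDE), the script below reports database entries that match a negative-selection rule. It assumes AIDE anchors each rule regex at the start of the path and that the database stores a space as %20, as the listings show; the function names and sample data are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): print AIDE database entries that
# a negative-selection ("!") rule in aide.conf says should not be there.
# On a real host: zcat /var/lib/aide/aide.db.gz | excluded_in_db /etc/aide.conf

excluded_in_db() {
    awk -v conf="$1" '
    BEGIN {
        while ((getline line < conf) > 0) {
            if (line !~ /^!/) continue
            sub(/^!/, "", line)
            gsub(/\\ /, " ", line)      # aide.conf escapes a space as "\ "
            rules[++n] = line
        }
    }
    /^\// {
        path = $1
        gsub(/%20/, " ", path)          # the database stores a space as %20
        # Assumption: AIDE matches each rule as a regex anchored at the start
        for (i = 1; i <= n; i++)
            if (path ~ ("^" rules[i])) { print path; break }
    }'
}

# Constructed sample input: the aide.conf tail and the two database
# listings shown in the report (attribute columns reduced to a placeholder).
write_sample_conf() {
    printf '%s\n' '/var/tmp/aidetest NORMAL' \
        '!/var/tmp/aidetest/a\ 123456/x' > "$1"
}
rhel6_db() {
    printf '%s 0\n' /var/tmp/aidetest '/var/tmp/aidetest/a%20123456' \
        '/var/tmp/aidetest/a%20123456/x' '/var/tmp/aidetest/a%20123456/x/foo'
}
rhel7_db() {
    printf '%s 0\n' /var/tmp/aidetest '/var/tmp/aidetest/a%20123456'
}

conf=$(mktemp) && write_sample_conf "$conf"
echo "RHEL6 listing, entries that the ! rule should have excluded:"
rhel6_db | excluded_in_db "$conf"
echo "RHEL7 listing, entries that the ! rule should have excluded:"
rhel7_db | excluded_in_db "$conf"
rm -f "$conf"
```

Any path printed for a real database means the exclusion was not applied when the database was built, so later changes under that path will be reported as differences.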

Comment 3 Daniel Kopeček 2016-06-22 14:02:44 UTC
Hi Eva, how did you reproduce this issue? I finally got to processing aide bugs and I found out that the patch from 6.8 is already applied to the 0.15.1 codebase. I tried to reproduce the issue but I don't see it with my setup (testing on rhel-7.2). Did you follow different steps to reproduce the issue?

This is what I did:

# mkdir -p /var/tmp/aidetest/a\ 123456/x
# touch /var/tmp/aidetest/a\ 123456/x/foo
# aide -i && mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz 

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

# aide

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

# echo abc > /var/tmp/aidetest/a\ 123456/x/foo
# aide

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

# tail -n2 /etc/aide.conf 
/var/tmp/aidetest	NORMAL
!/var/tmp/aidetest/a\ 123456/x

Comment 4 Karel Srot 2016-06-22 14:35:25 UTC
Hi Dan,
we are able to reproduce the problem and it seems to be quite sensitive to directory names. E.g. if I remember properly, I wasn't able to reproduce it with a directory name where the space was the 2nd letter. In our test we are using path /tmp/tmp.kds9esUgmy/dir\ bz1180435/subdir/tstfile.

Comment 6 Karel Srot 2016-06-22 14:39:58 UTC
I will run the test case again to find out the current status and report the result.

Comment 7 Daniel Kopeček 2016-06-22 15:06:55 UTC
(In reply to Karel Srot from comment #4)
> Hi Dan,
> we are able to reproduce the problem and it seems to be quite sensitive to
> directory names. E.g. if I remember properly, I wasn't able to reproduce it
> with a directory name where the space was the 2nd letter. In our test we
> are using path /tmp/tmp.kds9esUgmy/dir\ bz1180435/subdir/tstfile.

Hmm. So I tested it with the space at position 4.

# mkdir -p /var/tmp/aidetest/abc\ 123456/x
# touch /var/tmp/aidetest/abc\ 123456/x/foo
# aide -i && mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

# aide

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

# echo abc > /var/tmp/aidetest/abc\ 123456/x/foo
# aide

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

# tail -n2 /etc/aide.conf 
/var/tmp/aidetest	NORMAL
!/var/tmp/aidetest/abc\ 123456/x


---------- snip -----------

and position 3 (to check some odd numbers too)...:

---------- snip -----------

# mkdir -p /var/tmp/aidetest/ab\ 123456/x
# touch /var/tmp/aidetest/ab\ 123456/x/foo
# aide -i && mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

# aide

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

# echo abc > /var/tmp/aidetest/ab\ 123456/x/foo
# aide

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

# tail -n2 /etc/aide.conf 
/var/tmp/aidetest	NORMAL
!/var/tmp/aidetest/ab\ 123456/x

---------- snip -----------

If you could compile some clear steps to reproduce, that would be great!

Comment 13 Karel Srot 2016-10-06 12:25:04 UTC
I am closing the bug as the fix is already present and we cannot reproduce the issue on recent RHEL releases.