From 324b6d210fa3306cbf86081de9ac22b2d49cda3e Mon Sep 17 00:00:00 2001
From: Cropi
Date: Wed, 15 Oct 2025 14:22:55 +0200
Subject: [PATCH] Adjust default config to avoid false positives in /etc
Resolves: RHEL-39970
---
 aide.conf | 6 ++++--
 aide.spec | 6 +++++-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/aide.conf b/aide.conf
index a65963e..35f40bf 100644
--- a/aide.conf
+++ b/aide.conf
@@ -126,7 +126,7 @@ CONTENT = ftype+sha512
 DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs
 # Access control only - added file type and link name
-PERMS = ftype+p+i+l+u+g+acl+selinux
+PERMS = ftype+p+u+g+acl+selinux+xattrs
 # Logfiles are special, in that they often change due to log rotation
 # Track only: permissions, file type, user, group, number of links, SELinux context, extended attributes
@@ -159,7 +159,6 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
 # Check only permissions, inode, user and group for /etc, but
 # cover some important files closely.
-/etc PERMS
 !/etc/mtab
 # Ignore backup files
 !/etc/.*~
@@ -352,6 +351,9 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
 # USBGuard
 /etc/usbguard NORMAL
+# Now everything else
+/etc PERMS
+
 # This gets new/removes-old filenames daily
 !/var/log/sa
 # As we are checking it, we've truncated yesterdays size to zero.
diff --git a/aide.spec b/aide.spec
index 76d4d06..4165e6d 100644
--- a/aide.spec
+++ b/aide.spec
@@ -1,7 +1,7 @@
 Summary: Intrusion detection environment
 Name: aide
 Version: 0.19.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 URL: https://github.com/aide/aide
 License: GPL-2.0-or-later
 Source0: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz
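Review bot: The comment kept above the new `PERMS` line in the `-126,7` hunk still says "added file type and link name", but the new group drops both `i` (inode) and `l` (link name). For any path matched only by `PERMS`, a symlink that is pointed at a different target would then no longer be reported, which is a detection trade-off and not just noise reduction. If only inode churn from atomic rewrites caused the false positives (the commit message does not say), consider keeping link name: `PERMS = ftype+p+l+u+g+acl+selinux+xattrs`. Otherwise update the comment to match, e.g. `# Access control only - file type, permissions, owner, group, ACL, SELinux, xattrs (no inode or link name)`. The context comment "Check only permissions, inode, user and group for /etc" in the `-159,7` hunk is stale for the same reason.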
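Review bot: The relocated `/etc PERMS` line in the `-352,6` hunk now depends on its position in the file, and the new comment "Now everything else" does not say so. Assuming the move exists so that the more specific /etc rules are evaluated before the catch-all, any /etc rule that sits below this point, or is appended there later, may presumably end up with the weaker `PERMS` group; the rest of the file is not visible here to confirm. A comment such as `# Catch-all for /etc: must stay after every more specific /etc rule` would make the ordering requirement explicit. Before shipping the new default, it would be worth confirming with `aide --config-check` and `aide --path-check` that a closely watched file under /etc still resolves to its stricter group.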
@@ -79,6 +79,10 @@ install -Dpm0644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/aide.conf
 %{_tmpfilesdir}/aide.conf
 %changelog
+* Wed Oct 15 2025 Attila Lakatos - 0.19.2-4
+- Adjust default config to avoid false positives in /etc
+Resolves: RHEL-39970
+
 * Thu Oct 09 2025 Attila Lakatos - 0.19.2-3
 - /boot/grub2/grubenv is excluded from check due to boot_success implementation
 - Do not monitor link count in /var/log/journal