Changing regex for aide.db file to support absolute path #13915

Merged: jan-cerny merged 4 commits into ComplianceAsCode:master from Arden97:build_aide_absolute_path on Sep 24, 2025

Arden97 (Contributor) commented Sep 22, 2025

Description:

Rationale:

  • The regular expression in the OVAL tag, which is responsible for creating an object to collect the file name for the Aide build database, needs to be extended. At the customer's request, the path to the Aide database must also be acceptable via an absolute path.

  • Fixes "Build and Test AIDE Database" should accept an absolute path name in aide.conf #13801: extending the matching range for object_aide_operational_database_filename to match an absolute path to the file as well as a path via the DBDIR variable

Review Hints:

Some examples of file paths that MATCH the new regular expression:

  • database_in=file:@@{DBDIR}/aide.db.gz
  • database=file:/etc/aide/aide.db.gz
  • database=file:@@{DBDIR}/aide/aide.db.gz

Some examples of file paths that DO NOT MATCH the new regular expression:

  • database_in=file:@@{DBDIR}/Aide.db.gz
  • database=file:/etc/aide_dir/aide.db.gz
  • database=file:@@{DBDIR}/aide/
  • database=file:/etc/aide_dir/

NOTE: In my opinion, we should not expect Aide file and directory names to contain only lowercase letters. But these changes go beyond the scope of the issue.
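
A check of the review hints above, as an added example that is not part of the PR or the project's code: the pattern is a candidate written here to agree with the seven listed cases (the merged OVAL pattern is not shown on this page), and it is then used to resolve the database path from aide.conf text. The function names, the `@@define DBDIR` value and the aide.conf fragments are constructed for illustration; the underscore fragment shows the lowercase-only limitation the NOTE mentions.

```python
import re

# Candidate pattern written for this example (an assumption, not the OVAL
# pattern merged in the PR): optional @@{DBDIR} prefix, then one or more
# "/component" parts limited to lowercase letters and dots.
DB_LINE = re.compile(r"^database(?:_in)?=file:((?:@@\{DBDIR\})?(?:/[a-z.]+)+)$")
DEFINE = re.compile(r"^@@define\s+DBDIR\s+(\S+)$")

# Cases copied from the review hints; True means the line is expected to match.
HINTS = {
    "database_in=file:@@{DBDIR}/aide.db.gz": True,
    "database=file:/etc/aide/aide.db.gz": True,
    "database=file:@@{DBDIR}/aide/aide.db.gz": True,
    "database_in=file:@@{DBDIR}/Aide.db.gz": False,
    "database=file:/etc/aide_dir/aide.db.gz": False,
    "database=file:@@{DBDIR}/aide/": False,
    "database=file:/etc/aide_dir/": False,
}

def check_hints():
    """Return the hint lines on which the candidate pattern disagrees."""
    return [l for l, ok in HINTS.items() if bool(DB_LINE.match(l)) != ok]

def database_path(conf_text):
    """Return the resolved database path from aide.conf text, or None."""
    dbdir, path = None, None
    for line in conf_text.splitlines():
        line = line.strip()
        if m := DEFINE.match(line):
            dbdir = m.group(1)
        elif m := DB_LINE.match(line):
            path = m.group(1)
    if path and path.startswith("@@{DBDIR}"):
        # A DBDIR reference without a definition cannot be resolved.
        return None if dbdir is None else dbdir + path[len("@@{DBDIR}"):]
    return path

# Constructed aide.conf fragments (sample input, not taken from the PR).
CONF_DBDIR = "@@define DBDIR /var/lib/aide\ndatabase_in=file:@@{DBDIR}/aide.db.gz\n"
CONF_ABSOLUTE = "@@define DBDIR /var/lib/aide\ndatabase=file:/etc/aide/aide.db.gz\n"
CONF_UNDERSCORE = "database=file:/etc/aide_dir/aide.db.gz\n"

if __name__ == "__main__":
    print(check_hints())
    for conf in (CONF_DBDIR, CONF_ABSOLUTE, CONF_UNDERSCORE):
        print(database_path(conf))
```

A scanner built on a pattern like this reports no database line at all for `CONF_UNDERSCORE`, so a host with a valid but differently named database directory would fail the rule.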

openshift-ci Bot added the needs-ok-to-test label (Used by openshift-ci bot.) Sep 22, 2025

openshift-ci Bot commented Sep 22, 2025

Hi @Arden97. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

jan-cerny self-assigned this Sep 22, 2025
jan-cerny added this to the 0.1.79 milestone Sep 24, 2025
jan-cerny added the OVAL label (OVAL update. Related to the systems assessments.) Sep 24, 2025

jan-cerny (Collaborator) left a comment

I have verified the test scenarios passed locally on RHEL 9.

jcerny@fedora:~/work/git/scap-security-guide (pr/13915)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 aide_build_database 
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-09-24-1433/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_aide_build_database
INFO - Script db_not_present.fail.sh using profile (all) OK
INFO - Script new_db_not_present.pass.sh using profile (all) OK
INFO - Script get_db_path_absolute.pass.sh using profile (all) OK
INFO - Script get_db_path_dbdir.pass.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/13915)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible aide_build_database 
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-09-24-1437/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_aide_build_database
INFO - Script db_not_present.fail.sh using profile (all) OK
INFO - Script new_db_not_present.pass.sh using profile (all) OK
INFO - Script get_db_path_absolute.pass.sh using profile (all) OK
INFO - Script get_db_path_dbdir.pass.sh using profile (all) OK

@jan-cerny jan-cerny merged commit 2f00dcc into ComplianceAsCode:master Sep 24, 2025
124 of 126 checks passed
@Arden97 Arden97 deleted the build_aide_absolute_path branch September 24, 2025 13:08