[Fix] ignore_inotify.defaults: sentinel guard against user-file false positives; issue #480

rfxn · rfxn · commit 984c0b184135 · 2026-04-17T14:23:19.000-05:00
- [Fix] files/internals/ignore_inotify.defaults:
  * Replace bare 'sql_' with '/var/tmp/#sql_' + '/tmp/#sql_' — bare substring
    matched legitimate user paths (/home/user/public_html/sql_backup.php);
    scoped path prefix preserves legacy MySQL #sql_*.MYD coverage without
    false positives
  * Drop bare 'scantemp' — same issue (/home/user/scantemplate.php); install-
    path entries (/usr/local/maldetect/, new /var/lib/maldet/) cover LMD
    scan temp files transitively
  * Add /var/lib/maldet/ under "LMD install paths" for FHS scan-temp coverage
- [New] tests/47-ignore-inotify-defaults.bats: 3 new regression cases asserting
  that user PHP files with 'sql_' / 'scantemp' substrings do NOT match defaults,
  and that FHS /var/lib/maldet/tmp/scantemp.* still matches
- [Change] CHANGELOG, CHANGELOG.RELEASE: v2.0.1 [Fix] entry
diff --git a/CHANGELOG b/CHANGELOG
@@ -77,6 +77,7 @@ v2.0.1 | Mar 25 2026:
 [Fix] monitor: union-load ignore_inotify + ignore_inotify.defaults; new _monitor_load_ignore_inotify_union helper skips blanks+comments, dedupes across both files; issue #480
 [New] packaging: ship ignore_inotify.defaults in RPM spec, DEB rules, links, symlink-manifest; non-conffile under /usr/lib/maldet/internals/ so upgrades refresh the file; override_dh_fixperms preserves 640 mode on DEB; issue #480
 [Change] docs: document ignore_inotify.defaults two-file union model in README §5/§7 and maldet.1 MONITOR MODE; issue #480
+[Fix] ignore_inotify.defaults: scope 'sql_' to /tmp/#sql_ + /var/tmp/#sql_ and drop bare 'scantemp' to prevent matching user files like sql_backup.php and scantemplate.php; add /var/lib/maldet/ for FHS scan-temp coverage; sentinel remediation for issue #480
 
   -- Changes --
 
diff --git a/CHANGELOG.RELEASE b/CHANGELOG.RELEASE
@@ -77,6 +77,7 @@ v2.0.1 | Mar 25 2026:
 [Fix] monitor: union-load ignore_inotify + ignore_inotify.defaults; new _monitor_load_ignore_inotify_union helper skips blanks+comments, dedupes across both files; issue #480
 [New] packaging: ship ignore_inotify.defaults in RPM spec, DEB rules, links, symlink-manifest; non-conffile under /usr/lib/maldet/internals/ so upgrades refresh the file; override_dh_fixperms preserves 640 mode on DEB; issue #480
 [Change] docs: document ignore_inotify.defaults two-file union model in README §5/§7 and maldet.1 MONITOR MODE; issue #480
+[Fix] ignore_inotify.defaults: scope 'sql_' to /tmp/#sql_ + /var/tmp/#sql_ and drop bare 'scantemp' to prevent matching user files like sql_backup.php and scantemplate.php; add /var/lib/maldet/ for FHS scan-temp coverage; sentinel remediation for issue #480
 
   -- Changes --
 
diff --git a/files/internals/ignore_inotify.defaults b/files/internals/ignore_inotify.defaults
@@ -13,7 +13,8 @@
 /var/run/mysqld/
 /run/mysqld/
 sql-temptable-
-sql_
+/var/tmp/#sql_
+/tmp/#sql_
 .MYD
 .MYI
 .MAD
@@ -41,17 +42,15 @@ memcached.sock
 /var/tmp/clamav-
 /tmp/clamav-
 
-# LMD itself
+# LMD install paths (legacy + FHS) — covers scan temp workspaces transitively
 /usr/local/maldetect/
 /usr/local/sbin/maldet
+/var/lib/maldet/
 
 # Device pseudo-fs (non-regular files)
 /dev/pts/
 /dev/null
 
-# LMD scan temp workspaces
-scantemp
-
 # systemd journal + per-user runtime dirs
 /run/systemd/
 /var/log/journal/
diff --git a/tests/47-ignore-inotify-defaults.bats b/tests/47-ignore-inotify-defaults.bats
@@ -167,3 +167,47 @@ _source_lmd_stack() {
     done < "$LMD_INSTALL/internals/ignore_inotify.defaults"
     [ "$hit" -ge 1 ]
 }
+
+# bats test_tags=monitor,integration,false-positive
+@test "defaults: user PHP file with 'sql_' substring does NOT match defaults (sentinel guard)" {
+    # Regression: bare 'sql_' substring would have matched /home/user/public_html/sql_backup.php
+    # and suppressed legitimate scan events. Scoped defaults use /tmp/#sql_ and /var/tmp/#sql_.
+    local sample='/home/user/public_html/sql_backup.php'
+    local hit=0
+    while IFS= read -r _line; do
+        case "$_line" in ''|\#*) continue ;; esac
+        if [[ "$sample" == *"$_line"* ]]; then
+            hit=$((hit + 1))
+        fi
+    done < "$LMD_INSTALL/internals/ignore_inotify.defaults"
+    [ "$hit" -eq 0 ]
+}
+
+# bats test_tags=monitor,integration,false-positive
+@test "defaults: user PHP file with 'scantemp' substring does NOT match defaults (sentinel guard)" {
+    # Regression: bare 'scantemp' substring would have matched /home/user/public_html/scantemplate.php.
+    # Scan temps live under install paths (/usr/local/maldetect/, /var/lib/maldet/) which are scoped entries.
+    local sample='/home/user/public_html/scantemplate.php'
+    local hit=0
+    while IFS= read -r _line; do
+        case "$_line" in ''|\#*) continue ;; esac
+        if [[ "$sample" == *"$_line"* ]]; then
+            hit=$((hit + 1))
+        fi
+    done < "$LMD_INSTALL/internals/ignore_inotify.defaults"
+    [ "$hit" -eq 0 ]
+}
+
+# bats test_tags=monitor,integration,false-positive
+@test "defaults: install-path scan temp still matches (FHS /var/lib/maldet/)" {
+    # When scan workers write scantemp files under the FHS state dir, defaults must still cover them.
+    local sample='/var/lib/maldet/tmp/scantemp.12345'
+    local hit=0
+    while IFS= read -r _line; do
+        case "$_line" in ''|\#*) continue ;; esac
+        if [[ "$sample" == *"$_line"* ]]; then
+            hit=$((hit + 1))
+        fi
+    done < "$LMD_INSTALL/internals/ignore_inotify.defaults"
+    [ "$hit" -ge 1 ]
+}
