Control: tags -1 confirmed
thanks
Hi,
thanks for spotting this and for taking your time to report this.
On Thu, Feb 12, 2026 at 04:30:22PM +0100, Thomas Dorner wrote:
> after adding a bad entry to my /etc/aide/aide.conf.d/80_aide_local_defs
> the aide job immediately finished with:
>
> "AIDE returned with exit code 17. Invalid configuration"
> and
> "ERROR: /etc/aide/aide.conf.d/80_aide_local_defs:147: syntax error"
>
> That was correct of course.
> But the systemd job did not fail, here the journald entries:
>
> Feb 12 08:32:49 XXX systemd[1]: Starting dailyaidecheck.service - daily AIDE
> check...
> Feb 12 08:32:50 XXX dailyaidecheck[29126]: WARN: it is not possible to use
> mail(1) unless aide is run as root or as non-root with added capabilities
> (either via systemd or via capsh). See /usr/share/doc/aide->
> Feb 12 08:32:50 XXX systemd[1]: dailyaidecheck.service: Deactivated
> successfully.
> Feb 12 08:32:50 umbra systemd[1]: Finished dailyaidecheck.service - daily
> AIDE check.
>
> This made the restart after the fix a bit tricky (several systemctl
> commands needed), as it already had been run "successfully" once today.
>
> I would expect a failing service in this case.

Please try the attached patches against your installed package. This should
- make the dailyaidecheck service fail if aide returns a failure code
- allow the dailyaidecheck.service to not be restarted automatically
while
- allowing the dailyaidecheck.service to be restarted manually automatically.

I am not sure why I set the StartLimitIntervalSec to 7200, I guess that
I did that as a safety measure just in case the timer fires twice (maybe
in DST night?).

Greetings
Marc
/usr/lib/systemd/system/dailyaidecheck-buildcache.service
--- a/debian/aide-common.dailyaidecheck-buildcache.service
+++ b/debian/aide-common.dailyaidecheck-buildcache.service
@@ -1,10 +1,11 @@
[Unit]
Description=build cache for daily AIDE check
Documentation=file:/usr/share/doc/aide/README.Debian.gz
-StartLimitIntervalSec=60
-StartLimitBurst=1
+#StartLimitIntervalSec=60
+#StartLimitBurst=1
[Service]
Type=oneshot
+Restart=no
ExecStart=/usr/share/aide/bin/buildcache
RemainAfterExit=no
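Review bot: the two StartLimit* settings in [Unit] are commented out rather than removed, and nothing says why. Either delete them or add a one-line comment with the reason (with StartLimitBurst=1 the start limit also refuses a manual start inside the interval), so a later reader does not simply re-enable them. Restart=no is the systemd default for a service, so the added line documents intent but does not change behaviour.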
/usr/lib/systemd/system/dailyaidecheck.service
--- a/debian/aide-common.dailyaidecheck.service
+++ b/debian/aide-common.dailyaidecheck.service
@@ -1,13 +1,15 @@
[Unit]
Description=daily AIDE check
Documentation=file:/usr/share/doc/aide/README.Debian.gz
-StartLimitIntervalSec=7200
-StartLimitBurst=1
+#StartLimitIntervalSec=7200
+#StartLimitBurst=1
Requires=dailyaidecheck-buildcache.service
After=dailyaidecheck-buildcache.service
[Service]
Type=oneshot
+RemainAfterExit=no
+Restart=no
User=_aide
Group=_aide
AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
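Review bot: RemainAfterExit=no and Restart=no in [Service] are both systemd defaults, so the only behavioural change to this unit is dropping StartLimitIntervalSec=7200 and StartLimitBurst=1. Among the lines shown, that limit was the only guard against a second start within two hours. If protection against the timer firing twice is still wanted, note in a comment where it is handled now; otherwise delete the two lines instead of leaving them commented out.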
/usr/share/aide/bin/dailyaidecheck
--- a/debian/bin/dailyaidecheck
+++ b/debian/bin/dailyaidecheck
@@ -322,6 +322,7 @@ onexit() {
PRINTED=""
FIGLETTEXT=""
+ SCRIPTRETVAL="0"
if [ -n "${ARETVAL:-}" ]; then
ARETEXPL=""
ARETERR=""
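Review bot: SCRIPTRETVAL defaults to "0" before the `if [ -n "${ARETVAL:-}" ]` test, so any path that skips the block because ARETVAL is empty, and any case branch that does not set the variable, still reports success. Consider a fail-closed default (start at "1" and set "0" only in the branches that are meant to count as a clean run), so a branch added later cannot silently return success.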
@@ -331,6 +332,7 @@ onexit() {
PREFIX=""
ARETERR="the daily aide check was interrupted before AIDE could return an exit code."
FIGLETTEXT="${CRONJOBERR:-interrupt}"
+ SCRIPTRETVAL="1"
;;
0)
PREFIX="AIDE returned with a zero exit code."
@@ -368,34 +370,42 @@ onexit() {
14)
ARETERR="Error writing!"
FIGLETTEXT="$ARETERR"
+ SCRIPTRETVAL="1"
;;
15)
ARETERR="Invalid Argument!"
FIGLETTEXT="EINVAL"
+ SCRIPTRETVAL="1"
;;
16)
ARETERR="Unimplemented function!"
FIGLETTEXT="unimplemented"
+ SCRIPTRETVAL="1"
;;
17|255)
ARETERR="Invalid configuration!"
FIGLETTEXT="invalid config"
+ SCRIPTRETVAL="1"
;;
18)
ARETERR="Input/Output error!"
FIGLETTEXT="EIO"
+ SCRIPTRETVAL="1"
;;
21)
ARETERR="cannot obtain lock"
FIGLETTEXT="no lock"
+ SCRIPTRETVAL="1"
;;
250)
ARETERR="executable aide not found"
FIGLETTEXT="no executable"
+ SCRIPTRETVAL="1"
;;
*)
ARETERR="$(printf "unknown non-zero exit value %d\\n\\n" "$ARETVAL")"
FIGLETTEXT="unknown error"
+ SCRIPTRETVAL="1"
;;
esac
if [ -n "$ARETEXPL" ]; then
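Review bot: every error branch from 14) through *) repeats SCRIPTRETVAL="1", which collapses all AIDE failure codes into one value, so systemd will log status 1 for an invalid configuration (17) and for an I/O error (18) alike. Consider SCRIPTRETVAL="$ARETVAL" so the unit's recorded exit status matches the AIDE code shown in the report, or, if a single value is intended, set it once after the esac for the branches that filled in ARETERR rather than eight times.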
@@ -770,7 +780,7 @@ onexit() {
fi
unset LOCKED
- return 0
+ return ${SCRIPTRETVAL}
}
BEGINTIME="$(date +%s)"
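Review bot: `return ${SCRIPTRETVAL}` at the end of onexit only changes the script's exit status if the caller acts on it. If onexit is installed as an EXIT trap handler, the function's return value is discarded and the shell exits with the status it had when the trap fired, so the service would still finish successfully; in that case the handler needs to call exit with the value. Please check the call site, and quote the expansion: `return "${SCRIPTRETVAL}"`.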