[Change] docs: ignore_inotify ERE + literal: prefix across 3 surfaces; issue #484

[Change] files/ignore_inotify: header rewrite — ERE default, literal: opt-in,
      mixed examples (regex + literal + plain)
[Change] README.md §7 Monitor Mode: Ignore files paragraph corrected
[Change] files/maldet.1 FILES section: ignore_inotify description aligned
[Change] CHANGELOG, CHANGELOG.RELEASE: v2.0.1 [Change] entry

Author: rfxn

CHANGELOG

@@ -94,6 +94,8 @@ v2.0.1 | Mar 25 2026:
 [Change] tests/48-monitor-ignore-regex.bats: integration coverage for
       ignore_inotify ERE + literal: prefix + ignore_paths monitor-mode
       consistency + malformed-regex symmetry; issue #484
+[Change] docs: ignore_inotify ERE-default + literal: prefix semantics
+      across ignore_inotify header, README §7, maldet.1 FILES; issue #484
 [Change] tests: prune two tautological assertions — the
          "uninstall.sh delegates service removal to pkg_service_uninstall"
          grep-for-token check in 01-install-cli.bats (string presence, not

CHANGELOG.RELEASE

@@ -94,6 +94,8 @@ v2.0.1 | Mar 25 2026:
 [Change] tests/48-monitor-ignore-regex.bats: integration coverage for
       ignore_inotify ERE + literal: prefix + ignore_paths monitor-mode
       consistency + malformed-regex symmetry; issue #484
+[Change] docs: ignore_inotify ERE-default + literal: prefix semantics
+      across ignore_inotify header, README §7, maldet.1 FILES; issue #484
 [Change] tests: prune two tautological assertions — the
          "uninstall.sh delegates service removal to pkg_service_uninstall"
          grep-for-token check in 01-install-cli.bats (string presence, not

README.md

@@ -669,7 +669,7 @@ maldet -k
 
 When using the `users` mode, only subdirectories matching `inotify_docroot` (default: `public_html,public_ftp`) are monitored, plus the system temp directories `/tmp`, `/var/tmp`, and `/dev/shm`.
 
-**Ignore files (inotify):** Monitor exclusions union two files — the user-owned `/usr/local/maldetect/ignore_inotify` and the LMD-managed `/usr/local/maldetect/internals/ignore_inotify.defaults`. Both are line-separated, substring-matched against the full event path, and support `#` comments + blank lines. ERE metacharacters are auto-escaped — do not use anchors (`^`, `$`) or wildcards (`*`, `+`, `.`). The defaults file is overwritten on every LMD upgrade; add site-specific exclusions to `ignore_inotify` only.
+**Ignore files (inotify):** Monitor exclusions union two files — the user-owned `/usr/local/maldetect/ignore_inotify` and the LMD-managed `/usr/local/maldetect/internals/ignore_inotify.defaults`. Both are line-separated and support `#` comments + blank lines. The user-owned `ignore_inotify` accepts POSIX ERE (extended regex) by default — anchors (`^`, `$`) and wildcards (`.*`, `.+`) work. To exclude a literal path containing regex metacharacters, prefix the entry with `literal:` (e.g. `literal:/tmp/app.cache`). The LMD-managed `ignore_inotify.defaults` is treated as literal substrings — its curated entries are auto-escaped at load time. The defaults file is overwritten on every LMD upgrade; add site-specific exclusions to `ignore_inotify` only.
 
 ---
 

files/ignore_inotify

@@ -3,12 +3,16 @@
 # Site-specific inotify exclusions. Consulted IN ADDITION TO
 # $inspath/internals/ignore_inotify.defaults (LMD-managed).
 #
-# Format: one substring per line. ERE metacharacters are auto-escaped
-# at load time — do NOT use anchors (^ $) or wildcards (* + .).
+# Format: one entry per line. Entries are POSIX ERE (extended regex)
+# by default — anchors (^ $) and wildcards (.* .+) work as expected.
+# To exclude a literal path containing regex metacharacters, prefix
+# the entry with "literal:" (lowercase, 8 chars).
+#
 # Lines beginning with # are comments. Blank lines are ignored.
 #
 # Examples:
-#   /home/user/public_html/cache/
-#   backup-
-#   .tmp
+#   ^/tmp/.*scantem.*                         # regex: ClamAV scan-temp noise
+#   ^/var/www/vhosts/.*/logs/.*$              # regex: Plesk per-vhost logs
+#   literal:/home/user/public_html/._app.cache   # literal path with dots
+#   /home/user/public_html/cache/             # plain path (no metachars — still ERE-safe)
 

files/maldet.1

@@ -872,14 +872,23 @@ Monitor exclusions union two files:
 (LMD\-managed under
 .IR $inspath/internals/ ,
 refreshed on every upgrade).
-Entries in both files are line\-separated, substring\-matched against the full event path, and support
+Entries in both files are line\-separated and support
 .B #
 comments plus blank lines.
-ERE metacharacters
-.RI ( . ,
-.IR * ,
-.IR + ,
-etc.) are automatically escaped \(em do not use anchors or wildcards.
+The user\-owned
+.B ignore_inotify
+accepts POSIX ERE (extended regular expressions) by default \(em anchors
+.RB ( ^ ,
+.BR $ )
+and wildcards
+.RB ( .* ,
+.BR .+ )
+work as expected.
+To exclude a literal path containing regex metacharacters, prefix the entry with
+.BR literal: .
+The LMD\-managed
+.B ignore_inotify.defaults
+is treated as literal substrings \(em its curated entries are auto\-escaped at load time.
 The defaults file ships curated exclusions for
 .BR systemd-private
 tmpdirs, MariaDB temp tables, PostgreSQL, Redis, ClamAV runtime, and common backup agents.