[Pkg-aide-maintainers] Bug#442214: aide: Aide issues false alarms

Marc Haber mh+debian-packages at zugschlus.de
Mon Dec 3 22:29:24 UTC 2007


Hi,

On Sat, Nov 24, 2007 at 07:56:29PM -0800, Bill Wohler wrote:
> Hi Marc, I think I'm seeing the same thing here. It appears that the ARF
> rule isn't working as advertised.
> 
> For example, the following line appeared in the report:
> 
>   removed: /var/log/aide/aide.log.6.gz
> 
> However, in /etc/aide/aide.conf.local.d/31_aide_aide [1], I see: 
> 
>   /var/log/aide/aide\.log\.6\.gz$ RotatedLogs+ARF
> 
> which should be suppressing this message. Right?

I have seen this happening when the database was not "activated" after
aide didn't find any changes.

The ANF/ARF rules will only work if aide.db.new is copied over aide.db
even after an aide run with return code 0. They are best imagined as
"run normally, but ignore this certain kind of change", which will of
course not hold if aide.db still holds the previous state of affairs.

To hopefully make things clearer, grab
https://ivanova.notwork.de/~mh/stuff/aidetest.tar.gz, untar and run
./runtests. This will "rotate" a log five times, with aide runs in
between (which will also copy aide.db.new over aide.db). Only in the
last iteration, rotation happens twice, and _this_ causes the change
to be reported.

In a nutshell: The ANF/ARF rules will only work if COPYNEWDB=yes is
set in /etc/default/aide _OR_ COPYNEWDB=ifnochange in
/etc/default/aide _AND_ no other changes were detected in an aide run.
As soon as the first change is detected, the next run is going to
report rotated logs despite the ANF/ARF rules.

To enable me to see your bug, please try to reduce your setup to
something as minimal as in my aidetest.tar.gz and send me the
directory along with instructions about how to reproduce the issue.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
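
Added example, not part of the message above or of the Debian aide package: a shell check for the condition the message describes, namely whether aide.db was brought in line with aide.db.new after the last run. The function names are hypothetical, the paths to the defaults file and the two databases are supplied by the caller, and treating an unset COPYNEWDB as "no" is an assumption.

```shell
#!/bin/sh
# Added example: checks whether ANF/ARF rules can be expected to work,
# i.e. whether aide.db reflects the state written by the last aide run.

# Print the COPYNEWDB value from a defaults file.
# Commented-out lines are ignored; the last assignment wins.
# An unset variable is treated as "no" (assumption).
copynewdb_setting() {
    val=$(sed -n 's/^[[:space:]]*COPYNEWDB=\([^#[:space:]]*\).*/\1/p' "$1" \
          | tail -n 1 | tr -d "\"'")
    printf '%s\n' "${val:-no}"
}

# Would a run with this exit status have copied aide.db.new over aide.db?
# $1 = defaults file, $2 = exit status of the aide run (0 = no changes).
db_would_be_copied() {
    case "$(copynewdb_setting "$1")" in
        yes)        return 0 ;;
        ifnochange) [ "$2" -eq 0 ] ;;
        *)          return 1 ;;
    esac
}

# Is the reference database identical to the one the last run wrote?
# $1 = aide.db, $2 = aide.db.new
db_is_activated() {
    [ -f "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

# One-line verdict.
# $1 = defaults file, $2 = last exit status, $3 = aide.db, $4 = aide.db.new
anf_arf_verdict() {
    if db_is_activated "$3" "$4"; then
        echo "ok: aide.db matches aide.db.new"
    elif db_would_be_copied "$1" "$2"; then
        echo "stale: aide.db differs although COPYNEWDB should have copied it"
    else
        echo "stale: aide.db not updated, expect rotated logs to be reported"
    fi
}

# Run directly with four arguments to get the verdict for a real setup.
if [ $# -eq 4 ]; then
    anf_arf_verdict "$@"
fi
```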
