[Pkg-aide-maintainers] Bug#442214: aide: Aide issues false alarms
Bill Wohler
wohler at newt.com
Sat Jul 19 18:48:37 UTC 2008
Marc Haber <mh+debian-packages at zugschlus.de> wrote:
> On Sat, Nov 24, 2007 at 07:56:29PM -0800, Bill Wohler wrote:
> > Hi Marc, I think I'm seeing the same thing here. It appears that the ARF
> > rule isn't working as advertised.
> >
> > For example, the following line appeared in the report:
> >
> > removed: /var/log/aide/aide.log.6.gz
> >
> > However, in /etc/aide/aide.conf.local.d/31_aide_aide [1], I see:
> >
> > /var/log/aide/aide\.log\.6\.gz$ RotatedLogs+ARF
> >
> > which should be suppressing this message. Right?
>
> In a nutshell: The ANF/ARF rules will only work if COPYNEWDB=yes is
> set in /etc/default/aide _OR_ COPYNEWDB=ifnochange in
> /etc/default/aide _AND_ no other changes were detected in an aide run.
> As soon as the first change is detected, the next run is going to
> report rotated logs despite the ANF/ARF rules.
Bingo! That was it. I don't think I ever saw those changes on their own.
I've updated the documentation in /etc/default/aide which might make
this more clear. I've included a patch for your consideration. I think
you can now close this bug. Thanks!
Index: aide
===================================================================
--- aide (revision 9249)
+++ aide (working copy)
@@ -35,9 +35,12 @@
# COMMAND=update. It is ignored if COMMAND!=update.
# no: Do not copy new database to old database. This is the default.
# yes: Copy new database to old database. This means that changes to the
-# file system are only reported once. Possibly dangerous.
+# file system are only reported once. Possibly dangerous. However, the
+# ANF/ARF rules are always guaranteed to work with this setting.
# ifnochange: Copy new database to old database if no changes have
-# been reported. This is needed for ANF/ARF to work reliably.
+# been reported. This is needed for ANF/ARF to work reliably. Note, however,
+# that once there is a change which prevents the copying of the database,
+# the ANF/ARF rules will appear to stop working in the next run.
COPYNEWDB=ifnochange
# This parameter defines how many lines to return per e-mail. Output longer
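Review bot: The new "ifnochange" text tells the admin that ANF/ARF "will appear to stop working in the next run" but not how to recover, which is the point an operator reading /etc/default/aide will need; consider adding that once the reported change has been reviewed and the database updated (so the new database is copied again), the rotated-log suppression resumes. On the "yes" paragraph, "always guaranteed to work" is stronger than the surrounding text supports and sits next to "Possibly dangerous" without saying why: with COPYNEWDB=yes every change, including an unwanted one, is reported only once and then becomes the new baseline, so a phrasing such as "ANF/ARF rules work reliably with this setting because the database is always replaced" keeps the trade-off visible.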
--
Bill Wohler <wohler at newt.com> http://www.newt.com/wohler/ GnuPG ID:610BD9AD