[Pkg-aide-maintainers] Bug#442214: aide: Aide issues false alarms

Bill Wohler wohler at newt.com
Sat Jul 19 18:48:37 UTC 2008


Marc Haber <mh+debian-packages at zugschlus.de> wrote:

> On Sat, Nov 24, 2007 at 07:56:29PM -0800, Bill Wohler wrote:
> > Hi Marc, I think I'm seeing the same thing here. It appears that the ARF
> > rule isn't working as advertised.
> > 
> > For example, the following line appeared in the report:
> > 
> >   removed: /var/log/aide/aide.log.6.gz
> > 
> > However, in /etc/aide/aide.conf.local.d/31_aide_aide [1], I see: 
> > 
> >   /var/log/aide/aide\.log\.6\.gz$ RotatedLogs+ARF
> > 
> > which should be suppressing this message. Right?
> 
> In a nutshell: The ANF/ARF rules will only work if COPYNEWDB=yes is
> set in /etc/default/aide _OR_ COPYNEWDB=ifnochange in
> /etc/default/aide _AND_ no other changes were detected in an aide run.
> As soon as the first change is detected, the next run is going to
> report rotated logs despite the ANF/ARF rules.

Bingo! That was it. I don't think I ever saw those changes on their own.

I've updated the documentation in /etc/default/aide which might make
this more clear. I've included a patch for your consideration. I think
you can now close this bug. Thanks!

Index: aide
===================================================================
--- aide	(revision 9249)
+++ aide	(working copy)
@@ -35,9 +35,12 @@
 # COMMAND=update. It is ignored if COMMAND!=update.
 # no: Do not copy new database to old database. This is the default.
 # yes: Copy new database to old database. This means that changes to the
-#   file system are only reported once. Possibly dangerous.
+#   file system are only reported once. Possibly dangerous. However, the
+#   ANF/ARF rules are always guaranteed to work with this setting.
 # ifnochange: Copy new database to old database if no changes have
-#   been reported. This is needed for ANF/ARF to work reliably.
+#   been reported. This is needed for ANF/ARF to work reliably. Note, however,
+#   that once there is a change which prevents the copying of the database,
+#   the ANF/ARF rules will appear to stop working in the next run.
 COPYNEWDB=ifnochange
 
 # This parameter defines how many lines to return per e-mail. Output longer
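Review bot: in the yes: block, "always guaranteed to work" overstates it and sits oddly beside the "Possibly dangerous" caveat kept on the same line; "the ANF/ARF rules work reliably with this setting" would match the wording the ifnochange line already uses. In the ifnochange block, "will appear to stop working in the next run" could say what the admin will actually see, which the quoted explanation above spells out: rotated logs are reported as added/removed despite the rules until a run with no other changes lets the database be copied again.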

-- 
Bill Wohler <wohler at newt.com>  http://www.newt.com/wohler/  GnuPG ID:610BD9AD
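As an added example, not code from this bug report or from the aide package: a small shell lint that applies the rule stated above, that ANF/ARF rules can only take effect with COPYNEWDB=yes, or with COPYNEWDB=ifnochange while no other change is pending. The file paths and layout (a /etc/default/aide-style file plus a directory of aide.conf.local.d rule files) are assumptions; the test data is constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report or the aide package. Usage:
#   sh aide-anf-arf-lint.sh /etc/default/aide /etc/aide/aide.conf.local.d
# (paths are assumed; without arguments only the functions are defined)

# copynewdb_value FILE -> prints the effective COPYNEWDB value ("no" when
# unset, the documented default); the last uncommented assignment wins, as
# it would when the file is sourced.
copynewdb_value() {
    v=$(sed -n 's/^[[:space:]]*COPYNEWDB=\(.*\)$/\1/p' "$1" 2>/dev/null \
        | tail -n 1 | tr -d "\"'" || true)
    echo "${v:-no}"
}

# anf_arf_rules DIR -> prints uncommented rule lines that carry ANF or ARF
anf_arf_rules() {
    cat "$1"/* 2>/dev/null | grep -v '^[[:space:]]*#' \
        | grep -E '(^|[+[:space:]])(ANF|ARF)([+[:space:]]|$)' || true
}

# check_anf_arf DEFAULTS_FILE RULES_DIR -> one-line verdict; returns 1 when
# ANF/ARF rules are present but the COPYNEWDB setting never lets them apply
check_anf_arf() {
    mode=$(copynewdb_value "$1")
    nrules=$(anf_arf_rules "$2" | grep -c . || true)
    if [ "$nrules" -eq 0 ]; then
        echo "ok: no ANF/ARF rules in $2"
        return 0
    fi
    case "$mode" in
        yes)
            echo "ok: $nrules ANF/ARF rule(s) always honoured (COPYNEWDB=yes)"
            return 0 ;;
        ifnochange)
            echo "warn: $nrules ANF/ARF rule(s) honoured only while no other change is pending (COPYNEWDB=ifnochange)"
            return 0 ;;
        *)
            echo "broken: $nrules ANF/ARF rule(s) but COPYNEWDB=$mode, so they never apply"
            return 1 ;;
    esac
}

if [ $# -gt 0 ]; then
    check_anf_arf "$1" "${2:-/etc/aide/aide.conf.local.d}"
fi
```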
