[Pkg-aide-maintainers] Bug#442214: aide: Aide issues false alarms

Marc Haber mh+debian-packages at zugschlus.de
Wed Jul 23 12:37:07 UTC 2008


On Sat, Jul 19, 2008 at 11:48:37AM -0700, Bill Wohler wrote:
> Marc Haber <mh+debian-packages at zugschlus.de> wrote:
> > On Sat, Nov 24, 2007 at 07:56:29PM -0800, Bill Wohler wrote:
> > > Hi Marc, I think I'm seeing the same thing here. It appears that the ARF
> > > rule isn't working as advertised.
> > > 
> > > For example, the following line appeared in the report:
> > > 
> > >   removed: /var/log/aide/aide.log.6.gz
> > > 
> > > However, in /etc/aide/aide.conf.local.d/31_aide_aide [1], I see: 
> > > 
> > >   /var/log/aide/aide\.log\.6\.gz$ RotatedLogs+ARF
> > > 
> > > which should be suppressing this message. Right?
> > 
> > In a nutshell: The ANF/ARF rules will only work if COPYNEWDB=yes is
> > set in /etc/default/aide _OR_ COPYNEWDB=ifnochange in
> > /etc/default/aide _AND_ no other changes were detected in an aide run.
> > As soon as the first change is detected, the next run is going to
> > report rotated logs despite the ANF/ARF rules.
> 
> Bingo! That was it. I don't think I ever saw those changes on their own.
> 
> I've updated the documentation in /etc/default/aide which might make
> this more clear. I've included a patch for your consideration.

I am not comfortable at all with the idea of documenting things in the
actual configuration file since this encourages people to ignore the
README file even more.

I have instead committed the following patch to the README file which
will hopefully make things a lot clearer than they were explained
in the previous README file. I'd appreciate your comments.

@@ -106,10 +140,23 @@
 dangerous since detected changes are only reported once. This is the
 reason for COPYNEWDB="no" being the default. A third option,
 COPYNEWDB="ifnochange" only copies the new database over the old one
-if aide has not detected any changes. This might be necessary for the
-ANF/ARF feature to properly handle logs that have been rotated
-multiple times.
+if aide has not detected any changes.

+ANF/ARF rules are only going to work if an updated database is copied
+over the old reference database before the next database update. Since
+ANF/ARF rules are part of the default install, it will be necessary to
+either
+   - manually run aide --update daily and copy over the databases
+     after manual inspection manually _each_ day,
+   - set COMMAND="update" and copy the newly generated database over
+     the old reference database after manual inspection _each_ _day_,
+   - set COMMAND="update" and COPYNEWDB="ifnochange" and copy
+     the newly generated database over the old reference database
+     after manual inspection if changes were reported or
+   - set COMMAND="update" and COPYNEWDB="yes" and live with the fact
+     that changes to the filesystem will only be reported once and never
+     again.
+
 The cron job then mails aide's output to the address configured as
 MAILTO if either
   - reportable changes have been found or
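Review bot: The new text states the requirement (the updated database must be copied over the reference database before the next update) but not the mechanism that bites users, so the README still leaves the reader to infer why ANF/ARF "stops working": with COPYNEWDB="ifnochange", any reported change blocks the copy, the next run then compares against the stale reference database, and a rotated log shows up as removed or added despite the ANF/ARF rule. One sentence to that effect before the list, along the lines of "If the copy does not happen, the next run compares against the stale database and reports rotated logs regardless of ANF/ARF rules", would make the list of options self-explanatory. Also, the first bullet says "manually" twice ("manually run aide --update daily and copy over the databases after manual inspection manually _each_ day"); drop the second "manually".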

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
