[Pkg-aide-maintainers] Bug#442214: aide: Aide issues false alarms
wohler at newt.com
Fri Jul 25 16:38:47 UTC 2008
Marc Haber <mh+debian-packages at zugschlus.de> wrote:
> On Wed, Jul 23, 2008 at 01:45:05PM -0700, Bill Wohler wrote:
> > Marc Haber <mh+debian-packages at zugschlus.de> wrote:
> > I also found that because this setting trashes the old database, you
> > don't have a chance to later run aide --compare to see how a particular
> > file changed. I therefore added AIDEARGS="-V5" to /etc/default/aide.
> The default, -V4, gives at least a list about which files changed, and
> if one wants more verbose reports, he is free to refer to the manpage
> to change the verbosity level.
> > I think it would be good to mention that issue in the COMMAND="update"
> > and COPYNEWDB="yes" item.
> I do not think that it is a good idea to re-iterate every possible
> outcome of every configuration option in every possible place.
Of course not, but this is important. If you used the defaults, and you
set COPYNEWDB to yes and the first message you get had some files which
might have indicated a break-in, you'd want to see the specific changes.
Or, more likely, you might not realize the unintended consequences of
the setting until later. I was truly shocked when I realized it.
It's your call, of course, but I like it when documentation discusses
more than just the options and the settings and goes into the
justifications, ramifications, and best practices. Just because you can
do something doesn't mean you should. I think this is an important
aspect to point out. Somewhere. Thanks!
Bill Wohler <wohler at newt.com> http://www.newt.com/wohler/ GnuPG ID:610BD9AD
More information about the Pkg-aide-maintainers