[Pkg-aide-maintainers] Bug#442214: aide: Aide issues false alarms

Marc Haber mh+debian-packages at zugschlus.de
Sun Jul 27 09:28:56 UTC 2008 

On Fri, Jul 25, 2008 at 09:38:47AM -0700, Bill Wohler wrote:
> Marc Haber <mh+debian-packages at zugschlus.de> wrote:
> > On Wed, Jul 23, 2008 at 01:45:05PM -0700, Bill Wohler wrote:
> > > I think it would be good to mention that issue in the COMMAND="update"
> > > and COPYNEWDB="yes" item.
> > 
> > I do not think that it is a good idea to re-iterate every possible
> > outcome of every configuration option in every possible place.
> 
> Of course not, but this is important. If you used the defaults, and you
> set COPYNEWDB to yes and the first message you get had some files which
> might have indicated a break-in, you'd want to see the specific changes.
> Or, more likely, you might not realize the unintended consequences of
> the setting until later. I was truly shocked when I realized it.

You have a point here, I have included this in README.Debian:

--- debian/aide-common.README.Debian    (revision 754)
+++ debian/aide-common.README.Debian    (working copy)
@@ -102,13 +102,15 @@

 After running aide, the newly generated database which was created
 with COMMAND="update" is optionally copied over the old reference
-database. Doing this unconditionally (COPYNEWDB="yes") might be
-dangerous since detected changes are only reported once. This is the
-reason for COPYNEWDB="no" being the default. A third option,
-COPYNEWDB="ifnochange" only copies the new database over the old one
-if aide has not detected any changes. This might be necessary for the
-ANF/ARF feature to properly handle logs that have been rotated
-multiple times.
+database. This might be necessary for the ANF/ARF feature to properly
+handle logs that have been rotated multiple times. COPYNEWDB="no" is
+the default because automatically copying the database unconditionally
+(COPYNEWDB="yes") might be dangerous since detected changes are only
+reported once. Additionally, if you do not manually increase the
+verbosity level by setting (for example) AIDEARGE="-V5" in
+/etc/default/aide, you lose the possibility of inspecting the changes
+more closely. A third option, COPYNEWDB="ifnochange" only copies the
+new database over the old one if aide has not detected any changes.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

More information about the Pkg-aide-maintainers mailing list