[Pkg-aide-maintainers] Bug#442214: Bug#442214: aide: Aide issues false alarms
Marc Haber
mh+debian-packages at zugschlus.de
Sun Jul 27 20:26:34 UTC 2008
On Sun, Jul 27, 2008 at 08:42:14AM -0700, Bill Wohler wrote:
> Marc Haber <mh+debian-packages at zugschlus.de> wrote:
> > On Sun, Jul 27, 2008 at 08:21:31AM -0700, Bill Wohler wrote:
> > > Marc Haber <mh+debian-packages at zugschlus.de> wrote:
> > > > This might be necessary for the ANF/ARF feature to properly
> > > > +handle logs that have been rotated multiple times. COPYNEWDB="no" is
> > > > +the default because automatically copying the database unconditionally
> > > > +(COPYNEWDB="yes") might be dangerous since detected changes are only
> > > > +reported once. Additionally, if you do not manually increase the
> > > > +verbosity level by setting (for example) AIDEARGE="-V5" in
> > > > +/etc/default/aide, you lose the possibility of inspecting the changes
> > > > +more closely.
> > >
> > > Since COPYNEWDB="yes" was parenthetical, that last sentence seems more
> > > associated with the subject of the previous subject, namely,
> > > COPYNEWDB="no". What do you think of this?
> >
> > I do not understand clearly. COPYNEWDB="no" always allows you to
> > inspect the changes more closely by re-running aide.
>
> It seems the warning (beginning with Additionally) applies if
> COPYNEWDB="no".
Ah, now I understand. How about this:
Index: debian/aide-common.README.Debian
===================================================================
--- debian/aide-common.README.Debian (revision 758)
+++ debian/aide-common.README.Debian (working copy)
@@ -106,11 +106,14 @@
handle logs that have been rotated multiple times. COPYNEWDB="no" is
the default because automatically copying the database unconditionally
(COPYNEWDB="yes") might be dangerous since detected changes are only
-reported once. Additionally, if you do not manually increase the
-verbosity level by setting (for example) AIDEARGE="-V5" in
+reported once. If you use COPYNEWDB="yes" and do not manually increase
+the verbosity level by setting (for example) AIDEARGE="-V5" in
/etc/default/aide, you lose the possibility of inspecting the changes
more closely. A third option, COPYNEWDB="ifnochange" only copies the
-new database over the old one if aide has not detected any changes.
+new database over the old one if aide has not detected any changes. In
+this case, you need to manually copy over the databases after the
+first report showing changes, or your ANF+ARF rules (including rotated
+log files etc) are going to stop working.
The cron job then mails aide's output to the address configured as
MAILTO if either
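Review bot: the sentence introducing the third option is missing a comma after the closing quote; the unchanged context line `more closely. A third option, COPYNEWDB="ifnochange" only copies the` should read `A third option, COPYNEWDB="ifnochange", only copies the`, and in the added text `(including rotated log files etc)` wants `etc.`. The setting name AIDEARGE is kept unchanged in both the removed and the added lines; it is worth checking against the variable name actually used in /etc/default/aide before committing, since a reader who copies a wrong name will silently get the default verbosity and exactly the problem this paragraph warns about.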
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
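To make the three COPYNEWDB behaviours discussed in the thread concrete, here is an added simulation (not part of the Debian aide package or its cron job) of how each setting decides whether the freshly built database replaces the reference one, and how often the same change therefore gets reported. The "databases" are constructed one-token snapshots, and change detection is reduced to a string comparison; only the decision rule follows the README text.

```shell
#!/bin/sh
# Added example: model the COPYNEWDB decision of the aide cron job.
# "yes"        -> always install the new database (change reported once)
# "no"         -> never install it (same change reported on every run)
# "ifnochange" -> install it only when aide found no changes, so the
#                 reference freezes as soon as something changes

# decide_copy MODE CHANGES  -> exit 0 if the new db should replace the old one
decide_copy() {
    case "$1" in
        yes)        return 0 ;;
        no)         return 1 ;;
        ifnochange) [ "$2" -eq 0 ] ;;
        *)          echo "unknown COPYNEWDB value: $1" >&2; return 2 ;;
    esac
}

# simulate MODE REF SNAPSHOT...  -> prints the number of runs that reported
# changes; REF and SNAPSHOTs are constructed tokens standing in for the
# reference database and the state of the filesystem at each cron run.
simulate() {
    mode=$1; shift
    ref=$1; shift
    run=0; reports=0
    for cur in "$@"; do
        run=$((run + 1))
        if [ "$cur" = "$ref" ]; then changes=0; else changes=1; fi
        # trace goes to stderr so stdout carries only the final count
        echo "$mode run $run: $changes change(s) (ref=$ref current=$cur)" >&2
        if [ "$changes" -ne 0 ]; then reports=$((reports + 1)); fi
        if decide_copy "$mode" "$changes"; then ref=$cur; fi
    done
    echo "$reports"
}

# One file changes after the first run and stays changed: with "no" and
# "ifnochange" the change is re-reported on every run until an admin copies
# the database by hand; with "yes" it is reported exactly once.
for m in yes no ifnochange; do
    echo "$m: $(simulate "$m" clean modified modified modified) run(s) reported changes"
done
```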