[Pkg-aide-maintainers] Bug#442214: Bug#442214: aide: Aide issues false alarms

Marc Haber mh+debian-packages at zugschlus.de
Wed Mar 5 10:11:30 UTC 2008


On Mon, Mar 03, 2008 at 11:37:49PM +0100, Francois Gouget wrote:
> Marc Haber wrote:
> > In a previous run, aide detected changes (most probably the zope log
> > file), and thus the newly generated database was not copied over the
> > old one. After the next log rotation, the log-related rules didn't
> > apply any more and you got the report quoted above.
> 
> So it's necessary to get a clean run to not get things to degenerate. 
> Ouch. That's going to be pretty hard given how incomplete the default 
> aide configuration files are.

Which is why the AIDE documentation asks people to submit their rules
either to aide or to the maintainers of the other packages for
inclusion in either package. The support scheme supports either.

Unfortunately, users and other maintainers are quite reluctant to do
so, and I do not have the time to build rules for packages that I do
not use myself. Frankly, I _must_ rely on others doing this work.

> I also don't understand why ifnochange is not the default since, as it 
> is and with the rules that aide ships with, using anything else will 
> result in the administrator being deluged with false positives 
> (essentially every single Debian package's log files will be reported in 
> short order).

Ifnochange basically accepts a certain set of changes automatically,
which is, IMO, unacceptable as a default configuration.

Since interpretation of an aide log needs considerable experience and
expertise, and manual tweaking is needed in the vast majority of cases
anyway, it is reasonable to ask administrators to activate this
feature if it is locally wanted.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




