As you noticed from a previous email, I'm finally working on aide again. Marc Haber <[EMAIL PROTECTED]> wrote:
> On Mon, Sep 17, 2007 at 08:23:03AM -0700, Bill Wohler wrote: > > I reinstalled aide and used the Debian configuration per your suggestion. > > > > MAILSUBJ="Daily AIDE report for $FQDN" > > MAILTO=root > > QUIETREPORTS=yes > > COMMAND=update > > COPYNEWDB=ifnochange > > LINES=1000 > > NOISE="" > > AIDEARGS="-V3" > > UPAC_CONFDIR="/etc/aide" > > UPAC_CONFD="$UPAC_CONFDIR/aide.conf.local.d" > > > > After spending many hours suppressing output of transient postfix and > > mailman files and other nominal activities, I finally got aide not to > > report any changes in a 5 minute period. > > Care to submit your rules for inclusion in the aide packages? I will be glad to do so once I stop editing them :-). > > However, I still got an email, appended below, so it appears that > > QUIETREPORTS=yes is not working as advertised. > > Hmm. > > > In addition, I would have expected the COPYNEWDB=ifnochange to update my > > database in this case, but as you can see, it didn't: > > > > [EMAIL PROTECTED]:505]# l -tr > > total 10296 > > -rw------- 1 root root 5250884 Sep 17 07:46 aide.db > > -rw------- 1 root root 15823 Sep 17 07:51 aide.conf.autogenerated > > -rw------- 1 root root 5250869 Sep 17 07:57 aide.db.new > > This looks like the aide cron job on your system does not properly > detected that there were no changes. aide in etch does not give > meaningful return values, so the cron job has to parse aide's output. > > This has been changed since then, so you might find lenny's aide > backported to etch helpful. I've just installed 0.13.1-8 with apt-get source. Unfortunately, as reported in #442214, I always get the following report: removed: /var/log/aide/aide.log.6.gz Once that message goes away, I'll be able to determine if this upgrade closed this issue for me. -- Bill Wohler <[EMAIL PROTECTED]> http://www.newt.com/wohler/ GnuPG ID:610BD9AD -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
