On Sat, Jul 19, 2008 at 11:48:37AM -0700, Bill Wohler wrote:
> Marc Haber <[EMAIL PROTECTED]> wrote:
> > On Sat, Nov 24, 2007 at 07:56:29PM -0800, Bill Wohler wrote:
> > > Hi Marc, I think I'm seeing the same thing here. It appears that the ARF
> > > rule isn't working as advertised.
> > >
> > > For example, the following line appeared in the report:
> > >
> > > removed: /var/log/aide/aide.log.6.gz
> > >
> > > However, in /etc/aide/aide.conf.local.d/31_aide_aide [1], I see:
> > >
> > > /var/log/aide/aide\.log\.6\.gz$ RotatedLogs+ARF
> > >
> > > which should be suppressing this message. Right?
> >
> > In a nutshell: The ANF/ARF rules will only work if COPYNEWDB=yes is
> > set in /etc/default/aide _OR_ COPYNEWDB=ifnochange in
> > /etc/default/aide _AND_ no other changes were detected in an aide run.
> > As soon as the first change is detected, the next run is going to
> > report rotated logs despite the ANF/ARF rules.
>
> Bingo! That was it. I don't think I ever saw those changes on their own.
>
> I've updated the documentation in /etc/default/aide which might make
> this more clear. I've included a patch for your consideration.
I am not comfortable at all with the idea of documenting things in the actual configuration file since this encourages people to ignore the README file even more. I have instead committed the following patch to the README file which will hopefully make things a lot clearer than they were explained in the previous README file. I'd appreciate your comments.
@@ -106,10 +140,23 @@ dangerous since detected changes are only reported once. This is the reason for COPYNEWDB="no" being the default. A third option, COPYNEWDB="ifnochange" only copies the new database over the old one -if aide has not detected any changes. This might be necessary for the -ANF/ARF feature to properly handle logs that have been rotated -multiple times. +if aide has not detected any changes. +ANF/ARF rules are only going to work if an updated database is copied +over the old reference database before the next database update. Since +ANF/ARF rules are part of the default install, it will be necessary to +either + - manually run aide --update daily and copy over the databases + after manual inspection manually _each_ day, + - set COMMAND="update" and copy the newly generated database over + the old reference database after manual inspection _each_ _day_, + - set COMMAND="update" and COPYNEWDB="ifnochange" and copy + the newly generated database over the old reference database + after manual inspection if changes were reported or + - set COMMAND="update" and COPYNEWDB="yes" and live with the fact + that changes to the filesystem will only be reported once and never + again. + The cron job then mails aide's output to the address configured as MAILTO if either - reportable changes have been found or Greetings Marc -- ----------------------------------------------------------------------------- Marc Haber | "I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
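Review bot: the first bullet of the new option list reads "manually run aide --update daily and copy over the databases after manual inspection manually _each_ day", which says "manually" three times; "run aide --update by hand each day and copy the databases over after inspecting the report" carries the same meaning. The last bullet could also spell out what "only be reported once and never again" implies, namely that with COPYNEWDB="yes" every reported change, legitimate or not, silently becomes part of the next reference database, which is the trade-off the earlier paragraph about COPYNEWDB="no" being the default is warning about.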
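A small POSIX shell model of the COPYNEWDB decision that the thread describes, added here as an illustration; it is not the aide package's cron job and not part of Marc's patch. It assumes aide's exit status convention (0 when no changes were detected, 1 to 7 as a bitmask of new, removed and changed files, 14 and above for errors) and uses constructed scratch files in place of the reference and newly generated databases (the names aide.db and aide.db.new are assumed, not taken from the thread).

```shell
#!/bin/sh
# Added example modelling the COPYNEWDB choices discussed in the thread.
# Assumed aide exit codes: 0 = no changes, 1..7 = bitmask of new/removed/
# changed files, >= 14 = error. Not the package's own cron job.

# decide_copy COPYNEWDB AIDE_EXIT
# Prints "copy" when the new database should replace the reference
# database automatically, "keep" when a human has to inspect and copy it.
decide_copy() {
    copynewdb="$1"
    status="$2"
    # An aide error must never refresh the reference database.
    if [ "$status" -ge 14 ]; then
        echo keep
        return 0
    fi
    case "$copynewdb" in
        yes)
            # Every change becomes the new baseline: reported once, never again.
            echo copy ;;
        ifnochange)
            # Refresh only when nothing was reported; after a reported change
            # the ANF/ARF rules will misfire until someone copies by hand.
            if [ "$status" -eq 0 ]; then echo copy; else echo keep; fi ;;
        *)
            # "no" (the default) or anything unrecognised: manual copy only.
            echo keep ;;
    esac
}

# apply_decision DECISION NEWDB REFDB
# Copies NEWDB over REFDB when DECISION is "copy"; otherwise leaves REFDB alone.
apply_decision() {
    if [ "$1" = copy ]; then
        cp -- "$2" "$3"
    fi
}

# reference_db_contents COPYNEWDB AIDE_EXIT
# Runs one simulated cycle on constructed scratch files and prints what the
# reference database contains afterwards ("new" or "old").
reference_db_contents() {
    dir=$(mktemp -d)
    printf 'new\n' > "$dir/aide.db.new"   # constructed stand-in for aide.db.new
    printf 'old\n' > "$dir/aide.db"       # constructed stand-in for aide.db
    decision=$(decide_copy "$1" "$2")
    apply_decision "$decision" "$dir/aide.db.new" "$dir/aide.db"
    cat "$dir/aide.db"
    rm -rf "$dir"
}

# Demonstration: a run with COPYNEWDB=ifnochange that reported changed files
# (exit 4) leaves the old reference database in place, which is exactly the
# situation in which rotated logs get reported on the following run.
reference_db_contents ifnochange 4
```

The decision table is what the README bullets describe: only COPYNEWDB="yes" refreshes unconditionally, COPYNEWDB="ifnochange" refreshes only after a clean run, and the default requires a manual copy after every run, which is why the ANF/ARF rules stop suppressing rotated logs as soon as one change has been reported and nobody copied the database.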