Marc Haber <[EMAIL PROTECTED]> wrote:

> On Sat, Nov 24, 2007 at 07:56:29PM -0800, Bill Wohler wrote:
> > Hi Marc, I think I'm seeing the same thing here. It appears that the ARF
> > rule isn't working as advertised.
> > 
> > For example, the following line appeared in the report:
> > 
> >   removed: /var/log/aide/aide.log.6.gz
> > 
> > However, in /etc/aide/aide.conf.local.d/31_aide_aide [1], I see: 
> > 
> >   /var/log/aide/aide\.log\.6\.gz$ RotatedLogs+ARF
> > 
> > which should be suppressing this message. Right?
> 
> In a nutshell: The ANF/ARF rules will only work if COPYNEWDB=yes is
> set in /etc/default/aide _OR_ COPYNEWDB=ifnochange in
> /etc/default/aide _AND_ no other changes were detected in an aide run.
> As soon as the first change is detected, the next run is going to
> report rotated logs despite the ANF/ARF rules.

Bingo! That was it. I don't think I ever saw those changes on their own.

I've updated the documentation in /etc/default/aide which might make
this more clear. I've included a patch for your consideration. I think
you can now close this bug. Thanks!

Index: aide
===================================================================
--- aide        (revision 9249)
+++ aide        (working copy)
@@ -35,9 +35,12 @@
 # COMMAND=update. It is ignored if COMMAND!=update.
 # no: Do not copy new database to old database. This is the default.
 # yes: Copy new database to old database. This means that changes to the
-#   file system are only reported once. Possibly dangerous.
+#   file system are only reported once. Possibly dangerous. However, the
+#   ANF/ARF rules are always guaranteed to work with this setting.
 # ifnochange: Copy new database to old database if no changes have
-#   been reported. This is needed for ANF/ARF to work reliably.
+#   been reported. This is needed for ANF/ARF to work reliably. Note, however,
+#   that once there is a change which prevents the copying of the database,
+#   the ANF/ARF rules will appear to stop working in the next run.
 COPYNEWDB=ifnochange
 
 # This parameter defines how many lines to return per e-mail. Output longer
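Review bot: The new "yes" sentence ("+#   ANF/ARF rules are always guaranteed to work with this setting.") reads as an unconditional guarantee while the preceding "Possibly dangerous." still gives no reason; since the two are really the same trade-off, consider spelling it out in one place: with COPYNEWDB=yes the new database overwrites the old one after every run, so any detected change (wanted or not) is silently accepted into the baseline and reported only once, which is also why the rotated-log rules keep matching. For the ifnochange lines, the added note explains why the rules "appear to stop working" but not how to get out of that state; a closing sentence that the rules match again once the pending change has been reviewed and the database copied would save the next reader the round trip this bug report went through.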

-- 
Bill Wohler <[EMAIL PROTECTED]>  http://www.newt.com/wohler/  GnuPG ID:610BD9AD


