How does --compare work? I'm trying to compare aide.db and aide.db.new just to see how it works and can't make it do what I think it should do.

[EMAIL PROTECTED] aide]# ls -l aide.db*
-rw------- 1 root root 2547792 Jan 21 15:30 aide.db
-rw------- 1 root root 2589161 Jan 21 12:35 aide.db.new
[EMAIL PROTECTED] aide]# grep database /etc/aide.conf |grep -v "^#"
database=file:@@{DBDIR}/aide.db
database_out=file:@@{DBDIR}/aide.db.new
[EMAIL PROTECTED] aide]# aide --compare
Rule at line 188 has c and I flags enabled at the same time. If same inode is found, flag c is ignored
Rule at line 189 has c and I flags enabled at the same time. If same inode is found, flag c is ignored
Rule at line 190 has c and I flags enabled at the same time. If same inode is found, flag c is ignored
Must have both input databases defined for database compare.
[EMAIL PROTECTED] aide]# aide --compare aide.db.new aide.db
Extra parameters given
[EMAIL PROTECTED] aide]# aide --compare aide.db
Extra parameters given

This isn't overly intuitive and the man pages tell next to nothing. What does it mean to have both input databases defined? Reading the man page, I can only have one "database" clause. But for kicks, I tried adding another one:

[EMAIL PROTECTED] aide]# grep database /etc/aide.conf |grep -v "^#"
database=file:@@{DBDIR}/aide.db
database=file:@@{DBDIR}/aide.db.new
database_out=file:@@{DBDIR}/aide.db.new
[EMAIL PROTECTED] aide]# aide --compare
Rule at line 189 has c and I flags enabled at the same time. If same inode is found, flag c is ignored
Rule at line 190 has c and I flags enabled at the same time. If same inode is found, flag c is ignored
Rule at line 191 has c and I flags enabled at the same time. If same inode is found, flag c is ignored
Must have both input databases defined for database compare.

So I can't figure out how to compare two databases. Regardless, this seems odd to me. Why should a compare be restricted to a configuration file definition? Shouldn't I be able to just do:

aide --compare old.db new.db

? That would be most logical. I shouldn't have to have any of this defined, and aide shouldn't care if I'm comparing something new or old... I should be allowed to compare two database files from last year if I want without changing my aide configuration file, right?

--
Annvix - Secure Linux Server: http://annvix.org/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C A2BC 2EBC 5E32 FEE3 0AD4}
Wasting time like it was free...
_______________________________________________ Aide mailing list Aide@cs.tut.fi https://mailman.cs.tut.fi/mailman/listinfo/aide
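
The "Must have both input databases defined" error in the message above concerns two config options: aide.conf(5) documents database_new as the second input that --compare reads, alongside database. The wrapper below is an added example, not part of the original post or of AIDE itself; its function names are hypothetical, and it assumes a file-based config whose rules are reused from /etc/aide.conf so that two arbitrary database files can be compared without editing it.

```shell
#!/bin/sh
# Added example: compare two AIDE databases without editing /etc/aide.conf.
# Assumption: database_new (aide.conf(5)) is the second input for --compare.

# abs_path FILE -> absolute path, since file: URLs need one
abs_path() {
    dir=$(cd "$(dirname "$1")" && pwd) || return 1
    printf '%s/%s\n' "$dir" "$(basename "$1")"
}

# make_compare_conf BASE_CONF OLD_DB NEW_DB
# Prints a config that keeps the rules and macros of BASE_CONF but replaces
# every active database* line with the two inputs --compare requires.
make_compare_conf() {
    base=$1
    for f in "$base" "$2" "$3"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 1; }
    done
    old=$(abs_path "$2") || return 1
    new=$(abs_path "$3") || return 1
    printf 'database=file:%s\n' "$old"
    printf 'database_new=file:%s\n' "$new"
    # Drop database=, database_out= and database_new= from the base config;
    # commented-out lines and all rules pass through unchanged.
    grep -Ev '^[[:space:]]*database(_out|_new)?[[:space:]]*=' "$base" || :
    return 0
}

# aide_compare OLD_DB NEW_DB [BASE_CONF]
# Runs the comparison with a throwaway config and returns aide's exit status.
aide_compare() {
    conf=$(mktemp) || return 1
    if make_compare_conf "${3:-/etc/aide.conf}" "$1" "$2" > "$conf"; then
        aide --config="$conf" --compare
        rc=$?
    else
        rc=2
    fi
    rm -f "$conf"
    return "$rc"
}
```

Source the file and call aide_compare old.db new.db; the report is relative to the rules in the base config, so databases built under different rule sets will show differences that come from the rules rather than from the filesystem.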