Marc Haber wrote:

> So, the ANF does seem to suppress the new .1.gz files from being
> reported as new, and the ARF does seem to suppress the removed .6.gz
> files from being reported as removed, but I don't understand what
> happens with the _not_ new .2.gz files (they come from mv .1.gz .2.gz)
> are reported as new, and why the _not_ removed .5.gz files (they go to
> mv .5.gz to .6.gz) are reported as removed.
What I think is happening is that when the aide.db is created, a point-in-time snapshot (A) of your files is made:

    inode   filename
    10001   error.log
    10002   error.log.0
    10003   error.log.1.gz
    10004   error.log.2.gz
    10005   error.log.3.gz
    10006   error.log.4.gz
    10007   error.log.5.gz
    10008   error.log.6.gz

Now, the next day when aide is run, error.log has become error.log.0, and error.log.1.gz is a new file. error.log.6.gz is removed. This looks like (B):

    inode   filename
    10010   error.log
    10001   error.log.0
    10011   error.log.1.gz
    10003   error.log.2.gz
    10004   error.log.3.gz
    10005   error.log.4.gz
    10006   error.log.5.gz
    10007   error.log.6.gz

Again the next day, this will look like (C):

    inode   filename
    10020   error.log
    10010   error.log.0
    10021   error.log.1.gz
    10011   error.log.2.gz
    10003   error.log.3.gz
    10004   error.log.4.gz
    10005   error.log.5.gz
    10006   error.log.6.gz

So when comparing C with A, error.log.2.gz is a new file and the original error.log.5.gz was removed.

I think for your ruleset to work, you need to update your aide.db every day (so at point B). So C gets compared to B and not A.

Sincerely,

Richard van den Berg

Aide mailing list
https://mailman.cs.tut.fi/mailman/listinfo/aide
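The inode walk-through above, as an added example (not code from the post or from AIDE itself): a small Python model of snapshots A, B and C with a by-inode comparison, showing that error.log.2.gz and error.log.5.gz only surface when C is checked against A. It assumes the rotation order rename, create new log, compress, and the inode numbers are the post's constructed ones.

```python
# Added example, not code from the thread or from AIDE. Snapshots map
# filename -> inode; inode numbers are constructed to match the message.
# rotate() models logrotate: .N.gz is renamed to .(N+1).gz (inode kept),
# .0 is compressed into a fresh .1.gz (new inode), error.log is renamed to
# .0 (inode kept) and recreated (new inode). Rotation order is an assumption.
from typing import Dict, Set, Tuple

Snapshot = Dict[str, int]  # filename -> inode number


def rotate(snap: Snapshot, next_inode: int, keep: int = 6) -> Tuple[Snapshot, int]:
    """Return the snapshot after one rotation and the next free inode."""
    new: Snapshot = {}
    for n in range(1, keep):  # .1.gz .. .(keep-1).gz move up; .keep.gz is dropped
        name = f"error.log.{n}.gz"
        if name in snap:
            new[f"error.log.{n + 1}.gz"] = snap[name]
    if "error.log" in snap:  # rename keeps the inode
        new["error.log.0"] = snap["error.log"]
    new["error.log"] = next_inode  # freshly created log file
    next_inode += 1
    if "error.log.0" in snap:  # gzip writes a new file, hence a new inode
        new["error.log.1.gz"] = next_inode
        next_inode += 1
    return new, next_inode


def diff_by_inode(db: Snapshot, now: Snapshot) -> Tuple[Set[str], Set[str]]:
    """Names whose inode is unknown to the database (new) and database
    entries whose inode no longer exists on disk (removed)."""
    db_inodes = set(db.values())
    now_inodes = set(now.values())
    new = {name for name, ino in now.items() if ino not in db_inodes}
    removed = {name for name, ino in db.items() if ino not in now_inodes}
    return new, removed


def build_snapshots() -> Tuple[Snapshot, Snapshot, Snapshot]:
    """Snapshots A, B and C from the post (A uses inodes 10001..10008)."""
    names = ["error.log", "error.log.0"] + [f"error.log.{n}.gz" for n in range(1, 7)]
    a = {name: 10001 + i for i, name in enumerate(names)}
    b, _ = rotate(a, 10010)
    c, _ = rotate(b, 10020)
    return a, b, c


if __name__ == "__main__":
    a, b, c = build_snapshots()
    print("C vs A (new, removed):", diff_by_inode(a, c))
    print("C vs B (new, removed):", diff_by_inode(b, c))
```

Against A, the renamed archive error.log.2.gz (inode 10011) and the vanished inode 10007 (error.log.5.gz in A) are reported; against B only the .1.gz/.6.gz pair covered by ANF/ARF remains, plus the uncompressed error.log and error.log.0, whose inodes change on every rotation in this model.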
