On Sun, Feb 12, 2006 at 10:30:18PM +0100, Richard van den Berg wrote:
> Marc Haber wrote:
> > So, the ANF does seem to suppress the new .1.gz files from being
> > reported as new, and the ARF does seem to suppress the removed .6.gz
> > files from being reported as removed, but I don't understand what
> > happens with the _not_ new .2.gz files (they come from mv .1.gz .2.gz)
> > are reported as new, and why the _not_ removed .5.gz files (they go to
> > mv .5.gz to .6.gz) are reported as removed.
>
> What I think is happening, is that when the aide.db is created, a
> point-in-time snapshot (A) of your files is made:

<snip>

> Now, the next day when aide is run, error.log has become error.log.0,
> and error.log.1.gz is a new file. error.log.6.gz is removed. This looks
> like (B):

<snip>

> Again the next day, this will look like (C):

<snip>

> So when comparing C with A, error.log.2.gz is a new file and the
> original error.log.5.gz was removed.

Yes, that explanation makes sense.

> I think for your ruleset to work, you need to update your aide.db every
> day (so at point B). So C gets compared to B and not A.

How would you handle this in a daily cron job? I am thinking about
using --update always, and copying the new database to the old
database if aide output parses
### All files match AIDE database. Looks okay!

What do you think about that idea?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
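
The daily job proposed in the message above, sketched as a cron-callable script; this is an added example, not code from the thread or from the AIDE project. The database paths, the `.prev` backup and the function names are assumptions, and the marker string is copied from the message, so check it against the report your AIDE version prints.

```shell
#!/bin/sh
# Added example: run "aide --update" daily and promote the new database only
# when the report contains the clean marker quoted in the message above.
# Assumed paths; the real ones come from database/database_out in aide.conf.
AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db}"
AIDE_DB_NEW="${AIDE_DB_NEW:-/var/lib/aide/aide.db.new}"
AIDE_CMD="${AIDE_CMD:-aide}"
# Marker text as quoted in the message; verify it against your AIDE's output.
CLEAN_MARKER='### All files match AIDE database. Looks okay!'

# report_is_clean FILE: true only if the report contains the clean marker.
report_is_clean() {
    grep -Fq -- "$CLEAN_MARKER" "$1"
}

# promote_if_clean REPORT NEW_DB CUR_DB
# returns 0 = promoted, 1 = differences reported (baseline kept), 2 = no new db
promote_if_clean() {
    rep=$1; new=$2; cur=$3
    [ -s "$new" ] || { echo "aide wrote no database at $new" >&2; return 2; }
    report_is_clean "$rep" || return 1
    # Keep one generation back (hypothetical .prev name) before replacing.
    if [ -f "$cur" ]; then cp -p "$cur" "$cur.prev"; fi
    mv -f "$new" "$cur"
}

# daily_aide: one cron run; same return codes as promote_if_clean.
daily_aide() {
    report=$(mktemp) || return 3
    # The report text, not the exit status, decides (as proposed in the message).
    "$AIDE_CMD" --update >"$report" 2>&1 || true
    rc=0
    promote_if_clean "$report" "$AIDE_DB_NEW" "$AIDE_DB" || rc=$?
    # Unclean run: print the report so cron mails it; aide.db stays the baseline,
    # so the same differences are reported again until someone reviews them.
    [ "$rc" -eq 0 ] || cat "$report"
    rm -f "$report"
    return "$rc"
}

# Only act when called with "run", so the file can also be sourced.
case "${1:-}" in run) daily_aide ;; esac
```

Because a failed or truncated run never prints the marker, it leaves the existing baseline in place rather than silently accepting a new one.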
