Hi,

On Sat, Nov 24, 2007 at 07:56:29PM -0800, Bill Wohler wrote:
> Hi Marc, I think I'm seeing the same thing here. It appears that the ARF
> rule isn't working as advertised.
>
> For example, the following line appeared in the report:
>
> removed: /var/log/aide/aide.log.6.gz
>
> However, in /etc/aide/aide.conf.local.d/31_aide_aide [1], I see:
>
> /var/log/aide/aide\.log\.6\.gz$ RotatedLogs+ARF
>
> which should be suppressing this message. Right?

I have seen this happening when the database was not "activated" after
aide didn't find any changes. The ANF/ARF rules will only work if
aide.db.new is copied over aide.db even after an aide run with return
code 0. They are best imagined as "run normally, but ignore this
certain kind of change", which will of course not hold if aide.db
still holds the previous state of affairs.

To hopefully make things clearer, grab
https://ivanova.notwork.de/~mh/stuff/aidetest.tar.gz, untar and run
./runtests. This will "rotate" a log five times, with aide runs in
between (which will also copy aide.db.new over aide.db). Only in the
last iteration, rotation happens twice, and _this_ causes the change
to be reported.

In a nutshell: The ANF/ARF rules will only work if
COPYNEWDB=yes is set in /etc/default/aide
_OR_
COPYNEWDB=ifnochange in /etc/default/aide _AND_ no other changes
were detected in an aide run.

As soon as the first change is detected, the next run is going to
report rotated logs despite the ANF/ARF rules.

To enable me to see your bug, please try to reduce your setup to
something as minimal as in my aidetest.tar.gz and send me the
directory along with instructions about how to reproduce the issue.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
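
A check for the two preconditions described in the message above, added here as an example; it is not part of the original mail or of the aide package. The function names, the default database paths /var/lib/aide/aide.db and /var/lib/aide/aide.db.new, and the assumption that aide.db.new stays on disk after being copied are assumptions; pass your own paths as arguments.

```shell
#!/bin/sh
# Added example (not from the aide package). Default paths are assumptions.
# Usage: check_arf_preconditions [defaults-file] [aide.db] [aide.db.new]

# Print the effective COPYNEWDB value from a defaults file. The last
# assignment wins; trailing comments and surrounding quotes are dropped.
# Prints "unset" if the file or the variable is missing.
copynewdb_value() {
    val=$(sed -n 's/^[[:space:]]*COPYNEWDB=//p' "$1" 2>/dev/null | tail -n 1 |
          sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
              -e 's/^["'\'']//' -e 's/["'\'']$//')
    echo "${val:-unset}"
}

# Return 0 if the new database has been "activated", i.e. aide.db is
# byte-identical to aide.db.new.
db_activated() {
    [ -f "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

# Print a verdict; return 0 only when the ANF/ARF rules can be expected
# to suppress rotated-log changes on the next run.
check_arf_preconditions() {
    defaults=${1:-/etc/default/aide}
    db=${2:-/var/lib/aide/aide.db}
    dbnew=${3:-/var/lib/aide/aide.db.new}
    mode=$(copynewdb_value "$defaults")
    case "$mode" in
        yes) ;;
        ifnochange)
            echo "note: COPYNEWDB=ifnochange, a run with changes leaves aide.db stale" ;;
        *)
            echo "FAIL: COPYNEWDB=$mode, aide.db is not updated after a run"
            return 1 ;;
    esac
    if [ ! -f "$dbnew" ]; then
        echo "FAIL: $dbnew not found, cannot compare against $db"
        return 1
    fi
    if db_activated "$db" "$dbnew"; then
        echo "OK: $db matches $dbnew"
    else
        echo "FAIL: $db differs from $dbnew (baseline not activated)"
        return 1
    fi
}
```

Source the file and call check_arf_preconditions after an aide run; a FAIL on the database comparison means the next report will be computed against the older baseline.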

