Debian Bug report logs - #442214
aide: Aide issues false alarms

Package: aide; Maintainer for aide is Aide Maintainers <aide@packages.debian.org>; Source for aide is src:aide.

Reported by: Andreas Tille <tillea@rki.de>

Date: Fri, 14 Sep 2007 06:36:02 UTC

Severity: normal

Tags: moreinfo

Found in versions aide/0.13.1-2, aide/0.13.1-8

Done: Hannes von Haugwitz <hannes@vonhaugwitz.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>:
Bug#442214; Package aide.


Acknowledgement sent to Andreas Tille <tillea@rki.de>:
New Bug report received and forwarded. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Andreas Tille <tillea@rki.de>
To: submit@bugs.debian.org
Subject: aide: Aide issues false alarms
Date: Fri, 14 Sep 2007 08:33:28 +0200 (CEST)
Package: aide
Version: 0.13.1-2
Severity: normal

Hi,

I haven't changed the files in /etc/aide/aide.conf.d (just added a few
ones for my own application) but Aide reports things like

---------------------------------------------------
Added files:
---------------------------------------------------

added: /var/log/exim4/mainlog.2.gz

---------------------------------------------------
Removed files:
---------------------------------------------------

removed: /var/log/exim4/mainlog.10.gz
removed: /var/log/daemon.log.6.gz
removed: /var/log/syslog.6.gz

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /var/log/exim4/mainlog
changed: /var/log/exim4/mainlog.1
changed: /var/log/syslog
changed: /var/log/daemon.log


which perfectly should be suppressed by the configuration shipped with aide.

Please feel free to ask for further information if needed besides
the auto generated config file which I include at the end of this bug report.

Kind regards

         Andreas.


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-at4
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)

Versions of packages aide depends on:
ii  debconf [debconf 1.5.11                  Debian configuration management sy
ii  liblockfile1     1.06.1                  NFS-safe locking library, includes
ii  mailx            1:8.1.2-0.20050715cvs-1 A simple mail user agent
ii  ucf              2.0020                  Update Configuration File: preserv

Versions of packages aide recommends:
ii  cron                          3.0pl1-100 management of regular background p

-- debconf information:
  aide/aideinit: false
  aideinit/copynew: false
  aideinit/overwritenew: true
  aide/newlibdir: false

-- content of /var/lib/aide/aide.conf.autogenerated

#########
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# this file is generated dynamically from /etc/aide/aide.conf and the files
# in /etc/aide/aide.conf.d
# Any changes you make here will be lost.
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# WARNING WARNING WARNING
# WARNING WARNING WARNING
#########

database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

Checksums     = md5+sha1+rmd160+haval+gost+crc32+tiger+whirlpool
OwnerMode     = p+u+g
Size          = s+b
InodeData     = OwnerMode+n+i+Size
RamdiskData   = InodeData-i
StaticFile    = m+c+Checksums

Full          = InodeData+StaticFile
VarFile       = OwnerMode+n
VarDir        = OwnerMode+n+i
RotatedLogs   = Full+I
Logs          = OwnerMode+n+S
LowLogs       = Logs-S
LinkedLogs    = Logs-n
@@define FQDN seinfluenza01\.rki\.ivbb\.bund\.de
@@define HOSTNAME seinfluenza01
@@define DNSDOMAINNAME rki\.ivbb\.bund\.de

/var/log/acpid$ Logs
/var/log/acpid\.1$ RotatedLogs
/var/log/acpid\.2\.gz$ RotatedLogs+ANF
/var/log/acpid\.3\.gz$ RotatedLogs
/var/log/acpid\.4\.gz$ RotatedLogs+ARF
/var/run/acpid\.socket$ VarFile

/etc/adjtime$ VarFile

/var/lib/aide/aide\.db(\.new)?$ VarFile
!/var/lib/aide/aide\.conf\.autogenerated$
/var/lib/aide$ VarDir
/var/log/aide/aide\.log(\.0)?$ LowLogs
/var/log/aide/aide\.log\.1\.gz$ RotatedLogs+ANF
/var/log/aide/aide\.log\.[2345]\.gz$ RotatedLogs
/var/log/aide/aide\.log\.6\.gz$ RotatedLogs+ARF
/var/log/aide$ VarDir
!/var/run/aide$
!/var/run/aide\.lock$
!/var/run/aide/cron\.daily\.lock$
!/var/run/aide/cron\.daily$
!/var/run/aide/cron\.daily/((error|a(run|err))log|mailfile)$

!/tmp/amanda/(amandad|killpgrp|selfcheck|send(backup|size)).200[0-9]{11}.debug$
!/tmp/amanda/(amandad).200[0-9]{14}.debug$
!/tmp/amanda/runtar.200[0-9]{11,14}.debug$
/tmp/amanda$ VarDir
/var/lib/dumpdates$ VarFile

/var/spool/anacron/cron\.(monthly|weekly|daily)$ VarFile

/var/log/apache/(access|error)\.log\.1$ LowLogs
/var/log/apache/(access|error)\.log\.2\.gz$ RotatedLogs+ANF
/var/log/apache/(access|error)\.log\.[0-9]+\.gz$ RotatedLogs
/var/log/apache/(access|error)\.log$ Logs
/var/log/apache$ VarDir
/var/run/apache\.pid$ VarFile

/var/log/apache2/(access|error)\.log\.1$ LowLogs
/var/log/apache2/(access|error)\.log\.2\.gz$ RotatedLogs+ANF
/var/log/apache2/(access|error)\.log\.[0-9]+\.gz$ RotatedLogs
/var/log/apache2/(access|error)\.log$ Logs
/var/run/apache2\.pid$ VarFile
/var/run/apache2/ssl_scache$ VarFile
/var/(log|run)/apache2$ VarDir
@@ifdef APACHE2_SUEXEC
/var/log/apache2/suexec\.log\.1$ LowLogs
/var/log/apache2/suexec\.log\.2\.gz$ RotatedLogs+ANF
/var/log/apache2/suexec\.log\.[0-9]+\.gz$ RotatedLogs
/var/log/apache2/suexec\.log$ Logs
@@endif

!/var/cache/apt-listbugs/%2Findices%2Findex.db-(critical|grave|serious)\.gz$
/var/cache/apt-listbugs$ VarDir

/var/lib/apt/listchanges\.db$ VarFile

/var/cache/apt/archives(/partial|/lock)?$ VarDir
/var/cache/apt/(src)?pkgcache\.bin$ VarFile
/var/cache/apt$ VarDir

/var/lib/apt/lists/(debian\.debian\.zugschlus\.de_debian(-security|-non-US)?|security\.debian\.org|volatile\.debian\.zugschlus\.de_debian-volatile|zg\.debian\.zugschlus\.de_zg)_dists_(sarge(_updates|_volatile|_non-US)?|zg_(test)?sarge|sid|experimental)_(contrib|main|non-free)_(binary-i386|source)_((Packages|Sources)\.IndexDiff)?|Release)$ VarFile
/var/lib/apt/lists/(debian\.debian\.zugschlus\.de_debian(-security|-non-US)?|security\.debian\.org|volatile\.debian\.zugschlus\.de_debian-volatile|zg\.debian\.zugschlus\.de_zg)_dists_(sarge(_updates|_volatile|_non-US)?|zg_(test)?sarge|sid|experimental)_Release(\.gpg)?$ VarFile
/var/lib/apt/lists/(lock|partial)$ VarFile
/var/lib/apt/lists$ VarDir

/var/lib/apt/lists/(debian\.debian\.zugschlus\.de_debian(-security|-non-US)?|security\.debian\.org|volatile\.debian\.zugschlus\.de_debian-volatile|zg\.debian\.zugschlus\.de_zg)_dists_(sarge(_updates|_volatile|_non-US)?|zg_((test)?sarge|sid)|sid|experimental)_(contrib|main|non-free)_(binary-i386|source)_((Packages|Sources)\.IndexDiff)?|Release)$ VarFile
/var/lib/apt/lists/(debian\.debian\.zugschlus\.de_debian(-security|-non-US)?|security\.debian\.org|volatile\.debian\.zugschlus\.de_debian-volatile|zg\.debian\.zugschlus\.de_zg)_dists_(sarge(_updates|_volatile|_non-US)?|zg_(test)?sarge|sid|experimental)_Release(\.gpg)?$ VarFile
/var/lib/apt/lists/(lock|partial)$ VarFile
/var/lib/apt/lists$ VarDir
!/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|all)\.deb$

/var/backups/aptitude\.pkgstates\.0$ LowLogs
/var/backups/aptitude\.pkgstates\.1\.gz$ RotatedLogs+ANF
/var/backups/aptitude\.pkgstates\.[2345]\.gz$ RotatedLogs
/var/backups/aptitude\.pkgstates\.6\.gz$ RotatedLogs+ARF
/var/log/aptitude$ VarDir

/var/lib/aptitude/pkgstates(\.old)?$ VarFile
/var/(lib|lock)/aptitude$ VarDir

@@ifdef BINDCHROOT
/var/local/bind/var/log/bind/queries\.log$ Logs
/var/local/bind/var/log/bind/queries\.log\.[0-8]$ RotatedLogs
/var/local/bind/var/log/bind/queries\.log\.9$ RotatedLogs+ARF
/var/local/bind/var/run/bind/named\.pid$ VarFile
/var/local/bind/var/run/bind$ VarDir
@@else
/var/log/bind/queries\.log$ Logs
/var/log/bind/queries\.log\.[0-8]$ RotatedLogs
/var/log/bind/queries\.log\.9$ RotatedLogs+ARF
/var/run/bind/run/named\.pid$ VarFile
/var/run/bind$ VarDir
@@endif
/var/run/bind/run$ VarDir

/var/log/clamav/clamav\.log\.0$ LowLogs
/var/log/clamav/clamav\.log\.1\.gz$ RotatedLogs+ANF
/var/log/clamav/clamav\.log\.[0-9]+\.gz$ RotatedLogs
/var/log/clamav/clamav\.log$ Logs
/var/run/clamav/clamd\.(ctl|pid)$ VarFile
/var/(log|run)/clamav$ VarDir

/etc/cron\.daily$ VarDir
!/usr/share/doc/clamav-data/(README\.Debian|copyright|changelog\.gz)$
/usr/share/doc/clamav-data$ VarDir
!/var/lib/dpkg/info/clamav-data\.(config|list|post(inst|rm)|templates|conffiles|md5sums)$
/var/lib/clamav/(daily|main)\.cvd$ VarFile
/var/lib/clamav$ VarDir
/var/lib/clamav-data/warn-on-old-databases$ VarFile
/var/lib/clamav-data$ VarDir
/var/cache/apt/archives/clamav-data_[0-9]{8}\.[0-9]{6}\.[0-9]{4}_all\.deb$ VarFile+ANF+ARF

/var/run/console-log(/Debian-console-log)?$ VarFile
/var/run/console-log/Debian-console-log/(8-_-_var_-_log_-_exim4_-_mainlog|9-_-_var_-_log_-_syslog_-_syslog)$ VarFile

/var/run/crond\.(pid|reboot)$ VarFile

/var/lib/cron-apt/_-_etc_-_cron-apt_-_config/mailchanges/(0-update-update_-o_quiet=2|3-download-dist-upgrade_-d_-y_-o_APT::Get::Show-Upgraded=true|3-download-autoclean_-y)$ VarFile
!/var/lib/cron-apt/lockfile$
/var/lib/cron-apt$ VarDir
!/tmp/cron-apt\.[a-zA-Z0-9]{6}$
!/tmp/cron-apt\.[a-zA-Z0-9]{6}/initlog$
/var/log/cron-apt/log$ Logs
/var/log/cron-apt/log\.1$ LowLogs
/var/log/cron-apt/log\.2\.gz$ RotatedLogs+ANF
/var/log/cron-apt/log\.[0-9]+\.gz$ RotatedLogs
/var/log/cron-apt$ VarDir

/var/cache/debconf/(config|templates)\.dat(-old)?$ VarFile
/var/cache/debconf$ VarDir

/var/lib/debsecan/history$ VarFile
/var/lib/debsecan$ VarDir

/var/run/dhclient\.eth0\.pid$ VarFile
/var/lib/dhcp3/dhclient\.eth0\.leases$ VarFile

/var/lib/dhcp3/dhcpd.leases~?$ VarFile
/var/lib/dhcp3$ VarDir

/var/run/dovecot/(auth-worker\.[0-9]{4}|master\.pid)$ VarFile
/var/run/dovecot/login/(default|ssl-parameters\.dat)$ VarFile
/var/run/dovecot(/login)?$ VarDir

/var/lib/dpkg/(available|status)(-old)?$ VarFile
/var/lib/dpkg/status\.yesterday(\.[0-9]*)?(\.gz)?$ VarFile
/var/lib/dpkg/(info|updates|lock)$ VarDir
/var/lib/dpkg$ VarDir
/var/log/dpkg\.log-[0-9]{8}\.gz$ RotatedLogs+ANF
/var/log/dpkg\.log-[0-9]{8}$ RotatedLogs+ANF+ARF
/var/log/dpkg\.log$ Logs
/var/backups/dpkg\.status\.0$ LowLogs
/var/backups/dpkg\.status\.1\.gz$ RotatedLogs+ANF
/var/backups/dpkg\.status\.[2345]\.gz$ RotatedLogs
/var/backups/dpkg\.status\.6\.gz$ RotatedLogs+ARF

/var/spool/exim4/gnutls-params$ VarFile
!/var/spool/exim4/filee[a-zA-Z0-9]{5}$
/var/spool/exim4/db/(wait-remote_smtp(_smarthost)?|retry|callout)$ VarFile
!/var/spool/exim4/input/[a-zA-Z0-9]{6}-[a-zA-Z0-9]{6}-[a-zA-Z0-9]{2}-[DH]$
!/var/spool/exim4/msglog/[a-zA-Z0-9]{6}-[a-zA-Z0-9]{6}-[a-zA-Z0-9]{2}$
!/var/spool/exim4/gnutls-params$
/var/spool/exim4(/(input|msglog|scan))?$ VarDir
/var/lib/exim4/config.autogenerated$ VarFile
/var/run/exim4/exim.pid$ VarFile
/var/(lib|run)/exim4$ VarDir

/var/log/exim4/(main|reject)log\.0$ LowLogs
/var/log/exim4/(main|reject)log\.1\.gz$ RotatedLogs+ANF
/var/log/exim4/(main|reject)log\.[0-9]+\.gz$ RotatedLogs
/var/log/exim4/(main|reject)log$ Logs
/var/log/exim4$ VarDir

/var/cache/locate/locatedb$ VarFile
/var/cache/locate$ VarDir

/root/.gnupg/random_seed$ VarFile

/etc/network/ifstate$ VarFile
/etc/network$ VarDir

/var/run/inetd\.pid$ VarFile

/var/lib/urandom/random-seed$ VarFile
/var/lib/(urandom|initscripts)$ VarDir
/var/log/dmesg$ VarFile
/var/log/dmesg\.0$ LowLogs
/var/log/dmesg\.1\.gz$ RotatedLogs+ANF
/var/log/dmesg\.[23]\.gz$ RotatedLogs
/var/log/dmesg\.4\.gz$ RotatedLogs+ARF
/var/log/fsck/check(root|fs)$ VarFile
/var/run/motd$ VarFile

@@define NEWSLOGS (errlog|expire\.log|news(\.crit|\.err|\.notice)?|rc\.news|sendsys\.log|unwanted\.log|inn_status\.html|innfeed\.status|expire\.(lastlowmark|list))
@@define OLDLOGS (active|errlog|expire\.log|news(\.crit|\.err|\.notice)?|sendsys\.log|unwanted\.log)

!/var/lib/news/history(\.(dir|hash|index))?$
/var/lib/news/(active(\.old)?|newsgroups|\.news\.daily)$ VarFile

!/var/spool/news/articles(/[-a-z0-9+]+)+$ VarDir
/var/spool/news/overview/group\.index$ VarFile
!/var/spool/news/overview(/[a-z0-9])+/[-\.a-z0-9+]+\.(IDX|DAT)$
/var/spool/news/overview(/[a-z0-9])+$ VarDir
!/var/spool/news/articles/control/(newgroup|checkgroups|rmgroup)/[0-9]*$
/var/spool/news/innfeed/@@{INN2_INNFEED_OUTFEEDS}\.(lock|output|input)$ VarFile
!/var/spool/news/innfeed/innfeed-dropped\.A[0-9]{6}$
/var/spool/news/innfeed$ VarDir
/var/spool/news/incoming(/tmp)?$ VarDir

/var/run/news/(control|(innd|innfeed|innwatch)\.pid|innwatch\.time|LOCK\.innwatch|nntpin)$ VarFile
/var/run/news$ VarDir

/var/log/news/path/inpaths\.[0-9]{10}$ VarFile+ANF
/var/log/news/@@{NEWSLOGS}$ VarFile
/var/log/news/OLD/(expire\.log\.0|unwanted\.log)$ VarFile
/var/log/news/OLD/@@{OLDLOGS}\.1\.gz$ RotatedLogs+ANF
/var/log/news/OLD/@@{OLDLOGS}\.[0-9]+\.gz$ RotatedLogs
/var/log/news(/(path|OLD))?$ VarDir

/var/run/ippl$ VarDir
/var/run/ippl/ippl.(pid|conf)$ VarFile

/var/log/lastlog$ Logs

/var/lib/logrotate/status$ VarFile

/etc/lvm/\.cache$ VarFile

/var/cache/man/(cat[123456789]|local|opt|fsstnd|oldlocal|X11R6)$ VarDir
/var/cache/man/X11R6/(index\.db|cat[17])$ VarFile
/var/cache/man/index\.db$ VarFile
/var/cache/man$ VarDir

/lib/modules/[0-9\.]*/modules\.dep$ VarFile

/etc/mtab$ n+p+u

/var/www/munin/index\.html$ VarFile
@@ifdef DNSDOMAINNAME
@@ifdef FQDN
/var/www/munin/@@{DNSDOMAINNAME}/(index\.html|@@{FQDN}(-.*)?\.(png|html))$ VarFile
/var/lib/munin/@@{DNSDOMAINNAME}/@@{FQDN}-.*\.rrd$ VarFile
/var/run/munin/munin-(update|datafile|@@{DNSDOMAINNAME}-@@{FQDN}|limits)\.lock$ VarFile
@@endif
@@endif
/var/lib/munin/(limits|datafiles|munin-(update|graph)\.stats)$ VarFile
/var/lib/munin/plugin-state/(plugin-exim_mailstats|smart-hda)\.state$ VarFile
/var/lib/munin/datafile$ VarFile
/var/lib/munin$ VarDir
/var/log/munin/munin-(update|limits|node|graph|html)\.log$ Logs
/var/log/munin/munin-(update|limits|node|graph|html)\.log-[0-9]{8}(\.gz)?$ RotatedLogs+ANF
/var/log/munin$ Logs
/var/run/munin$ VarDir

/var/lib/mysql$ VarDir
/var/lib/mysql/(ibdata1|ib_logfile0)$ VarFile
/var/log/mysql$ VarDir
/var/log/mysql/mysql-bin\.index$ VarFile
!/var/log/mysql/mysql-bin\.[0-9]{3}$ Logs
!/var/log/mysql/mysql-bin\.[0-9]{6}$ Logs
/var/run/mysqld$ VarDir
/var/run/mysqld/mysqld\.(sock|pid)$ VarFile

/var/cache/nagios2/(objects\.cache|status\.dat)$ VarFile
/var/lib/nagios2/(comments|retention)\.dat$ VarFile
/var/lib/nagios2/rw/nagios\.cmd$ VarFile
/var/lib/nagios2/rw$ VarDir
/var/log/nagios2/nagios\.log$ Logs
/var/run/nagios2/nagios2\.pid$ VarFile
/var/(cache|lib|log|run)/nagios2$ VarDir

/var/lib/ntp/ntp\.drift$ VarFile
/var/lib/ntp$ VarDir
!/var/log/ntpstats/peerstats(\.[0-9]{8})? LinkedLogs
!/var/log/ntpstats/loopstats(\.[0-9]{8})? LinkedLogs
/var/log/ntpstats$ VarDir
/var/run/ntpd\.pid$ VarFile

/var/run/openvpn\.client\.status$ VarFile

/var/lib/php4$ VarDir
/var/lib/php4/sess_[0-9a-z]{26,32}$ VarFile+ANF+ARF

/var/log/proftpd(_(access|auth|xfer))?\.log$ Logs
/var/run/proftpd/proftpd\.(delay|pid|scoreboard)$ VarFile
/var/(log|run)/proftpd$ VarDir

/etc/resolv\.conf$ VarFile

/var/run/rngd\.pid$ VarFile

/var/run/screen/S-[0-9a-z]+$ VarDir
@@ifdef HOSTNAME
!/var/run/screen/S-[0-9a-z]+/[0-9]{1,5}\.pts-[0-9]\.@@{HOSTNAME}$
@@endif

/var/lib/slrn/newsgroups\.dsc$ VarFile

/var/lib/snmp/snmpd\.conf$ VarFile
/var/lib/snmp$ VarDir
/var/run/snmpd\.pid$ VarFile

/var/spool/spamassassin/bayes/(bayes_(journal|toks|seen)|auto-whitelist)$ VarFile
/var/spool/spamassassin/bayes$ VarDir
/var/run/spamd\.pid$ VarFile

!/var/spool/squid/[0-9A-F]{2}/[0-9A-F]{2}/[0-9A-F]{8}
/var/spool/squid/(netdb_state|swap.state(.last-clean)?) VarFile
/var/spool/squid/[0-9A-F]{2}(/[0-9A-F]{2})?$ VarDir
/var/log/squid/(access|store)\.log$ Logs

!/tmp/ssh-[a-zA-Z0-9]{10}$
!/tmp/ssh-[a-zA-Z0-9]{10}/agent.[0-9]{1,5}$

/var/run/sshd.pid$ VarFile

/var/run/sudo/[a-z0-9]+$ VarDir

@@define LOGFILES (messages|syslog|(auth|daemon|mail)\.log|mail\.info)
/var/log/@@{LOGFILES}\.0$ LowLogs
/var/log/@@{LOGFILES}\.1\.gz$ RotatedLogs+ANF
/var/log/@@{LOGFILES}\.[0-9]+\.gz$ RotatedLogs
/var/log/@@{LOGFILES}$ Logs
/var/log$ VarDir
/var/run/(klogd|syslogd)\.pid$ VarFile

/var/run/utmp$ VarFile

@@ifdef LOC_WEBSITES
@@define LOC_WEBALIZERFILES (index\.html|usage\.png|webalizer\.(hist|current)|(ctry|daily|hourly)_usage_2006(0[1-9]|1[0-2])\.png|usage_2006(0[1-9]|1[0-2])\.html)

/var/www/@@{LOC_WEBSITES}/stats/@@{LOC_WEBALIZERFILES}$ VarFile
@@endif

/var/log/wtmp\.1$ RotatedLogs
/var/log/wtmp\.2\.gz$ RotatedLogs+ANF
/var/log/wtmp\.[345]+\.gz$ RotatedLogs
/var/log/wtmp\.6\.gz$ RotatedLogs+ARF
/var/log/wtmp$ Logs

/tmp/.(ICE|X11)-unix$ VarDir

/var/run/xinetd.pid$ VarFile

!/var/lib/influenza/data

@@define INFLULOGS (VACCUM|(are|bericht|getexcel|import_*|inzidenz|mkgr*|query2*|watch)\.log)
/var/log/influenza/@@{INFLULOGS}\.0$ LowLogs
/var/log/influenza/@@{INFLULOGS}\.1\.gz$ RotatedLogs+ANF
/var/log/influenza/@@{INFLULOGS}\.[0-9]+\.gz$ RotatedLogs
/var/log/influenza/@@{INFLULOGS}$ Logs
/var/log/influenza/import_1.log$ Logs
/var/log/influenza$ VarDir
/var/log/zope*/default/*.log$ Logs
!/var/lib/zope*/instance/default/var/Data.fs*

!/var/lib/postgresql/8.1/main/
/var/log/postgresql/postgresql-8.1-main.log Logs
!/var/run/postgresql/.s.PGSQL.5432
!/var/run/postgresql/.s.PGSQL.5432.lock
!/var/lib/postgres/backup

/var/log/debug Logs
/var/log/kern.log Logs
!/tmp
!/root/.bash_history
!/var/run/apache2
!/home
!/var/tmp

!/var/lib/logcheck
!/var/lock/logcheck

/dev/pts$ VarDir
!/dev/pts/[0-9]{1,2}$
/dev$ RamdiskData
/dev/vcsa6$ RamdiskData
/dev/vcs6$ RamdiskData
/dev/vcsa5$ RamdiskData
/dev/vcs5$ RamdiskData
/dev/vcsa3$ RamdiskData
/dev/vcs3$ RamdiskData
/dev/vcsa4$ RamdiskData
/dev/vcs4$ RamdiskData
/dev/vcsa2$ RamdiskData
/dev/vcs2$ RamdiskData
/dev/log$ RamdiskData
/dev/xconsole$ RamdiskData
/dev/lvm$ RamdiskData
/dev/MAKEDEV$ RamdiskData
/dev/net$ RamdiskData
/dev/net/tun$ RamdiskData
/dev/loop$ RamdiskData
/dev/loop/0$ RamdiskData
/dev/ppp$ RamdiskData
/dev/shm$ RamdiskData
/dev/pts$ RamdiskData
/dev/sndstat$ RamdiskData
/dev/core$ RamdiskData
/dev/stderr$ RamdiskData
/dev/stdout$ RamdiskData
/dev/stdin$ RamdiskData
/dev/fd$ RamdiskData
/dev/initctl$ RamdiskData
/dev/dm-5$ RamdiskData
/dev/dm-4$ RamdiskData
/dev/dm-3$ RamdiskData
/dev/dm-2$ RamdiskData
/dev/dm-1$ RamdiskData
/dev/seinfluenza02$ RamdiskData
/dev/seinfluenza02/home$ RamdiskData
/dev/seinfluenza02/tmp$ RamdiskData
/dev/seinfluenza02/swap_1$ RamdiskData
/dev/seinfluenza02/var$ RamdiskData
/dev/seinfluenza02/usr$ RamdiskData
/dev/seinfluenza02/root$ RamdiskData
/dev/dm-0$ RamdiskData
/dev/sda5$ RamdiskData
/dev/sda1$ RamdiskData
/dev/sda2$ RamdiskData
/dev/disk$ RamdiskData
/dev/disk/by-uuid$ RamdiskData
/dev/disk/by-uuid/e13937c4-a233-4085-b4c5-e272644daff0$ RamdiskData
/dev/disk/by-path$ RamdiskData
/dev/disk/by-path/pci-0000:00:10.0-scsi-0:0:0:0-part5$ RamdiskData
/dev/disk/by-path/pci-0000:00:10.0-scsi-0:0:0:0-part1$ RamdiskData
/dev/disk/by-path/pci-0000:00:10.0-scsi-0:0:0:0-part2$ RamdiskData
/dev/disk/by-path/pci-0000:00:10.0-scsi-0:0:0:0$ RamdiskData
/dev/sda$ RamdiskData
/dev/vcsa1$ RamdiskData
/dev/vcs1$ RamdiskData
/dev/vcsa$ RamdiskData
/dev/ttyS3$ RamdiskData
/dev/vcs$ RamdiskData
/dev/ttyS2$ RamdiskData
/dev/ttyS1$ RamdiskData
/dev/ttyS0$ RamdiskData
/dev/tty9$ RamdiskData
/dev/tty61$ RamdiskData
/dev/tty63$ RamdiskData
/dev/tty62$ RamdiskData
/dev/tty60$ RamdiskData
/dev/tty58$ RamdiskData
/dev/tty57$ RamdiskData
/dev/tty59$ RamdiskData
/dev/tty54$ RamdiskData
/dev/tty55$ RamdiskData
/dev/tty56$ RamdiskData
/dev/tty53$ RamdiskData
/dev/tty49$ RamdiskData
/dev/tty52$ RamdiskData
/dev/tty51$ RamdiskData
/dev/tty50$ RamdiskData
/dev/tty48$ RamdiskData
/dev/tty47$ RamdiskData
/dev/tty46$ RamdiskData
/dev/tty45$ RamdiskData
/dev/tty42$ RamdiskData
/dev/tty43$ RamdiskData
/dev/tty41$ RamdiskData
/dev/tty44$ RamdiskData
/dev/tty26$ RamdiskData
/dev/tty40$ RamdiskData
/dev/tty39$ RamdiskData
/dev/tty38$ RamdiskData
/dev/tty37$ RamdiskData
/dev/tty36$ RamdiskData
/dev/tty35$ RamdiskData
/dev/tty29$ RamdiskData
/dev/tty34$ RamdiskData
/dev/tty33$ RamdiskData
/dev/tty32$ RamdiskData
/dev/tty31$ RamdiskData
/dev/tty30$ RamdiskData
/dev/tty28$ RamdiskData
/dev/tty27$ RamdiskData
/dev/tty25$ RamdiskData
/dev/tty24$ RamdiskData
/dev/tty23$ RamdiskData
/dev/tty22$ RamdiskData
/dev/tty21$ RamdiskData
/dev/tty20$ RamdiskData
/dev/tty19$ RamdiskData
/dev/tty18$ RamdiskData
/dev/tty17$ RamdiskData
/dev/tty16$ RamdiskData
/dev/input$ RamdiskData
/dev/input/mice$ RamdiskData
/dev/tty15$ RamdiskData
/dev/tty14$ RamdiskData
/dev/tty13$ RamdiskData
/dev/tty12$ RamdiskData
/dev/tty11$ RamdiskData
/dev/tty10$ RamdiskData
/dev/tty$ RamdiskData
/dev/ptmx$ RamdiskData
/dev/zero$ RamdiskData
/dev/mapper$ RamdiskData
/dev/mapper/seinfluenza02-home$ RamdiskData
/dev/mapper/seinfluenza02-tmp$ RamdiskData
/dev/mapper/seinfluenza02-swap_1$ RamdiskData
/dev/mapper/seinfluenza02-var$ RamdiskData
/dev/mapper/seinfluenza02-usr$ RamdiskData
/dev/mapper/seinfluenza02-root$ RamdiskData
/dev/mapper/control$ RamdiskData
/dev/urandom$ RamdiskData
/dev/random$ RamdiskData
/dev/port$ RamdiskData
/dev/mem$ RamdiskData
/dev/kmsg$ RamdiskData
/dev/kmem$ RamdiskData
/dev/full$ RamdiskData
/dev/.udev$ RamdiskData
/dev/.udev/failed$ RamdiskData
/dev/.udev/failed/devices@pci0000:00@0000:00:0f.0$ RamdiskData
/dev/.udev/failed/devices@pci0000:00@0000:00:07.3$ RamdiskData
/dev/.udev/failed/devices@pci0000:00@0000:00:10.0$ RamdiskData
/dev/.udev/failed/devices@pci0000:00@0000:00:07.1$ RamdiskData
/dev/.udev/failed/devices@pci0000:00@0000:00:00.0$ RamdiskData
/dev/.udev/failed/devices@pci0000:00@0000:00:07.0$ RamdiskData
/dev/.udev/failed/devices@platform@i8042@serio0$ RamdiskData
/dev/.udev/failed/devices@pci0000:00@0000:00:01.0$ RamdiskData
/dev/.udev/failed/devices@platform@pcspkr$ RamdiskData
/dev/.udev/failed/class@scsi_device@0:0:0:0$ RamdiskData
/dev/.udev/failed/class@input@input0$ RamdiskData
/dev/.udev/uevent_seqnum$ RamdiskData
/dev/.udev/db$ RamdiskData
/dev/.udev/db/class@vc@vcsa6$ RamdiskData
/dev/.udev/db/class@vc@vcs6$ RamdiskData
/dev/.udev/db/class@vc@vcsa5$ RamdiskData
/dev/.udev/db/class@vc@vcs5$ RamdiskData
/dev/.udev/db/class@vc@vcsa3$ RamdiskData
/dev/.udev/db/class@vc@vcs3$ RamdiskData
/dev/.udev/db/class@vc@vcsa4$ RamdiskData
/dev/.udev/db/class@vc@vcs4$ RamdiskData
/dev/.udev/db/class@vc@vcsa2$ RamdiskData
/dev/.udev/db/class@vc@vcs2$ RamdiskData
/dev/.udev/db/block@sda@sda5$ RamdiskData
/dev/.udev/db/block@sda@sda1$ RamdiskData
/dev/.udev/db/block@sda@sda2$ RamdiskData
/dev/.udev/db/block@sda$ RamdiskData
/dev/.udev/db/block@dm-5$ RamdiskData
/dev/.udev/db/block@dm-4$ RamdiskData
/dev/.udev/db/block@dm-3$ RamdiskData
/dev/.udev/db/block@dm-2$ RamdiskData
/dev/.udev/db/block@dm-0$ RamdiskData
/dev/.udev/db/block@dm-1$ RamdiskData
/dev/.udev/db/class@vc@vcsa1$ RamdiskData
/dev/.udev/db/class@vc@vcsa$ RamdiskData
/dev/.udev/db/class@tty@tty9$ RamdiskData
/dev/.udev/db/class@tty@tty8$ RamdiskData
/dev/.udev/db/class@vc@vcs1$ RamdiskData
/dev/.udev/db/class@vc@vcs$ RamdiskData
/dev/.udev/db/class@tty@ttyS3$ RamdiskData
/dev/.udev/db/class@tty@ttyS2$ RamdiskData
/dev/.udev/db/class@tty@ttyS1$ RamdiskData
/dev/.udev/db/class@tty@ttyS0$ RamdiskData
/dev/.udev/db/class@tty@tty7$ RamdiskData
/dev/.udev/db/class@tty@tty63$ RamdiskData
/dev/.udev/db/class@tty@tty62$ RamdiskData
/dev/.udev/db/class@tty@tty61$ RamdiskData
/dev/.udev/db/class@tty@tty60$ RamdiskData
/dev/.udev/db/class@tty@tty59$ RamdiskData
/dev/.udev/db/class@tty@tty56$ RamdiskData
/dev/.udev/db/class@tty@tty55$ RamdiskData
/dev/.udev/db/class@tty@tty6$ RamdiskData
/dev/.udev/db/class@tty@tty54$ RamdiskData
/dev/.udev/db/class@tty@tty58$ RamdiskData
/dev/.udev/db/class@tty@tty53$ RamdiskData
/dev/.udev/db/class@tty@tty57$ RamdiskData
/dev/.udev/db/class@tty@tty52$ RamdiskData
/dev/.udev/db/class@tty@tty51$ RamdiskData
/dev/.udev/db/class@tty@tty50$ RamdiskData
/dev/.udev/db/class@tty@tty5$ RamdiskData
/dev/.udev/db/class@tty@tty47$ RamdiskData
/dev/.udev/db/class@tty@tty49$ RamdiskData
/dev/.udev/db/class@tty@tty48$ RamdiskData
/dev/.udev/db/class@tty@tty41$ RamdiskData
/dev/.udev/db/class@tty@tty46$ RamdiskData
/dev/.udev/db/class@tty@tty45$ RamdiskData
/dev/.udev/db/class@tty@tty44$ RamdiskData
/dev/.udev/db/class@tty@tty43$ RamdiskData
/dev/.udev/db/class@tty@tty42$ RamdiskData
/dev/.udev/db/class@tty@tty40$ RamdiskData
/dev/.udev/db/class@tty@tty35$ RamdiskData
/dev/.udev/db/class@tty@tty4$ RamdiskData
/dev/.udev/db/class@tty@tty39$ RamdiskData
/dev/.udev/db/class@tty@tty38$ RamdiskData
/dev/.udev/db/class@tty@tty37$ RamdiskData
/dev/.udev/db/class@tty@tty36$ RamdiskData
/dev/.udev/db/class@tty@tty3$ RamdiskData
/dev/.udev/db/class@tty@tty34$ RamdiskData
/dev/.udev/db/class@tty@tty33$ RamdiskData
/dev/.udev/db/class@tty@tty32$ RamdiskData
/dev/.udev/db/class@tty@tty31$ RamdiskData
/dev/.udev/db/class@tty@tty30$ RamdiskData
/dev/.udev/db/class@tty@tty29$ RamdiskData
/dev/.udev/db/class@tty@tty28$ RamdiskData
/dev/.udev/db/class@tty@tty27$ RamdiskData
/dev/.udev/db/class@tty@tty26$ RamdiskData
/dev/.udev/db/class@tty@tty25$ RamdiskData
/dev/.udev/db/class@tty@tty24$ RamdiskData
/dev/.udev/db/class@tty@tty23$ RamdiskData
/dev/.udev/db/class@input@mice$ RamdiskData
/dev/.udev/db/class@tty@tty22$ RamdiskData
/dev/.udev/db/class@tty@tty21$ RamdiskData
/dev/.udev/db/class@tty@tty20$ RamdiskData
/dev/.udev/db/class@tty@tty2$ RamdiskData
/dev/.udev/db/class@tty@tty19$ RamdiskData
/dev/.udev/db/class@tty@tty18$ RamdiskData
/dev/.udev/db/class@tty@tty17$ RamdiskData
/dev/.udev/db/class@tty@tty10$ RamdiskData
/dev/.udev/db/class@tty@tty16$ RamdiskData
/dev/.udev/db/class@tty@tty15$ RamdiskData
/dev/.udev/db/class@tty@tty14$ RamdiskData
/dev/.udev/db/class@tty@tty13$ RamdiskData
/dev/.udev/db/class@tty@tty12$ RamdiskData
/dev/.udev/db/class@tty@tty11$ RamdiskData
/dev/.udev/db/class@tty@tty1$ RamdiskData
/dev/.udev/db/class@tty@tty$ RamdiskData
/dev/.udev/db/class@tty@ptmx$ RamdiskData
/dev/.udev/db/class@tty@console$ RamdiskData
/dev/.udev/db/class@tty@tty0$ RamdiskData
/dev/.udev/db/class@misc@device-mapper$ RamdiskData
/dev/.udev/db/class@mem@zero$ RamdiskData
/dev/.udev/db/class@mem@urandom$ RamdiskData
/dev/.udev/db/class@mem@random$ RamdiskData
/dev/.udev/db/class@mem@port$ RamdiskData
/dev/.udev/db/class@mem@null$ RamdiskData
/dev/.udev/db/class@mem@mem$ RamdiskData
/dev/.udev/db/class@mem@kmsg$ RamdiskData
/dev/.udev/db/class@mem@kmem$ RamdiskData
/dev/.udev/db/class@mem@full$ RamdiskData
/dev/tty8$ RamdiskData
/dev/tty7$ RamdiskData
/dev/tty6$ RamdiskData
/dev/tty5$ RamdiskData
/dev/tty4$ RamdiskData
/dev/tty3$ RamdiskData
/dev/tty2$ RamdiskData
/dev/tty1$ RamdiskData
/dev/tty0$ RamdiskData
/dev/fb0$ RamdiskData
/dev/.initramfs$ RamdiskData
/dev/.initramfs/progress_state$ RamdiskData
/dev/.initramfs-tools$ RamdiskData
/dev/null$ RamdiskData
/dev/console$ RamdiskData
/dev/.static$ RamdiskData

/etc$ VarDir

!/proc
!/sys

/var/(backups|lock|log|run|tmp)$ VarDir

/ Full




Message #10 received at 442214@bugs.debian.org:

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Andreas Tille <tillea@rki.de>, 442214@bugs.debian.org
Subject: Re: [Pkg-aide-maintainers] Bug#442214: aide: Aide issues false alarms
Date: Sun, 16 Sep 2007 16:14:43 +0200

On Fri, Sep 14, 2007 at 08:33:28AM +0200, Andreas Tille wrote:
> I haven't changed the files in /etc/aide/aide.conf.d (just added a few
> ones for my own application) but Aide reports things like
> 
> ---------------------------------------------------
> Added files:
> ---------------------------------------------------
> 
> added: /var/log/exim4/mainlog.2.gz
> 
> ---------------------------------------------------
> Removed files:
> ---------------------------------------------------
> 
> removed: /var/log/exim4/mainlog.10.gz
> removed: /var/log/daemon.log.6.gz
> removed: /var/log/syslog.6.gz
> 
> ---------------------------------------------------
> Changed files:
> ---------------------------------------------------
> 
> changed: /var/log/exim4/mainlog
> changed: /var/log/exim4/mainlog.1
> changed: /var/log/syslog
> changed: /var/log/daemon.log
> 
> 
> which perfectly should be suppressed by the configuration shipped with aide.

By default, this only works through one rotation of the logs, and
starting with the second rotation, the changes are going to be
reported _until_ you copy the newly generated databases to the old
ones if no changes were found.

Appropriate settings in /etc/default/aide would be
COMMAND=update
COPYNEWDB=ifnochange

Let me know if this helps.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Message #15 received at 442214@bugs.debian.org:

From: Andreas Tille <tillea@rki.de>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: 442214@bugs.debian.org
Subject: Re: [Pkg-aide-maintainers] Bug#442214: aide: Aide issues false alarms
Date: Fri, 21 Sep 2007 07:01:33 +0200 (CEST)

On Sun, 16 Sep 2007, Marc Haber wrote:
> By default, this only works through one rotation of the logs, and
> starting with the second rotation, the changes are going to be
> reported _until_ you copy the newly generated databases to the old
> ones if no changes were found.
>
> Appropriate settings in /etc/default/aide would be
> COMMAND=update
> COPYNEWDB=ifnochange
>
> Let me know if this helps.

Not really.  I have now

# grep "^CO*" /etc/default/aide
COMMAND=update
COPYNEWDB=ifnochange

but ...

---------------------------------------------------
Added files:
---------------------------------------------------

added: /var/log/exim4/mainlog.2.gz

---------------------------------------------------
Removed files:
---------------------------------------------------

removed: /var/log/exim4/mainlog.10.gz
removed: /var/log/daemon.log.6.gz
removed: /var/log/syslog.6.gz

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /var/log/exim4/mainlog
changed: /var/log/exim4/mainlog.1
changed: /var/log/syslog
changed: /var/log/daemon.log
changed: /var/log/zope2.9/default/Z2.log



So I think this problem is not yet solved.  Or did I miss something?

Kind regards

          Andreas.
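
The selection lines in the configuration quoted in the first message are regular expressions that AIDE matches from the start of the path, so replaying them shows which rule group covers each file in the reports above. This is an added example, not part of the bug report or of AIDE: Python's `re` stands in for AIDE's regex engine, only a subset of the quoted rules is embedded, and `parse_rules`, `matching_groups` and `only_catch_all` are hypothetical helper names.

```python
import re

# Log-related rules and the catch-all, copied from the aide.conf.autogenerated
# quoted in this bug report (a subset; the rest of the file is omitted).
CONFIG = r"""
/var/log/exim4/(main|reject)log\.0$ LowLogs
/var/log/exim4/(main|reject)log\.1\.gz$ RotatedLogs+ANF
/var/log/exim4/(main|reject)log\.[0-9]+\.gz$ RotatedLogs
/var/log/exim4/(main|reject)log$ Logs
/var/log/exim4$ VarDir
@@define LOGFILES (messages|syslog|(auth|daemon|mail)\.log|mail\.info)
/var/log/@@{LOGFILES}\.0$ LowLogs
/var/log/@@{LOGFILES}\.1\.gz$ RotatedLogs+ANF
/var/log/@@{LOGFILES}\.[0-9]+\.gz$ RotatedLogs
/var/log/@@{LOGFILES}$ Logs
/var/log$ VarDir
/var/log/zope*/default/*.log$ Logs
/ Full
"""

# Paths listed in the AIDE reports quoted in this thread.
REPORTED = [
    "/var/log/exim4/mainlog.2.gz",
    "/var/log/exim4/mainlog.10.gz",
    "/var/log/daemon.log.6.gz",
    "/var/log/syslog.6.gz",
    "/var/log/exim4/mainlog",
    "/var/log/exim4/mainlog.1",
    "/var/log/syslog",
    "/var/log/daemon.log",
    "/var/log/zope2.9/default/Z2.log",
]

CATCH_ALL = "/"  # the pattern of the final "/ Full" line


def parse_rules(text):
    """Return [(pattern, compiled_regex, group)] with @@define macros expanded.

    Simplifications (assumptions of this sketch): @@ifdef/@@else/@@endif are
    skipped rather than evaluated, and negative (!) rules are kept with the
    group "(excluded)".
    """
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@@define"):
            _, name, value = line.split(None, 2)
            macros[name] = value
            continue
        if line.startswith("@@"):
            continue
        # Expand @@{NAME}; unknown names are left untouched.
        line = re.sub(r"@@\{(\w+)\}",
                      lambda m: macros.get(m.group(1), m.group(0)), line)
        negative = line.startswith("!")
        if negative:
            line = line[1:]
        parts = line.split(None, 1)
        pattern = parts[0]
        group = "(excluded)" if negative else (parts[1] if len(parts) > 1 else "")
        rules.append((pattern, re.compile(pattern), group))
    return rules


def matching_groups(path, rules):
    """Groups of every rule whose regex matches `path` from its first character.

    re.match() anchors at the start, mirroring the implicit ^ of a selection line.
    """
    return [group for _, regex, group in rules if regex.match(path)]


def only_catch_all(paths, rules):
    """Paths that no rule other than the catch-all "/" line matches."""
    result = []
    for path in paths:
        hits = [pattern for pattern, regex, _ in rules if regex.match(path)]
        if hits == [CATCH_ALL]:
            result.append(path)
    return result


if __name__ == "__main__":
    rules = parse_rules(CONFIG)
    for path in REPORTED:
        print(f"{path:34} {', '.join(matching_groups(path, rules))}")
    print("matched only by '/ Full':", only_catch_all(REPORTED, rules))
```

A path matched only by `/ Full` is compared on every attribute in `Full`, so any write to it shows up as changed.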




Message #20 received at 442214@bugs.debian.org:

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Andreas Tille <tillea@rki.de>, 442214@bugs.debian.org
Subject: Re: [Pkg-aide-maintainers] Bug#442214: Bug#442214: aide: Aide issues false alarms
Date: Fri, 21 Sep 2007 14:14:57 +0200
On Fri, Sep 21, 2007 at 07:01:33AM +0200, Andreas Tille wrote:
> On Sun, 16 Sep 2007, Marc Haber wrote:
> > By default, this only works through one rotation of the logs, and
> > starting with the second rotation, the changes are going to be
> > reported _until_ you copy the newly generated databases to the old
> > ones if no changes were found.
> >
> > Appropriate settings in /etc/default/aide would be
> > COMMAND=update
> > COPYNEWDB=ifnochange
> >
> > Let me know if this helps.
> 
> Not really.  I have now
> 
> # grep "^CO*" /etc/default/aide
> COMMAND=update
> COPYNEWDB=ifnochange
> 
> but ...
> 
> ---------------------------------------------------
> Added files:
> ---------------------------------------------------
> 
> added: /var/log/exim4/mainlog.2.gz
> 
> ---------------------------------------------------
> Removed files:
> ---------------------------------------------------
> 
> removed: /var/log/exim4/mainlog.10.gz
> removed: /var/log/daemon.log.6.gz
> removed: /var/log/syslog.6.gz
> 
> ---------------------------------------------------
> Changed files:
> ---------------------------------------------------
> 
> changed: /var/log/exim4/mainlog
> changed: /var/log/exim4/mainlog.1
> changed: /var/log/syslog
> changed: /var/log/daemon.log
> changed: /var/log/zope2.9/default/Z2.log
> 
> 
> 
> So I think this problem is not yet solved.  Or did I miss something?

In a previous run, aide detected changes (most probably the zope log
file), and thus the newly generated database was not copied over the
old one. After the next log rotation, the log-related rules didn't
apply any more and you got the report quoted above.

As a rule, if you once get a report that shows changes, you'll get all
logs reported as changed the next day if you don't interfere manually.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Acknowledgement sent to Andreas Tille <tillea@rki.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #25 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tillea@rki.de>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: 442214@bugs.debian.org
Subject: Re: [Pkg-aide-maintainers] Bug#442214: Bug#442214: aide: Aide issues false alarms
Date: Fri, 21 Sep 2007 14:58:30 +0200 (CEST)
On Fri, 21 Sep 2007, Marc Haber wrote:

> As a rule, if you once get a report that shows changes, you'll get all
> logs reported as changed the next day if you don't interfere manually.

Well, is the following procedure:

-----------------------------------------------------------
# /usr/sbin/aideinit
Overwrite existing /var/lib/aide/aide.db.new [Yn]? y
Running aide --init...

AIDE, version 0.13.1

### AIDE database at /var/lib/aide/aide.db.new initialized.

Overwrite /var/lib/aide/aide.db [yN]? y
----------------------------------------------------------

what you would call "interfere manually"?

I did so after changing the aide configuration and I did it again now.

I'm just waiting for monday whether aide will stay quiet (as I expect
it to be) and would come back if something was reported.

Kind regards

         Andreas.

-- 
http://fam-tille.de




Acknowledgement sent to Andreas Tille <tillea@rki.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #30 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tillea@rki.de>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: 442214@bugs.debian.org
Subject: Re: [Pkg-aide-maintainers] Bug#442214: Bug#442214: aide: Aide issues false alarms
Date: Mon, 24 Sep 2007 07:27:20 +0200 (CEST)
On Fri, 21 Sep 2007, Marc Haber wrote:

>> ---------------------------------------------------
>> Added files:
>> ---------------------------------------------------
>>
>> added: /var/log/exim4/mainlog.2.gz
>>
>> ---------------------------------------------------
>> Removed files:
>> ---------------------------------------------------
>>
>> removed: /var/log/exim4/mainlog.10.gz
>> removed: /var/log/daemon.log.6.gz
>> removed: /var/log/syslog.6.gz
>>
>> ---------------------------------------------------
>> Changed files:
>> ---------------------------------------------------
>>
>> changed: /var/log/exim4/mainlog
>> changed: /var/log/exim4/mainlog.1
>> changed: /var/log/syslog
>> changed: /var/log/daemon.log
>> changed: /var/log/zope2.9/default/Z2.log
>>
>>
> As a rule, if you once get a report that shows changes, you'll get all
> logs reported as changed the next day if you don't interfere manually.

This is what I've got after aideinit on last Friday ...


---------------------------------------------------
Added files:
---------------------------------------------------

added: /var/log/exim4/mainlog.2.gz

---------------------------------------------------
Removed files:
---------------------------------------------------

removed: /var/log/exim4/mainlog.10.gz
removed: /var/log/daemon.log.6.gz
removed: /var/log/syslog.6.gz

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /var/log/exim4/mainlog.1
changed: /var/log/daemon.log
changed: /var/log/zope2.9/default/Z2.log

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
...


If this sounds as if I'm doing something wrong please be
patient with me and explain in detail what I should do
differently.

Kind regards

             Andreas.

-- 
http://fam-tille.de




Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #35 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Andreas Tille <tillea@rki.de>, 442214@bugs.debian.org, 442214-submitter@bugs.debian.org
Cc: Marc Haber <mh+debian-packages@zugschlus.de>
Subject: Re: Bug#442214: [Pkg-aide-maintainers] Bug#442214: Bug#442214: aide: Aide issues false alarms
Date: Sat, 6 Oct 2007 19:22:35 +0200
On Fri, Sep 21, 2007 at 02:58:30PM +0200, Andreas Tille wrote:
> On Fri, 21 Sep 2007, Marc Haber wrote:
>> As a rule, if you once get a report that shows changes, you'll get all
>> logs reported as changed the next day if you don't interfere manually.
>
> Well, is the following procedure:
>
> -----------------------------------------------------------
> # /usr/sbin/aideinit
> Overwrite existing /var/lib/aide/aide.db.new [Yn]? y
> Running aide --init...
>
> AIDE, version 0.13.1
>
> ### AIDE database at /var/lib/aide/aide.db.new initialized.
>
> Overwrite /var/lib/aide/aide.db [yN]? y
> ----------------------------------------------------------
>
> what you would call "interfere manually"?

Depending on your level of paranoia, it might be sufficient to
manually copy over /var/lib/aide/aide.db.new to /var/lib/aide/aide.db.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835




Message sent on to Andreas Tille <tillea@rki.de>:
Bug#442214. (full text, mbox, link).


Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #43 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Andreas Tille <tillea@rki.de>, 442214@bugs.debian.org, 442214-submitter@bugs.debian.org
Cc: Marc Haber <mh+debian-packages@zugschlus.de>
Subject: Re: Bug#442214: [Pkg-aide-maintainers] Bug#442214: Bug#442214: aide: Aide issues false alarms
Date: Sat, 6 Oct 2007 19:25:15 +0200
On Mon, Sep 24, 2007 at 07:27:20AM +0200, Andreas Tille wrote:
> This is what I've got after aideinit on last Friday ...
>
>
> ---------------------------------------------------
> Added files:
> ---------------------------------------------------
>
> added: /var/log/exim4/mainlog.2.gz
>
> ---------------------------------------------------
> Removed files:
> ---------------------------------------------------
>
> removed: /var/log/exim4/mainlog.10.gz
> removed: /var/log/daemon.log.6.gz
> removed: /var/log/syslog.6.gz
>
> ---------------------------------------------------
> Changed files:
> ---------------------------------------------------
>
> changed: /var/log/exim4/mainlog.1
> changed: /var/log/daemon.log
> changed: /var/log/zope2.9/default/Z2.log
>
> --------------------------------------------------
> Detailed information about changes:
> ---------------------------------------------------

You ran aideinit on Friday, and this is Monday's report?

If so, I suspect that you got the zope log file in Saturday's or
Sunday's report, which prevented the new database from being copied
over the old one, and which caused the "normal" log file rules not to
apply any more for Monday's report.

The solution will probably be to add appropriate rules for the zope
log files.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835




Message sent on to Andreas Tille <tillea@rki.de>:
Bug#442214. (full text, mbox, link).


Acknowledgement sent to Andreas Tille <tillea@rki.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #51 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Andreas Tille <tillea@rki.de>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: 442214@bugs.debian.org
Subject: Re: Bug#442214: [Pkg-aide-maintainers] Bug#442214: Bug#442214: aide: Aide issues false alarms
Date: Sat, 6 Oct 2007 23:30:03 +0200 (CEST)
On Sat, 6 Oct 2007, Marc Haber wrote:

> If so, I suspect that you got the zope log file in Saturday's or
> Sunday's report, which prevented the new database from being copied
> over the old one, and which caused the "normal" log file rules not to
> apply any more for Monday's report.

Well, this was by chance.  I get the reports on any next day.

> The solution will probably be to add appropriate rules for the zope
> log files.

I have appropriate rules.

Kind regards

     Andreas.

-- 
http://fam-tille.de




Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #56 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Andreas Tille <tillea@rki.de>
Cc: 442214@bugs.debian.org
Subject: Re: Bug#442214: [Pkg-aide-maintainers] Bug#442214: Bug#442214: aide: Aide issues false alarms
Date: Sun, 7 Oct 2007 07:07:38 +0200
On Sat, Oct 06, 2007 at 11:30:03PM +0200, Andreas Tille wrote:
> On Sat, 6 Oct 2007, Marc Haber wrote:
> >If so, I suspect that you got the zope log file in Saturday's or
> >Sunday's report, which prevented the new database from being copied
> >over the old one, and which caused the "normal" log file rules not to
> >apply any more for Monday's report.
> 
> Well, this was by chance.  I get the reports on any next day.
> 
> >The solution will probably be to add appropriate rules for the zope
> >log files.
> 
> I have appropriate rules.

I feel that I am missing information. Please rebuild your database,
and show me all reports, completely, including detail information,
that were generated until the log files show up as changed. If
possible, generate ls -ali output of the log file and aide database
directories before and after each aide run, and include time stamps
for each action, so that I can find out what happened.

This took me days to get right in the package, it is exceptionally
hard to debug. Even harder without access to the target system.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Acknowledgement sent to Bill Wohler <wohler@newt.com>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #61 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Bill Wohler <wohler@newt.com>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: Andreas Tille <tillea@rki.de>, 442214@bugs.debian.org
Subject: Re: Bug#442214: aide: Aide issues false alarms
Date: Sat, 24 Nov 2007 19:56:29 -0800
Package: aide
Severity: normal
Version: 0.13.1-8

Hi Marc, I think I'm seeing the same thing here. It appears that the ARF
rule isn't working as advertised.

For example, the following line appeared in the report:

  removed: /var/log/aide/aide.log.6.gz

However, in /etc/aide/aide.conf.local.d/31_aide_aide [1], I see: 

  /var/log/aide/aide\.log\.6\.gz$ RotatedLogs+ARF

which should be suppressing this message. Right?

If I run:

  sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
  sudo /etc/cron.daily/aide

I still get the same report.

1. Yes, I have UPAC_CONFD="$UPAC_CONFDIR/aide.conf.local.d" in
/etc/default/aide.

-- 
Bill Wohler <wohler@newt.com>  http://www.newt.com/wohler/  GnuPG ID:610BD9AD




Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #66 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Bill Wohler <wohler@newt.com>
Cc: Andreas Tille <tillea@rki.de>, 442214@bugs.debian.org
Subject: Re: Bug#442214: aide: Aide issues false alarms
Date: Mon, 3 Dec 2007 23:29:24 +0100
Hi,

On Sat, Nov 24, 2007 at 07:56:29PM -0800, Bill Wohler wrote:
> Hi Marc, I think I'm seeing the same thing here. It appears that the ARF
> rule isn't working as advertised.
> 
> For example, the following line appeared in the report:
> 
>   removed: /var/log/aide/aide.log.6.gz
> 
> However, in /etc/aide/aide.conf.local.d/31_aide_aide [1], I see: 
> 
>   /var/log/aide/aide\.log\.6\.gz$ RotatedLogs+ARF
> 
> which should be suppressing this message. Right?

I have seen this happening when the database was not "activated" after
aide didn't find any changes.

The ANF/ARF rules will only work if aide.db.new is copied over aide.db
even after an aide run with return code 0. They are best imagined as
"run normally, but ignore this certain kind of change", which will of
course not hold if aide.db still holds the previous state of affairs.

To hopefully make things clearer, grab
https://ivanova.notwork.de/~mh/stuff/aidetest.tar.gz, untar and run
./runtests. This will "rotate" a log five times, with aide runs in
between (which will also copy aide.db.new over aide.db). Only in the
last iteration, rotation happens twice, and _this_ causes the change
to be reported.

In a nutshell: The ANF/ARF rules will only work if COPYNEWDB=yes is
set in /etc/default/aide _OR_ COPYNEWDB=ifnochange in
/etc/default/aide _AND_ no other changes were detected in an aide run.
As soon as the first change is detected, the next run is going to
report rotated logs despite the ANF/ARF rules.

To enable me to see your bug, please try to reduce your setup to
something as minimal as in my aidetest.tar.gz and send me the
directory along with instructions about how to reproduce the issue.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Acknowledgement sent to Bill Wohler <wohler@newt.com>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #71 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Bill Wohler <wohler@newt.com>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: Andreas Tille <tillea@rki.de>, 442214@bugs.debian.org
Subject: Re: Bug#442214: aide: Aide issues false alarms
Date: Sat, 09 Feb 2008 22:31:55 -0800
Marc Haber <mh+debian-packages@zugschlus.de> wrote:

> On Sat, Nov 24, 2007 at 08:04:54PM -0800, Bill Wohler wrote:
> > Marc Haber <mh+debian-packages@zugschlus.de> wrote:
> > > Care to submit your rules for inclusion in the aide packages?
> > 
> > I will be glad to do so once I stop editing them :-).
> 
> Great! Looking forward!

Just wanted to let you know that I'm still working on them a little bit
at a time and will let you know when I'm comfortable with them.

> > I've just installed 0.13.1-8 with apt-get source. Unfortunately, as
> > reported in #442214, I always get the following report:
> > 
> >   removed: /var/log/aide/aide.log.6.gz
> > 
> > Once that message goes away, I'll be able to determine if this upgrade
> > closed this issue for me.
> 
> Try changing /etc/aide/aide.conf.d/31_aide_aide to read:
> /var/log/aide/aide\.log(\.0)?$ LowLogs
> /var/log/aide/aide\.log\.1\.gz$ RotatedLogs+ANF
> /var/log/aide/aide\.log\.[2345]\.gz$ RotatedLogs
> /var/log/aide/aide\.log\.6\.gz$ RotatedLogs+ARF

I see the pattern here. I applied these in my files, but I still get
false alarms after a fashion. I'm still looking into it (albeit slowly).
I haven't made a small test case yet in hopes that I'll get the rules
right and because I never have time to set it up, but I may punt and do
so at some point.

Thanks for your patience.

-- 
Bill Wohler <wohler@newt.com>  http://www.newt.com/wohler/  GnuPG ID:610BD9AD




Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #76 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Bill Wohler <wohler@newt.com>
Cc: Marc Haber <mh+debian-packages@zugschlus.de>, Andreas Tille <tillea@rki.de>, 442214@bugs.debian.org
Subject: Re: Bug#442214: aide: Aide issues false alarms
Date: Sun, 10 Feb 2008 09:36:41 +0100
On Sat, Feb 09, 2008 at 10:31:55PM -0800, Bill Wohler wrote:
> I see the pattern here. I applied these in my files, but I still get
> false alarms after a fashion. I'm still looking into it (albeit slowly).
> I haven't made a small test case yet in hopes that I'll get the rules
> right and because I never have time to set it up, but I may punt and do
> so at some point.

Generally, it is a very good idea to try things like that with a
minimal test case so that the turnaround time is only a few seconds.

I am even thinking about including a test case example with the package.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #81 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Marc Haber <mh+debian-packages@zugschlus.de>, 442214@bugs.debian.org, 442214-submitter@bugs.debian.org
Cc: Bill Wohler <wohler@newt.com>, Andreas Tille <tillea@rki.de>
Subject: Re: Bug#442214: aide: Aide issues false alarms
Date: Mon, 25 Feb 2008 16:08:37 +0100
tags #442214 moreinfo
thanks

On Mon, Dec 03, 2007 at 11:29:24PM +0100, Marc Haber wrote:
> To hopefully make things clearer, grab
> https://ivanova.notwork.de/~mh/stuff/aidetest.tar.gz, untar and run
> ./runtests. This will "rotate" a log five times, with aide runs in
> between (which will also copy aide.db.new over aide.db). Only in the
> last iteration, rotation happens twice, and _this_ causes the change
> to be reported.
> 
> To enable me to see your bug, please try to reduce your setup to
> something as minimal as in my aidetest.tar.gz and send me the
> directory along with instructions about how to reproduce the issue.

May I remind?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835




Tags added: moreinfo Request was from Marc Haber <mh+debian-packages@zugschlus.de> to control@bugs.debian.org. (Mon, 25 Feb 2008 15:13:28 GMT) (full text, mbox, link).


Message sent on to Andreas Tille <tillea@rki.de>:
Bug#442214. (full text, mbox, link).


Acknowledgement sent to Francois Gouget <fgouget@free.fr>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #91 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Francois Gouget <fgouget@free.fr>
To: 442214@bugs.debian.org
Subject: Re: aide: Aide issues false alarms
Date: Mon, 3 Mar 2008 23:37:49 +0100 (CET)
Marc Haber wrote:
> In a previous run, aide detected changes (most probably the zope log
> file), and thus the newly generated database was not copied over the
> old one. After the next log rotation, the log-related rules didn't
> apply any more and you got the report quoted above.

So it's necessary to get a clean run to not get things to degenerate. 
Ouch. That's going to be pretty hard given how incomplete the default 
aide configuration files are.

I also don't understand why ifnochange is not the default since, as it 
is and with the rules that aide ships with, using anything else will 
result in the administrator being deluged with false positives 
(essentially every single Debian package's log files will be reported in 
short order).

-- 
Francois Gouget <fgouget@free.fr>              http://fgouget.free.fr/
                              145 = 1! + 4! + 5!




Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #96 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Francois Gouget <fgouget@free.fr>, 442214@bugs.debian.org
Subject: Re: [Pkg-aide-maintainers] Bug#442214: aide: Aide issues false alarms
Date: Wed, 5 Mar 2008 11:11:30 +0100
On Mon, Mar 03, 2008 at 11:37:49PM +0100, Francois Gouget wrote:
> Marc Haber wrote:
> > In a previous run, aide detected changes (most probably the zope log
> > file), and thus the newly generated database was not copied over the
> > old one. After the next log rotation, the log-related rules didn't
> > apply any more and you got the report quoted above.
> 
> So it's necessary to get a clean run to not get things to degenerate. 
> Ouch. That's going to be pretty hard given how incomplete the default 
> aide configuration files are.

Which is why the AIDE documentation asks people to submit their rules
either to aide or to the maintainers of the other packages for
inclusion in either package. The support scheme supports either.

Unfortunately, users and other maintainers are quite reluctant to do
so, and I do not have the time to build rules for packages that I do
not use myself. Frankly, I _must_ rely on others doing this work.

> I also don't understand why ifnochange is not the default since, as it 
> is and with the rules that aide ships with, using anything else will 
> result in the administrator being deluged with false positives 
> (essentially every single Debian package's log files will be reported in 
> short order).

Ifnochange basically accepts a certain set of changes automatically,
which is, IMO, unacceptable as a default configuration.

Since interpretation of an aide log needs considerable experience and
expertise, and manual tweaking is needed in the vast majority of cases
anyway, it is reasonable to ask administrators to activate this
feature if it is locally wanted.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Acknowledgement sent to Francois Gouget <fgouget@free.fr>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #101 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Francois Gouget <fgouget@free.fr>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: 442214@bugs.debian.org
Subject: Re: [Pkg-aide-maintainers] Bug#442214: aide: Aide issues false alarms
Date: Wed, 5 Mar 2008 17:30:52 +0100 (CET)
On Wed, 5 Mar 2008, Marc Haber wrote:
[...]
> Which is why the AIDE documentation asks people to submit their rules
> either to aide or to the maintainers of the other packages for
> inclusion in either package. The support scheme supports either.

I have been trying to add the missing rules but this has been pretty 
frustrating. Even more so because some files keep coming back even though 
I thought I had them covered. But now I understand it is because 
ifnochange was not set, and even then it's not going to trigger before I 
solve everything :-(

So I've sent you a few of the missing rules. They mostly have to do with 
(rotated) logs. I'm not very confident in the rules I wrote though but 
hopefully with your help I can get them right and accepted in aide. Then 
as the first rules receive your green light I can send you more (there's 
no point burying you in what may be little more than garbage).



> Unfortunately, users and other maintainers are quite reluctant to do
> so, and I do not have the time to build rules for packages that I do
> not use myself. Frankly, I _must_ rely on others doing this work.

I think the aide configuration files and the cruft configuration files 
should be merged (in fact cruft should probably have more than enough 
information in the aide configuration files), and then Debian Policy 
should make it mandatory for every Debian package to provide these 
configuration files.

This would have many benefits:
 * Make it easy to support both cruft and aide
 * Debian systems would become much more auditable as not only the 
   'static' files would be accounted for, but also the dynamic runtime 
   ones.
 * 'dlocate /var/log/syslog' would finally return something sensible
 * By making it part of Debian Policy we'd get much much better coverage 
   and solve what has been the main problem for both cruft and aide.

But of course this is a big change so there will be resistance and as 
I'm not a Debian developer my opinion does not carry much weight :-(



[...]
> > I also don't understand why ifnochange is not the default since, as it 
> > is and with the rules that aide ships with, using anything else will 
> > result in the administrator being deluged with false positives 
> > (essentially every single Debian package's log files will be reported in 
> > short order).
> 
> Ifnochange basically accepts a certain set of changes automatically,
> which is, IMO, unacceptable as a default configuration.

But this set of changes has been explicitly okay-ed by the aide 
configuration files as corresponding to the normal system behavior. So 
I see no reason not to validate them.

Otherwise we have the current situation where after just a couple of 
days you have tons of changed files in the aide reports, which, if you 
don't do what ifnochange would have done in the first place, means the 
aide reports become useless because they are filled with false positives.

Do you use ifnochange? If not, how do you deal with all the warnings 
about the logs?


Ideally, in ifnochange mode aide would know how to make partial changes 
to the aide.db file.

For instance on day N /var/log/syslog gets rotated but that's allowed by 
the configuration files so the corresponding entries are updated in 
aide.db. On the same day /usr/bin/perl is modified but that's not 
allowed by the aide rules so that entry is not updated in aide.db.

Then on day N+1 /var/log/syslog gets rotated again. But that's ok 
because it's allowed by the aide rules and the database has been updated 
the day before. /usr/bin/perl has not been modified further but aide 
still reports it because it still does not match what aide.db says it 
should be.

Such a behavior would make it much easier to progressively get the 
aide.log reports under control and finally useful.

-- 
Francois Gouget <fgouget@free.fr>              http://fgouget.free.fr/
 The greatest programming project of all took six days; on the seventh day the
  programmer rested. We've been trying to debug the *&^%$#@ thing ever since.
                      Moral: design before you implement.




Information forwarded to debian-bugs-dist@lists.debian.org, Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>:
Bug#442214; Package aide. (full text, mbox, link).


Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #106 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Francois Gouget <fgouget@free.fr>, 442214@bugs.debian.org
Subject: Re: [Pkg-aide-maintainers] Bug#442214: Bug#442214: aide: Aide issues false alarms
Date: Tue, 11 Mar 2008 13:55:59 +0100

Hi Francois,

On Wed, Mar 05, 2008 at 05:30:52PM +0100, Francois Gouget wrote:
> On Wed, 5 Mar 2008, Marc Haber wrote:
> > Which is why the AIDE documentation asks people to submit their rules
> > either to aide or to the maintainers of the other packages for
> > inclusion in either package. The support scheme supports either.
> 
> I have been trying to add the missing rules but this has been pretty 
> frustrating. Even more so because some files keep coming back even though 
> I thought I had them covered. But now I understand it is because 
> ifnochange was not set, and even then it's not going to trigger before I 
> solve everything :-(

Until then, you can manually copy aide.db.new over aide.db.

> So I've sent you a few of the missing rules. They mostly have to do with 
> (rotated) logs. I'm not very confident in the rules I wrote though but 
> hopefully with your help I can get them right and accepted in aide. Then 
> as the first rules receive your green light I can send you more (there's 
> no point burying you in what may be little more than garbage).

They are already in svn, but have not been tested widely. I will
prepare a new upload of aide maybe this week.

> > Unfortunately, users and other maintainers are quite reluctant to do
> > so, and I do not have the time to build rules for packages that I do
> > not use myself. Frankly, I _must_ rely on others doing this work.
> 
> I think the aide configuration files and the cruft configuration files 
> should be merged (in fact cruft should probably have more than enough 
> information in the aide configuration files), and then Debian Policy 
> should make it mandatory for every Debian package to provide these 
> configuration files.

cruft and aide do quite different things, and merging their
configuration seems like a good idea. But I am totally demotivated to
help with cruft as I have tried to work with cruft's maintainer on a
different package, ifupdown, for years and have found that he is
impossible to work with.

The Debian Policy thing is not going to happen any time soon. The
right way would be submitting aide rules to the other packages by way
of a wishlist bug report, leaving it at the maintainer's discretion to
include the file or not.

Having the aide rule brought with the package that needs them also
eases the problem that an aide installation bringing all rules with
itself would have a lot of unnecessary rules active, giving
more opportunities to attackers to hide their files.

> But of course this is a big change so there will be resistance and as 
> I'm not a Debian developer my opinion does not carry much weight :-(

To me your opinion carries as much weight as a DD's, and nothing keeps
you away from producing code and patches.

> > > I also don't understand why ifnochange is not the default since, as it 
> > > is and with the rules that aide ships with, using anything else will 
> > > result in the administrator being deluged with false positives 
> > > (essentially every single Debian package's log files will be reported in 
> > > short order).
> > 
> > Ifnochange basically accepts a certain set of changes automatically,
> > which is, IMO, unacceptable as a default configuration.
> 
> But this set of changes has been explicitly okay-ed by the aide 
> configuration files as corresponding to the normal system behavior. So 
> I see no reason not to validate them.

Aide configuration may have bugs, and thus a manual inspection is in
order. When the local admin feels sufficiently comfortable with his
configuration, he might give consent to automatically accept the
changes.

> Do you use ifnochange?

Yes, I use it. But my systems rarely have no changes in the aide logs.

> Ideally, in ifnochange mode aide would know how to make partial changes 
> to the aide.db file.

Ifnochange is a Debian extension implemented in the Debian daily cron
job. Upstream doesn't even know about that feature.

> For instance on day N /var/log/syslog gets rotated but that's allowed by 
> the configuration files so the corresponding entries are updated in 
> aide.db. On the same day /usr/bin/perl is modified but that's not 
> allowed by the aide rules so that entry is not updated in aide.db.

If /usr/bin/perl weren't changed, and the rules for /var/log/syslog
were correct, aide wouldn't report any changes here, and the new
database would be copied if ifnochange is set.

> Then on day N+1 /var/log/syslog gets rotated again. But that's ok 
> because it's allowed by the aide rules and the database has been updated 
> the day before. /usr/bin/perl has not been modified further but aide 
> still reports it because it still does not match what aide.db says it 
> should be.

That's the idea, but the I feature of aide doesn't interface very well
with ANF and ARF to allow this transparently. I have to trust upstream
saying that this interface would be awfully hard without a major
design change in aide.

> Such a behavior would make it much easier to progressively get the 
> aide.log reports under control and finally useful.

Yes, but it should be discussed on the upstream mailing list.

Did I point you to the debugging setup published at
https://ivanova.notwork.de/~mh/stuff/aidetest.tar.gz?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Acknowledgement sent to Bill Wohler <wohler@newt.com>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #111 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Bill Wohler <wohler@newt.com>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: Andreas Tille <tillea@rki.de>, 442214@bugs.debian.org
Subject: Re: Bug#442214: aide: Aide issues false alarms
Date: Sat, 19 Jul 2008 11:48:37 -0700

Marc Haber <mh+debian-packages@zugschlus.de> wrote:

> On Sat, Nov 24, 2007 at 07:56:29PM -0800, Bill Wohler wrote:
> > Hi Marc, I think I'm seeing the same thing here. It appears that the ARF
> > rule isn't working as advertised.
> > 
> > For example, the following line appeared in the report:
> > 
> >   removed: /var/log/aide/aide.log.6.gz
> > 
> > However, in /etc/aide/aide.conf.local.d/31_aide_aide [1], I see: 
> > 
> >   /var/log/aide/aide\.log\.6\.gz$ RotatedLogs+ARF
> > 
> > which should be suppressing this message. Right?
> 
> In a nutshell: The ANF/ARF rules will only work if COPYNEWDB=yes is
> set in /etc/default/aide _OR_ COPYNEWDB=ifnochange in
> /etc/default/aide _AND_ no other changes were detected in an aide run.
> As soon as the first change is detected, the next run is going to
> report rotated logs despite the ANF/ARF rules.

Bingo! That was it. I don't think I ever saw those changes on their own.

I've updated the documentation in /etc/default/aide which might make
this more clear. I've included a patch for your consideration. I think
you can now close this bug. Thanks!

Index: aide
===================================================================
--- aide	(revision 9249)
+++ aide	(working copy)
@@ -35,9 +35,12 @@
 # COMMAND=update. It is ignored if COMMAND!=update.
 # no: Do not copy new database to old database. This is the default.
 # yes: Copy new database to old database. This means that changes to the
-#   file system are only reported once. Possibly dangerous.
+#   file system are only reported once. Possibly dangerous. However, the
+#   ANF/ARF rules are always guaranteed to work with this setting.
 # ifnochange: Copy new database to old database if no changes have
-#   been reported. This is needed for ANF/ARF to work reliably.
+#   been reported. This is needed for ANF/ARF to work reliably. Note, however,
+#   that once there is a change which prevents the copying of the database,
+#   the ANF/ARF rules will appear to stop working in the next run.
 COPYNEWDB=ifnochange
 
 # This parameter defines how many lines to return per e-mail. Output longer
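Review bot: the new ifnochange comment ends at the symptom ("the ANF/ARF rules will appear to stop working in the next run") and gives no remedy, so an admin reading only /etc/default/aide does not learn that the rules resume once the new database has been copied over the old one after inspection; suggest adding that sentence. In the "yes" entry, the added "always guaranteed to work" directly follows "Possibly dangerous" and can read as softening that warning; consider keeping the caveat last, and "always" is redundant next to "guaranteed".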

-- 
Bill Wohler <wohler@newt.com>  http://www.newt.com/wohler/  GnuPG ID:610BD9AD




Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #116 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Bill Wohler <wohler@newt.com>
Cc: Andreas Tille <tillea@rki.de>, 442214@bugs.debian.org
Subject: Re: Bug#442214: aide: Aide issues false alarms
Date: Wed, 23 Jul 2008 14:37:07 +0200

On Sat, Jul 19, 2008 at 11:48:37AM -0700, Bill Wohler wrote:
> Marc Haber <mh+debian-packages@zugschlus.de> wrote:
> > On Sat, Nov 24, 2007 at 07:56:29PM -0800, Bill Wohler wrote:
> > > Hi Marc, I think I'm seeing the same thing here. It appears that the ARF
> > > rule isn't working as advertised.
> > > 
> > > For example, the following line appeared in the report:
> > > 
> > >   removed: /var/log/aide/aide.log.6.gz
> > > 
> > > However, in /etc/aide/aide.conf.local.d/31_aide_aide [1], I see: 
> > > 
> > >   /var/log/aide/aide\.log\.6\.gz$ RotatedLogs+ARF
> > > 
> > > which should be suppressing this message. Right?
> > 
> > In a nutshell: The ANF/ARF rules will only work if COPYNEWDB=yes is
> > set in /etc/default/aide _OR_ COPYNEWDB=ifnochange in
> > /etc/default/aide _AND_ no other changes were detected in an aide run.
> > As soon as the first change is detected, the next run is going to
> > report rotated logs despite the ANF/ARF rules.
> 
> Bingo! That was it. I don't think I ever saw those changes on their own.
> 
> I've updated the documentation in /etc/default/aide which might make
> this more clear. I've included a patch for your consideration.

I am not comfortable at all with the idea of documenting things in the
actual configuration file since this encourages people to ignore the
README file even more.

I have instead committed the following patch to the README file which
will hopefully make things a lot clearer than they were explained
in the previous README file. I'd appreciate your comments.

@@ -106,10 +140,23 @@
 dangerous since detected changes are only reported once. This is the
 reason for COPYNEWDB="no" being the default. A third option,
 COPYNEWDB="ifnochange" only copies the new database over the old one
-if aide has not detected any changes. This might be necessary for the
-ANF/ARF feature to properly handle logs that have been rotated
-multiple times.
+if aide has not detected any changes.

+ANF/ARF rules are only going to work if an updated database is copied
+over the old reference database before the next database update. Since
+ANF/ARF rules are part of the default install, it will be necessary to
+either
+   - manually run aide --update daily and copy over the databases
+     after manual inspection manually _each_ day,
+   - set COMMAND="update" and copy the newly generated database over
+     the old reference database after manual inspection _each_ _day_,
+   - set COMMAND="update" and COPYNEWDB="ifnochange" and copy
+     the newly generated database over the old reference database
+     after manual inspection if changes were reported or
+   - set COMMAND="update" and COPYNEWDB="yes" and live with the fact
+     that changes to the filesystem will only be reported once and never
+     again.
+
 The cron job then mails aide's output to the address configured as
 MAILTO if either
   - reportable changes have been found or
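Review bot: the first two added bullets describe the same daily routine (update, inspect, copy the database) and differ only in whether the admin or the cron job starts aide, which the wording does not make obvious; the first bullet also says "manually" three times ("manually run ... after manual inspection manually _each_ day"). Suggest stating the difference at the start of each bullet and dropping the repeated word. The alternatives are joined by a single "or" at the end of the third bullet, so a reader can miss that the four items are mutually exclusive choices; also, the line between "if aide has not detected any changes." and the first "+ANF/ARF" line carries no "+" marker, so it is worth checking that the paragraph break is really part of the committed text.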

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
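The COPYNEWDB behaviour discussed in this exchange, as an added example that is not part of the thread, of AIDE, or of the Debian cron job: a simplified Python model of daily `update` runs in which the rotated-log rules tolerate exactly one rotation step against the reference database. The slot names, file ids, digests and the `admin_accepts` switch are constructed assumptions.

```python
import copy

# Constructed rotation chain: slot 0 is the live log, the last slot the oldest.
NAMES = ["syslog", "syslog.1", "syslog.2.gz", "syslog.3.gz"]
LAST = len(NAMES) - 1


def rotate(chain, fresh_id):
    """One logrotate step: a fresh file in slot 0, the oldest file dropped."""
    return [fresh_id] + chain[:-1]


def compare(db, fs):
    """Report lines for reference state `db` against current state `fs`.

    Assumed rule model (not AIDE's matching code): a log file is accepted
    in the slot recorded in the reference database or one slot further,
    i.e. after a single rotation. A new file is accepted only in slot 0
    (stands in for ANF), a removal only from the last slot (stands in for
    ARF). All other files are compared by digest.
    """
    report = []
    old_slot = {fid: i for i, fid in enumerate(db["logs"])}
    for i, fid in enumerate(fs["logs"]):
        if fid not in old_slot:
            if i != 0:
                report.append(f"added: /var/log/{NAMES[i]}")
        elif i - old_slot[fid] not in (0, 1):
            report.append(f"changed: /var/log/{NAMES[i]}")
    for fid, i in old_slot.items():
        if fid not in fs["logs"] and i != LAST:
            report.append(f"removed: /var/log/{NAMES[i]}")
    for path, digest in fs["files"].items():
        if db["files"].get(path) != digest:
            report.append(f"changed: {path}")
    return report


def run_days(copynewdb, days, tamper_day=None, admin_accepts=False):
    """Simulate daily update runs and return one report (list) per day.

    copynewdb     -- "no", "yes" or "ifnochange", as in /etc/default/aide
    tamper_day    -- day on which /usr/bin/perl is modified (constructed)
    admin_accepts -- the admin inspects every non-empty report and then
                     copies the new database over the reference by hand
    """
    fs = {"logs": list(range(LAST, -1, -1)),
          "files": {"/usr/bin/perl": "digest-0"}}
    db = copy.deepcopy(fs)  # reference database taken on day 0
    reports = []
    for day in range(1, days + 1):
        fs["logs"] = rotate(fs["logs"], LAST + day)
        if day == tamper_day:
            fs["files"]["/usr/bin/perl"] = "digest-1"
        report = compare(db, fs)
        reports.append(report)
        copy_db = (
            copynewdb == "yes"
            or (copynewdb == "ifnochange" and not report)
            or (admin_accepts and bool(report))
        )
        if copy_db:
            db = copy.deepcopy(fs)  # new database replaces the reference
    return reports


if __name__ == "__main__":
    scenarios = [
        ("no", {}),
        ("ifnochange", {}),
        ("ifnochange", {"tamper_day": 2}),
        ("ifnochange", {"tamper_day": 2, "admin_accepts": True}),
        ("yes", {"tamper_day": 2}),
    ]
    for mode, extra in scenarios:
        print(f"COPYNEWDB={mode} {extra}")
        for day, report in enumerate(run_days(mode, 4, **extra), start=1):
            print(f"  day {day}: {report or 'no changes'}")
```

With `ifnochange`, the one unrelated change on day 2 blocks the copy, and from day 3 on the log chain is reported as added, changed and removed even though the rules themselves are unchanged.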




Acknowledgement sent to Bill Wohler <wohler@newt.com>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #121 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Bill Wohler <wohler@newt.com>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: Andreas Tille <tillea@rki.de>, 442214@bugs.debian.org
Subject: Re: Bug#442214: aide: Aide issues false alarms
Date: Wed, 23 Jul 2008 13:45:05 -0700

Marc Haber <mh+debian-packages@zugschlus.de> wrote:

> I have instead committed the following patch to the README file which
> will hopefully make things a lot clearer than they were explained
> in the previous README file. I'd appreciate your comments.

Excellent!

> +   - set COMMAND="update" and COPYNEWDB="yes" and live with the fact
> +     that changes to the filesystem will only be reported once and never
> +     again.

I found that setting COPYNEWDB to yes suits me well.

I also found that because this setting trashes the old database, you
don't have a chance to later run aide --compare to see how a particular
file changed. I therefore added AIDEARGS="-V5" to /etc/default/aide.
Because you're updating the database every day, the emails still tend to
be small, and even if they are large and get truncated (due to a system
update, say), you still have the output in /var/log/aide.

I think it would be good to mention that issue in the COMMAND="update"
and COPYNEWDB="yes" item.

-- 
Bill Wohler <wohler@newt.com>  http://www.newt.com/wohler/  GnuPG ID:610BD9AD




Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #126 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Bill Wohler <wohler@newt.com>
Cc: Andreas Tille <tillea@rki.de>, 442214@bugs.debian.org
Subject: Re: Bug#442214: aide: Aide issues false alarms
Date: Fri, 25 Jul 2008 10:47:01 +0200

On Wed, Jul 23, 2008 at 01:45:05PM -0700, Bill Wohler wrote:
> Marc Haber <mh+debian-packages@zugschlus.de> wrote:
> I also found that because this setting trashes the old database, you
> don't have a chance to later run aide --compare to see how a particular
> file changed. I therefore added AIDEARGS="-V5" to /etc/default/aide.

The default, -V4, gives at least a list about which files changed, and
if one wants more verbose reports, he is free to refer to the manpage
to change the verbosity level.

> I think it would be good to mention that issue in the COMMAND="update"
> and COPYNEWDB="yes" item.

I do not think that it is a good idea to re-iterate every possible
outcome of every configuration option in every possible place. I am
not convinced.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Acknowledgement sent to Bill Wohler <wohler@newt.com>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #131 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Bill Wohler <wohler@newt.com>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: Andreas Tille <tillea@rki.de>, 442214@bugs.debian.org
Subject: Re: Bug#442214: aide: Aide issues false alarms
Date: Fri, 25 Jul 2008 09:38:47 -0700

Marc Haber <mh+debian-packages@zugschlus.de> wrote:

> On Wed, Jul 23, 2008 at 01:45:05PM -0700, Bill Wohler wrote:
> > Marc Haber <mh+debian-packages@zugschlus.de> wrote:
> > I also found that because this setting trashes the old database, you
> > don't have a chance to later run aide --compare to see how a particular
> > file changed. I therefore added AIDEARGS="-V5" to /etc/default/aide.
> 
> The default, -V4, gives at least a list about which files changed, and
> if one wants more verbose reports, he is free to refer to the manpage
> to change the verbosity level.

Yes, but...

> > I think it would be good to mention that issue in the COMMAND="update"
> > and COPYNEWDB="yes" item.
> 
> I do not think that it is a good idea to re-iterate every possible
> outcome of every configuration option in every possible place.

Of course not, but this is important. If you used the defaults, and you
set COPYNEWDB to yes and the first message you get had some files which
might have indicated a break-in, you'd want to see the specific changes.
Or, more likely, you might not realize the unintended consequences of
the setting until later. I was truly shocked when I realized it.

It's your call, of course, but I like it when documentation discusses
more than just the options and the settings and goes into the
justifications, ramifications, and best practices. Just because you can
do something doesn't mean you should. I think this is an important
aspect to point out. Somewhere. Thanks!

-- 
Bill Wohler <wohler@newt.com>  http://www.newt.com/wohler/  GnuPG ID:610BD9AD




Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #136 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Bill Wohler <wohler@newt.com>
Cc: Andreas Tille <tillea@rki.de>, 442214@bugs.debian.org
Subject: Re: Bug#442214: aide: Aide issues false alarms
Date: Sun, 27 Jul 2008 11:28:56 +0200

On Fri, Jul 25, 2008 at 09:38:47AM -0700, Bill Wohler wrote:
> Marc Haber <mh+debian-packages@zugschlus.de> wrote:
> > On Wed, Jul 23, 2008 at 01:45:05PM -0700, Bill Wohler wrote:
> > > I think it would be good to mention that issue in the COMMAND="update"
> > > and COPYNEWDB="yes" item.
> > 
> > I do not think that it is a good idea to re-iterate every possible
> > outcome of every configuration option in every possible place.
> 
> Of course not, but this is important. If you used the defaults, and you
> set COPYNEWDB to yes and the first message you get had some files which
> might have indicated a break-in, you'd want to see the specific changes.
> Or, more likely, you might not realize the unintended consequences of
> the setting until later. I was truly shocked when I realized it.

You have a point here, I have included this in README.Debian:

--- debian/aide-common.README.Debian    (revision 754)
+++ debian/aide-common.README.Debian    (working copy)
@@ -102,13 +102,15 @@

 After running aide, the newly generated database which was created
 with COMMAND="update" is optionally copied over the old reference
-database. Doing this unconditionally (COPYNEWDB="yes") might be
-dangerous since detected changes are only reported once. This is the
-reason for COPYNEWDB="no" being the default. A third option,
-COPYNEWDB="ifnochange" only copies the new database over the old one
-if aide has not detected any changes. This might be necessary for the
-ANF/ARF feature to properly handle logs that have been rotated
-multiple times.
+database. This might be necessary for the ANF/ARF feature to properly
+handle logs that have been rotated multiple times. COPYNEWDB="no" is
+the default because automatically copying the database unconditionally
+(COPYNEWDB="yes") might be dangerous since detected changes are only
+reported once. Additionally, if you do not manually increase the
+verbosity level by setting (for example) AIDEARGE="-V5" in
+/etc/default/aide, you lose the possibility of inspecting the changes
+more closely. A third option, COPYNEWDB="ifnochange" only copies the
+new database over the old one if aide has not detected any changes.
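Review bot: the added line 'verbosity level by setting (for example) AIDEARGE="-V5" in' spells the variable AIDEARGE, while the setting reported earlier in this thread is AIDEARGS="-V5"; the README should use the name the cron job actually reads, so please check and align the spelling. The sentence starting "Additionally" also comes right after the clause about COPYNEWDB="no" being the default, so it is not clear that the loss of detail applies to COPYNEWDB="yes"; naming the setting in that sentence would remove the ambiguity.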

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Acknowledgement sent to Bill Wohler <wohler@newt.com>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #141 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Bill Wohler <wohler@newt.com>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: Andreas Tille <tillea@rki.de>, 442214@bugs.debian.org
Subject: Re: Bug#442214: aide: Aide issues false alarms
Date: Sun, 27 Jul 2008 08:21:31 -0700

Marc Haber <mh+debian-packages@zugschlus.de> wrote:

>            This might be necessary for the ANF/ARF feature to properly
> +handle logs that have been rotated multiple times. COPYNEWDB="no" is
> +the default because automatically copying the database unconditionally
> +(COPYNEWDB="yes") might be dangerous since detected changes are only
> +reported once. Additionally, if you do not manually increase the
> +verbosity level by setting (for example) AIDEARGE="-V5" in
> +/etc/default/aide, you lose the possibility of inspecting the changes
> +more closely.

Since COPYNEWDB="yes" was parenthetical, that last sentence seems more
associated with the subject of the previous subject, namely,
COPYNEWDB="no". What do you think of this?

COPYNEWDB="no" is the default because automatically copying the database
unconditionally (COPYNEWDB="yes") might be dangerous since detected
changes are only reported once. Because changes are only reported once
when using COPYNEWDB="yes" and you lose the possibility of inspecting
the changes more closely, increase the verbosity level by setting, for
example, AIDEARGE="-V5" in /etc/default/aide so that the report has
enough detail to diagnose problems.

-- 
Bill Wohler <wohler@newt.com>  http://www.newt.com/wohler/  GnuPG ID:610BD9AD




Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #146 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Bill Wohler <wohler@newt.com>
Cc: Andreas Tille <tillea@rki.de>, 442214@bugs.debian.org
Subject: Re: Bug#442214: aide: Aide issues false alarms
Date: Sun, 27 Jul 2008 17:32:27 +0200

On Sun, Jul 27, 2008 at 08:21:31AM -0700, Bill Wohler wrote:
> Marc Haber <mh+debian-packages@zugschlus.de> wrote:
> >            This might be necessary for the ANF/ARF feature to properly
> > +handle logs that have been rotated multiple times. COPYNEWDB="no" is
> > +the default because automatically copying the database unconditionally
> > +(COPYNEWDB="yes") might be dangerous since detected changes are only
> > +reported once. Additionally, if you do not manually increase the
> > +verbosity level by setting (for example) AIDEARGE="-V5" in
> > +/etc/default/aide, you lose the possibility of inspecting the changes
> > +more closely.
> 
> Since COPYNEWDB="yes" was parenthetical, that last sentence seems more
> associated with the subject of the previous subject, namely,
> COPYNEWDB="no". What do you think of this?

I do not understand clearly. COPYNEWDB="no" always allows you to
inspect the changes more closely by re-running aide.

> COPYNEWDB="no" is the default because automatically copying the database
> unconditionally (COPYNEWDB="yes") might be dangerous since detected
> changes are only reported once. Because changes are only reported once
> when using COPYNEWDB="yes" and you lose the possibility of inspecting
> the changes more closely, increase the verbosity level by setting, for
> example, AIDEARGE="-V5" in /etc/default/aide so that the report has
> enough detail to diagnose problems.

"Changes are only reported once" is repeated, that's a stylistic
issue that jumps even into my non-native eyes. Additionally, the long
second sentence is kind of hard to parse. I still prefer my version,
but that may be a language issue.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Acknowledgement sent to Bill Wohler <wohler@newt.com>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #151 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Bill Wohler <wohler@newt.com>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: Andreas Tille <tillea@rki.de>, 442214@bugs.debian.org
Subject: Re: Bug#442214: aide: Aide issues false alarms
Date: Sun, 27 Jul 2008 08:42:14 -0700

Marc Haber <mh+debian-packages@zugschlus.de> wrote:

> On Sun, Jul 27, 2008 at 08:21:31AM -0700, Bill Wohler wrote:
> > Marc Haber <mh+debian-packages@zugschlus.de> wrote:
> > >            This might be necessary for the ANF/ARF feature to properly
> > > +handle logs that have been rotated multiple times. COPYNEWDB="no" is
> > > +the default because automatically copying the database unconditionally
> > > +(COPYNEWDB="yes") might be dangerous since detected changes are only
> > > +reported once. Additionally, if you do not manually increase the
> > > +verbosity level by setting (for example) AIDEARGE="-V5" in
> > > +/etc/default/aide, you lose the possibility of inspecting the changes
> > > +more closely.
> > 
> > Since COPYNEWDB="yes" was parenthetical, that last sentence seems more
> > associated with the subject of the previous subject, namely,
> > COPYNEWDB="no". What do you think of this?
> 
> I do not understand clearly. COPYNEWDB="no" always allows you to
> inspect the changes more closely by re-running aide.

It seems the warning (beginning with Additionally) applies if
COPYNEWDB="no".

> > COPYNEWDB="no" is the default because automatically copying the database
> > unconditionally (COPYNEWDB="yes") might be dangerous since detected
> > changes are only reported once. Because changes are only reported once
> > when using COPYNEWDB="yes" and you lose the possibility of inspecting
> > the changes more closely, increase the verbosity level by setting, for
> > example, AIDEARGE="-V5" in /etc/default/aide so that the report has
> > enough detail to diagnose problems.
> 
> "Changes are only reported once" is repeated, that's a stylistic
> issue that jumps even into my non-native eyes.

Good catch!

>                                                Additionally, the long
> second sentence is kind of hard to parse.

OK.

>                                           I still prefer my version,
> but that may be a language issue.

:-). I'd be toast if this were German.

If you can't think of some verbiage to associate the warning more
tightly with COPYNEWDB="yes" than COPYNEWDB="no" in a few moments, don't
worry about it.

-- 
Bill Wohler <wohler@newt.com>  http://www.newt.com/wohler/  GnuPG ID:610BD9AD




Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #156 received at 442214@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Bill Wohler <wohler@newt.com>, 442214@bugs.debian.org
Cc: Andreas Tille <tillea@rki.de>
Subject: Re: [Pkg-aide-maintainers] Bug#442214: aide: Aide issues false alarms
Date: Sun, 27 Jul 2008 22:26:34 +0200

On Sun, Jul 27, 2008 at 08:42:14AM -0700, Bill Wohler wrote:
> Marc Haber <mh+debian-packages@zugschlus.de> wrote:
> > On Sun, Jul 27, 2008 at 08:21:31AM -0700, Bill Wohler wrote:
> > > Marc Haber <mh+debian-packages@zugschlus.de> wrote:
> > > >            This might be necessary for the ANF/ARF feature to properly
> > > > +handle logs that have been rotated multiple times. COPYNEWDB="no" is
> > > > +the default because automatically copying the database unconditionally
> > > > +(COPYNEWDB="yes") might be dangerous since detected changes are only
> > > > +reported once. Additionally, if you do not manually increase the
> > > > +verbosity level by setting (for example) AIDEARGE="-V5" in
> > > > +/etc/default/aide, you lose the possibility of inspecting the changes
> > > > +more closely.
> > > 
> > > Since COPYNEWDB="yes" was parenthetical, that last sentence seems more
> > > associated with the subject of the previous subject, namely,
> > > COPYNEWDB="no". What do you think of this?
> > 
> > I do not understand clearly. COPYNEWDB="no" always allows you to
> > inspect the changes more closely by re-running aide.
> 
> It seems the warning (beginning with Additionally) applies if
> COPYNEWDB="no".

Ah, now I understand. How about this:

Index: debian/aide-common.README.Debian
===================================================================
--- debian/aide-common.README.Debian    (revision 758)
+++ debian/aide-common.README.Debian    (working copy)
@@ -106,11 +106,14 @@
 handle logs that have been rotated multiple times. COPYNEWDB="no" is
 the default because automatically copying the database unconditionally
 (COPYNEWDB="yes") might be dangerous since detected changes are only
-reported once. Additionally, if you do not manually increase the
-verbosity level by setting (for example) AIDEARGE="-V5" in
+reported once. If you use COPYNEWDB="yes" and do not manually increase
+the verbosity level by setting (for example) AIDEARGE="-V5" in
 /etc/default/aide, you lose the possibility of inspecting the changes
 more closely. A third option, COPYNEWDB="ifnochange" only copies the
-new database over the old one if aide has not detected any changes.
+new database over the old one if aide has not detected any changes. In
+this case, you need to manually copy over the databases after the
+first report showing changes, or your ANF+ARF rules (including rotated
+log files etc) are going to stop working.

 The cron job then mails aide's output to the address configured as
 MAILTO if either
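
Review bot: the added line `+the verbosity level by setting (for example) AIDEARGE="-V5" in` carries the AIDEARGE spelling over from the removed text, and the follow-up in this thread gives AIDEARGS as the variable name. Correct it while the sentence is being reworded: this is the setting the paragraph tells COPYNEWDB="yes" users to rely on, because their changes are reported only once.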

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Message #161 received at 442214@bugs.debian.org:

From: Bill Wohler <wohler@newt.com>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: 442214@bugs.debian.org, Andreas Tille <tillea@rki.de>
Subject: Re: [Pkg-aide-maintainers] Bug#442214: aide: Aide issues false alarms
Date: Sun, 27 Jul 2008 13:40:13 -0700
Marc Haber <mh+debian-packages@zugschlus.de> wrote:

> Ah, now I understand. How about this:
> 
> Index: debian/aide-common.README.Debian
> ===================================================================
> --- debian/aide-common.README.Debian    (revision 758)
> +++ debian/aide-common.README.Debian    (working copy)
> @@ -106,11 +106,14 @@
>  handle logs that have been rotated multiple times. COPYNEWDB="no" is
>  the default because automatically copying the database unconditionally
>  (COPYNEWDB="yes") might be dangerous since detected changes are only
> -reported once. Additionally, if you do not manually increase the
> -verbosity level by setting (for example) AIDEARGE="-V5" in
> +reported once. If you use COPYNEWDB="yes" and do not manually increase
> +the verbosity level by setting (for example) AIDEARGE="-V5" in
>  /etc/default/aide, you lose the possibility of inspecting the changes
>  more closely. A third option, COPYNEWDB="ifnochange" only copies the
> -new database over the old one if aide has not detected any changes.
> +new database over the old one if aide has not detected any changes. In
> +this case, you need to manually copy over the databases after the
> +first report showing changes, or your ANF+ARF rules (including rotated
> +log files etc) are going to stop working.
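
Review bot: in the last added sentence, "In this case" has to reach back across a sentence boundary to COPYNEWDB="ifnochange", which is the same antecedent problem the reworded "If you use COPYNEWDB="yes"" sentence fixes earlier in the hunk. Name the setting directly ("With COPYNEWDB="ifnochange", you need to ...") and say which database is copied over which, since "copy over the databases" leaves the direction open.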

Very good! The only thing is s/AIDEARGE/AIDEARGS/ :-).

Thank you very much.

-- 
Bill Wohler <wohler@newt.com>  http://www.newt.com/wohler/  GnuPG ID:610BD9AD




Message #166 received at 442214@bugs.debian.org:

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Bill Wohler <wohler@newt.com>
Cc: 442214@bugs.debian.org, Andreas Tille <tillea@rki.de>
Subject: Re: [Pkg-aide-maintainers] Bug#442214: aide: Aide issues false alarms
Date: Sun, 27 Jul 2008 22:46:20 +0200
On Sun, Jul 27, 2008 at 01:40:13PM -0700, Bill Wohler wrote:
> Very good! The only thing is s/AIDEARGE/AIDEARGS/ :-).

Fixed in svn, thanks.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (Fri, 03 Apr 2009 17:06:02 GMT)


Message #176 received at 442214@bugs.debian.org:

From: Marco Gaiarin <gaio@sv.lnf.it>
To: 442214@bugs.debian.org
Subject: Still this on lenny...
Date: Thu, 8 Apr 2010 09:44:26 +0200
I'm hitting this bug on lenny, aide 0.13.1-10.

Clearly I've:

	COMMAND=update
	COPYNEWDB=ifnochange

But still sporadically I got:

 ---------------------------------------------------
 Added files:
 ---------------------------------------------------
 added: /var/log/exim4/mainlog.2.gz
 added: /var/log/exim4/rejectlog.2.gz
 added: /var/log/syslog.2.gz
 added: /var/log/user.log.2.gz

 ---------------------------------------------------
 Removed files:
 ---------------------------------------------------
 removed: /var/log/ntop/access.log.4.gz
 removed: /var/log/exim4/mainlog.10.gz
 removed: /var/log/exim4/rejectlog.10.gz
 removed: /var/log/user.log.4.gz

 ---------------------------------------------------
 Changed files:
 ---------------------------------------------------
 changed: /var/log/exim4/mainlog
 changed: /var/log/exim4/rejectlog
 changed: /var/log/exim4/mainlog.1
 changed: /var/log/exim4/rejectlog.1
 changed: /var/log/syslog
 changed: /var/log/syslog.1
 changed: /var/log/user.log.1
 changed: /var/log/user.log
 changed: /var/log/syslog.7.gz


But if I look at /var/log/exim4 now (after some hours...):

 tank:~# ls -la /var/log/exim4/
 totale 2784
 drwxr-s---  2 Debian-exim adm    4096  8 apr 06:34 .
 drwxr-xr-x 13 root        root   4096  8 apr 06:34 ..
 -rw-r-----  1 Debian-exim adm   87293  8 apr 09:22 mainlog
 -rw-r-----  1 Debian-exim adm  552522  8 apr 06:34 mainlog.1
 -rw-r-----  1 Debian-exim adm   88305 30 mar 06:34 mainlog.10.gz
 -rw-r-----  1 Debian-exim adm  101723  7 apr 06:33 mainlog.2.gz
 -rw-r-----  1 Debian-exim adm   66851  6 apr 06:33 mainlog.3.gz
 -rw-r-----  1 Debian-exim adm   79894  5 apr 06:33 mainlog.4.gz
 -rw-r-----  1 Debian-exim adm   75787  4 apr 06:34 mainlog.5.gz
 -rw-r-----  1 Debian-exim adm   85616  3 apr 06:34 mainlog.6.gz
 -rw-r-----  1 Debian-exim adm  118557  2 apr 06:34 mainlog.7.gz
 -rw-r-----  1 Debian-exim adm  104152  1 apr 06:34 mainlog.8.gz
 -rw-r-----  1 Debian-exim adm  112329 31 mar 06:34 mainlog.9.gz
 -rw-r-----  1 Debian-exim adm       0  5 feb 17:41 paniclog
 -rw-r-----  1 Debian-exim adm   87683  8 apr 09:22 rejectlog
 -rw-r-----  1 Debian-exim adm  458763  8 apr 06:27 rejectlog.1
 -rw-r-----  1 Debian-exim adm   77745 30 mar 06:33 rejectlog.10.gz
 -rw-r-----  1 Debian-exim adm   87661  7 apr 06:30 rejectlog.2.gz
 -rw-r-----  1 Debian-exim adm   56135  6 apr 06:31 rejectlog.3.gz
 -rw-r-----  1 Debian-exim adm   65614  5 apr 06:29 rejectlog.4.gz
 -rw-r-----  1 Debian-exim adm   59657  4 apr 06:33 rejectlog.5.gz
 -rw-r-----  1 Debian-exim adm   77438  3 apr 06:30 rejectlog.6.gz
 -rw-r-----  1 Debian-exim adm   91157  2 apr 06:30 rejectlog.7.gz
 -rw-r-----  1 Debian-exim adm   79454  1 apr 06:33 rejectlog.8.gz
 -rw-r-----  1 Debian-exim adm   97203 31 mar 06:25 rejectlog.9.gz

/var/log/exim4/mainlog.10.gz is there; could it simply be that the last run
of aide (not this night, but last night) got scheduled between log
rotation?

Speaking clearly: it seems to me that the trouble here arises when aide gets
scheduled not before, not after but *between* a log rotation task.
This mangles the ANF and ARF rules, and the next run bumps this message.
I get these aide messages mostly on weekends (when weekly rotation
occurs and the load on the machine is probably bigger), but they also appear
randomly on workdays.
Note that I use aide on my firewalls, old (PII/PIII) boxes with not so
much horsepower, so probably on 'modern' and performant hardware this
could be very tricky to trigger.


/etc/cron.daily/aide seems too complicated for my scripting skills;
is there an easy way to make sure aide does not run between log
rotation?


Many thanks.

-- 
dott. Marco Gaiarin				    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it	  tel +39-0434-842711  fax +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
	   http://www.lanostrafamiglia.it/chi_siamo/5xmille.php
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)




Message #181 received at 442214@bugs.debian.org:

From: Hannes von Haugwitz <hannes@vonhaugwitz.com>
To: Marco Gaiarin <gaio@sv.lnf.it>, 442214@bugs.debian.org
Subject: Re: [Pkg-aide-maintainers] Bug#442214: Still this on lenny...
Date: Thu, 01 Jul 2010 08:24:35 +0200
Hi,

Marc has recently uploaded the latest version to lenny-backports.

Please try this version and provide feedback if that solves your problem.

Thanks

Hannes





Message #186 received at 442214@bugs.debian.org:

From: Marco Gaiarin <gaio@sv.lnf.it>
To: Hannes von Haugwitz <hannes@vonhaugwitz.com>, 442214@bugs.debian.org
Subject: Re: Bug#442214: [Pkg-aide-maintainers] Bug#442214: Still this on lenny...
Date: Mon, 12 Jul 2010 11:45:20 +0200
Hello! Hannes von Haugwitz
  On that day it was said...

> Marc has recently uploaded the latest version to lenny-backports.
> Please try this version and provide feedback if that solves your problem.

I've simply updated to the backport version, and let the weekend pass.

No, same problem: I hit modifications on syslog and exim logs, as
before.




Reply sent to Hannes von Haugwitz <hannes@vonhaugwitz.com>:
You have taken responsibility. (Sat, 31 Jul 2010 14:21:17 GMT)


Notification sent to Andreas Tille <tillea@rki.de>:
Bug acknowledged by developer. (Sat, 31 Jul 2010 14:21:17 GMT)


Message #191 received at 442214-done@bugs.debian.org:

From: Hannes von Haugwitz <hannes@vonhaugwitz.com>
To: 442214-done@bugs.debian.org, Marco Gaiarin <gaio@sv.lnf.it>
Subject: Re: Bug#442214: Still this on lenny...
Date: Sat, 31 Jul 2010 16:16:15 +0200
Hi,

To get working log file handling you either have to set COPYNEWDB to
'yes' or you have to copy the new database over the old database as soon
as the first changes were reported and before the next aide run (see
also README.Debian.gz).

As the complete bug report concerns configuration issues I close this
bug now.

Regards

Hannes
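
The three COPYNEWDB settings discussed in this thread, together with the manual copy step from the closing message, as an added shell example that is not the Debian cron job's own code. The function names are hypothetical, aide.db and aide.db.new are assumed database file names, and the exit status convention is an assumption taken from aide(1).

```shell
#!/bin/sh
# Added example, not the Debian cron job's code. Function names are
# hypothetical; aide.db / aide.db.new are assumed database file names.

# Decide whether the new database may replace the old one.
# $1 = COPYNEWDB setting (yes|no|ifnochange)
# $2 = aide exit status; assumption from aide(1): 0 = no differences,
#      1..7 = bitmask of added(1)/removed(2)/changed(4), above 7 = error.
should_copy_newdb() {
    policy=$1 status=$2
    # Never adopt a database written by a failed run.
    [ "$status" -le 7 ] || return 1
    case "$policy" in
        yes)        return 0 ;;             # changes are reported only once
        ifnochange) [ "$status" -eq 0 ] ;;  # baseline moves only on a clean run
        *)          return 1 ;;             # "no": the operator copies by hand
    esac
}

# Manual step after a reviewed report: make aide.db.new the baseline.
# $1 = directory holding both files.
# Returns 0 on success, 2 if there is no new database, 3 if it is stale.
promote_db() {
    dir=$1 new="$1/aide.db.new" old="$1/aide.db"
    [ -s "$new" ] || { echo "no new database in $dir" >&2; return 2; }
    # Refuse a new database that is not newer than the baseline: it
    # predates the last accepted state and would roll the baseline back.
    if [ -e "$old" ] && [ -n "$(find "$new" ! -newer "$old")" ]; then
        echo "refusing: $new is not newer than $old" >&2
        return 3
    fi
    tmp="$old.tmp.$$"
    # Copy, then rename within one directory, so a concurrent aide run
    # never reads a half-written baseline. -p keeps mode and timestamps.
    cp -p "$new" "$tmp" && mv -f "$tmp" "$old"
}
```

Call promote_db only after the report has been read, since the copy accepts every reported change as the new baseline.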




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 29 Aug 2010 07:32:04 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 08:55:31 2023; Machine Name: buxtehude
