Debian Bug report logs - #475983
Suggestion: bind9 chroot rule


Package: aide; Maintainer for aide is Aide Maintainers <aide@packages.debian.org>; Source for aide is src:aide (PTS, buildd, popcon).

Reported by: Guido Bozzetto <reportbug@G-B.it>

Date: Mon, 14 Apr 2008 09:28:54 UTC

Severity: wishlist

Tags: patch, wontfix

Found in version aide/0.13.1-9

Fixed in version aide/0.13.1-11

Done: Marc Haber <mh@nechayev.zugschlus.de>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>:
Bug#475983; Package aide. (full text, mbox, link).


Acknowledgement sent to Guido Bozzetto <reportbug@G-B.it>:
New Bug report received and forwarded. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Guido Bozzetto <reportbug@G-B.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Suggestion: bind9 chroot rule
Date: Mon, 14 Apr 2008 11:06:14 +0200
Package: aide
Version: 0.13.1-9
Severity: wishlist
Tags: patch

I suggest the following changes to the rule 31_aide_bind9 to
automatically create the correct rules when bind9 runs in a chroot
environment.
I assume that the changes to the standard bind9 installation are in
/etc/default/bind9: "-t <chroot>" is added to the OPTIONS variable to
permit the use of a previously created chroot environment for bind in
the <chroot> directory.
The following aide rule automatically extracts the chroot directory,
if bind is started with the "-t" option, and correctly initializes aide's
BINDCHROOT variable:

#! /bin/bash
# Pull OPTIONS from the bind9 defaults file
. /etc/default/bind9
# Split OPTIONS into the positional parameters; "--" keeps a bare "set"
# from dumping every shell variable when OPTIONS is empty
set -- $OPTIONS
# Walk the words until "-t" is found; its argument is the chroot directory
for i in "$@"; do
  if [ "$1" == "-t" ]; then
    echo "@@define BINDCHROOT $2"
    break
  else
    shift
  fi
done
cat << !EOF
@@ifdef BINDCHROOT
@@{BINDCHROOT}/dev/log$ LowLogs
@@{BINDCHROOT}/dev VarDir
@@endif
@@{BINDCHROOT}/var/cache/bind VarFile
@@{BINDCHROOT}/var/log/bind/queries\.log$ Logs
@@{BINDCHROOT}/var/log/bind/queries\.log\.[0-8]$ RotatedLogs
@@{BINDCHROOT}/var/log/bind/queries\.log\.9$ RotatedLogs+ARF
@@{BINDCHROOT}/var/log/bind VarDir
@@{BINDCHROOT}/var/run/bind/run/named\.pid$ VarFile
@@{BINDCHROOT}/var/run/bind/run$ VarDir
!EOF

The changed /etc/default/bind9 is:

OPTIONS="-u bind"
# Set RESOLVCONF=no to not run resolvconf
RESOLVCONF=yes
OPTIONS="$OPTIONS -t $(grep ^bind: /etc/passwd|cut -f6 -d:)"

The important configuration directives in
~bind/etc/bind/named.conf are:

options {
        directory "/var/cache/bind";
};
# logging {
# 	channel "file-queries" {
# 		file "/var/log/bind/queries.log" versions 5 size 256m;
# 	};
#	category "queries" {
# 		"file-queries";
# 	};
# };

Thank you  for your attention,
                                       Guido Bozzetto.

-- System Information:
Debian Release: lenny/sid
  APT prefers stable
  APT policy: (560, 'stable'), (545, 'proposed-updates'), (540, 'stable'), (460, 'testing'), (445, 'testing-proposed-updates'), (440, 'testing'), (20, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/2 CPU cores)
Locale: LANG=it_IT, LC_CTYPE=it_IT (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages aide depends on:
ii  aide-common        0.13.1-9              Advanced Intrusion Detection Envir
ii  bsd-mailx [mailx]  8.1.2-0.20071201cvs-2 A simple mail user agent
ii  liblockfile1       1.06.1                NFS-safe locking library, includes
ii  mailx              1:20071201-2          Transitional package for mailx ren
ii  ucf                3.006                 Update Configuration File: preserv

Versions of packages aide recommends:
ii  cron                          3.0pl1-100 management of regular background p

-- debconf information excluded




Information forwarded to debian-bugs-dist@lists.debian.org, Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>:
Bug#475983; Package aide. (full text, mbox, link).


Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #10 received at 475983@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Guido Bozzetto <reportbug@G-B.it>, 475983@bugs.debian.org
Subject: Re: [Pkg-aide-maintainers] Bug#475983: Suggestion: bind9 chroot rule
Date: Sun, 4 May 2008 09:38:19 +0200
tags #475983 wontfix
thanks

On Mon, Apr 14, 2008 at 11:06:14AM +0200, Guido Bozzetto wrote:
> I suggest the following changes to the rule 31_aide_bind9 to
> automatically create the correct rules with bind9 running into a chroot
> environment.
> I suppose that the changes to bind9 standard installation are into
> /etc/default/bind9: at the variable OPTIONS is added "-t <chroot>" to
> permit the use of a previously created chroot environment for bind in
> the <chroot> directory. 
> The following aide's rule automatically extract the chroot directory,
> if bind start with "-t" option, and correctly initialize the aide's
> BINDCHROOT variable:

I currently think that this is driving the magic "too far". If one
decides to run bind chrooted, that one should also be able to modify
the aide rules themselves.

I might reconsider this decision should good arguments come in. Is
there any other rule in aide that parses third-party configuration
just to obtain a single setting? I know that the amanda rules do this,
but amanda rules would be a horrible mess otherwise.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Tags added: wontfix Request was from Marc Haber <mh+debian-packages@zugschlus.de> to control@bugs.debian.org. (Sun, 04 May 2008 07:42:20 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>:
Bug#475983; Package aide. (full text, mbox, link).


Acknowledgement sent to Guido Bozzetto <reportbug@G-B.it>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #17 received at 475983@bugs.debian.org (full text, mbox, reply):

From: Guido Bozzetto <reportbug@G-B.it>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: 475983@bugs.debian.org
Subject: Re: [Pkg-aide-maintainers] Bug#475983: Suggestion: bind9 chroot rule
Date: Mon, 5 May 2008 10:46:26 +0200
On Sunday, 04 May 2008, at 09:38, Marc Haber wrote:
> tags #475983 wontfix
> thanks
> 
> On Mon, Apr 14, 2008 at 11:06:14AM +0200, Guido Bozzetto wrote:
> > I suggest the following changes to the rule 31_aide_bind9 to
> > automatically create the correct rules with bind9 running into a chroot
> > environment.
...
> > correctly initialize the aide's BINDCHROOT variable:

> I currently think that this is driving the magic "too far". If one
> decides to run bind chrooted, that one should also be able to modify
> the aide rules themselves.

OK, it's clear.

I think it is useful to insert something like this example:
- directly, as commented lines in 31_aide_bind9:

#! /bin/bash
#
# # Automagically extract chroot directory
# . /etc/default/bind9
# set -- $OPTIONS
# for i in "$@";do
#   if [ "$1" == "-t" ]
#     then echo "@@define BINDCHROOT $2"; break
#     else shift
#   fi
# done
# # Or manually set chroot directory (emitted as an aide directive)
# # echo "@@define BINDCHROOT /var/cache/bind"
cat << !EOF
@@ifdef BINDCHROOT
@@{BINDCHROOT}/dev/log$ LowLogs
@@{BINDCHROOT}/dev VarDir
@@endif
@@{BINDCHROOT}/var/cache/bind VarFile
@@{BINDCHROOT}/var/log/bind/queries\.log$ Logs
@@{BINDCHROOT}/var/log/bind/queries\.log\.0$ LoSerMemberLog
@@{BINDCHROOT}/var/log/bind/queries\.log\.[1-8]$ SerMemberLog
@@{BINDCHROOT}/var/log/bind/queries\.log\.9$ HiSerMemberLog
@@{BINDCHROOT}/var/log/bind VarDir
@@{BINDCHROOT}/var/run/bind/run/named\.pid$ VarFile
@@{BINDCHROOT}/var/run/bind/run$ VarDir
!EOF

- Surely it is better to divide the proposed 31_aide_bind9 script
into 2 parts like inn2 (cf. 30_inn2_vars and 31_aide_inn2), so the
commented part becomes the 30_bind9_vars script

- Introduce /usr/share/doc/aide-common/examples/30_bind9_vars:

#! /bin/bash
#
# Initialize the BINDCHROOT variable for 31_aide_bind9 when bind9 runs
# in a chroot environment.
#
# Automagically extract chroot directory
. /etc/default/bind9
set -- $OPTIONS
for i in "$@";do
  if [ "$1" == "-t" ]
    then echo "@@define BINDCHROOT $2"; break
    else shift
  fi
done
#
# Manually set chroot directory (must be emitted as an aide directive)
#echo "@@define BINDCHROOT /var/cache/bind"


In aide 0.13.1-10, about the rule 31_aide_bind9, I think that:
- the name "BINDCHROOT" is misleading: if it is initialized with the chroot
  dir of bind9 it doesn't work correctly. If BINDCHROOT is not defined,
  the rule 31_aide_bind9 works correctly, and so the
@@define BINDCHROOT /var
  assignment is useless. See the first example in the mail.
- the named.pid file is in /var/run/bind/run and not in the
  /var/run/bind directory. See the named binary:
~# strings /usr/sbin/named|grep named\.pid
/var/run/bind/run/named.pid
- in the /etc/bind9/named.conf.options installation file of bind9
  there is the directive
directory "/var/cache/bind";
  so it is useful to introduce:
@@{BINDCHROOT}/cache/bind VarFile
  (I think it is better: @@{BINDCHROOT}/var/cache/bind VarFile)

I hope that is useful; thank you for your attention.

                                Guido Bozzetto.

-- 
Guido Bozzetto - Systems & Network Administrator - CCDA
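An added example, not code from the bug report or from the aide package: it does the job of the proposed 30_bind9_vars (find the "-t <chroot>" argument in bind9's OPTIONS) and emits the rule lines with the chroot prefix already substituted, while also covering the cases the one-line loop does not handle (an empty OPTIONS, "-t" as the last word, the getopt-style glued form "-t/path"). It assumes the chroot path contains no whitespace, uses the rule names from this thread, and takes "[[:alnum:].-]+" as the zone-file pattern; the names bindchroot_from_options, emit_bind9_rules and bind9_rules_from_defaults are the example's own.

```shell
#!/bin/bash
# Added example: not code from the bug report or from the aide package.
# Mirrors what the proposed 30_bind9_vars does (find the "-t <chroot>"
# argument in bind9's OPTIONS) without "set $OPTIONS", which on an empty
# OPTIONS makes a bare "set" dump every shell variable.
# Assumption: the chroot path contains no whitespace, as in /etc/default/bind9.

# Print the chroot directory named by "-t" in the given OPTIONS string,
# or nothing if bind9 is not started chrooted.
bindchroot_from_options() {
    set -- $1                       # split the OPTIONS string into words
    while [ $# -gt 0 ]; do
        case "$1" in
            -t)
                # "-t" as the last word carries no directory: not chrooted
                [ $# -ge 2 ] && printf '%s\n' "$2"
                return 0
                ;;
            -t?*)
                # getopt-style parsing also accepts the glued form "-t/path"
                printf '%s\n' "${1#-t}"
                return 0
                ;;
        esac
        shift
    done
    return 0
}

# Emit the bind9 aide rules with the chroot prefix substituted into each
# path, so the output is valid even when no @@define BINDCHROOT exists.
# Rule names are the ones used in this thread; the zone-file pattern
# "[[:alnum:].-]+" is the thread's proposal with "-" added (assumption).
emit_bind9_rules() {
    prefix=$1
    # Only a real chroot has its own /dev tree worth watching
    if [ -n "$prefix" ]; then
        printf '%s\n' "${prefix}/dev\$ VarDir"
    fi
    # read -r keeps the backslashes that escape "." in the regexps
    while read -r suffix rule; do
        printf '%s%s %s\n' "$prefix" "$suffix" "$rule"
    done <<'EOF'
/var/cache/bind$ VarDir
/var/cache/bind/[[:alnum:].-]+$ VarFile
/var/log/bind/queries\.log$ Logs
/var/log/bind/queries\.log\.0$ LoSerMemberLog
/var/log/bind/queries\.log\.[1-8]$ SerMemberLog
/var/log/bind/queries\.log\.9$ HiSerMemberLog
/var/log/bind$ VarDir
/var/run/bind/run/named\.pid$ VarFile
/var/run/bind/run$ VarDir
EOF
}

# Convenience wrapper: source a defaults file (e.g. /etc/default/bind9)
# and emit the rules for whatever OPTIONS it sets.
bind9_rules_from_defaults() {
    OPTIONS=""
    . "$1"
    emit_bind9_rules "$(bindchroot_from_options "$OPTIONS")"
}
```

Run as `bind9_rules_from_defaults /etc/default/bind9 > 31_aide_bind9.out` on a host to see the rule set aide would load for that host's OPTIONS.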




Information forwarded to debian-bugs-dist@lists.debian.org, Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>:
Bug#475983; Package aide. (full text, mbox, link).


Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>. (full text, mbox, link).


Message #22 received at 475983@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Guido Bozzetto <reportbug@G-B.it>, 475983@bugs.debian.org, 475983-submitter@bugs.debian.org
Cc: Marc Haber <mh+debian-packages@zugschlus.de>
Subject: Re: Bug#475983: [Pkg-aide-maintainers] Bug#475983: Suggestion: bind9 chroot rule
Date: Thu, 22 May 2008 16:06:54 +0200
On Mon, May 05, 2008 at 10:46:26AM +0200, Guido Bozzetto wrote:
> On domenica 04 maggio 2008, alle 09:38, Marc Haber wrote:
> > I currently think that this is driving the magic "too far". If one
> > decides to run bind chrooted, that one should also be able to modify
> > the aide rules themselves.
> 
> OK, it's clear.
> 
> I think is usefull to insert something like example:
> - directly in commented lines into 31_aide_bind9:
> 
> #! /bin/bash
> #
> # # Automagically extract chroot directory
> # . /etc/default/bind9
> # set $OPTIONS
> # for i in $@;do
> #   if [ "$1" == "-t" ]
> #     then echo "@@define BINDCHROOT $2"; break
> #     else shift
> #   fi
> # done
> # # Or manually set chroot directory
> # # BINDCHROOT=/var/cache/bind

I have put this code with a little more prose into 30_aide_bind9,
commented out. It is a good idea to show people what's possible with
the Debian configuration scheme.

> cat << !EOF
> @@ifdef BINDCHROOT
> @@{BINDCHROOT}/dev/log$ LowLogs
> @@{BINDCHROOT}/dev VarDir
> @@endif

I don't understand that. My systems don't have a /dev/log inside the
chroot.

> - in the /etc/bind9/named.conf.options installation file of bind9
>   there is the directive
> directory "/var/cache/bind";
>   so is usefull to introduce:

That would have to be

@@{BINDCHROOT}/var/cache/bind$ VarDir
@@{BINDCHROOT}/var/cache/bind/xxx$ VarFile

with xxx being a regexp that applies to all zone files that we are
slave for. But to achieve that, we'd need to parse bind configuration
even more...

So it would probably be sensible to exclude /var/cache/bind entirely,
but I am not convinced about that yet.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835




Message sent on to Guido Bozzetto <reportbug@G-B.it>:
Bug#475983. (full text, mbox, link).


Information stored:
Bug#475983; Package aide. (full text, mbox, link).


Acknowledgement sent to Guido Bozzetto <reportbug@G-B.it>:
Extra info received and filed, but not forwarded. (full text, mbox, link).


Message #30 received at 475983-quiet@bugs.debian.org (full text, mbox, reply):

From: Guido Bozzetto <reportbug@G-B.it>
To: Marc Haber <mh+debian-packages@zugschlus.de>, 475983-quiet@bugs.debian.org
Subject: Re: Bug#475983: [Pkg-aide-maintainers] Bug#475983: Suggestion: bind9 chroot rule
Date: Tue, 27 May 2008 10:24:33 +0200
On Thursday, 22 May 2008, at 16:06, Marc Haber wrote:
> On Mon, May 05, 2008 at 10:46:26AM +0200, Guido Bozzetto wrote:
> > cat << !EOF
> > @@ifdef BINDCHROOT
> > @@{BINDCHROOT}/dev/log$ LowLogs
> > @@{BINDCHROOT}/dev VarDir
> > @@endif
> 
> I don't understand that. My systems don't have a /dev/log inside the
> chroot.

The device /dev/log is mandatory to start bind;
for example, cf.:
http://www.howtoforge.com/howto_bind_chroot_debian
http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch07.html

The <bindchroot>/dev/log is provided by the syslog daemon, for example with

sysklogd:
SYSLOGD="-a /var/lib/named/dev/log"

rsyslog_3.14.2:
RSYSLOGD_OPTIONS="-a $(grep ^bind: /etc/passwd|cut -f6 -d:)/dev/log"

rsyslog_3.16.1:
$AddUnixListenSocket /var/cache/bind/dev/log

syslog-ng_2.0.8:
unix-dgram("/var/cache/bind/dev/log");

> > - in the /etc/bind9/named.conf.options installation file of bind9
> >   there is the directive
> > directory "/var/cache/bind";
> >   so is usefull to introduce:
> 
> That would have to be
> 
> @@{BINDCHROOT}/var/cache/bind$ VarDir
> @@{BINDCHROOT}/var/cache/bind/xxx$ VarFile
> 
> with xxx being a regexp that applies to all zone files that we are
> slave for. But to achive that, we'd need to parse bind configuration
> even more...
> 
> So it would probably be sensible to exclude /var/cache/bind entirely,
> but I am not convinced about that yet.

Perhaps
@@{BINDCHROOT}/var/cache/bind$ VarDir
@@{BINDCHROOT}/var/cache/bind/[[:alnum:].]+$ VarFile
is better than excluding all.

                                   Thank you, Guido Bozzetto.


-- 
Guido Bozzetto - Systems & Network Administrator - CCDA
GTN S.P.A. - Viale Tricesimo 181 - I-33100 Udine (UD) - Italy
http://www.gtngroup.it/ - Ph./Fax: +39 0432 499311/45366




Information stored:
Bug#475983; Package aide. (full text, mbox, link).


Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and filed, but not forwarded. (full text, mbox, link).


Message #35 received at 475983-quiet@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Guido Bozzetto <reportbug@G-B.it>
Cc: 475983-quiet@bugs.debian.org
Subject: Re: Bug#475983: [Pkg-aide-maintainers] Bug#475983: Suggestion: bind9 chroot rule
Date: Wed, 2 Jul 2008 10:12:56 +0200
Sorry for taking so long to reply.

On Tue, May 27, 2008 at 10:24:33AM +0200, Guido Bozzetto wrote:
> On Thursday, 22 May 2008, at 16:06, Marc Haber wrote:
> > On Mon, May 05, 2008 at 10:46:26AM +0200, Guido Bozzetto wrote:
> > > cat << !EOF
> > > @@ifdef BINDCHROOT
> > > @@{BINDCHROOT}/dev/log$ LowLogs
> > > @@{BINDCHROOT}/dev VarDir
> > > @@endif
> > 
> > I don't understand that. My systems don't have a /dev/log inside the
> > chroot.
> 
> The device /dev/log is mandatory to start bind:
> for example cfr.:
> http://www.howtoforge.com/howto_bind_chroot_debian
> http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch07.html

I know the docs, but my systems show something different:
$ cat /etc/default/bind9
OPTIONS="-u bind -t /var/local/chroot/bind"
# Set RESOLVCONF=no to not run resolvconf
RESOLVCONF=no

$ ls -al /var/local/chroot/bind/dev/
total 8,0K
drwxr-sr-x 2 root staff 4,0K 2006-12-18 13:09 ./
drwxr-sr-x 6 root staff 4,0K 2006-12-18 13:09 ../
crw-rw-rw- 1 root root  1, 3 2006-10-14 17:31 null
crw-rw-rw- 1 root root  1, 8 2006-10-14 17:31 random
$ ls -l /var/local/chroot/bind/dev/
total 0
crw-rw-rw- 1 root root 1, 3 2006-10-14 17:31 null
crw-rw-rw- 1 root root 1, 8 2006-10-14 17:31 random
$ pstree -ap | grep [b]ind
  |-named,26482 -u bind -t /var/local/chroot/bind
$ pstree -ap | grep [n]amed
  |-named,26482 -u bind -t /var/local/chroot/bind
  |   |-{named},26483
  |   |-{named},26484
  |   `-{named},26485
$ sudo ls -al /proc/26482/root /proc/26483/root /proc/26484/root /proc/26485/root
lrwxrwxrwx 1 bind bind 0 2008-07-02 10:06 /proc/26482/root -> /mnt/var/var/local/chroot/bind
lrwxrwxrwx 1 bind bind 0 2008-07-02 10:08 /proc/26483/root -> /mnt/var/var/local/chroot/bind
lrwxrwxrwx 1 bind bind 0 2008-07-02 10:08 /proc/26484/root -> /mnt/var/var/local/chroot/bind
lrwxrwxrwx 1 bind bind 0 2008-07-02 10:08 /proc/26485/root -> /mnt/var/var/local/chroot/bind
$ grep named /var/log/syslog/syslog
[snippage]
Jul  2 07:56:04 torres named[26482]: loading configuration from '/etc/bind/named.conf'
$

So, my named does not have a log socket inside its chroot, it's
running chrooted, and can log just fine. Maybe it opens the log socket
before chrooting itself?

> Perhaps
> @@{BINDCHROOT}/var/cache/bind$ VarDir
> @@{BINDCHROOT}/var/cache/bind/[[:alnum:].]+$ VarFile
> is better that exclude all.

Agreed. I have committed that (with "-" added) to svn.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Information stored:
Bug#475983; Package aide. (full text, mbox, link).


Acknowledgement sent to Guido Bozzetto <reportbug@G-B.it>:
Extra info received and filed, but not forwarded. (full text, mbox, link).


Message #40 received at 475983-quiet@bugs.debian.org (full text, mbox, reply):

From: Guido Bozzetto <reportbug@G-B.it>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: 475983-quiet@bugs.debian.org
Subject: Re: Bug#475983: [Pkg-aide-maintainers] Bug#475983: Suggestion: bind9 chroot rule
Date: Wed, 2 Jul 2008 14:17:10 +0200
On Wednesday, 02 July 2008, at 10:12, Marc Haber wrote:
> On Tue, May 27, 2008 at 10:24:33AM +0200, Guido Bozzetto wrote:
> > On Thursday, 22 May 2008, at 16:06, Marc Haber wrote:
> > > On Mon, May 05, 2008 at 10:46:26AM +0200, Guido Bozzetto wrote:
> > > > cat << !EOF
> > > > @@ifdef BINDCHROOT
> > > > @@{BINDCHROOT}/dev/log$ LowLogs
> > > > @@{BINDCHROOT}/dev VarDir
> > > > @@endif
> > > 
> > > I don't understand that. My systems don't have a /dev/log inside the
> > > chroot.
> > 
> > The device /dev/log is mandatory to start bind:
> 
> I know the docs, but my systems show something different:
> $ cat /etc/default/bind9
> OPTIONS="-u bind -t /var/local/chroot/bind"
> 
> $ ls -l /var/local/chroot/bind/dev/
> total 0
> crw-rw-rw- 1 root root 1, 3 2006-10-14 17:31 null
> crw-rw-rw- 1 root root 1, 8 2006-10-14 17:31 random
> $ pstree -ap | grep [b]ind
>   |-named,26482 -u bind -t /var/local/chroot/bind
> $ grep named /var/log/syslog/syslog
> Jul  2 07:56:04 torres named[26482]: loading configuration from '/etc/bind/named.conf'
> 
> So, my named does not have a log socket inside its chroot, it's
> running chrooted, and can log just fine. Maybe it opens the log socket
> before chrooting itself?

Perhaps the chroot environment doesn't work?
By definition any chrooted process can't access external file
systems. I confirm your experience:
also without <chroot>/dev/log the logging works correctly.
I made a test with the directives:
logging {
	channel "file-default" {
		syslog daemon; severity info;
...
	category "default" {
}
and the log seems to work correctly. :-((

This means that bind with "-t" isn't a real or complete chroot.
However, the official documentation says to create /dev/log inside the chroot.

                                         Ciao, Guido.

-- 
Guido Bozzetto      - http://E-Company.it/gb/ - ReportBug@G-B.it
GTN S.P.A.          - http://www.gtngroup.it/ - info@Nauta.it
Viale Tricesimo 181 - Ph.: +39 0432 499311
I-33100 Udine (UD)  - Fax: +39 0432 45366
Italy               - Systems & Network Administrator - CCDA
Key fingerprint = 4C26 1DE5 78BD 7ACB FBD2  DB50 740D D6E3 BFF3 B080




Information stored:
Bug#475983; Package aide. (full text, mbox, link).


Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and filed, but not forwarded. (full text, mbox, link).


Message #45 received at 475983-quiet@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Guido Bozzetto <reportbug@G-B.it>
Cc: 475983-quiet@bugs.debian.org
Subject: Re: Bug#475983: [Pkg-aide-maintainers] Bug#475983: Suggestion: bind9 chroot rule
Date: Wed, 2 Jul 2008 15:54:06 +0200
On Wed, Jul 02, 2008 at 02:17:10PM +0200, Guido Bozzetto wrote:
> On Wednesday, 02 July 2008, at 10:12, Marc Haber wrote:
> > So, my named does not have a log socket inside its chroot, it's
> > running chrooted, and can log just fine. Maybe it opens the log socket
> > before chrooting itself?
> 
> Perhaps the chroot environment don't work ?
> To definition any chrooted process can't access to external file
> systems.

Modulo files and sockets opened before chrooting. And that's what
actually happens:

$ sudo strace -econnect,chroot /usr/sbin/named -g -u bind -t /var/local/bind
connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
chroot("/var/local/bind")               = 0
02-Jul-2008 13:52:50.950 starting BIND 9.5.0 -g -u bind -t /var/local/bind

So, bind first opens the log socket and then chroots itself.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Reply sent to Marc Haber <mh@nechayev.zugschlus.de>:
You have taken responsibility. (Tue, 08 Sep 2009 17:15:06 GMT) (full text, mbox, link).


Notification sent to Guido Bozzetto <reportbug@G-B.it>:
Bug acknowledged by developer. (Tue, 08 Sep 2009 17:15:08 GMT) (full text, mbox, link).


Message #50 received at 475983-close@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh@nechayev.zugschlus.de>
To: 475983-close@bugs.debian.org
Subject: Bug#475983: fixed in aide 0.13.1-11
Date: Tue, 08 Sep 2009 16:32:24 +0000
Source: aide
Source-Version: 0.13.1-11

We believe that the bug you reported is fixed in the latest version of
aide, which is due to be installed in the Debian FTP archive:

aide-common_0.13.1-11_all.deb
  to pool/main/a/aide/aide-common_0.13.1-11_all.deb
aide-dynamic_0.13.1-11_i386.deb
  to pool/main/a/aide/aide-dynamic_0.13.1-11_i386.deb
aide-xen_0.13.1-11_i386.deb
  to pool/main/a/aide/aide-xen_0.13.1-11_i386.deb
aide_0.13.1-11.diff.gz
  to pool/main/a/aide/aide_0.13.1-11.diff.gz
aide_0.13.1-11.dsc
  to pool/main/a/aide/aide_0.13.1-11.dsc
aide_0.13.1-11_i386.deb
  to pool/main/a/aide/aide_0.13.1-11_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 475983@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Haber <mh@nechayev.zugschlus.de> (supplier of updated aide package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 08 Sep 2009 14:45:51 +0200
Source: aide
Binary: aide aide-xen aide-dynamic aide-common aide-config-zg2
Architecture: source i386 all
Version: 0.13.1-11
Distribution: unstable
Urgency: low
Maintainer: Aide Maintainers <pkg-aide-maintainers@lists.alioth.debian.org>
Changed-By: Marc Haber <mh@nechayev.zugschlus.de>
Description: 
 aide       - Advanced Intrusion Detection Environment - static binary
 aide-common - Advanced Intrusion Detection Environment - Common files
 aide-config-zg2 - Advanced Intrusion Detection Environment - Zg2 configuration exte
 aide-dynamic - Advanced Intrusion Detection Environment - dynamic binary
 aide-xen   - Advanced Intrusion Detection Environment - static binary for XEN
Closes: 472692 475983 476502 500159 500438 501848 506747 520019 540748 540987 541345 541478 541680 542541 544414 544688 544690 544765 544768 544815 544816 544817 544818 545011 545014
Changes: 
 aide (0.13.1-11) unstable; urgency=low
 .
   * Fix ] typo in 31_aide_amanda-server. Closes: #476502
   * Add 30_aide_bind9 example to automatically snarf BINDCHROOT
     setting from /etc/default/bind9. Modify bind9 rules appropriately.
     Thanks to Guido Bozzetto. Closes: #475983
   * 31_aide_mailman: message number in archive dir can have six digits
   * 31_aide_proftpd: logs are in a subdir
   * Patches by Hannes von Haugwitz:
     * 31_aide_exim4_logs: fix log rotation
     * 31_aide_clamav: fix log rotation. Closes: #540748
     * 31_aide_munin: apply patch from Hannes von Haugwitz. Closes: #541680
     * 31_aide_cron-apt: fix log rotation: Closes: #540987
     * 31_aide_clamav-freshclam: fix log rotation. Closes: #544688
     * 31_aide_mailman: fix log rotation. Closes: #544765
     * 31_aide_apache2: fix log rotation. Closes: #544768
     * 31_aide_acpid: process pid file. Closes: #544817
     * 31_aide_clamav-freshclam, 31_aide_clamav: handle pid file.
       Closes: #544818
     * 31_aide_munin-nodes. don't fail if munin is not installed.
       Closes: #545011
     * 31_aide_bind9. Fix typo in svn version. Closes: #545014
   * New files by Hannes von Haugwitz:
     * 31_aide_rsyslogd
     * 31_aide_cracklib-runtime
     * 31_aide_logcheck
     * 31_aide_rkhunter
     * 31_aide_apt-file. Closes: #542541
     * 31_aide_hald. Closes: #541478
     * 31_aide_fail2ban. Closes: #541345
     * 31_aide_apt-show-versions. Closes: #544690
     * 31_aide_ddclient: Closes: #544815
     * 31_aide_apcupsd. Closes: #544816
   * Apply patches by Guido Günther:
     * New postgrey rule. Closes: #500438
     * Optimize munin rules (and add munin-nodes). Closes: #500159
     * fix udev backslash escaping (also thanks to Ian Redfern).
       Closes: #506747, #472692
   * 31_aide_syslog: replace with empty dummy
   * cron.daily: protect $LOGHEAD and $MAILHEAD with :- in two more
     places. Closes: #544414
   * more README.Debian clarifications, again, thanks to Russell Gadd
     and Bill Wohler.
   * remove obsolete TODO file
   * Fix typo in debian/control, thanks to Rogério Brito. Closes: #520019
   * debian/control: clarify that aide-xen should be used in both DomU
     and Dom0
   * Adapt Package to later Debian policy:
     * make sure that /var/run exists in daily cron job. Closes: #501848.
     * Add Homepage: field.
     * Standards-Version now 3.8.3
   * build depend on debhelper 5
   * add README.source referring to /usr/share/doc/dpatch/README.source.gz
   * Add lintian overrides to aide and aide-xen for embedded-zlib
     ./usr/bin/aide. The binaries _are_ statically linked as a feature.
   * Have aide-common depend on aide | aide-binary
   * depend on bsd-mailx instead of mailx






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 17 Oct 2009 07:36:30 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 08:43:10 2023; Machine Name: buxtehude
