[Aide] I (ignore changed filename) woes
Virolainen Pablo
pablo at cs.tut.fi
Fri Oct 28 16:46:41 EEST 2005
On Fri, 28 Oct 2005, Virolainen Pablo wrote:
> On Fri, 28 Oct 2005, Marc Haber wrote:
>
>> Hi,
>>
>> on my test host, I am running the CVS snapshot from October 26. I have
>> a rule
>>
>> RotatedLogs = I+n+p+i+u+g+s+b+m+c+md5+sha1+rmd160+haval+gost+crc32+tiger
>>
>> and one
>>
>> /var/log/syslog/syslog\.[0-9][0-9]\.gz$ RotatedLogs
>>
>> However, when my syslog is rotated, and /var/log/syslog/syslog.10.gz
>> moves to /var/log/syslog/syslog.11.gz, this change is shown in the
>> aide output.
>>
>> File: /var/log/syslog/syslog.10.gz
>> Size : 863916 , 1031126
>> Bcount : 1696 , 2024
>> Mtime : 2005-10-11 07:45:01 , 2005-10-13 07:44:59
>> Ctime : 2005-10-27 07:44:15 , 2005-10-28 07:44:24
>> Inode : 180562 , 180563
>> MD5 : ZT6Jon9RC19clQ3LueW+fQ== , VLsNC6qHGe/qRNGde8U77g==
>> SHA1 : /D31JbLs8uwzXz8dMHqd8sGE2rw= , kojzzybYEiujhUnVKUBUCwurWDA=
>> RMD160 : FmadTUIjKhGGZvdrfD1R06SA5Wc= , CkCt3FS8bELVUipGR0vde01Lv68=
>> TIGER : YgHZwaLkEKveImqDc+6EO6QscFtUXbuV , 7hbMrciBkv6tx/wa7rSJLAxPRCTAeukj
>> CRC32 : yYMP6g== , 4qx5fQ==
>> HAVAL : My8zazLZiPHW13j6APssi5ei5LVpGnOhLI/kQqc, i06jS90awcgkXL3W2Wr+ZYZRk80gvBeLc4zl3YF
>> GOST : KDCJM2X0BY+jgy7IJG2UJ+39qR7m88epQaC0hsR, P9uCPajBGuED6KEkEs+N0ASDJKTEMdb3uT4tX/r
>>
>> File: /var/log/syslog/syslog.11.gz
>> Size : 1024800 , 863916
>> Bcount : 2016 , 1696
>> Mtime : 2005-10-09 07:51:32 , 2005-10-11 07:45:01
>> Ctime : 2005-10-27 07:44:15 , 2005-10-28 07:44:24
>> Inode : 180561 , 180562
>> MD5 : 0oXQIvu+T3X/5AvQ65Mtrg== , ZT6Jon9RC19clQ3LueW+fQ==
>> SHA1 : H7qdZT5/xEyqgZxOLLRM4oQB998= , /D31JbLs8uwzXz8dMHqd8sGE2rw=
>> RMD160 : bIhGs2R3jUpatgcKKacx2BJtODs= , FmadTUIjKhGGZvdrfD1R06SA5Wc=
>> TIGER : pJuy68VCApxOoLNri09X1tAZKfzY7zkF , YgHZwaLkEKveImqDc+6EO6QscFtUXbuV
>> CRC32 : RFE2QQ== , yYMP6g==
>> HAVAL : I9936r4JkKLw09av5U1BCxCri4awg2Eu+YVq6oq, My8zazLZiPHW13j6APssi5ei5LVpGnOhLI/kQqc
>> GOST : CarCEIUtsEVC2DlCSwwBkA2kJ+Dqkd32jBq6B47, KDCJM2X0BY+jgy7IJG2UJ+39qR7m88epQaC0hsR
>>
>> Any idea what I might be doing wrong? Is there any elegant way to
>> debug this?
>>
>> Maybe it'll help if somebody familiar with the aide code could explain
>> - in prose - how the new I setting works internally.
>
> I cannot remember that there is this kind of feature in AIDE. It would be
> nice to have.
Hm.. Someone has implemented this feature (which is good). One probably
should give a warning if a rule has c and I enabled at the same time (or
just ignore c, if we are checking for changed filenames? For the
implementation, check the patch...)
--- gen_list.c Fri Oct 28 16:33:39 2005
+++ gen_list.c.orig Mon Oct 3 08:58:31 2005
@@ -1111,7 +1110,7 @@
oldData->filename,oldData->attr,newData->attr);
}
- localignorelist|=ignorelist;
+ localignorelist|=ignorelist|DB_CTIME;
/* Free the data if same else leave as is for report_tree */
if(compare_dbline(oldData, newData, localignorelist)==RETOK){
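Review bot: the diff is oriented backwards: `--- gen_list.c` (dated Oct 28) is the modified file and `+++ gen_list.c.orig` (Oct 3) is the pristine one, so the `-`/`+` lines show the proposed change inverted and `patch` would apply it in reverse unless given `-R`; please regenerate it as `diff -u gen_list.c.orig gen_list.c` so readers can tell which side is meant to carry `|DB_CTIME`. The `@@ -1111,7 +1110,7 @@` header also announces seven lines per side while only five are present, so the hunk will not apply cleanly without its missing context. Whichever side is intended, nothing in the visible context ties the ctime exclusion to the `I` attribute; if the intent is to ignore ctime only for rules that carry I, gate `localignorelist|=ignorelist|DB_CTIME;` on that attribute and note the behaviour in the rule documentation.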
Duke NEMO / C.O.M.A
alias pablo the pallo virolainen
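As an added example (my own code, not part of this thread and not AIDE's implementation), the following post-processor replays over the two report entries Marc posted the comparison Pablo is arguing for: build a fingerprint of each path's old and new attributes, leave ctime out of it (a rename updates ctime but preserves inode, size, mtime and digests), and look for a path whose new content equals another path's old content. The report text is copied from the message above, trimmed to a subset of attributes; the function names and the classification labels are assumptions of mine.

```python
"""Post-process an AIDE report: tell log-rotation renames apart from real changes."""
import re
from typing import Dict, Tuple

# Constructed sample: the two entries from the posted report, trimmed to
# a subset of attributes (values copied verbatim from the mail above).
REPORT = """\
File: /var/log/syslog/syslog.10.gz
Size : 863916 , 1031126
Bcount : 1696 , 2024
Mtime : 2005-10-11 07:45:01 , 2005-10-13 07:44:59
Ctime : 2005-10-27 07:44:15 , 2005-10-28 07:44:24
Inode : 180562 , 180563
MD5 : ZT6Jon9RC19clQ3LueW+fQ== , VLsNC6qHGe/qRNGde8U77g==
SHA1 : /D31JbLs8uwzXz8dMHqd8sGE2rw= , kojzzybYEiujhUnVKUBUCwurWDA=

File: /var/log/syslog/syslog.11.gz
Size : 1024800 , 863916
Bcount : 2016 , 1696
Mtime : 2005-10-09 07:51:32 , 2005-10-11 07:45:01
Ctime : 2005-10-27 07:44:15 , 2005-10-28 07:44:24
Inode : 180561 , 180562
MD5 : 0oXQIvu+T3X/5AvQ65Mtrg== , ZT6Jon9RC19clQ3LueW+fQ==
SHA1 : H7qdZT5/xEyqgZxOLLRM4oQB998= , /D31JbLs8uwzXz8dMHqd8sGE2rw=
"""

# Attribute lines look like "MD5 : <old> , <new>"; the first " , " separates
# the two sides (base64 digests and timestamps never contain a comma).
_ATTR_RE = re.compile(r"^(\w+)\s*:\s*(.*?)\s*,\s*(.*)$")

Entries = Dict[str, Dict[str, Tuple[str, str]]]


def parse_report(text: str) -> Entries:
    """Map each 'File:' path to {attribute: (old_value, new_value)}."""
    entries: Entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("File:"):
            current = line.split(":", 1)[1].strip()
            entries[current] = {}
            continue
        m = _ATTR_RE.match(line)
        if m and current is not None:
            attr, old, new = m.groups()
            entries[current][attr] = (old, new)
    return entries


def fingerprint(attrs: Dict[str, Tuple[str, str]], side: str, ignore) -> tuple:
    """Hashable identity of one side ('old' or 'new') minus ignored attributes."""
    idx = 0 if side == "old" else 1
    return tuple(sorted((a, v[idx]) for a, v in attrs.items() if a not in ignore))


def classify(entries: Entries, ignore=("Ctime",)) -> Dict[str, Tuple[str, object]]:
    """Label each path 'renamed-from' <other path> when its new content is
    identical (under `ignore`) to another path's old content, else 'changed'."""
    old_index = {fingerprint(a, "old", ignore): p for p, a in entries.items()}
    result = {}
    for path, attrs in entries.items():
        source = old_index.get(fingerprint(attrs, "new", ignore))
        if source is not None and source != path:
            result[path] = ("renamed-from", source)
        else:
            result[path] = ("changed", None)
    return result


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    for mode, ignore in (("ctime ignored (I-style)", ("Ctime",)), ("ctime compared (c)", ())):
        print(f"--- {mode}")
        for path, (label, src) in classify(parsed, ignore).items():
            print(f"{path}: {label}" + (f" {src}" if src else ""))
```

With ctime excluded, syslog.11.gz is recognised as the old syslog.10.gz moved into place, while syslog.10.gz's new content matches nothing in the report (its source, syslog.9.gz, is outside the `[0-9][0-9]` regex) and stays a real change. Keeping ctime in the fingerprint, which is what a rule with both `c` and `I` asks for, makes the rename undetectable, which is the conflict Pablo points at.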