[Aide] Once more, questions about ANF/ARF
Richard van den Berg
richard at vdberg.org
Sun Feb 12 23:30:18 EET 2006
Marc Haber wrote:
> So, the ANF does seem to suppress the new .1.gz files from being
> reported as new, and the ARF does seem to suppress the removed .6.gz
> files from being reported as removed, but I don't understand what
> happens with the _not_ new .2.gz files (they come from mv .1.gz .2.gz)
> are reported as new, and why the _not_ removed .5.gz files (they go to
> mv .5.gz to .6.gz) are reported as removed.
What I think is happening is that when the aide.db is created, a
point-in-time snapshot (A) of your files is made:
inode filename
10001 error.log
10002 error.log.0
10003 error.log.1.gz
10004 error.log.2.gz
10005 error.log.3.gz
10006 error.log.4.gz
10007 error.log.5.gz
10008 error.log.6.gz
Now, the next day when aide is run, error.log has become error.log.0,
and error.log.1.gz is a new file. error.log.6.gz is removed. This looks
like (B):
inode filename
10010 error.log
10001 error.log.0
10011 error.log.1.gz
10003 error.log.2.gz
10004 error.log.3.gz
10005 error.log.4.gz
10006 error.log.5.gz
10007 error.log.6.gz
Again the next day, this will look like (C):
inode filename
10020 error.log
10010 error.log.0
10021 error.log.1.gz
10011 error.log.2.gz
10003 error.log.3.gz
10004 error.log.4.gz
10005 error.log.5.gz
10006 error.log.6.gz
So when comparing C with A, error.log.2.gz is a new file and the
original error.log.5.gz was removed.
I think for your ruleset to work, you need to update your aide.db every
day (so at point B). So C gets compared to B and not A.
Sincerely,
Richard van den Berg
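A small simulation of the rotation and the comparison described in the message above (an added example, not code from the original post or from AIDE). It identifies files by inode, as the reasoning above does, and the ANF/ARF patterns are assumed stand-ins for the poster's ruleset, which the thread does not show.

```python
import re

def snapshot(inodes):
    """Build a filename -> inode map for error.log and its 7 rotations (constructed)."""
    names = ["error.log", "error.log.0"] + [f"error.log.{n}.gz" for n in range(1, 7)]
    return dict(zip(names, inodes))

def rotate(state, fresh_log, fresh_gz):
    """Mimic one logrotate pass: .6.gz is unlinked, .N.gz is mv'd to .(N+1).gz
    (inode kept), .0 is gzipped into a brand-new .1.gz inode, error.log is
    mv'd to .0 and recreated with a fresh inode."""
    new = {}
    for n in range(5, 0, -1):
        new[f"error.log.{n + 1}.gz"] = state[f"error.log.{n}.gz"]
    new["error.log.1.gz"] = fresh_gz
    new["error.log.0"] = state["error.log"]
    new["error.log"] = fresh_log
    return new

def compare(db, current):
    """Diff two snapshots by inode identity: a file is 'the same file' only if
    it keeps its inode. Returns (new_names, removed_names)."""
    db_inodes = {ino: name for name, ino in db.items()}
    cur_inodes = {ino: name for name, ino in current.items()}
    new = sorted(n for i, n in cur_inodes.items() if i not in db_inodes)
    removed = sorted(n for i, n in db_inodes.items() if i not in cur_inodes)
    return new, removed

def report(db, current, anf, arf):
    """ANF/ARF-style suppression: new files matching anf and removed files
    matching arf are dropped from the report."""
    new, removed = compare(db, current)
    return ([n for n in new if not re.search(anf, n)],
            [n for n in removed if not re.search(arf, n)])

# Assumed rules (not from the thread): ignore the daily churn of error.log
# and error.log.0, the new .1.gz and the dropped .6.gz.
ANF = r"^error\.log(\.0|\.1\.gz)?$"
ARF = r"^error\.log(\.0|\.6\.gz)?$"

A = snapshot(range(10001, 10009))   # table (A) above
B = rotate(A, 10010, 10011)         # reproduces table (B)
C = rotate(B, 10020, 10021)         # reproduces table (C)

if __name__ == "__main__":
    print("C vs A:", report(A, C, ANF, ARF))   # stale db: .2.gz new, .5.gz removed
    print("C vs B:", report(B, C, ANF, ARF))   # db refreshed at B: nothing reported
```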