[Aide] Once more, questions about ANF/ARF

Richard van den Berg richard at vdberg.org
Sun Feb 12 23:30:18 EET 2006


Marc Haber wrote:
> So, the ANF does seem to suppress the new .1.gz files from being
> reported as new, and the ARF does seem to suppress the removed .6.gz
> files from being reported as removed, but I don't understand what
> happens with the _not_ new .2.gz files (they come from mv .1.gz .2.gz)
> are reported as new, and why the _not_ removed .5.gz files (they go to
> mv .5.gz to .6.gz) are reported as removed.

What I think is happening is that when the aide.db is created, a 
point-in-time snapshot (A) of your files is made:

inode	filename
10001	error.log
10002	error.log.0
10003	error.log.1.gz
10004	error.log.2.gz
10005	error.log.3.gz
10006	error.log.4.gz
10007	error.log.5.gz
10008	error.log.6.gz

Now, the next day when aide is run, error.log has become error.log.0, 
and error.log.1.gz is a new file. error.log.6.gz is removed. This looks 
like (B):

inode	filename
10010	error.log
10001	error.log.0
10011	error.log.1.gz
10003	error.log.2.gz
10004	error.log.3.gz
10005	error.log.4.gz
10006	error.log.5.gz
10007	error.log.6.gz

Again the next day, this will look like (C):

inode	filename
10020	error.log
10010	error.log.0
10021	error.log.1.gz
10011	error.log.2.gz
10003	error.log.3.gz
10004	error.log.4.gz
10005	error.log.5.gz
10006	error.log.6.gz

So when comparing C with A, error.log.2.gz is a new file and the 
original error.log.5.gz was removed.

I think for your ruleset to work, you need to update your aide.db every 
day (so at point B), so that C gets compared to B and not A.

Sincerely,

Richard van den Berg

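Added example, not part of Richard's post and not AIDE's own code: a small Python model of the rotation chain laid out in the three tables above, plus a comparison that identifies entries by inode the way the explanation reasons (a plain rename keeps its inode and is not reported; an inode that disappears is a removal, one that appears is a new file). The ruleset is an assumption: ANF on error.log, error.log.0 and error.log.1.gz, ARF on error.log, error.log.0 and error.log.6.gz, i.e. the files each rotation creates may appear and the ones it destroys may disappear. The inode numbering (10000 + 10*day + k) is chosen only so the output matches the tables, and `rotate`, `compare` and `daily_vs_skipped` are names invented here.

```python
"""Model of a logrotate-style chain compared by inode, to show why a
ruleset that allows a new .1.gz and a removed .6.gz only holds when the
AIDE database is refreshed after every rotation (added example)."""

from typing import Dict, List, Tuple

Snapshot = Dict[str, int]  # filename -> inode

# Constructed sample: snapshot (A) from the post.
SNAPSHOT_A: Snapshot = {
    "error.log": 10001,
    "error.log.0": 10002,
    **{"error.log.%d.gz" % n: 10002 + n for n in range(1, 7)},  # .1.gz=10003 .. .6.gz=10008
}

# Assumed ruleset: files a rotation creates may appear (ANF),
# files a rotation destroys may disappear (ARF).
ANF_RULES = ("error.log", "error.log.0", "error.log.1.gz")
ARF_RULES = ("error.log", "error.log.0", "error.log.6.gz")


def rotate(snap: Snapshot, day: int) -> Snapshot:
    """One daily rotation, as in the post's tables.

    mv .N.gz .(N+1).gz keeps the inode; .6.gz is unlinked; error.log.0
    is gzipped into a brand-new error.log.1.gz (new inode, old inode
    gone); error.log is renamed to error.log.0 (same inode) and a fresh
    error.log is created.  New inodes are 10000 + 10*day + k purely so
    the result matches the post's numbering (assumption).
    """
    new: Snapshot = {}
    for n in range(5, 0, -1):                       # mv .5.gz .6.gz ... mv .1.gz .2.gz
        new["error.log.%d.gz" % (n + 1)] = snap["error.log.%d.gz" % n]
    new["error.log"] = 10000 + 10 * day             # fresh, empty log
    new["error.log.0"] = snap["error.log"]          # mv error.log error.log.0
    new["error.log.1.gz"] = 10000 + 10 * day + 1    # gzip error.log.0 -> new inode
    return new


def compare(db: Snapshot, current: Snapshot,
            anf: Tuple[str, ...] = (), arf: Tuple[str, ...] = ()
            ) -> Tuple[List[str], List[str], List[Tuple[str, str]]]:
    """Compare two snapshots by inode.

    An inode in `current` but not in `db` is a new file (suppressed if
    its current name is in `anf`); an inode in `db` but not in `current`
    is a removed file (suppressed if its old name is in `arf`); the same
    inode under a different name is a rename and is never reported.
    Returns (new_names, removed_names, renamed_pairs).
    """
    by_inode_db = {ino: name for name, ino in db.items()}
    by_inode_cur = {ino: name for name, ino in current.items()}
    new = sorted(name for ino, name in by_inode_cur.items()
                 if ino not in by_inode_db and name not in anf)
    removed = sorted(name for ino, name in by_inode_db.items()
                     if ino not in by_inode_cur and name not in arf)
    renamed = sorted((old, by_inode_cur[ino]) for ino, old in by_inode_db.items()
                     if ino in by_inode_cur and by_inode_cur[ino] != old)
    return new, removed, renamed


def daily_vs_skipped():
    """Return (C compared against A, C compared against B): the first is
    a database left stale for a day, the second a database refreshed
    after every rotation."""
    a = SNAPSHOT_A
    b = rotate(a, 1)   # snapshot (B)
    c = rotate(b, 2)   # snapshot (C)
    stale = compare(a, c, ANF_RULES, ARF_RULES)
    fresh = compare(b, c, ANF_RULES, ARF_RULES)
    return stale, fresh


if __name__ == "__main__":
    (new_ac, removed_ac, _), (new_bc, removed_bc, _) = daily_vs_skipped()
    print("C vs A  new:", new_ac, " removed:", removed_ac)
    print("C vs B  new:", new_bc, " removed:", removed_bc)
```

Run stand-alone, the stale comparison (C against A) reports error.log.2.gz as new and error.log.5.gz as removed, exactly the two entries Marc could not account for, because inode 10011 (C's .2.gz) never existed in A and inode 10007 (A's .5.gz) is gone by C. Comparing C against B reports nothing: every inode that appears or vanishes in a single rotation carries a name the ruleset allows.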
