[Aide] Once more, questions about ANF/ARF
Marc Haber
mh+aide at zugschlus.de
Sun Feb 19 22:42:57 EET 2006
On Sun, Feb 12, 2006 at 10:30:18PM +0100, Richard van den Berg wrote:
> Marc Haber wrote:
> > So, the ANF does seem to suppress the new .1.gz files from being
> > reported as new, and the ARF does seem to suppress the removed .6.gz
> > files from being reported as removed, but I don't understand what
> > happens with the _not_ new .2.gz files (they come from mv .1.gz .2.gz)
> > are reported as new, and why the _not_ removed .5.gz files (they go to
> > mv .5.gz to .6.gz) are reported as removed.
>
> What I think is happening, is that when the aide.db is created, a
> point-in-time snapshot (A) of your files is made:
<snip>
> Now, the next day when aide is run, error.log has become error.log.0,
> and error.log.1.gz is a new file. error.log.6.gz is removed. This looks
> like (B):
<snip>
> Again the next day, this will look like (C):
<snip>
> So when comparing C with A, error.log.2.gz is a new file and the
> original error.log.5.gz was removed.
Yes, that explanation makes sense.
> I think for your ruleset to work, you need to update your aide.db every
> day (so at point B). So C gets compared to B and not A.

How would you handle this in a daily cron job? I am thinking about
using --update always, and copying the new database to the old
database if aide output parses

    ### All files match AIDE database. Looks okay!

What do you think about that idea?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
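
The daily job proposed in the message above, written as a shell function. This is an added example, not code from the post or from the AIDE project; the database paths, the `AIDE_CMD` override and the `.prev` backup copy are assumptions.

```shell
#!/bin/sh
# Added example: run "aide --update" and promote the new database only
# when the report contains the "All files match" line quoted in the post.
# Assumed, not from the post: the paths, AIDE_CMD and the .prev copy.
AIDE_CMD="${AIDE_CMD:-aide}"
DB_OLD="${DB_OLD:-/var/lib/aide/aide.db}"          # "database" in aide.conf
DB_NEW="${DB_NEW:-/var/lib/aide/aide.db.new}"      # "database_out" in aide.conf
OK_RE='^### All files match AIDE database\. +Looks okay!'

# Usage: aide_update_and_promote REPORT_FILE
# Returns 0: clean run, new database promoted.
#         1: differences reported, old database kept as the baseline.
#         2: aide wrote no new database (failed run), nothing touched.
aide_update_and_promote() {
    report="$1"
    # Drop a leftover from an earlier run so a failed run cannot promote it.
    rm -f -- "$DB_NEW"
    # aide may exit non-zero when it reports differences; judge by the report.
    "$AIDE_CMD" --update >"$report" 2>&1 || true
    if [ ! -s "$DB_NEW" ]; then
        return 2
    fi
    if grep -Eq -- "$OK_RE" "$report"; then
        # Keep one generation back, then replace the baseline.
        if [ -f "$DB_OLD" ]; then
            cp -p -- "$DB_OLD" "$DB_OLD.prev"
        fi
        mv -f -- "$DB_NEW" "$DB_OLD"
        return 0
    fi
    return 1
}

# Cron wrapper sketch: print the report (cron mails it) unless the run was clean.
#   aide_update_and_promote /var/tmp/aide.report || cat /var/tmp/aide.report
```

On a day with reported differences the baseline stays untouched, so the same differences are reported again on the next run until the database is reviewed and promoted by hand.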