[Aide] Once more, questions about ANF/ARF

Marc Haber mh+aide at zugschlus.de
Sun Feb 19 22:42:57 EET 2006


On Sun, Feb 12, 2006 at 10:30:18PM +0100, Richard van den Berg wrote:
> Marc Haber wrote:
> > So, the ANF does seem to suppress the new .1.gz files from being
> > reported as new, and the ARF does seem to suppress the removed .6.gz
> > files from being reported as removed, but I don't understand what
> > happens with the _not_ new .2.gz files (they come from mv .1.gz .2.gz)
> > are reported as new, and why the _not_ removed .5.gz files (they go to
> > mv .5.gz to .6.gz) are reported as removed.
> 
> What I think is happening, is that when the aide.db is created, a 
> point-in-time snapshot (A) of your files is made:

<snip>

> Now, the next day when aide is run, error.log has become error.log.0, 
> and error.log.1.gz is a new file. error.log.6.gz is removed. This looks 
> like (B):

<snip>

> Again the next day, this will look like (C):

<snip>

> So when comparing C with A, error.log.2.gz is a new file and the 
> original error.log.5.gz was removed.

Yes, that explanation makes sense.

> I think for your ruleset to work, you need to update your aide.db every 
> day (so at point B). So C gets compared to B and not A.

How would you handle this in a daily cron job? I am thinking about
using --update always, and copying the new database to the old
database if aide output parses
### All files match AIDE database. Looks okay!

What do you think about that idea?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
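
The cron job proposed in this message, as an added example that is not part of the original post or of AIDE itself: it runs `aide --update` and promotes the new database to the baseline only when the report contains the all-clear line quoted above. The database paths, function names and the `run` argument are assumptions; take the real paths from the `database` and `database_out` settings in your aide.conf, and check the exact all-clear wording your AIDE version prints.

```shell
#!/bin/sh
# Added example: daily AIDE run that promotes the new database only on a clean report.
# Assumed paths; match them to database/database_out in aide.conf.
DB="${DB:-/var/lib/aide/aide.db}"
DB_NEW="${DB_NEW:-/var/lib/aide/aide.db.new}"
# All-clear line as quoted in the message; whitespace after the period is tolerated.
OK_RE='^### All files match AIDE database\.[[:space:]]+Looks okay!'

# report_is_clean FILE: true only if the report contains the all-clear line.
report_is_clean() {
    grep -Eq -- "$OK_RE" "$1"
}

# promote_if_clean REPORT NEW_DB CURRENT_DB
# Returns 0 when promoted, 1 when the report is not clean (baseline kept),
# 2 when the new database is missing or empty.
promote_if_clean() {
    report=$1; new=$2; cur=$3
    if ! report_is_clean "$report"; then
        return 1
    fi
    [ -s "$new" ] || return 2
    # Copy beside the target, then rename, so the baseline is never half-written.
    cp -p -- "$new" "$cur.tmp.$$" && mv -f -- "$cur.tmp.$$" "$cur"
}

# daily_run: what cron would call. Any non-clean result prints the report,
# which cron mails to the job owner, and leaves the old baseline in place.
daily_run() {
    report=$(mktemp) || return 3
    aide --update >"$report" 2>&1
    promote_if_clean "$report" "$DB_NEW" "$DB"
    rc=$?
    [ "$rc" -eq 0 ] || cat "$report"
    rm -f "$report"
    return "$rc"
}

# Only act when invoked as "script run", so the functions can be sourced and tested.
if [ "${1:-}" = "run" ]; then
    daily_run
fi
```

On any day with a reported difference the baseline stays frozen, so later runs keep comparing against the last clean snapshot until someone reviews the report and updates the database by hand.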

