[Aide] --compare weirdness

Vincent Danen vdanen at linsec.ca
Sun Jan 22 01:35:52 EET 2006


How does --compare work?  I'm trying to compare aide.db and aide.db.new
just to see how it works and can't make it do what I think it should do.

[root@surtr aide]# ls -l aide.db*
-rw-------  1 root root 2547792 Jan 21 15:30 aide.db
-rw-------  1 root root 2589161 Jan 21 12:35 aide.db.new

[root@surtr aide]# grep database /etc/aide.conf |grep -v "^#"
database=file:@@{DBDIR}/aide.db
database_out=file:@@{DBDIR}/aide.db.new

[root@surtr aide]# aide --compare
Rule at line 188 has c and I flags enabled at the same time. If same inode is found, flag c is ignored
Rule at line 189 has c and I flags enabled at the same time. If same inode is found, flag c is ignored
Rule at line 190 has c and I flags enabled at the same time. If same inode is found, flag c is ignored
Must have both input databases defined for database compare.
[root@surtr aide]# aide --compare aide.db.new aide.db
Extra parameters given
[root@surtr aide]# aide --compare aide.db
Extra parameters given


This isn't overly intuitive and the man pages tell next to nothing.
What does it mean to have both input databases defined?  Reading the man
page, I can only have one "database" clause.  But for kicks, I tried
adding another one:

[root@surtr aide]# grep database /etc/aide.conf |grep -v "^#"
database=file:@@{DBDIR}/aide.db
database=file:@@{DBDIR}/aide.db.new
database_out=file:@@{DBDIR}/aide.db.new
[root@surtr aide]# aide --compare
Rule at line 189 has c and I flags enabled at the same time. If same inode is found, flag c is ignored
Rule at line 190 has c and I flags enabled at the same time. If same inode is found, flag c is ignored
Rule at line 191 has c and I flags enabled at the same time. If same inode is found, flag c is ignored
Must have both input databases defined for database compare.

So I can't figure out how to compare two databases.  Regardless, this
seems odd to me.  Why should a compare be restricted to a configuration
file definition?  Shouldn't I be able to just do:

aide --compare old.db new.db

?

That would be most logical.  I shouldn't have to have any of this
defined, and aide shouldn't care if I'm comparing something new or
old... I should be allowed to compare two database files from last year
if I want without changing my aide configuration file, right?

-- 
Annvix - Secure Linux Server: http://annvix.org/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C  A2BC 2EBC 5E32 FEE3 0AD4}
Wasting time like it was free...