[Aide] aide --update questions and error codes

Marc Haber mh+aide at zugschlus.de
Fri May 27 14:52:14 EEST 2016


Hi Andrew,

On Thu, May 26, 2016 at 02:23:46PM -0400, Andrew Huffman wrote:
> I'm working on an Ansible role to deploy and configure aide.  I have a
> question on the --update option.
> 
> When is the proper time to use 'aide --update'?  Is it post configuration
> change, or are there better use cases for --update?

I usually run aide --update manually after changes, and additionally
in the daily cron job. I then look at the output, and, if
unsuspicious, copy aide.db.new over aide.db without a backup.
That doesn't scale though.

>   The documentation confused me on this, as this is really the first
>   time I've configured and made use of aide, and trying to wrap my
>   head around the proper way to use it.  Should I replace the
>   aide.db.gz with aide.db.new.gz after an aide --update, and backup
>   the original aide.db.gz?

If you don't replace aide.db.gz with aide.db.new.gz after --update,
the changes you have already seen will be shown again since the
reference DB didn't change. You generally do not want this behavior.

If you're on Debian, the daily cron job has an option to automatically
copy over the database always, never, or if no changes were detected:

# This parameter defines what to do with a new database created by
# COMMAND=update. It is ignored if COMMAND!=update.
# no: Do not copy new database to old database. This is the default.
# yes: Copy new database to old database. This means that changes to the
#   file system are only reported once. Possibly dangerous.
# ifnochange: Copy new database to old database if no changes have
#   been reported. This is needed for ANF/ARF to work reliably.
# COPYNEWDB=no
COPYNEWDB=ifnochange

> 2nd Question, is there a detailed list of every return code for aide as I
> only found a listing of when aide --check is run?  I'm getting return code
> 7 after an aide --update, where I'm getting some feedback from stdout about
> trying to read ACLs on files that no longer exist.

aide --update is aide --check paired with aide --init, so the exit
codes should be the same. Return code 7 is

DIAGNOSTICS
       Normally, the exit status is 0 if no errors occurred. Except when the --check,
       --compare or --update command was requested, in which case the exit status  is
       defined as:

       1 * (new files detected?)     +

       2 * (removed files detected?) +

       4 * (changed files detected?)

the combination of "new files, removed files, changed files detected".

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
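
Added example (not part of the original message, and not AIDE's or Debian's own script): shell functions that decode the exit status bitmask from the DIAGNOSTICS excerpt above and apply the three COPYNEWDB policies to it. The function names are hypothetical, and treating any status above 7 as an error that never triggers a copy is an assumption.

```sh
#!/bin/sh
# Added example: interpret the exit status of aide --check/--compare/--update
# (1 = new, 2 = removed, 4 = changed files, summed) and apply a
# COPYNEWDB-style policy. Function names are hypothetical.

# Print which change classes a status encodes, e.g. 7 -> new,removed,changed.
describe_aide_status() {
    status=$1
    case $status in
        ''|*[!0-9]*) echo "invalid"; return 0 ;;
    esac
    if [ "$status" -eq 0 ]; then echo "nochange"; return 0; fi
    # Assumption: anything above 7 is outside the bitmask, so call it an error.
    if [ "$status" -gt 7 ]; then echo "error"; return 0; fi
    out=""
    if [ $((status & 1)) -ne 0 ]; then out="new"; fi
    if [ $((status & 2)) -ne 0 ]; then out="${out:+$out,}removed"; fi
    if [ $((status & 4)) -ne 0 ]; then out="${out:+$out,}changed"; fi
    echo "$out"
}

# Return 0 if the new database should replace the reference database.
# policy: no | yes | ifnochange (the COPYNEWDB values quoted above).
should_copy_newdb() {
    policy=$1
    status=$2
    case $status in
        ''|*[!0-9]*) return 1 ;;
    esac
    # Assumption: never promote a database produced by a run that errored.
    [ "$status" -le 7 ] || return 1
    case $policy in
        yes)        return 0 ;;
        ifnochange) [ "$status" -eq 0 ] ;;
        *)          return 1 ;;
    esac
}

# Constructed sample statuses, not output from a real aide run.
for s in 0 1 5 7 17; do
    if should_copy_newdb ifnochange "$s"; then action=copy; else action=keep; fi
    printf 'status=%s changes=%s ifnochange=%s\n' \
        "$s" "$(describe_aide_status "$s")" "$action"
done
```

In a cron wrapper, pass the value of `$?` captured immediately after the aide --update run, before any other command overwrites it.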

