Thread: [Aide-devel] Re: aide 0.11 reporting directory as changed even if configured not to do so
From: Marc H. <mh+...@zu...> - 2006-02-25 07:28:48
Hi,

last Sunday, I wrote this to aide[-users], and didn't receive an
answer. Since this behavior is very annoying, I'd like to bother
aide-devel and ask you guys for comments? Am I doing something wrong,
or is this an aide bug?

On Sun, Feb 19, 2006 at 07:55:42PM +0100, Marc Haber wrote:
> From: Marc Haber <mh...@zu...>
> Subject: aide 0.11 reporting directory as changed even if configured not to do so
> To: Aide user mailinglist <ai...@cs...>
> Date: Sun, 19 Feb 2006 19:55:42 +0100
> User-Agent: Mutt/1.5.9i
>
> Hi,
>
> I have aide configured like this:
>
> $ grep -hr /etc /etc/aide
> /etc/cron.daily$ StaticDir
> /etc$ StaticDir
> /etc/adjtime$ Databases
> /etc/motd$ Databases
> /etc/mtab$ n+p+u
> /etc/inetd.conf$ InetdConf
> $
>
> StaticDir = n+p+i+u+g
>
> Sometimes, aide reports /etc as being changed:
>
> changed:/etc
>
> Directory: /etc
> Mtime : 2006-02-17 07:38:19 , 2006-02-18 07:11:56
> Ctime : 2006-02-17 07:38:19 , 2006-02-18 07:11:56
>
> The time of the change correlates with the DHCP daemon renewing the
> IP lease, but aide shouldn't be reporting the changes to mtime and
> ctime in the first place.
>
> Any ideas what might be wrong?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
From: Richard v. d. B. <ri...@vd...> - 2006-02-25 08:27:23
Marc Haber wrote:
> last Sunday, I wrote this to aide[-users], and didn't receive an
> answer. Since this behavior is very annoying, I'd like to bother
> aide-devel and ask you guys for comments? Am I doing something wrong,
> or is this an aide bug?

It looks like a bug, but probably hard to reproduce. Which makes fixing
it difficult.

Sincerely,

Richard van den Berg
From: Marc H. <mh+...@zu...> - 2006-02-25 11:25:52
On Sat, Feb 25, 2006 at 09:26:49AM +0100, Richard van den Berg wrote:
> Marc Haber wrote:
> >last Sunday, I wrote this to aide[-users], and didn't receive an
> >answer. Since this behavior is very annoying, I'd like to bother
> >aide-devel and ask you guys for comments? Am I doing something wrong,
> >or is this an aide bug?
>
> It looks like a bug, but probably hard to reproduce. Which makes fixing
> it difficult.

What can I do to help debugging? This bug is really annoying.

Greetings
Marc
From: Pablo V. <pa...@ip...> - 2006-02-26 19:18:21
On Sat, 25 Feb 2006, Marc Haber wrote:
> Hi,
>
> last Sunday, I wrote this to aide[-users], and didn't receive an
> answer. Since this behavior is very annoying, I'd like to bother
> aide-devel and ask you guys for comments? Am I doing something wrong,
> or is this an aide bug?
>
> On Sun, Feb 19, 2006 at 07:55:42PM +0100, Marc Haber wrote:
> > From: Marc Haber <mh...@zu...>
> > Subject: aide 0.11 reporting directory as changed even if configured not to do so
> > To: Aide user mailinglist <ai...@cs...>
> > Date: Sun, 19 Feb 2006 19:55:42 +0100
> > User-Agent: Mutt/1.5.9i
> >
> > Hi,
> >
> > I have aide configured like this:
> >
> > $ grep -hr /etc /etc/aide
> > /etc/cron.daily$ StaticDir
> > /etc$ StaticDir
> > /etc/adjtime$ Databases
> > /etc/motd$ Databases
> > /etc/mtab$ n+p+u
> > /etc/inetd.conf$ InetdConf
> > $
> >
> > StaticDir = n+p+i+u+g
> >
> > Sometimes, aide reports /etc as being changed:
> >
> > changed:/etc
> >
> > Directory: /etc
> > Mtime : 2006-02-17 07:38:19 , 2006-02-18 07:11:56
> > Ctime : 2006-02-17 07:38:19 , 2006-02-18 07:11:56
> >
> > The time of the change correlates with the DHCP daemon renewing the
> > IP lease, but aide shouldn't be reporting the changes to mtime and
> > ctime in the first place.
> >
> > Any ideas what might be wrong?
>
> Greetings
> Marc

It seems that [MC]time is stored to the aide database (because the old
[MC]time exists).

So aide database lines beginning "@@db_spec" and "/etc" could help.

Also running aide with -V255 and check what rule actually matches the /etc
directory.

Pablo Virolainen
From: Marc H. <mh+...@zu...> - 2006-02-26 19:40:37
On Sun, Feb 26, 2006 at 09:18:12PM +0200, Pablo Virolainen wrote:
> On Sat, 25 Feb 2006, Marc Haber wrote:
> It seems that [MC]time is stored to the aide database (because the old
> [MC]time exists).
>
> So aide database lines beginning "@@db_spec" and "/etc" could help.

@@begin_db
# This file was generated by Aide, version 0.11
# Time of generation was 2006-02-26 20:37:53
@@db_spec name lname attr perm bcount uid gid size mtime ctime inode lcount md5 sha1 rmd160 tiger crc32 haval gost
/home/mh/tmp/fs/etc 0 4029 40775 8 1001 1001 4096 MTE0MDk4MjY3Mw== MTE0MDk4MjY3Mw== 688309 2 0 0 0 0 0 0 0
/home/mh/tmp/fs/etc/resolv.conf 0 2077 100664 0 1001 1001 0 0 0 0 1 0 0 0 0 0 0 0
@@end_db

> Also running aide with -V255 and check what rule actually matches the /etc
> directory.

It looks like the configuration line which matches / to Binlib causes
the grief.

See attached script and configuration file to reproduce the issue.

Greetings
Marc
From: Marc H. <mh+...@zu...> - 2006-03-02 21:54:57
On Sun, Feb 26, 2006 at 08:40:31PM +0100, Marc Haber wrote:
> It looks like the configuration line which matches / to Binlib causes
> the grief.
>
> See attached script and configuration file to reproduce the issue.

Anything new about this?

Greetings
Marc
From: Pablo V. <pa...@ip...> - 2006-03-03 08:05:57
On Thu, 2 Mar 2006, Marc Haber wrote:
> On Sun, Feb 26, 2006 at 08:40:31PM +0100, Marc Haber wrote:
> > It looks like the configuration line which matches / to Binlib causes
> > the grief.
> >
> > See attached script and configuration file to reproduce the issue.
>
> Anything new about this?
>
> Greetings
> Marc

If you change the rule order a bit, then you will get what you wanted.

@@{FS}/etc$ StaticDir
@@{FS}/etc/resolv.conf$ Databases
@@{FS}/ Binlib

You can check the effect of the change by first initialising aide database
with your aide configuration. Then change the order and run aide -C. It
should print following kind of report

File @@{FS}/etc in databases has different attributes, 4029,2589

AIDE, version post-0.11

### All files match AIDE database. Looks okay!

Pablo Virolainen
From: Marc H. <mh+...@zu...> - 2006-03-03 08:15:57
On Fri, Mar 03, 2006 at 10:05:49AM +0200, Pablo Virolainen wrote:
> If you change the rule order a bit, then you will get what you wanted.
>
> @@{FS}/etc$ StaticDir
> @@{FS}/etc/resolv.conf$ Databases
> @@{FS}/ Binlib

Ok, so that's the first time I have been aware that rule order in the
configuration file matters. This is _very_ surprising since aide
usually operates on a "deepest match" algorithm.

So it is actually a weird mixture of "first match" and "deepest match"?

I don't understand that behavior from reading the manual. Maybe the
algorithm building the tree needs to be described in more detail.

Actually, I would greatly prefer the program code to be changed in a
way that we _actually_ have a deepest match algorithm, as sorting the
configuration would be a major inconvenience.

Greetings
Marc
From: Pablo V. <pa...@ip...> - 2006-03-03 08:42:12
On Fri, 3 Mar 2006, Marc Haber wrote:
> On Fri, Mar 03, 2006 at 10:05:49AM +0200, Pablo Virolainen wrote:
> > If you change the rule order a bit, then you will get what you wanted.
> >
> > @@{FS}/etc$ StaticDir
> > @@{FS}/etc/resolv.conf$ Databases
> > @@{FS}/ Binlib
>
> Ok, so that's the first time I have been aware that rule order in the
> configuration file matters. This is _very_ surprising since aide
> usually operates on a "deepest match" algorithm.
>
> So it is actually a weird mixture of "first match" and "deepest match"?

Aide uses deepest match (in sense of non-regexp directory entries).
Inside the directory it uses first match. One must remember that /etc lies
in the / directory.

The main reason for choosing this kind of match mess is the fact that we
couldn't figure out how to tell which regexp match is the deepest.
(just to illustrate the problem, see following example)

/etc/init*/*server$ all
/etc/init.d/*erver$ Bin

> I don't understand that behavior from reading the manual. Maybe the
> algorithm building the tree needs to be described in more detail.

Your aide.conf and the result could be helpful example of the result.

Pablo Virolainen
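The matching order described in the message above (deepest literal directory first, first match inside that directory), as a simplified Python model added here; it is not AIDE's code and not part of the thread. The helper names, the way a rule is assigned to a directory node, and the BEFORE ordering are assumptions; each pattern is matched anchored at the start of the path.

```python
import posixpath
import re

META = set("$^*+?.()[]{}|\\")  # characters treated as "regexp starts here"

def literal_dir(pattern):
    """Directory node a rule hangs on: the literal path up to the last '/'
    before the first regexp character (assumption of this model)."""
    cut = next((i for i, c in enumerate(pattern) if c in META), len(pattern))
    head = pattern[:cut]
    return head[:head.rfind("/")] or "/"

def select(path, rules):
    """Return the (pattern, group) that wins for path, or None."""
    nodes = {}
    for pattern, group in rules:  # config order is kept inside each node
        nodes.setdefault(literal_dir(pattern), []).append((pattern, group))
    d = posixpath.dirname(path)
    while True:  # deepest directory node first, then walk up
        for pattern, group in nodes.get(d, []):
            if re.match(pattern, path):  # first match inside the node wins
                return pattern, group
        if d == "/":
            return None
        d = posixpath.dirname(d)

def audit(rules, expected):
    """Return {path: (wanted, got)} where a different rule wins."""
    bad = {}
    for path, wanted in expected.items():
        hit = select(path, rules)
        got = hit[1] if hit else None
        if got != wanted:
            bad[path] = (wanted, got)
    return bad

# Constructed input: the three rules from the thread without the @@{FS}
# prefix; the BEFORE order (broad rule first) is an assumption.
BEFORE = [("/", "Binlib"), ("/etc$", "StaticDir"),
          ("/etc/resolv.conf$", "Databases")]
AFTER = [("/etc$", "StaticDir"), ("/etc/resolv.conf$", "Databases"),
         ("/", "Binlib")]
EXPECTED = {"/etc": "StaticDir", "/etc/resolv.conf": "Databases",
            "/etc/passwd": "Binlib"}

if __name__ == "__main__":
    print("before:", audit(BEFORE, EXPECTED))
    print("after: ", audit(AFTER, EXPECTED))
```

In this model `/etc/resolv.conf` gets `Databases` in either order because its rule sits on the deeper `/etc` node, while `/etc` itself competes with `/` on the root node and takes whichever rule comes first. The same audit also flags the opposite failure, where an earlier broad rule applies a weaker group to a path meant to be checked strictly.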
From: Marc H. <mh+...@zu...> - 2006-03-09 20:13:43
On Fri, Mar 03, 2006 at 10:42:08AM +0200, Pablo Virolainen wrote:
> On Fri, 3 Mar 2006, Marc Haber wrote:
> > On Fri, Mar 03, 2006 at 10:05:49AM +0200, Pablo Virolainen wrote:
> > > If you change the rule order a bit, then you will get what you wanted.
> > >
> > > @@{FS}/etc$ StaticDir
> > > @@{FS}/etc/resolv.conf$ Databases
> > > @@{FS}/ Binlib
> >
> > Ok, so that's the first time I have been aware that rule order in the
> > configuration file matters. This is _very_ surprising since aide
> > usually operates on a "deepest match" algorithm.
> >
> > So it is actually a weird mixture of "first match" and "deepest match"?
>
> Aide uses deepest match (in sense of non-regexp directory entries).
> Inside the directory it uses first match. One must remember that /etc lies
> in the / directory.

I see. So I had to turn around most of my configuration, which was
considerably less pain than I originally expected. This has been
running smoothly on my test box now and I am in the process of rolling
out the new configuration scheme to more boxes.

> > I don't understand that behavior from reading the manual. Maybe the
> > algorithm building the tree needs to be described in more detail.
>
> Your aide.conf and the result could be helpful example of the result.

Yes. I'll submit a documentation patch as soon as I feel sufficiently
secure in the topic.

Greetings
Marc
From: Marc H. <mh+...@zu...> - 2006-03-12 18:09:55
Attachments:
30-docs.dpatch
On Thu, Mar 09, 2006 at 09:13:36PM +0100, Marc Haber wrote:
> Yes. I'll submit a documentation patch as soon as I feel sufficiently
> secure in the topic.

Here is the promised patch. I hope I didn't write anything more. I
have also done some language corrections, but I am not a native
speaker myself.

I have tried to minimize the patch size, please consider re-wrapping
the paragraphs after applying.

Greetings
Marc
From: Richard v. d. B. <ri...@vd...> - 2006-03-13 08:19:04
Marc Haber wrote:
> Here is the promised patch.

Applied to CVS, thanks.

Sincerely,

Richard van den Berg