Bug#245423: aide regularly forgets about /sbin and /dev
On Mon, Oct 02, 2006 at 04:19:17PM +0200, Marc Haber wrote: On Wed, Sep 27, 2006 at 10:56:09AM +0200, Bill Allombert wrote: I never experienced the bug with gzip_dbout=no for some months now, so I am confident this fixed it. Very well, thanks. Can you set dzip_dbout again to verify that hypothesis? I did that and today the bug occured again. Cheers, Bill. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: aide regularly forgets about /sbin and /dev
On Wed, Nov 15, 2006 at 09:09:10PM +0100, Bill Allombert wrote: On Mon, Oct 02, 2006 at 04:19:17PM +0200, Marc Haber wrote: On Wed, Sep 27, 2006 at 10:56:09AM +0200, Bill Allombert wrote: I never experienced the bug with gzip_dbout=no for some months now, so I am confident this fixed it. Very well, thanks. Can you set dzip_dbout again to verify that hypothesis? I did that and today the bug occured again. Which version of aide? Any chance that a cron job and a manual aide run were running concurrently? Greetings Marc -- - Marc Haber | I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things.Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: aide regularly forgets about /sbin and /dev
The only reason I can think of that would result in a corrupt gzipped aide.db (and not in a corrupt/incomplete plaintext aide.db) is when aide exists before gzclose() is called. Plaintext aide.db is flushed after every line, for gzip this is skipped because it degrades the compression a lot. I looked through the code, and there is no way for gzclose() not to be called when aide exists normally. So I expect aide to abort() at some point without it being obvious in the output on stderr. There are too many cases where abort() is used, so I cannot find the root cause at this time. What I did to try and work around the issue is close aide.db as soon as possible (before the reporting is done). So basically, when a report (with or without differences found) is printed you will know gzclose() has been called, and the aide.db.new normally closed. This change is now in CVS and will be in aide-0.12-rc2. Another important thing to note is that the real problem (the aide.db being corrupted) occurs in the aide --update before the aide --update (or aide --check) that reports the many added files. It would be very interesting to see an aide -V255 --update that actually created the corrupt aide.db.new. Sincerely, Richard van den Berg -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: [Pkg-aide-maintainers] Bug#245423: aide regularly forgets about /sbin and /dev
Hi, On Wed, Oct 04, 2006 at 12:28:37PM +0200, Richard van den Berg wrote: What I did to try and work around the issue is close aide.db as soon as possible (before the reporting is done). So basically, when a report (with or without differences found) is printed you will know gzclose() has been called, and the aide.db.new normally closed. This change is now in CVS and will be in aide-0.12-rc2. I'm going to package aide 0.12-rc2 for experimental as soon as possible. Since Debian is going to freeze on October 18, we will be releasing with aide 0.11 though. Another important thing to note is that the real problem (the aide.db being corrupted) occurs in the aide --update before the aide --update (or aide --check) that reports the many added files. It would be very interesting to see an aide -V255 --update that actually created the corrupt aide.db.new. I am trying to reproduce this on a host that will go out of service on October 31 and is not being used productively any more. I hope that I will be able to deliver the logs you need. Greetings Marc -- - Marc Haber | I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things.Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: [Pkg-aide-maintainers] Bug#245423: aide regularly forgets about /sbin and /dev
On Wed, Sep 27, 2006 at 10:56:09AM +0200, Bill Allombert wrote: I never experienced the bug with gzip_dbout=no for some months now, so I am confident this fixed it. Very well, thanks. Can you set dzip_dbout again to verify that hypothesis? I would suggest gzip_dbout=no be set as the default until a proper fix is found. During the configuration re-work, the gzip_dbout=yes statement was removed from the default configuration, and the default is no. Which kind of explains why we don't get any more bug reports about that. I have, however, nudged upstream to take a closer look at this issue. Greetings Marc -- - Marc Haber | I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things.Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: aide regularly forgets about /sbin and /dev
On Thu, Jul 20, 2006 at 11:50:31PM +0200, Marc Haber wrote: On Thu, Jul 20, 2006 at 07:31:54PM +0200, Bill Allombert wrote: On Tue, Jul 18, 2006 at 04:21:27PM +0200, Marc Haber wrote: May I remind? I suspect that we have a bug in the gzip code which I'd love to report upstream. Well, I did that and the bug has not show up yet, but since it was less than one month ago, it might be only by luck. Can you please keep us posted? I never experienced the bug with gzip_dbout=no for some months now, so I am confident this fixed it. I would suggest gzip_dbout=no be set as the default until a proper fix is found. Cheers, Bill. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: aide regularly forgets about /sbin and /dev
On Tue, Jul 18, 2006 at 04:21:27PM +0200, Marc Haber wrote: On Fri, Jun 23, 2006 at 11:54:19PM +0200, Marc Haber wrote: On Fri, Jun 23, 2006 at 10:19:56PM +0200, Bill Allombert wrote: On Fri, Jun 23, 2006 at 11:23:14AM +0200, Marc Haber wrote: Are you using gzipped db, or did you gzip the files before encrypting them in the message? I am using the standard Debian config which say gzip_dbout=yes I did not gzipped them manually. Ok, please try to reproduce the issue with gzip_dbout=no. May I remind? I suspect that we have a bug in the gzip code which I'd love to report upstream. Well, I did that and the bug has not show up yet, but since it was less than one month ago, it might be only by luck. Cheers, Bill. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: aide regularly forgets about /sbin and /dev
On Thu, Jul 20, 2006 at 07:31:54PM +0200, Bill Allombert wrote: On Tue, Jul 18, 2006 at 04:21:27PM +0200, Marc Haber wrote: May I remind? I suspect that we have a bug in the gzip code which I'd love to report upstream. Well, I did that and the bug has not show up yet, but since it was less than one month ago, it might be only by luck. Can you please keep us posted? And possibly try with the CVS snapshot that is packaged in experimental? Greetings Marc -- - Marc Haber | I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things.Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: [Pkg-aide-maintainers] Bug#245423: aide regularly forgets about /sbin and /dev
On Fri, Jun 23, 2006 at 11:54:19PM +0200, Marc Haber wrote: On Fri, Jun 23, 2006 at 10:19:56PM +0200, Bill Allombert wrote: On Fri, Jun 23, 2006 at 11:23:14AM +0200, Marc Haber wrote: Are you using gzipped db, or did you gzip the files before encrypting them in the message? I am using the standard Debian config which say gzip_dbout=yes I did not gzipped them manually. Ok, please try to reproduce the issue with gzip_dbout=no. May I remind? I suspect that we have a bug in the gzip code which I'd love to report upstream. Greetings Marc -- - Marc Haber | I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things.Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: [Pkg-aide-maintainers] Bug#245423: aide regularly forgets about /sbin and /dev
On Thu, Jun 22, 2006 at 05:58:29PM +0200, Marc Haber wrote: Can you send me - in private - a corrupted and the correct database generated after the corrupted one? I have received the files in private, encrypted e-mail and will take a look at the later today. Greetings Marc -- - Marc Haber | I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things.Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: [Pkg-aide-maintainers] Bug#245423: aide regularly forgets about /sbin and /dev
On Fri, Jun 23, 2006 at 07:34:02AM +0200, Marc Haber wrote: On Thu, Jun 22, 2006 at 05:58:29PM +0200, Marc Haber wrote: Can you send me - in private - a corrupted and the correct database generated after the corrupted one? I have received the files in private, encrypted e-mail and will take a look at the later today. This looks familiar to me. The broken db stops right in the middle of a data line. Are you using gzipped db, or did you gzip the files before encrypting them in the message? If you're using gzipped db, try gzip_dbout=no just out of curiosity. Greetings Marc -- - Marc Haber | I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things.Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: [Pkg-aide-maintainers] Bug#245423: aide regularly forgets about /sbin and /dev
On Fri, Jun 23, 2006 at 11:23:14AM +0200, Marc Haber wrote: On Fri, Jun 23, 2006 at 07:34:02AM +0200, Marc Haber wrote: On Thu, Jun 22, 2006 at 05:58:29PM +0200, Marc Haber wrote: Can you send me - in private - a corrupted and the correct database generated after the corrupted one? I have received the files in private, encrypted e-mail and will take a look at the later today. This looks familiar to me. The broken db stops right in the middle of a data line. Are you using gzipped db, or did you gzip the files before encrypting them in the message? I am using the standard Debian config which say gzip_dbout=yes I did not gzipped them manually. Cheers, Bill. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: [Pkg-aide-maintainers] Bug#245423: aide regularly forgets about /sbin and /dev
On Fri, Jun 23, 2006 at 10:19:56PM +0200, Bill Allombert wrote: On Fri, Jun 23, 2006 at 11:23:14AM +0200, Marc Haber wrote: Are you using gzipped db, or did you gzip the files before encrypting them in the message? I am using the standard Debian config which say gzip_dbout=yes I did not gzipped them manually. Ok, please try to reproduce the issue with gzip_dbout=no. Greetings Marc -- - Marc Haber | I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things.Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: [Pkg-aide-maintainers] Bug#245423: aide regularly forgets about /sbin and /dev
On Fri, Jun 16, 2006 at 04:06:31PM +0200, [EMAIL PROTECTED] wrote: Experimentally, the corruption happens randomly when writing the database. When I get a corrupted db, regenerating the database with the same underlying filesystem lead to a non-corrupted db. OTOH, trying to read a corrupted db never succeed. You mean that one aide --update generates a corrupt database while the next aide --update, called immediately afterwards without touching any aide-related files, generates a correct one? Greetings Marc -- - Marc Haber | I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things.Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: [Pkg-aide-maintainers] Bug#245423: aide regularly forgets about /sbin and /dev
On Thu, Jun 22, 2006 at 03:53:38PM +0200, Marc Haber wrote: On Fri, Jun 16, 2006 at 04:06:31PM +0200, [EMAIL PROTECTED] wrote: Experimentally, the corruption happens randomly when writing the database. When I get a corrupted db, regenerating the database with the same underlying filesystem lead to a non-corrupted db. OTOH, trying to read a corrupted db never succeed. You mean that one aide --update generates a corrupt database while the next aide --update, called immediately afterwards without touching any aide-related files, generates a correct one? Yes, I do aide --update mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db aide --check If that reports a lot of missing files, I restart the process and it works. This is the way I work around the bug. I wonder if aide does not work better if the files are already in the ernel cache. (The box has 1Gb of RAM, and the amount of file data processed by aide is much smaller than that.) cheers, -- Bill. [EMAIL PROTECTED] Imagine a large red swirl here. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: [Pkg-aide-maintainers] Bug#245423: aide regularly forgets about /sbin and /dev
On Thu, Jun 22, 2006 at 04:52:20PM +0200, Bill Allombert wrote: Yes, I do aide --update mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db aide --check If that reports a lot of missing files, I restart the process and it works. Do you start again with aide --update, or with aide --check? If you start again with aide --update, that update goes against the corrupt database which you copied over the last known good one. Greetings Marc -- - Marc Haber | I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things.Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: [Pkg-aide-maintainers] Bug#245423: aide regularly forgets about /sbin and /dev
On Thu, Jun 22, 2006 at 04:57:43PM +0200, Marc Haber wrote: On Thu, Jun 22, 2006 at 04:52:20PM +0200, Bill Allombert wrote: Yes, I do aide --update mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db aide --check If that reports a lot of missing files, I restart the process and it works. Do you start again with aide --update, or with aide --check? Both actually: I run aide --check several time and I always get that the db is corrupted miss files. Then I do aide --update and I get a working db. If you start again with aide --update, that update goes against the corrupt database which you copied over the last known good one. Experimentally the aide.db.new resulting from aide --update is not affected by the current aide.db being corrupted. What do you suggest I do instead of aide --update ? Cheers, -- Bill. [EMAIL PROTECTED] Imagine a large red swirl here. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: [Pkg-aide-maintainers] Bug#245423: aide regularly forgets about /sbin and /dev
On Thu, Jun 22, 2006 at 05:30:25PM +0200, Bill Allombert wrote: Both actually: I run aide --check several time and I always get that the db is corrupted miss files. Yes, so your aide.db is corrupted. Then I do aide --update and I get a working db. Do you get a gazillion of new file reports as well? If you start again with aide --update, that update goes against the corrupt database which you copied over the last known good one. Experimentally the aide.db.new resulting from aide --update is not affected by the current aide.db being corrupted. That is as expected since the new database (aide.db.new) is generated from the file system without consulting the current aide.db. Then, both databases are compared with each other, resulting in the final aide report. What do you suggest I do instead of aide --update ? Actually, the only difference of --update and --check is that --check doesn't write the new database, so I always use --update. Can you send me - in private - a corrupted and the correct database generated after the corrupted one? If you deem your file names too private to send out, I can understand that, and thus take no for an answer. Greetings Marc -- - Marc Haber | I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things.Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: aide regularly forgets about /sbin and /dev
On Thu, Jun 01, 2006 at 05:22:47PM +0200, [EMAIL PROTECTED] wrote: On Tue, Apr 12, 2005 at 01:39:05PM +, Guillaume Tamboise wrote: Package: aide Version: 0.10-6.1 Followup-For: Bug #245423 I am facing the same issue with /sbin and with a certain number of files in /dev. I have been using aide for woody for a long time and never face this issue. The issue came on board quickly after I moved to Sarge. Hello Debian AIDE maintainers, I am seeing the same issue on my server: aide worked fine on woody, but I have recently upgraded to sarge and today I get a report where /sbin and /lib files are added. Experimentally, the corruption happens randomly when writing the database. When I get a corrupted db, regenerating the database with the same underlying filesystem lead to a non-corrupted db. OTOH, trying to read a corrupted db never succeed. So the problem might be with the underlying db engine. Cheers, -- Bill. [EMAIL PROTECTED] Imagine a large red swirl here. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: aide regularly forgets about /sbin and /dev
On Tue, Apr 12, 2005 at 01:39:05PM +, Guillaume Tamboise wrote: Package: aide Version: 0.10-6.1 Followup-For: Bug #245423 I am facing the same issue with /sbin and with a certain number of files in /dev. I have been using aide for woody for a long time and never face this issue. The issue came on board quickly after I moved to Sarge. Hello Debian AIDE maintainers, I am seeing the same issue on my server: aide worked fine on woody, but I have recently upgraded to sarge and today I get a report where /sbin and /lib files are added. The aide report include the message Not enough parameters in db:14869 so it seems as if the db was corrupted and the data about /lib and /sbin could not be found anymore. Here the head of the report (after the denoised summary): Output of the daily AIDE run (358 lines): Not enough parameters in db:14869 AIDE found differences between database and filesystem!! Start timestamp: 2006-06-01 06:25:01 Summary: Total number of files=15182,added files=313,removed files=4,changed files=32 This problem make aide rather useless for me. Cheers, -- Bill. [EMAIL PROTECTED] Imagine a large red swirl here. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: [Pkg-aide-maintainers] Bug#245423: aide regularly forgets about /sbin and /dev
On Thu, Jun 01, 2006 at 05:22:47PM +0200, [EMAIL PROTECTED] wrote: This problem make aide rather useless for me. Do you have the possibility of trying a later aide version than the one in sarge? Greetings Marc -- - Marc Haber | I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things.Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: aide regularly forgets about /sbin and /dev
forwarded #245423 https://sourceforge.net/tracker/index.php?func=detailaid=1448359group_id=86976atid=581579 thanks On Wed, Mar 08, 2006 at 02:02:30PM -0700, Will Aoki wrote: On Thu, Feb 23, 2006 at 10:32:59AM +0100, Marc Haber wrote: On Tue, Jan 17, 2006 at 04:31:24PM -0700, Will Aoki wrote: This problem occurs on my various systems with great regularity. I can trigger it reliably by making largeish changes to the filesystem which modify existing files (such as by installing the recent perl security updates) and running an 'aide -u' to update the database. Is it still reproducible with aide 0.11? Yes, I just managed to reproduce it on two servers using the aide_0.11-1 package rebuilt on sarge. I have forwarded this upstream for further debugging. Greetings Marc -- - Marc Haber | I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things.Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: aide regularly forgets about /sbin and /dev
On Thu, Feb 23, 2006 at 10:32:59AM +0100, Marc Haber wrote: On Tue, Jan 17, 2006 at 04:31:24PM -0700, Will Aoki wrote: This problem occurs on my various systems with great regularity. I can trigger it reliably by making largeish changes to the filesystem which modify existing files (such as by installing the recent perl security updates) and running an 'aide -u' to update the database. Is it still reproducible with aide 0.11? Yes, I just managed to reproduce it on two servers using the aide_0.11-1 package rebuilt on sarge. -- William Aoki KD7YAF[EMAIL PROTECTED]5-1924 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: aide regularly forgets about /sbin and /dev
On Tue, Jan 17, 2006 at 04:31:24PM -0700, Will Aoki wrote: This problem occurs on my various systems with great regularity. I can trigger it reliably by making largeish changes to the filesystem which modify existing files (such as by installing the recent perl security updates) and running an 'aide -u' to update the database. Is it still reproducible with aide 0.11? If it would help, I should be able to prepare a UML image that exhibits the bug, though it might take me a week or so to get around to it. Maybe it would be a good idea to address this issue directly on upstream's mailing list. Greetings Marc -- - Marc Haber | I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things.Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: aide regularly forgets about /sbin and /dev
This problem occurs on my various systems with great regularity. I can trigger it reliably by making largeish changes to the filesystem which modify existing files (such as by installing the recent perl security updates) and running an 'aide -u' to update the database. If it would help, I should be able to prepare a UML image that exhibits the bug, though it might take me a week or so to get around to it. -- William Aoki KD7YAF[EMAIL PROTECTED]5-1924 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: aide regularly forgets about /sbin and /dev
tags #245423 unreproducible thanks On Tue, Apr 12, 2005 at 01:39:05PM +, Guillaume Tamboise wrote: I am facing the same issue with /sbin and with a certain number of files in /dev. I have been using aide for woody for a long time and never face this issue. The issue came on board quickly after I moved to Sarge. I cannot reproduce this with aide 0.10-11 on sid and the config file you attached: [80/[EMAIL PROTECTED] sid]:~$ sudo aide --update AIDE, version 0.10 ### All files match AIDE database. Looks okay! ### AIDE database initialized. [81/[EMAIL PROTECTED] sid]:~$ sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db [82/[EMAIL PROTECTED] sid]:~$ sudo aide --check AIDE, version 0.10 ### All files match AIDE database. Looks okay! [83/[EMAIL PROTECTED] sid]:~$ dpkg --list aide ii aide 0.10-11Advanced Intrusion Detection Environment [84/[EMAIL PROTECTED] sid]:~$ Can you give more hints about how to reproduce this issue? Greetings Marc -- - Marc Haber | I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things.Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#245423: aide regularly forgets about /sbin and /dev
Package: aide Version: 0.10-6.1 Followup-For: Bug #245423 I am facing the same issue with /sbin and with a certain number of files in /dev. I have been using aide for woody for a long time and never face this issue. The issue came on board quickly after I moved to Sarge. -- System Information: Debian Release: 3.1 APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Kernel: Linux 2.6.10 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Versions of packages aide depends on: ii debconf 1.4.30.11 Debian configuration management sy ii libc62.3.2.ds1-20GNU C Library: Shared libraries an ii mailx1:8.1.2-0.20040524cvs-4 A simple mail user agent -- debconf information: * aide/aideinit: false * aide/mustaideinit: * aideinit/copynew: true aideinit/overwritenew: true aide/newlibdir: false * aide/setmailaddress: aideinit/warnnew: # AIDE conf database=file:/var/lib/aide/aide.db database_out=file:/var/lib/aide/aide.db.new # Change this to no or remove it to not gzip output # (only useful on systems with few CPU cycles to spare) gzip_dbout=yes # Here are all the things we can check - these are the default rules # #p: permissions #i: inode #n: number of links #u: user #g: group #s: size #b: block count #m: mtime #a: atime #c: ctime #S: check for growing size #md5:md5 checksum #sha1: sha1 checksum #rmd160: rmd160 checksum #tiger: tiger checksum #R: p+i+n+u+g+s+m+c+md5 #L: p+i+n+u+g #E: Empty group #: Growing logfile p+u+g+i+n+S #haval: haval checksum #gost: gost checksum #crc32: crc32 checksum # Defines formerly set here have been moved to /etc/default/aide. # Custom rules Binlib = p+i+n+u+g+s+b+m+md5+sha1 ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1 Logs = p+i+n+u+g+S Devices = p+i+n+u+g+s+b+md5+sha1 Databases = p+n+u+g StaticDir = p+i+n+u+g ManPages = p+i+n+u+g+s+b+m+md5+sha1 # Next decide what directories/files you want in the database # Kernel, system map, etc. =/boot$ Binlib # Binaries /bin Binlib /usr/bin Binlib /usr/sbin Binlib /sbin Binlib /usr/local/bin Binlib /usr/local/sbin Binlib /usr/games Binlib # Libraries /lib Binlib /usr/lib Binlib /usr/local/lib Binlib # Log files =/var/log$ StaticDir !/var/log/ksymoops /var/log/aide/aide.log(.[0-9])?(.gz)? Databases /var/log/aide/error.log(.[0-9])?(.gz)? Databases /var/log/setuid.changes(.[0-9])?(.gz)? Databases !/var/log/aide /var/log Logs # Devices !/dev/pts # If you get spurious warnings about being unable to mmap() /dev/cpu/mtrr, # you may uncomment this to get rid of them. They're harmless but sometimes # annoying. #!/dev/cpu/mtrr !/dev/xconsole /dev Devices # Other miscellaneous files /var/run$ StaticDir !/var/run # Test only the directory when dealing with /proc /proc$ StaticDir !/proc # You can look through these examples to get further ideas # MD5 sum files - especially useful with debsums -g /var/lib/dpkg/info/([^\.]+).md5sums u+g+s+m+md5+sha1 # Check crontabs #/var/spool/anacron/cron.daily Databases #/var/spool/anacron/cron.monthly Databases #/var/spool/anacron/cron.weekly Databases #/var/spool/cron Databases #/var/spool/cron/crontabs Databases # manpages can be trojaned, especially depending on *roff implementation #/usr/man ManPages #/usr/share/man ManPages #/usr/local/man ManPages # docs #/usr/doc ManPages #/usr/share/doc ManPages # check users' home directories #/home Binlib # check sources for modifications #/usr/src L #/usr/local/src L # Check headers for same #/usr/include L #/usr/local/include L