[Aide] Could use some help understanding aide --check output.

Milosh Djuric merithium at internode.on.net
Sun Aug 10 15:49:55 EEST 2008 

Hi,

I installed aide for the first time on two centos boxes the other day,  
just ran a --check and got some unexpected output:

File: /etc/prelink.cache
   Inode    : 3797861                          , 3800582

Directory: /usr/sbin
   Mtime    : 2008-08-08 23:37:06              , 2008-08-09 04:02:57
   Ctime    : 2008-08-08 23:37:06              , 2008-08-09 04:02:57

File: /usr/sbin/aide
   Size     : 175960                           , 177556
   Ctime    : 2008-08-08 23:37:06              , 2008-08-09 04:02:57
   Inode    : 3602156                          , 3606389
   MD5      : Q9C2dhy6i3vMC4oZXXVmgw==         , cfe/scpjDm1HE0aG0IQU4A==
   RMD160   : Z4qaX7wpT/MoKhGnc2QP89IlHMc=     ,  
hPtq8rG6b5q4hSUE7GZrdayYEzI=
   SHA256   : UenTQV6k2wHoo557AwM2s8JSQS3891yP ,  
DARHq6MD3h7CSaYTqBjFo9JPfTFrATaq

Directory: /root
   Mtime    : 2008-08-08 20:48:06              , 2008-08-10 21:28:08
   Ctime    : 2008-08-08 20:48:06              , 2008-08-10 21:28:08
   Linkcount: 2                                , 3

Directory: /lib
   Mtime    : 2008-08-07 01:55:54              , 2008-08-09 04:02:57
   Ctime    : 2008-08-07 01:55:54              , 2008-08-09 04:02:57

File: /lib/libaudit.so.0.0.0
   Ctime    : 2008-08-07 01:55:41              , 2008-08-09 04:02:57
   Inode    : 6219889                          , 6220039
   MD5      : 76MreiTqUchdxLD1O+g4Vw==         , o+JZsoTEZrTmHjJfdMDN8A==
   RMD160   : L8oM0xOqKmb6hDuGHiVk38gStnc=     ,  
zGw8Nu+r1+LFFpXz+63MMrL5Gg0=
   SHA256   : O3FtpJsNFrH7fJggmQXZhmO6vHF2hIj5 ,  
jiarOAecPKObny+vrP1H9FHk8GDMqN2H

File: /lib/libattr.so.1.1.0
   Ctime    : 2008-08-07 01:55:49              , 2008-08-09 04:02:57
   Inode    : 6219988                          , 6220012
   MD5      : RSAvZNqIiPGKjlvLvQVT0g==         , x4mxJJOpl+D9F4dgShYmGg==
   RMD160   : mqd4KQdd3SHkGgtnzXVN1TRC+v4=     ,  
nOa1VoJb+yN0Q06gxxuzKzliemY=
   SHA256   : sDPmULLEY+PJT/wQTR6Fh6L9vBkhkXJo ,  
dTiFlhYSaI+Ouh0clXlEWZQNCap+5GnI

File: /lib/libacl.so.1.1.0
   Ctime    : 2008-08-07 01:55:49              , 2008-08-09 04:02:57
   Inode    : 6221445                          , 6220037
   MD5      : yfVzGtsn4S+wRSo554WK6Q==         , Qh7aYK77OV/QUK534ZNPUw==
   RMD160   : oP7ozvMi+Lafy+JcFq2Knd5r/xQ=     ,  
+6pYeQLtQU+w8F6EtG/o2e1m0kg=
   SHA256   : lH+ZhZ9HD5VMqJdTyO5j/RbwIvfyfg9C ,  
T9HJIQ6n3Jhzy2Yw9Q7LvaR7Ffwbd8cH

This machine is a webserver facing the internet, however it's pureley for  
personal use and gets some 4-5 stray hits a day. It's also a clean build,  
with SELinux enabled and the latest yum updates. I ran chkrootkit which  
came back clean. As I previously mentioned though, I installed AIDE on two  
machines, whats strange is the md5 sums don't match, but the filesize is  
the same.

Can anyone shed some light on this? I doub't the machine has been  
compromised (it always a possibility though) but I'd like to understand  
what is happening.

Thanks.

More information about the Aide mailing list