[Aide] Displayed SHA output
John Horne
john.horne at plymouth.ac.uk
Thu Jan 28 13:56:34 EET 2010
Hello,

I am looking again at the use of prelink with aide, and am running aide
version 0.13.1-15 which is rebuilt from the FC13 source rpm to run on
Fedora 11. There seems to be no problem with that.

However, if I run 'prelink -fa', this causes the prelink check to fail
for many of the binaries in /usr/bin. This is expected and gives errors
such as:

    /usr/sbin/prelink: /bin/sort: at least one of file's dependencies
    has changed since prelinking
    /usr/sbin/prelink: /bin/mv: at least one of file's dependencies has
    changed since prelinking

Aide also shows that the files have changed:

    ---------------------------------------------------
    Changed files:
    ---------------------------------------------------
    changed: /bin/sort
    changed: /bin/mv

Aide also shows the details of the changed files. For the examples above
I get:

    File: /bin/sort
    SHA1 : U6vSgd5KPT0eAvp9y9y7EBECBpw= , <NONE>
    File: /bin/mv
    SHA1 : rCnlRcVwveBFJ89SbRWu/CpRlBU= , <NONE>

However, for some files I get the exact same values shown (I have
wrapped the lines):

    File: /sbin/iptunnel
    SHA1 : aIrShKMxDzf8o4KHzxvZ64atmME= ,
    2jmj7l5rSw0yVb/vlWAYkK/YBwk=
    File: /sbin/findfs
    SHA1 : gQI6iYvZ0MgGKb9tr0osSU/Fvf0= ,
    2jmj7l5rSw0yVb/vlWAYkK/YBwk=
    File: /sbin/fsck.ext2
    SHA1 : 5LGCsZTPG5ZcCG8YhG5WaaKvNN8= ,
    2jmj7l5rSw0yVb/vlWAYkK/YBwk=

As can be seen the second 'sha1' values for each file are the same
despite these three files being completely different. (Aide actually
shows many files, not just these three, with the exact same value of
'2jmj7l5rSw0yVb/vlWAYkK/YBwk='.)

All the displayed values look like base64, so why aren't the actual SHA1
values being shown instead? Secondly, I am at a bit of a loss as to why
the second values in the examples above (for iptunnel, findfs and
fsck.ext2) are all the same. Any thoughts on that?

Thanks,
John.
--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001
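
The values quoted in the post are base64 encodings of 20-byte SHA-1 digests, and the repeated one, 2jmj7l5rSw0yVb/vlWAYkK/YBwk=, decodes to da39a3ee5e6b4b0d3255bfef95601890afd80709, which is the SHA-1 of zero bytes of input. The following is an added example, not part of the original post and not AIDE's own code, that converts such report entries to hex and flags that value; the `ENTRY` pattern and the `analyse` and `b64_to_hex` names are assumptions based on the output layout quoted above.

```python
import base64
import hashlib
import re

# Constructed sample: report lines copied from the post above.
SAMPLE_REPORT = """\
File: /bin/sort
SHA1 : U6vSgd5KPT0eAvp9y9y7EBECBpw= , <NONE>
File: /sbin/iptunnel
SHA1 : aIrShKMxDzf8o4KHzxvZ64atmME= ,
2jmj7l5rSw0yVb/vlWAYkK/YBwk=
File: /sbin/findfs
SHA1 : gQI6iYvZ0MgGKb9tr0osSU/Fvf0= ,
2jmj7l5rSw0yVb/vlWAYkK/YBwk=
"""

# SHA-1 of zero bytes of input, computed rather than hard-coded.
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()

# Assumed layout: "File: <path>", then "SHA1 : <old> , <new>", where the
# second value may be wrapped onto the next line (\s also matches newlines).
ENTRY = re.compile(r"File:\s*(\S+)\s+SHA1\s*:\s*(\S+)\s*,\s*(\S+)")

def b64_to_hex(value):
    """Hex form of a base64 SHA-1 digest; None for markers such as <NONE>."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.hex() if len(raw) == 20 else None

def analyse(report):
    """Decode both digests of each entry and flag an empty-input new digest."""
    results = []
    for path, old, new in ENTRY.findall(report):
        new_hex = b64_to_hex(new)
        results.append({
            "path": path,
            "old_hex": b64_to_hex(old),
            "new_hex": new_hex,
            "new_is_empty_input": new_hex == EMPTY_SHA1,
        })
    return results

if __name__ == "__main__":
    for r in analyse(SAMPLE_REPORT):
        note = "  <- SHA-1 of empty input" if r["new_is_empty_input"] else ""
        print(f'{r["path"]}: {r["old_hex"]} -> {r["new_hex"]}{note}')
```

An entry flagged this way means the digest was computed over no data at all, so the comparison says nothing about the file's actual contents.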