[Aide] Aide alerts - Aide detects files added that are already present on the Filesystem

M D dsmm4444 at gmail.com
Sat Jun 16 02:03:18 EEST 2018


Hi,
I am using an ARM-based environment with a NAND Flash using a JFFS2 filesystem.

I have aide configured with p+i+u+n+s for /root

1) I observe in some instances that files that are already present are
detected as added.
2) In some cases, the same file is detected as added and removed
3) In some cases, I observe database read errors such as
gzread() failed: gzerr=: Input/output error!
Not enough parameters in db:531

Could not read permissions from database. String 10064t
Could not read permissions from database. String 10075u
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2018-01-02 11:13:02

Summary:
  Total number of files: 2049
  Added files: 1
  Removed files: 1
  Changed files: 2


---------------------------------------------------
Added files:
---------------------------------------------------

f++++++++++++: /lib/modules/kernel/drivers/net/usb/cdc_ncm.ko

---------------------------------------------------
Removed files:
---------------------------------------------------

f------------: /lib/modules//kernel/drivers/net/usb/cdc_ncmnko

---------------------------------------------------
Changed files:
---------------------------------------------------

f =.p.    ...: /root/.bash_profile

From my analysis, I would dismiss these as false positives. However I
wanted to understand how aide detects these alerts. Is aide not
compatible with NAND flash and jffs2?

To rule such error alerts out in the future, is there any
recommendation in terms of something I can do in the aide conf? Is
this something I can do in terms of compilation?

Regards.
Max
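
A triage check for symptom 2 above, as an added example that is not part of the original post or of AIDE: it pairs added and removed entries of equal length and reports pairs whose paths differ in a single byte, with the number of differing bits. The function names are hypothetical, the sample is constructed from the report quoted above, and repeated slashes are collapsed on the assumption that they name the same path.

```python
import re
from itertools import product

# Constructed sample: the Added/Removed sections of the report quoted above.
SAMPLE_REPORT = """\
Added files:

f++++++++++++: /lib/modules/kernel/drivers/net/usb/cdc_ncm.ko

Removed files:

f------------: /lib/modules//kernel/drivers/net/usb/cdc_ncmnko

Changed files:

f =.p.    ...: /root/.bash_profile
"""

# "f++++++++++++: path" is an added entry, "f------------: path" a removed one.
ENTRY = re.compile(r"^\S([+-])\1+: (.+)$")


def parse_entries(report):
    """Return (added, removed) path lists from an AIDE text report."""
    added, removed = [], []
    for line in report.splitlines():
        m = ENTRY.match(line.rstrip())
        if m:
            # Assumption: repeated slashes name the same path, so collapse them.
            path = re.sub(r"/{2,}", "/", m.group(2))
            (added if m.group(1) == "+" else removed).append(path)
    return added, removed


def near_identical_pairs(report):
    """Pair added/removed paths of equal length that differ in one byte."""
    added, removed = parse_entries(report)
    hits = []
    for a, r in product(added, removed):
        ab, rb = a.encode(), r.encode()
        if len(ab) != len(rb):
            continue
        diffs = [i for i, (x, y) in enumerate(zip(ab, rb)) if x != y]
        if len(diffs) == 1:
            i = diffs[0]
            flipped = bin(ab[i] ^ rb[i]).count("1")
            hits.append({"added": a, "removed": r, "offset": i, "bits": flipped})
    return hits


if __name__ == "__main__":
    for h in near_identical_pairs(SAMPLE_REPORT):
        print(h)
```

On the sample, the one pair found differs only at the `.` / `n` byte, and those two byte values differ in a single bit.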

