From jjamerson at ec.rr.com  Tue Feb 10 15:12:51 2026
From: jjamerson at ec.rr.com (John Jamerson)
Date: Tue, 10 Feb 2026 13:12:51 +0000
Subject: [Aide] AIDE reports file as changed but it's not
Message-ID:

Need advice/opinion on this issue. Thanks in advance.

Customer is concerned (as am I) that daily reports show the same file as "changed" when in reality, it has not changed in weeks.

BACKGROUND: Modified AIDE configuration is used as an "Auditing tool" for file integrity and is used for contracted periodic outside Auditors.

I suspect this finding is caused by the setting of the file permissions. However, I could be very wrong. But that is the only thing I see that seems "out of the ordinary."

The Daily AIDE result findings shows a "C" which the aide.conf (5) man page states is a checksum difference finding.

================================================================

File in question: (full path redacted) /XXX/XXX/scripts/setup_env.sh

-r-xr-x---. 1 project dev 4841 Jan 26 12:00 setup_env.sh

Date of this report/AIDE check: audit-2026-02-09_03:35:02.txt

Contents of report: (which are repeated daily)

Start timestamp: 2026-02-09 03:35:04 +0000 (AIDE 0.16)
AIDE found differences between database and filesystem!!
Verbose level: 20

Summary:
  Total number of entries: 36
  Added entries: 0
  Removed entries: 0
  Changed entries: 1

---------------------------------------------------
Changed entries:
---------------------------------------------------

f ... .C... : /XXX/XXX/scripts/setup_env.sh

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /XXX/XXX/scripts/setup_env.sh
  SHA256 : y5GG64O1+gKA/rNSVySZpKdy3cn4pkm4 | YKmFstRIVnlo8V6X+2QqPyaudN4HTsgs
           /t/xwNytP8w=                     | orwc+rgq2Ic=

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/XXX/XXX/XXX/scripts/audit-daily/base_initfiles/aide.db.gz
  SHA1   : cuhD06PS920kSibgfVSRTqZWnAw=
  SHA256 : i6+pXcecIDLyXvb/JOpjrcKEDNs1YEZo
           Hk0gmxC6Gac=
  SHA512 : ta1tUDRZIfuZuBklRh46L8rCNnoKyD1R
           uQ9xMGG1c+AAmaYIyGF1M4rY0AxkStqY
           H0OWxF1M2P1akR/2eceMTg==

End timestamp: 2026-02-09 03:35:04 +0000 (run time: 0m 0s)

V/R
John Jamerson
Senior Unix Admin

From mh+aide at zugschlus.de  Tue Feb 10 15:28:00 2026
From: mh+aide at zugschlus.de (Marc Haber)
Date: Tue, 10 Feb 2026 14:28:00 +0100
Subject: [Aide] AIDE reports file as changed but it's not
In-Reply-To:
Message-ID:

Hi,

On Tue, Feb 10, 2026 at 01:12:51PM +0000, John Jamerson wrote:
> Customer is concerned (as am I) that daily reports show the same file
> as "changed" when in reality, it has not changed in weeks.

How did you check that the file didn't change?

> I suspect this finding is caused by the setting of the file
> permissions. However, I could be very wrong. But that is the only
> thing I see that seems "out of the ordinary."
> The Daily AIDE result findings shows a "C" which the aide.conf
> (5) man page states is a checksum difference finding.

Yes, that is indeed the case.

> File in question: (full path redacted) /XXX/XXX/scripts/setup_env.sh
>
> -r-xr-x---. 1 project dev 4841 Jan 26 12:00 setup_env.sh

What does stat(1) say on that file?

> File: /XXX/XXX/scripts/setup_env.sh
>
> SHA256 : y5GG64O1+gKA/rNSVySZpKdy3cn4pkm4 |
>YKmFstRIVnlo8V6X+2QqPyaudN4HTsgs
>
> /t/xwNytP8w= | orwc+rgq2Ic=

Removing the gratuitous line breaks, that would be the SHA256 checksum that was in the database for said file, and the SHA256 checksum the file was found to have during the aide run.

Is SHA256 the only checksum you're using in your audit config?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Phone: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
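
Added example, not part of either message and not AIDE project code: the digests in the quoted report are base64-encoded and wrapped across lines, so this rejoins the two columns and checks which of them a file on disk has right now. The function names and the exact column spacing of the sample are assumptions; the sample text is constructed from the values quoted in the thread.

```python
import base64, hashlib, re

HASHES = {"MD5", "SHA1", "SHA256", "SHA512"}
# Constructed sample: detail block from the thread's report (spacing assumed).
SAMPLE_REPORT = """\
File: /XXX/XXX/scripts/setup_env.sh
 SHA256   : y5GG64O1+gKA/rNSVySZpKdy3cn4pkm4 | YKmFstRIVnlo8V6X+2QqPyaudN4HTsgs
            /t/xwNytP8w=                     | orwc+rgq2Ic=
"""

def parse_wrapped_hashes(report_text):
    """Return {path: {algo: (database_b64, filesystem_b64)}} with wraps rejoined."""
    result, path, algo = {}, None, None
    for line in report_text.splitlines():
        m = re.match(r"\s*File:\s+(\S.*)$", line)
        if m:
            path, algo = m.group(1).strip(), None
            result[path] = {}
        elif path is not None and "|" in line:
            left, right = line.split("|", 1)
            m = re.match(r"\s*(\w+)\s*:\s+(.*)$", left)
            if m:  # first row of an attribute; keep only hash attributes
                name = m.group(1).upper()
                algo = name if name in HASHES else None
                if algo:
                    result[path][algo] = (m.group(2).strip(), right.strip())
            elif algo:  # continuation row of the current hash
                old, new = result[path][algo]
                result[path][algo] = (old + left.strip(), new + right.strip())
    return result

def b64_to_hex(b64):
    """Convert a report digest to the hex form sha256sum prints."""
    return base64.b64decode(b64, validate=True).hex()

def file_digest_b64(path, algo="sha256"):
    """Hash a file the way the report shows it: base64 of the raw digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return base64.b64encode(h.digest()).decode()

def classify(path, database_b64, filesystem_b64, algo="sha256"):
    """Say which of the two reported values the file on disk has right now."""
    now = file_digest_b64(path, algo)
    if now == database_b64:
        return "matches-database"
    return "matches-report" if now == filesystem_b64 else "matches-neither"
```

Run `classify()` against the real file with the pair returned by `parse_wrapped_hashes()` for that path; `b64_to_hex()` gives the form to compare with `sha256sum` output.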