[Aide] AIDE reports file as changed but it's not

John Jamerson jjamerson at ec.rr.com
Tue Feb 10 15:12:51 EET 2026 


	Need advice/opinion on this issue. Thanks in advance. 

	Customer is concerned (as am I) that daily reports show the same file
as "changed' when in reality, it has not changed in weeks. 

	BACKGROUND: Modified AIDE configuration is used as an “Auditing
tool” for file integrity and is used for contracted periodic outside
Auditors. 

	I suspect this finding is caused by the setting of the file
permissions. However, I could be very wrong. But that is the only
thing I see that seems "out of the ordinary." 

	The Daily AIDE result findings shows a “C” which the aide.conf
(5) man page states is a checksum difference finding. 

	================================================================ 

	File in question: (full path redacted) /XXX/XXX/scripts/setup_env.sh 

	-r-xr-x---. 1 project dev 4841 Jan 26 12:00 setup_env.sh 

	Date of this report/AIDE check: 

	audit-2026-02-09_03:35:02.txt 

	Contents of report: (which are repeated daily) 

	Start timestamp: 2026-02-09 03:35:04 +0000 (AIDE 0.16) 

	AIDE found differences between database and filesystem!! 

	Verbose level: 20 

	Summary: 

	 Total number of entries: 36 

	 Added entries: 0 

	 Removed entries: 0 

	 Changed entries: 1 

	--------------------------------------------------- 

	Changed entries: 

	--------------------------------------------------- 

	f ... .C... : /XXX/XXX/scripts/setup_env.sh 

	--------------------------------------------------- 

	Detailed information about changes: 

	--------------------------------------------------- 

	File: /XXX/XXX/scripts/setup_env.sh 

	 SHA256 : y5GG64O1+gKA/rNSVySZpKdy3cn4pkm4 |
YKmFstRIVnlo8V6X+2QqPyaudN4HTsgs 

	 /t/xwNytP8w= | orwc+rgq2Ic= 

	--------------------------------------------------- 

	The attributes of the (uncompressed) database(s): 

	--------------------------------------------------- 

	/XXX/XXX/XXX/scripts/audit-daily/base_initfiles/aide.db.gz 

	 SHA1 : cuhD06PS920kSibgfVSRTqZWnAw= 

	 SHA256 : i6+pXcecIDLyXvb/JOpjrcKEDNs1YEZo 

	 Hk0gmxC6Gac= 

	 SHA512 : ta1tUDRZIfuZuBklRh46L8rCNnoKyD1R 

	 uQ9xMGG1c+AAmaYIyGF1M4rY0AxkStqY 

	 H0OWxF1M2P1akR/2eceMTg== 

	End timestamp: 2026-02-09 03:35:04 +0000 (run time: 0m 0s) 

	V/R 

	John Jamerson 

	Senior Unix Admin 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.ipi.fi/pipermail/aide/attachments/20260210/28102e19/attachment.htm>

More information about the Aide mailing list