[Aide] AIDE reports file as changed but it's not
Marc Haber
mh+aide at zugschlus.de
Tue Feb 10 15:28:00 EET 2026
Hi,
On Tue, Feb 10, 2026 at 01:12:51PM +0000, John Jamerson wrote:
> Customer is concerned (as am I) that daily reports show the same file
> as "changed" when in reality, it has not changed in weeks.
How did you check that the file didn't change?
> I suspect this finding is caused by the setting of the file
> permissions. However, I could be very wrong. But that is the only
> thing I see that seems "out of the ordinary."
> The Daily AIDE result findings shows a “C” which the aide.conf(5)
> man page states is a checksum difference finding.
Yes, that is indeed the case.
> File in question: (full path redacted) /XXX/XXX/scripts/setup_env.sh
>
> -r-xr-x---. 1 project dev 4841 Jan 26 12:00 setup_env.sh
What does stat(1) say on that file?
> File: /XXX/XXX/scripts/setup_env.sh
>
> SHA256 : y5GG64O1+gKA/rNSVySZpKdy3cn4pkm4 |
>YKmFstRIVnlo8V6X+2QqPyaudN4HTsgs
>
> /t/xwNytP8w= | orwc+rgq2Ic=
Removing the gratuitous line breaks, that would be the SHA256 checksum
that was in the database for said file, and the SHA256 checksum the file
was found to have during the aide run.
Is SHA256 the only checksum you're using in your audit config?
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
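
Added example, not part of the original message: one way to check independently whether the file on disk matches either value in the quoted report. It assumes the wrapped chunks alternate between the database column and the current column (left and right of the `|`), and that the digests are base64 encoded; the function names are hypothetical.

```python
import base64
import hashlib
import re

# Report fragment as quoted in the message above, mail wrapping included.
REPORT = """\
> SHA256 : y5GG64O1+gKA/rNSVySZpKdy3cn4pkm4 |
>YKmFstRIVnlo8V6X+2QqPyaudN4HTsgs
>
> /t/xwNytP8w= | orwc+rgq2Ic=
"""

def split_columns(report):
    """Return (database_value, current_value) as base64 strings."""
    text = re.sub(r"(?m)^[ \t]*>[ \t]?", "", report)  # drop mail quote markers
    text = text.split(":", 1)[1]                      # drop the "SHA256 :" label
    chunks = re.findall(r"[A-Za-z0-9+/]+=*", text)
    # Assumption: chunks alternate database, current, database, current.
    return "".join(chunks[0::2]), "".join(chunks[1::2])

def to_hex(b64_value):
    """Decode a base64 digest into the hex form sha256sum(1) prints."""
    raw = base64.b64decode(b64_value, validate=True)
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("not a SHA256 digest")
    return raw.hex()

def file_digest_b64(path):
    """SHA256 of the file contents, base64 encoded like the report values."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return base64.b64encode(h.digest()).decode()

def classify(path, report=REPORT):
    """Which reported value, if any, does the file match right now?"""
    old, new = split_columns(report)
    current = file_digest_b64(path)
    if current == new:
        return "run"        # same content AIDE saw during the check
    if current == old:
        return "database"   # content matches the stored baseline again
    return "neither"        # changed since the run, or a different file

if __name__ == "__main__":
    for label, value in zip(("database", "run"), split_columns(REPORT)):
        print(label, to_hex(value))
```

The hex values can be compared directly with `sha256sum` output taken on the host at different times of day.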