Hi,

We are presently using Aide for our Linux-based devices. As part of the Aide alerts, I observe that certain files in /usr/lib, /usr/bin and /lib show a checksum alert, as follows:

*Changed files:*
f =... ..C: /usr/bin/myapp
f =... ..C: /usr/lib/libssl.so

However, in later aide reports (a week later or so), some of the above alerts do not show up, and the later aide reports show only

f =... ..C: /usr/bin/myapp

There are many instances of checksum alerts (sha1) for various other devices, for different libraries and executables. The root file system of the device cannot be accessed using login/remote shell, and hence I have come to conclude that this alert, like a few other ones shown for other devices, is a false positive.

We are using an ARM platform and a JFFS2 file system. We have prelinking disabled, as I have read in many posts that prelinking tends to result in false positives.

Aide flags are set for p+i+s+n+b+u+sha1

aide -v
Aide 0.15.1
Compiled with the following options:
WITH_MMAP
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_GCRYPT
CONFIG_FILE = "/etc/aide.conf"

Could this be a problem in the GCRYPT library? Could someone guide me as to how I can investigate the root cause of this issue (what things I can try) and know for certain whether this was indeed a false positive?

Regards,
Max
_______________________________________________ Aide mailing list [email protected] https://www.ipi.fi/mailman/listinfo/aide
