Hi,

On Tue, Feb 10, 2026 at 01:12:51PM +0000, John Jamerson wrote:
        Customer is concerned (as am I) that daily reports show the same file
as "changed" when in reality, it has not changed in weeks.

How did you check that the file didn't change?

        I suspect this finding is caused by the setting of the file
permissions. However, I could be very wrong. But that is the only
thing I see that seems "out of the ordinary."

        The Daily AIDE result findings show a "C" which the aide.conf(5)
man page states is a checksum difference finding.

Yes, that is indeed the case.

        File in question: (full path redacted) /XXX/XXX/scripts/setup_env.sh

        -r-xr-x---. 1 project dev 4841 Jan 26 12:00 setup_env.sh

What does stat(1) say on that file?

        File: /XXX/XXX/scripts/setup_env.sh

         SHA256 : y5GG64O1+gKA/rNSVySZpKdy3cn4pkm4 |
YKmFstRIVnlo8V6X+2QqPyaudN4HTsgs

         /t/xwNytP8w= | orwc+rgq2Ic=


Removing the gratuitous line breaks, that would be the SHA256 checksum that was in the database for said file, and the SHA256 checksum the file was found to have during the aide run.

Is SHA256 the only checksum you're using in your audit config?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
_______________________________________________
Aide mailing list
[email protected]
https://www.ipi.fi/mailman/listinfo/aide
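
The check discussed in the message above, as an added example that is not part of the original mail or of AIDE itself: it rejoins the wrapped report columns into the database value and the value seen during the run, converts the base64 form to the hex that sha256sum(1) prints, and says which column the file matches right now. The function names and the assumption that the wrapped chunks alternate old, new, old, new are mine.

```python
import base64
import hashlib
import re

# Report excerpt copied from the message above, mail line wrapping included.
REPORT = """\
 SHA256 : y5GG64O1+gKA/rNSVySZpKdy3cn4pkm4 |
YKmFstRIVnlo8V6X+2QqPyaudN4HTsgs

 /t/xwNytP8w= | orwc+rgq2Ic=
"""

def rejoin_columns(report):
    """Return (database_value, run_value) as unbroken base64 strings."""
    body = report.split(":", 1)[1]  # drop the "SHA256 :" label
    chunks = re.findall(r"[A-Za-z0-9+/=]+", body)
    if not chunks or len(chunks) % 2:
        raise ValueError("old/new chunks do not pair up")
    # Assumption: chunks alternate old, new, old, new wherever the mail wrapped.
    return "".join(chunks[0::2]), "".join(chunks[1::2])

def to_hex(b64_digest):
    """Convert a base64 SHA256 digest to the hex form sha256sum(1) prints."""
    raw = base64.b64decode(b64_digest, validate=True)
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("not a 32-byte SHA256 digest")
    return raw.hex()

def file_sha256_b64(path):
    """Hash the file now, encoded the same way as the report columns."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return base64.b64encode(h.digest()).decode("ascii")

def classify(path, report):
    """Say which report column, if any, the file's current content matches."""
    old, new = rejoin_columns(report)
    now = file_sha256_b64(path)
    if now == old:
        return "database"
    if now == new:
        return "run"
    return "neither"

if __name__ == "__main__":
    for label, value in zip(("database", "run"), rejoin_columns(REPORT)):
        print(label, to_hex(value))
```

A result of "run" on consecutive days means the file content is stable and the reference database still holds the older checksum; "neither" means the content differs from both recorded values.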
