Malcolm Dsouza
2017-05-03 18:56:44 UTC
Hi,
We are presently using Aide for our Linux-based devices. As part of the
Aide alerts, I observe that the checksum of certain files in /usr/lib,
/usr/bin and /lib shows a checksum alert as follows:
*Changed files:*
f =... ..C: /usr/bin/myapp
f =... ..C: /usr/lib/libssl.so
However, in later aide reports (a week later or so) some of the above
alerts do not show up, and the later aide reports show only
f =... ..C: /usr/bin/myapp
There are many instances of Checksum alerts (sha1) for various other
devices for different libraries and executables.
The root file system of the device cannot be accessed using login/remote
shell, and hence I have come to conclude that this alert, like a few other
ones shown for other devices, is a false positive.
We are using an ARM platform and a JFFS2 file system.
We have prelinking disabled, as I have read in many posts that
prelinking tends to result in false positives. Aide flags are set to
p+i+s+n+b+u+sha1
aide -v
Aide 0.15.1
Compiled with the following options:
WITH_MMAP
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_GCRYPT
CONFIG_FILE = "/etc/aide.conf"
Could this be a problem in the GCRYPT library?
Could someone guide me as to how I can investigate the root cause of this
issue (what things can I try) and know for certain if this was indeed a
false positive?
Regards,
Max
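One concrete thing to try, as an added investigation script that is not from the original post or from the AIDE project: take the paths from the "Changed files" lines and re-hash each file several times through two different read paths. The `aide -v` output above lists WITH_MMAP, so AIDE reads file contents via mmap() where it can; hashing through mmap() and through plain read() and comparing tells you whether the bytes on the JFFS2 volume are actually changing (a real change or a read-path inconsistency) or whether the stored checksum is what is off. The mmap-versus-read angle is a hypothesis to test, not an established cause; the sample file is constructed.

```python
"""Re-hash files an AIDE report flags as checksum-only changes (the '..C' lines)
through mmap() and read(), repeatedly, to see whether the bytes are stable."""
import hashlib
import mmap
import os
import sys
import tempfile
def paths_from_report(text):
    """Pull the file paths out of AIDE 'Changed files' lines like
    'f =... ..C: /usr/bin/myapp'; headers such as '*Changed files:*' are skipped."""
    paths = []
    for line in text.splitlines():
        head, sep, path = line.strip().partition(": ")
        if sep and path.startswith("/") and head[:1].isalpha():
            paths.append(path)
    return paths
def sha1_read(path, chunk=65536):
    """SHA-1 via ordinary buffered read()."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()
def sha1_mmap(path):
    """SHA-1 via mmap(), the read path AIDE uses when built WITH_MMAP."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        if os.fstat(f.fileno()).st_size:  # mmap() of an empty file raises
            with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
                h.update(m)
    return h.hexdigest()

def check_file(path, rounds=3):
    """Return (stable, digests): stable is True only if every read agrees."""
    digests = {d for _ in range(rounds) for d in (sha1_read(path), sha1_mmap(path))}
    return len(digests) == 1, sorted(digests)

def self_check():
    """Constructed sample standing in for /usr/bin/myapp; returns check_file()."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "myapp")
        with open(p, "wb") as f:
            f.write(b"\x7fELF" + bytes(range(256)) * 300)
        return check_file(p)

if __name__ == "__main__":  # usage: aide --check | python3 rehash.py
    for p in paths_from_report(sys.stdin.read()):
        stable, digests = check_file(p) if os.path.isfile(p) else (None, [])
        print({True: "stable", False: "UNSTABLE", None: "missing"}[stable], p, *digests)
```

Run it on the device right after a report that shows `..C` and again a week later; a path that prints UNSTABLE, or whose digest differs between the two runs while the size/inode flags stay `=`, is a content or read-path problem rather than a gcrypt one, whereas consistently stable digests point at the stored database value.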