Starting from CA PAM version 4.X CA PAM administrators may receive mails alerts from AIDE

Article ID: 254302


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Starting with version 4.0.X of CA PAM, it is possible that messages similar to the following are received by the members of the Global Administrators group:

Subject: AIDE report for <machine_name>

This is an automated report generated by the Advanced Intrusion Detection Environment on <machine_name> started at 2022-11-12 06:25:01.

 

AIDE returned with exit code 4. Changed entries detected!

AIDE post run information

output database /var/lib/aide/aide.db.new was copied to /var/lib/aide/aide.db as requested by cron job configuration

End of AIDE post run information

 

AIDE produced no errors.

 

Output of the daily AIDE run (61 lines):

Start timestamp: 2022-11-12 06:25:01 +0000 (AIDE 0.16)

AIDE found differences between database and filesystem!!

New AIDE database written to /var/lib/aide/aide.db.new

Verbose level: 6

 

Summary:

  Total number of entries:       2893

  Added entries:                      0

  Removed entries:                  0

  Changed entries:                   1

 

---------------------------------------------------

Changed entries:

---------------------------------------------------

... list of changed files here, each with details of its current SHA256 digest and its previous SHA256 digest. For instance:

f >....   ..C.. .: /var/www/htdocs/uag/gatekeeper.ini

 

---------------------------------------------------

Detailed information about changes:

---------------------------------------------------

 

File: /var/www/htdocs/uag/gatekeeper.ini

  Size     : 1516                             | 1517

  SHA256   : SHolVQHKf9pRJPW/Skk6biIJrJoO9Nih | DVMGDwidQLHPYiTxdjKCqQbfiGyRhI+e

             m9uJrq2Mp7M=                     | tvOjyF9gSKY=

The purpose of this document is to clarify what the AIDE messages are.

Environment

CA PAM releases starting 4.0

Cause

AIDE (Advanced Intrusion Detection Environment) is an intrusion detection system that detects changes to files on the local system. It creates a database from the regular expression rules that it finds in its config file. Once this database is initialized it can be used to verify the integrity of the files. It supports several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) that are used to check the integrity of each file, and more algorithms can be added with relative ease. All of the usual file attributes can also be checked for inconsistencies. AIDE was added to PAM starting with version 4.0.0; it monitors the folders defined in /etc/aide/aide.conf.d/40_aide_pam, detects unexpected changes and reports any it finds.

AIDE runs as a cron job every day at the scheduled time for daily jobs, 06:25 GMT, so a change to a file it monitors will be reported on the next day, when that daily run takes place.
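As an added illustration (this is not CA PAM's or AIDE's own code), the following Python script mirrors the init/check cycle behind the report shown above: it records size and SHA256 for every file under a directory as a baseline, re-scans after a constructed one-byte edit to a sample gatekeeper.ini, and prints an AIDE-style summary with the old | new attribute columns. All paths and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Database of relative path -> (size, sha256) for every file under root.
    Plays the role of aide.db on the first run and aide.db.new on a check run."""
    db = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            db[path.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return db


def compare(old, new):
    """Classify entries the way the AIDE summary does: added, removed, changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return {"total": len(new), "added": added, "removed": removed, "changed": changed}


def report(result, old, new):
    """Render the summary block plus 'old | new' attribute lines per changed file."""
    lines = ["Summary:",
             f"  Total number of entries: {result['total']}",
             f"  Added entries:   {len(result['added'])}",
             f"  Removed entries: {len(result['removed'])}",
             f"  Changed entries: {len(result['changed'])}"]
    for p in result["changed"]:
        lines += [f"File: {p}",
                  f"  Size   : {old[p][0]} | {new[p][0]}",
                  f"  SHA256 : {old[p][1]} | {new[p][1]}"]
    return "\n".join(lines)


def demo():
    """Constructed scenario: take a baseline, then one config file grows by one byte."""
    with tempfile.TemporaryDirectory() as root:
        ini = Path(root, "uag", "gatekeeper.ini")      # constructed sample path
        ini.parent.mkdir()
        ini.write_text("timeout=30\n")
        Path(root, "uag", "other.conf").write_text("x=1\n")
        baseline = snapshot(root)                      # like 'aide --init'
        ini.write_text("timeout=300\n")                # the edit the mail would report
        current = snapshot(root)                       # like 'aide --check'
        result = compare(baseline, current)
        return result, report(result, baseline, current)


print(demo()[1])
```

Real AIDE additionally records permissions, ownership, timestamps and inode data per its rule set, so a change in any of those attributes, not only content, also produces a "Changed entries" line.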

Resolution

Receiving a mail from AIDE regarding modification of files or folders in PAM does not necessarily mean the system has been tampered with. If such a mail is received, please open a case with Support, specifying the exact message received, so that they can take a look.