
AIDE report(unknown) alert generated for file gatekeeper.ini


Article ID: 254303


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

In version 4.0.1, after setting the webservices log to debug, AIDE reports the following error:

Subject: AIDE report for <machine_name>

 

This is an automated report generated by the Advanced Intrusion Detection Environment on <machine_name> started at 2022-11-12 06:25:01.

 

AIDE returned with exit code 4. Changed entries detected!

AIDE post run information

output database /var/lib/aide/aide.db.new was copied to /var/lib/aide/aide.db as requested by cron job configuration

End of AIDE post run information

 

AIDE produced no errors.

 

Output of the daily AIDE run (61 lines):

Start timestamp: 2022-11-12 06:25:01 +0000 (AIDE 0.16)

AIDE found differences between database and filesystem!!

New AIDE database written to /var/lib/aide/aide.db.new

Verbose level: 6

 

Summary:

  Total number of entries:       2893

  Added entries:                      0

  Removed entries:                  0

  Changed entries:                   1

---------------------------------------------------

Changed entries:

---------------------------------------------------

f >....   ..C.. .: /var/www/htdocs/uag/gatekeeper.ini

---------------------------------------------------

Detailed information about changes:

---------------------------------------------------

File: /var/www/htdocs/uag/gatekeeper.ini

  Size     : 1516                             | 1517

  SHA256   : SHolVQHKf9pRJPW/Skk6biIJrJoO9Nih | DVMGDwidQLHPYiTxdjKCqQbfiGyRhI+e

             m9uJrq2Mp7M=                     | tvOjyF9gSKY=

 

This article explains this message and whether it is a cause for concern.

Environment

CA PAM 4.0 and 4.0.1

Cause

There is a known issue, resolved in defect DE521644, in which AIDE reports changes to gatekeeper.ini whenever the webservices log is set to debug. This error message, when received in versions 4.0 or 4.0.1, is thus harmless.

Resolution

No action is necessary unless the error message is received on a release that should already include the fix for DE521644. In that case, further investigation is required, and it is a good idea to open a support ticket.
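
The triage rule above can be applied to the daily report automatically. The following is an added example, not vendor code: it parses the summary and changed-entry lines of an AIDE 0.16 report and returns "known-issue" only when gatekeeper.ini is the sole change on an affected release. The function names and the ws_debug_enabled input are assumptions of this example.

```python
import re

# Names below are hypothetical; only the path and versions come from the article.
KNOWN_PATH = "/var/www/htdocs/uag/gatekeeper.ini"
AFFECTED_VERSIONS = {"4.0", "4.0.1"}

# "  Changed entries:   1" in the Summary block (the bare section heading has no count).
SUMMARY_RE = re.compile(r"^[ \t]*(Added|Removed|Changed) entries:[ \t]+(\d+)[ \t]*$", re.M)
# "f >....   ..C.. .: /path" : type letter, attribute flags, then the path.
ENTRY_RE = re.compile(r"^[fdl] .*?: (/.+?)[ \t]*$", re.M)

# Constructed sample: the relevant lines of the report quoted in this article.
SAMPLE_REPORT = """\
Summary:
  Total number of entries:       2893
  Added entries:                      0
  Removed entries:                  0
  Changed entries:                   1
---------------------------------------------------
Changed entries:
---------------------------------------------------
f >....   ..C.. .: /var/www/htdocs/uag/gatekeeper.ini
---------------------------------------------------
File: /var/www/htdocs/uag/gatekeeper.ini
  Size     : 1516                             | 1517
"""

def parse_report(text):
    """Return (summary counts, sorted list of changed paths) from an AIDE report."""
    counts = {name.lower(): int(n) for name, n in SUMMARY_RE.findall(text)}
    return counts, sorted(set(ENTRY_RE.findall(text)))

def triage(text, pam_version, ws_debug_enabled):
    """'known-issue' only for the exact case the article describes, else 'investigate'."""
    counts, paths = parse_report(text)
    only_gatekeeper = (
        paths == [KNOWN_PATH]
        and counts.get("added") == 0
        and counts.get("removed") == 0
        and counts.get("changed") == 1
    )
    # Requiring ws_debug_enabled is a conservative assumption of this example.
    if only_gatekeeper and pam_version in AFFECTED_VERSIONS and ws_debug_enabled:
        return "known-issue"
    return "investigate"

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, "4.0.1", ws_debug_enabled=True))
```

Any other changed path, any added or removed entry, or a release outside 4.0 and 4.0.1 falls through to "investigate", so the known issue never masks an unrelated change in the same report.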