"aureport -x --summary" shows -> /usr/sbin/sshd;61b30d72 (deleted)

linux centos audit

On one of the machines running Centos i.e.

cat /etc/redhat-release 
CentOS Linux release 7.9.2009 (Core)

i found something strange by the command aureport -x --summary

 aureport -x --summary

Executable Summary Report
=================================
total  file
=================================
19328  /usr/bin/rpm
11802  /usr/sbin/crond
7713  /usr/sbin/sshd
4201  /usr/bin/grep
1564  /usr/libexec/postfix/pickup
1031  /usr/sbin/libvirtd
891  /usr/sbin/logrotate
866  /usr/sbin/unix_chkpwd
785  /usr/lib/systemd/systemd-logind
704  /usr/bin/ps
541  /usr/bin/su
302  /usr/bin/bash
295  /usr/sbin/xtables-multi
294  /usr/lib/systemd/systemd
222  /usr/bin/sudo
171  /usr/bin/id
135  /usr/bin/systemd-tmpfiles
66  /usr/bin/python2.7
48  /usr/bin/date
46  /usr/sbin/brctl
41  /usr/bin/ls
32  /usr/bin/ssh
31  /usr/bin/diff
30  /usr/sbin/sendmail.postfix
29  /usr/sbin/anacron
27  /usr/lib/polkit-1/polkitd
27  /usr/bin/pkla-check-authorization
24  /usr/libexec/postfix/cleanup
24  /usr/libexec/postfix/trivial-rewrite
24  /usr/libexec/postfix/local
20  /usr/sbin/virtlogd
18  /usr/sbin/postdrop
15  /usr/sbin/ebtables-restore
10  /usr/bin/kmod
6  /usr/bin/vim
6  /usr/libexec/postfix/master
5  /usr/sbin/sshd;61b30d72 (deleted)
4  /usr/bin/ssh-keygen
3  /usr/sbin/postfix
3  /usr/sbin/postlog
3  /usr/lib/systemd/systemd-update-utmp
3  /usr/sbin/autrace
2  /usr/bin/cpio
1  /usr/bin/getent
1  /usr/bin/chown
1  /usr/sbin/ip

what does "61b30d72 (deleted)" means

rkhunter does not show any warrning or susspect files! i.e.

rkhunter --update --propupd
[ Rootkit Hunter version 1.4.6 ]

and then

rkhunter -c -sk

!!!all green!!!

what 61b30d72 means?


It means that the executable file /usr/sbin/sshd which the report line refers to has been deleted between the time of the audit log entry and the time of the report. The most probable cause is that it has been replaced by an update. This explanation is supported by the fact that there is another line /usr/sbin/sshd without the mention deleted which would refer to the updated executable which was present at the time the report was created.

Related

HA-Proxy and ACL for http-request deny
Is there a command line two-factor authentication verification code generator?
Dnsmasq server does not work when configured as the primary DNS in my router
Changes in compression rate
Helm: how to add elements to a list of default values?
Windows CLI way to copy to the same directory and only change the case of the filename?
Certbot https not working for example.com, only for www.example.com
Any reason not to use 512-bytes clusters for NTFS?
SQL developer refine connections view
Eclipse always Building workspace
What are Solidity Events
Pause an outlook vba code for 5-10 seconds and after run the script