[clue-tech] Anyone else using tripwire?
Angelo Bertolli
angelo at freeshell.org
Mon Dec 5 09:12:07 MST 2005
Whenever I get tripwire reports, I always see files that have changed in
/usr/sbin and /usr/lib
The stuff in /usr/sbin is just changing timestamp e.g.
Modified object name: /usr/sbin/update-gtk-immodules
Property: Expected Observed
------------- ----------- -----------
* Inode Number 167758 167802
* Modify Time Wed 11 May 2005 02:45:21 PM EDT
Sun 20 Nov 2005
03:29:48 PM EST
I can't really think of any reason why something in /usr/sbin should
have its timestamp updated
The stuff in /usr/lib is actually changing:
Modified object name: /usr/lib/libgdk_pixbuf_xlib-2.0.so.0.600.4
Property: Expected Observed
------------- ----------- -----------
* Inode Number 163919 163955
* Modify Time Wed 11 May 2005 02:46:36 PM EDT
Sun 20 Nov 2005
03:30:08 PM EST
* CRC32 A/zITz DeZs5j
* MD5 DUoNCBxLSXhktKS7pSMDhn A3aLt6y4fQyRFW0JwChAeP
That's even more scary, but I have no reason to believe this is incorrect.
Does anyone know why stuff would continuously be changing if there are
no updates to the system software?
Angelo
_______________________________________________
CLUE-tech mailing list
CLUE-tech at cluedenver.org
http://cluedenver.org/mailman/listinfo/clue-tech
More information about the clue-tech
mailing list