[clue-tech] Anyone else using tripwire?

Ballon, Mike Mike.Ballon at echostar.com
Mon Dec 5 09:49:58 MST 2005 

Inode changes have been turned off in the commercial product as TW
watches the permissions and hash as well.  I wouldn't worry about it too
much, just means the location of the file has changed.  The second item
that shows the change in file contents is something you should look at
if you haven't had any changes/updates to the system.

-----Original Message-----
From: clue-tech-bounces at cluedenver.org
[mailto:clue-tech-bounces at cluedenver.org] On Behalf Of Angelo Bertolli
Sent: Monday, December 05, 2005 9:12 AM
To: CLUE technical discussions - Q& A
Subject: [clue-tech] Anyone else using tripwire?

Whenever I get tripwire reports, I always see files that have changed in
/usr/sbin and /usr/lib

The stuff in /usr/sbin is just changing timestamp e.g.
Modified object name:  /usr/sbin/update-gtk-immodules

Property:            Expected                    Observed
-------------        -----------                 -----------
* Inode Number         167758                      167802
* Modify Time          Wed 11 May 2005 02:45:21 PM EDT
                                                 Sun 20 Nov 2005
03:29:48 PM EST


I can't really think of any reason why something in /usr/sbin should 
have its timestamp updated

The stuff in /usr/lib is actually changing:
Modified object name:  /usr/lib/libgdk_pixbuf_xlib-2.0.so.0.600.4

Property:            Expected                    Observed
-------------        -----------                 -----------
* Inode Number         163919                      163955
* Modify Time          Wed 11 May 2005 02:46:36 PM EDT
                                                 Sun 20 Nov 2005 
03:30:08 PM EST
* CRC32                A/zITz                      DeZs5j
* MD5                  DUoNCBxLSXhktKS7pSMDhn
A3aLt6y4fQyRFW0JwChAeP

That's even more scary, but I have no reason to believe this is
incorrect.

Does anyone know why stuff would continuously be changing if there are 
no updates to the system software?

Angelo

_______________________________________________
CLUE-tech mailing list
CLUE-tech at cluedenver.org
http://cluedenver.org/mailman/listinfo/clue-tech
_______________________________________________
CLUE-tech mailing list
CLUE-tech at cluedenver.org
http://cluedenver.org/mailman/listinfo/clue-tech

More information about the clue-tech mailing list