tripwire reports major changes -- gcc or selinux or ...
Scot L. Harris
webid at cfl.rr.com
Tue Jul 12 00:53:53 UTC 2005
On Mon, 2005-07-11 at 20:34, Marcin Struzak wrote:
> I am running FC3 with tripwire-2.3.1-20.fdr.1.1 (RPM), and all of a
> sudden, after months of successful "quiet" or almost quiet behavior, my
> nightly check reports over 6500 changes. This is very unusual for an
> "overnight" situation, and so I am trying to figure out what caused
> it.
>
> I did an up2date on glibc (which triggered other packages, such as
> gcc, cpp, and libgcc), required to compile FrontPage extensions, and I
> also played with SE_Linux (set SELINUX from enforcing to permissive,
> with a reboot in between), but I see files from all kinds of packages
> as changed. Most of the ones that should not change have a different
> inode number, different CRC32 and different MD5; sizes, times, etc,
> are the same.
>
> Any ideas as to what may have triggered such an avalanche of changes?
> How possibly can the same file have a different CRC? Does SE_Linux do
> something to actual files on the disk? Maybe to the inode table? I
> thought it maintained a database for the kernel to consult, and the
> actual files were independent.
>
> Thanks in advance.
hmm, you updated glibc. Could it be that prelink ran after that and
linked all those executables to modified libraries?
:)
--
Scot L. Harris
webid at cfl.rr.com
Beggars should be no choosers.
-- John Heywood
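
One way to test the prelink hypothesis from the reply above, as an added example that is not part of the original thread: sort the paths the integrity checker flagged into ELF files, which prelink could have rewritten, and everything else, which it could not. The function names and the one-path-per-line input are assumptions of this sketch; `prelink --verify --md5` is prelink's own check, which undoes and redoes the prelinking and prints the MD5 of the original file.

```bash
#!/usr/bin/env bash
# Triage paths that an integrity checker reported as changed.
# Assumption: the changed paths were extracted into a list, one per line.

# is_elf PATH: succeed if PATH is a readable regular file that starts
# with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    [ "$(head -c 4 -- "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# classify PATH: print one label for PATH.
#   missing           file is gone or is not a regular file
#   non-elf           prelink never touches it, so prelink cannot explain the change
#   elf-unverified    ELF, but prelink is not installed to check it
#   elf-prelink-ok    prelink can reproduce the pre-prelink file
#   elf-prelink-FAIL  prelink cannot account for the current contents
classify() {
    if [ ! -f "$1" ]; then echo missing; return; fi
    if ! is_elf "$1"; then echo non-elf; return; fi
    if ! command -v prelink >/dev/null 2>&1; then echo elf-unverified; return; fi
    if prelink --verify --md5 "$1" >/dev/null 2>&1; then
        echo elf-prelink-ok
    else
        echo elf-prelink-FAIL
    fi
}

# triage: read paths on stdin, print "label<TAB>path" for each.
triage() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s\t%s\n' "$(classify "$path")" "$path"
    done
}

# Run as: ./triage.sh changed-paths.txt
if [ "$#" -gt 0 ]; then
    triage < "$1"
fi
```

Entries labelled `non-elf`, `missing` or `elf-prelink-FAIL` are the ones that still need an explanation; for `elf-prelink-ok` files, the MD5 that `prelink --verify --md5` prints can be compared with the digest recorded before the update.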