tripwire reports major changes -- gcc or selinux or ...

Marcin Struzak marcin at struzak.com
Tue Jul 12 17:26:16 UTC 2005


Daniel J Walsh wrote:
> >>I am running FC3 with tripwire-2.3.1-20.fdr.1.1 (RPM), and all of a
> >>sudden, after months of successful "quiet" or almost quiet behavior, my
> >>nightly check reports over 6500 changes.  This is very unusual for an
> >>"overnight" situation, and so I am trying to figure out what caused it.
> >>
> >>
> >>
> >
> >Prelinking can result in such changes (verify some key files with "rpm -V"
> >or even "rpm -Va"). But first of all, you should update your tripwire
> >package to FC3's. It's tripwire-2.3.1-21 in Fedora Extras.  Your one is
> >for FC1.
> >
> >
> >
> Are you seeing AVC messages in your log files?  /var/log/messages and/or
> /var/log/audit/audit.log

FrontPage was giving me too much headache, so I set SELINUX to permissive,
as I was running SE just to check it out.  I am definitely getting AVC
messages, but all related to FrontPage and httpd (FrontPage has its own
cgi-like executable that tries to access things in weird places, and all of
these get reported).

Thanks!

--Marcin



