Tripwire signatures

Chris Purcell redhat at cjp.us
Wed Jun 30 14:09:34 UTC 2004


I have a RH73 server that runs Tripwire on a nightly basis.   I wrote a
short Perl script that checks the signatures of the Tripwire binaries
(twadmin, tripwire, and siggen) against their signatures that are stored
on a read-only medium.   These signatures were created when Tripwire was
first installed a year ago.  The server was up and running flawlessly for
over 300 days until the other day when it crashed with nothing in the logs
to show what happened.   The next night I accidentally had yum updates
started so it did a yum update and updated over 3500 files.  It didn't
touch the tripwire files, but for some reason the signatures on the
Tripwire binaries changed.   The files haven't been modified since 2002,
according to the output of 'ls -l'.   What would cause the signatures to
change besides a hacker trying to cover up his tracks?

Thanks,
Chris
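
An added example (not part of the original post, and not the poster's Perl script): a baseline check of the kind the message describes, which records each file's ctime and inode next to the mtime that 'ls -l' prints, since mtime can be reset after a write. SHA-256, the sha256sum-style baseline format and all function names are assumptions.

```python
import hashlib
import os
import sys

def sha256_of(path):
    """Hash the file in chunks so large binaries are not read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def load_baseline(baseline_path):
    """Parse 'hexdigest  /path' lines (sha256sum output style) into {path: digest}."""
    baseline = {}
    with open(baseline_path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            digest, path = line.split(None, 1)
            # sha256sum marks binary mode with a leading '*' on the path
            baseline[path[1:] if path.startswith("*") else path] = digest.lower()
    return baseline

def verify(baseline):
    """Return one finding per file: hash status plus the inode data 'ls -l' omits."""
    findings = []
    for path, expected in sorted(baseline.items()):
        try:
            st = os.stat(path)
            actual = sha256_of(path)
        except OSError as exc:
            findings.append({"path": path, "status": "MISSING", "error": str(exc)})
            continue
        findings.append({
            "path": path,
            "status": "OK" if actual == expected else "CHANGED",
            "mtime": st.st_mtime,  # shown by 'ls -l'; can be set back with touch/utime
            "ctime": st.st_ctime,  # inode change time; set by the kernel, see 'ls -lc'
            "inode": st.st_ino,    # differs from before if the file was replaced
        })
    return findings

if __name__ == "__main__":
    # Usage (the baseline path is whatever file sits on the read-only medium)
    for f in verify(load_baseline(sys.argv[1])):
        print(f["status"], f["path"], f.get("mtime"), f.get("ctime"), f.get("inode"))
```

A CHANGED file whose mtime is old but whose ctime is recent was written to, or had its metadata changed, after the date 'ls -l' reports.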