At 08:43 PM 4/22/02, you wrote:
>this is a great clue, doing as you said I have found that the xmame and
>Xwrapper files referenced in the messages I posted are present twice each in
>the suid_md5.diff file and appear on different lines in the suid_md5.today
>and suid_md5.yesterday, if I understand what is happening with these three
>files correctly then this would cause the behaviour I described?
>I believe that a similar thing has happened with the other files, if I am
>happy that my files are okay perhaps I should delete these files (some of
>them) and let msec start from scratch, I've just upgraded to the latest
>version of msec as Florin suggested so I shall wait till the morning to see
>what happens

Bascule,

Glad my tip helped. Part of what msec does is to detect changes on your system from day to day and to detect files with strange settings, for example files with a group or user number which is not in /etc/passwd or /etc/group. Generally, I'd expect the file lists to be in the same order every time, although when msec finds new files (or when old files go away), the actual line number will change.

If you want another opinion on the files, feel free to create a tarball of /var/log/security and email it to me (off-list). If you do wipe the directory, then the next report will probably show ALL the strange files...

David
