-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Aug 3, 2011, at 10:41 AM, Chris Phillips wrote:
> Many Thanks Daniel,
> 
> That is just what I needed to hear/read!
> 
> I can see that we do have prelinking turned ON, but not sure it's a "choice" 
> rather than an OS default, so we may end up switching it OFF as I doubt we 
> see any benefits from it.

Prelinking seems to benefit desktop situations more than server situations, 
provided the server is mostly static with respect to the daemons running.  So 
turning it off on a server could result in a few milliseconds of delay on a 
reboot or restart of a service, but overall likely won't cause any issues 
during normal operation.

> Cheers,
> --
> ChrisP
> 
> Chris Phillips
> Service Designer, intY Ltd.
> +44 (0)1454 640 532
> 
> 
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On 
> Behalf Of Daniel Cid
> Sent: 03 August 2011 13:57
> To: [email protected]
> Subject: Re: [ossec-list] Several hundred alerts for "Integrity checksum 
> changed"
> 
> Probably because of prelinking... More details here:
> 
> http://www.ossec.net/wiki/Know_How:Check_Sums
> 
> Thanks,
> 
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
> 
> On Wed, Aug 3, 2011 at 9:11 AM, Chris Phillips <[email protected]> 
> wrote:
>> Hi All,
>> 
>> Recently, I received about 400+ "Alert Level 7" notifications, for a single 
>> server, all related to "Integrity checksum changed" events.
>> 
>> I am really worried about this, but I can see no reason why it has happened.
>> 
>> The situation has not re-occurred and has not happened on any of the other 
>> servers we have OSSEC installed on.
>> 
>> Can anyone please explain what could cause this?  I am hoping it's some sort 
>> of obscure but OK OSSEC anomaly!
>> 
>> Cheers,
>> --
>> ChrisP (slightly panicky)
>> 
>> 
>> -----Original Message-----
>> From: OSSEC HIDS
>> Sent: 28 July 2011 08:46
>> To: Chris Phillips
>> Subject: OSSEC Notification (myserver) - Alert level 7
>> 
>> OSSEC HIDS Notification.
>> 2011 Jul 28 08:46:23
>> 
>> Received From: (myserver) >syscheck
>> Rule: 550 fired (level 7) -> "Integrity checksum changed."
>> Portion of the log(s):
>> 
>> Integrity checksum changed for: '/sbin/debugfs'
>> Old md5sum was: 'fd96fc82b74a47577835538ccf6d2adb'
>> New md5sum is : 'c4c01019d7806734e857996adc63cf17'
>> Old sha1sum was: 'c57a92218bd321ff8b27c154e2f5b29185530728'
>> New sha1sum is : '4550b5743fe3368bc1bac683c60c14c232b671e5'
>> 
>> --END OF NOTIFICATION
>> 
> 
> Scanned by MailDefender - managed email security from intY - 
> www.maildefender.net
> 

- ---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
- ---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- - Niven's Inverse of Clarke's Third Law



-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)

iEYEARECAAYFAk459JwACgkQ8CjzPZyTUTRdwQCeP6Lra2YR2n6sKIQr8NcGFPqq
CD0An1/qMuY6e+fCM50CrAI2aI+1JRT9
=PE0i
-----END PGP SIGNATURE-----
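
A triage helper for the situation in this thread, added here as an example (it is not code from the posters or from OSSEC): it parses rule 550 mails in the layout quoted above and reports hosts where many files changed in one short window, listing any changed paths outside binary and library directories, since prelink only rewrites ELF binaries and libraries. The function names, `BIN_DIRS`, the 30-minute window, the threshold of 5 and the sample mails (paths other than `/sbin/debugfs`, and all hashes) are assumptions constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields of one rule-550 mail, in the layout quoted in the thread.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+Received From: \((?P<host>[^)]+)\)"
    r".*?Rule: 550 fired.*?Integrity checksum changed for: '(?P<path>[^']+)'"
    r".*?Old md5sum was: '(?P<old_md5>[0-9a-f]{32})'.*?New md5sum is : '(?P<new_md5>[0-9a-f]{32})'",
    re.S | re.M)
# Assumption: directories holding ELF binaries and libraries, the only files prelink rewrites.
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib", "/usr/lib")

def parse_notifications(text):
    """Return one dict per rule-550 notification; other mails are skipped."""
    events = []
    for m in map(ALERT_RE.search, text.split("--END OF NOTIFICATION")):
        if m:
            events.append({**m.groupdict(), "ts": datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S")})
    return events

def find_bursts(events, window=timedelta(minutes=30), threshold=5):
    """Map host -> burst summary when >= threshold distinct files change within one window."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    bursts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for first in evs:
            paths = {e["path"] for e in evs if timedelta(0) <= e["ts"] - first["ts"] <= window}
            if len(paths) >= threshold:
                odd = sorted(p for p in paths if not p.startswith(BIN_DIRS))
                bursts[host] = {"files": len(paths), "outside_bin_dirs": odd}
                break
    return bursts

def sample_mail(ts, host, path, n):
    """Build a constructed notification (made-up hashes) for the demo below."""
    return (f"OSSEC HIDS Notification.\n{ts}\n\nReceived From: ({host}) >syscheck\n"
            f'Rule: 550 fired (level 7) -> "Integrity checksum changed."\nPortion of the log(s):\n\n'
            f"Integrity checksum changed for: '{path}'\nOld md5sum was: '{n:032x}'\n"
            f"New md5sum is : '{n + 1000:032x}'\n\n --END OF NOTIFICATION\n")

PATHS = ["/sbin/debugfs", "/sbin/fsck", "/bin/ls", "/bin/ps", "/usr/bin/ssh", "/etc/hosts"]
SAMPLE = "".join(sample_mail(f"2011 Jul 28 08:4{i}:23", "myserver", p, i) for i, p in enumerate(PATHS))
SAMPLE += sample_mail("2011 Jul 28 11:02:10", "otherhost", "/usr/sbin/sshd", 99)

if __name__ == "__main__":
    print(find_bursts(parse_notifications(SAMPLE)))
```

A burst only narrows the cause to a system-wide change; the files still need to be compared against the package database before the alerts are closed, and anything listed under `outside_bin_dirs` is not explained by prelinking.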