Thanks Dan, I'm certain that you are right. I was not aware of the prelinking process that runs on a cron but it now makes perfect sense. For those that are interested after Dan pointed me in the right direction I found the below post:
http://serverfault.com/questions/203730/ossec-integrity-checksum-alert-what-caused-the-change On Thursday, October 18, 2012 5:52:05 AM UTC-7, dan (ddpbsd) wrote: > > On Wed, Oct 17, 2012 at 7:39 PM, maxjar10 <[email protected]<javascript:>> > wrote: > > I have just installed ossec yesterday and today I was notified that > there > > was a change in /usr/bin/inotifywatch. I know that I had seen someone > post a > > configuration that ignored this file but I'm wondering if this is a safe > > thing to do. I can't figure out why this binary should change. > > > > Thanks! > > Figure out why it changed first, then decide. Was it prelinking? >
