Preface this with: we're an all-Windows shop & my *nix chops are not great. Good enough to get things working but not to the point where I always understand why some things happen.
Yesterday I set up a new OSSEC server (my first) on Debian 7.1. I have the server and 1 agent reporting. This morning I came in to find the following rule 550 Checksum changed alerts for the server.

+/etc/group-
+/etc/passwd
+/etc/init.d/.depend.start
+/etc/init.d/.depend.stop
+/etc/shadow-
+/etc/gshadow
+/etc/shadow
+/etc/gshadow-
+/etc/group
+/etc/passwd-
+/etc/ld.so.cache

The time sequence was between 5:58 & 6:01 so it looks like it was some automated process. I've searched and found references to prelinking causing this but that doesn't seem to be the issue here (doesn't seem to be enabled/installed and apparently ossec handles it properly now anyways?). I also checked the files and there doesn't seem to be any new or odd entries. I've got strong passwords on the server & this is the only nix box on the network.

Any ideas what would cause this?
