On Thu, Sep 26, 2013 at 9:54 AM, Jay B <[email protected]> wrote:
> Preface this with we're an all windows shop & my *nix chops are not great.
> Good enough to get things working but not to the point where I always
> understand why some things happen.
>
> Yesterday I set up a new OSSEC server (my first) on Debian 7.1. I have the
> server and 1 agent reporting.
>
> This morning I came in to find the following rule 550 Checksum changed
> alerts for the server.
>
> +/etc/group-
> +/etc/passwd
> +/etc/init.d/.depend.start
> +/etc/init.d/.depend.stop
> +/etc/shadow-
> +/etc/gshadow
> +/etc/shadow
> +/etc/gshadow-
> +/etc/group
> +/etc/passwd-
> +/etc/ld.so.cache
>
> The time sequence was between 5:58 & 6:01 so it looks like it was some
> automated process. I've searched and found references to prelinking causing
> this but that doesn't seem to be the issue here (doesn't seem to be
> enabled/installed and apparently ossec handles it properly now anyways?). I
> also checked the files and there doesn't seem to be any new or odd entries.
> I've got strong passwords on the server & this is the only nix box on the
> network.
>
> Any ideas what would cause this?

System updates?
