Keith Lofstrom wrote:

I run ancient old tripwire nightly on my machines. Yesterday, on my
SL4.4 laptop, I noticed that it had found changes to "vipw" and other
security related tools. A little concerned, I downloaded the latest
version of chkrootkit and ran it, finding no problems. I looked at
the yum logs, and found a yum upgrade of util-linux from sl-errata;
the header file shows that vipw and the rest had been updated.

False alarm, I am probably safe, assuming no outbreak of evil at SL or
TUV (=The Upstream Vendor in North Carolina, for those wondering).

I will react similarly if I ever see a change of the basic security
programs. Is there anything else a prudent administrator should check
when these programs change?

Keith

If you are running tripwire on a machine, you should always check your
yum update logs before your tripwire logs, so you aren't surprised.
Also, you should be subscribed to [EMAIL PROTECTED] so
that you get the announcements about the released security errata. We
do occasionally put out an errata without an e-mail, but not too often,
and the users usually help remind us if this happens.
To see which files can potentially change:

    rpm -ql <package>

If you are seeing a changed file outside of those files listed, you need
to check scripts:

    rpm -q --scripts --triggers <package>

Troy
--
__________________________________________________
Troy Dawson [EMAIL PROTECTED] (630)840-6468
Fermilab ComputingDivision/LCSI/CSI DSS Group
__________________________________________________
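
Added example (not part of the original messages): a small shell sketch of the reconciliation described in the thread, listing which packages the yum log says were updated and which tripwire-flagged paths fall outside the package file list. The function names, the assumed yum.log line layout and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example; sample data is constructed, not taken from a real host.

# Package names that a yum log reports as updated or installed.
# Assumes the "Mon DD HH:MM:SS Updated: name.arch version" line layout.
updated_packages() {
    awk '$4 == "Updated:" || $4 == "Installed:" {
             sub(/\.[^.]+$/, "", $5); print $5 }' "$1" | sort -u
}

# Changed paths (file $1) that are not in the package manifest (file $2,
# the saved output of `rpm -ql <package>` for each updated package).
# Anything printed here was not shipped by the update itself and calls
# for the `rpm -q --scripts --triggers <package>` review.
unexplained_changes() {
    grep -Fxv -f "$2" "$1" || true
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed yum log excerpt
    cat > "$tmp/yum.log" <<'EOF'
Mar 14 04:12:07 Updated: util-linux.i386 2.12a-16.EL4.25
EOF
    # Constructed stand-in for: rpm -ql util-linux
    cat > "$tmp/manifest" <<'EOF'
/usr/sbin/vipw
/usr/sbin/vigr
/bin/mount
EOF
    # Constructed list of paths the integrity checker flagged
    cat > "$tmp/changed" <<'EOF'
/usr/sbin/vipw
/bin/mount
/etc/ld.so.cache
EOF
    echo "updated packages: $(updated_packages "$tmp/yum.log")"
    echo "outside rpm -ql:  $(unexplained_changes "$tmp/changed" "$tmp/manifest")"
    rm -rf "$tmp"
}
demo
```

A path that shows up as "outside rpm -ql" is not automatically hostile; it is the set to compare against what the package scripts and triggers do.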