On Fri, Apr 18, 2014 at 06:17:45AM -0400, Eric Martin wrote:
> I have a weird problem with tripwire on at least two of my servers. A run
> of tripwire --check shows a few tripwire binaries have changed, which since
> I didn't do it is very suspicious:
> I expect twpol.txt to be changed since you update the policy. What is /
> isn't missing is the glaring alert that tripwire doesn't match the RPM.
> Also, the MD5 sum in tripwire on one machine doesn't match it on another,
> and neither do the SHA1 sums as computed from the command line. While I'm
> pretty good with CentOS, there are a few things that I'm still learning so
> I'm thinking that I'm missing something here. Can anybody please shed some
> light on this, especially the differing sha1sums? If these are binaries,
> shouldn't they have the same sha1sum?
One word. Prelink. rpm -V undoes the prelink on-the-fly to be able
to checksum the original unmodified binary.
> Also, do I need to blow away this machine and rebuild?
No, but you may want to un-prelink all your binaries and then disable
prelink from running again.
_______________________________________________
Wlug mailing list
Wlug@mail.wlug.org
http://mail.wlug.org/mailman/listinfo/wlug
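
The check the reply describes (undo the prelink, then checksum the original content) can be done by hand with `prelink -y`. This is an added example, not part of the original thread; `PRELINK_BIN`, `classify` and the baseline SHA1 (assumed to be the digest of the file as shipped, from a source you trust) are assumptions of the example.

```shell
#!/bin/sh
# Added example: tell prelink-induced checksum drift apart from a real change.
# PRELINK_BIN is a hypothetical override so the function can be pointed at a
# stub; by default it runs the real prelink binary.
PRELINK_BIN="${PRELINK_BIN:-prelink}"

sha1_stdin() { sha1sum | awk '{print $1}'; }

# classify FILE BASELINE_SHA1
#   BASELINE_SHA1 is assumed to be the SHA1 of the file before prelinking.
# Prints one of:
#   unchanged     on-disk bytes already match the baseline
#   prelink-only  on-disk bytes differ, un-prelinked content matches
#   modified      un-prelinked content does not match the baseline
#   unverifiable  prelink exited non-zero and could not verify the file
classify() (
    file=$1 baseline=$2
    disk=$(sha1_stdin < "$file") || exit 2
    if [ "$disk" = "$baseline" ]; then echo unchanged; exit 0; fi

    tmp=$(mktemp) || exit 2
    trap 'rm -f "$tmp"' EXIT
    # prelink -y (--verify) undoes prelinking, re-prelinks, compares the result
    # with the file on disk, and only then writes the original content to stdout.
    if ! "$PRELINK_BIN" -y "$file" > "$tmp" 2>/dev/null; then
        echo unverifiable; exit 0
    fi
    if [ "$(sha1_stdin < "$tmp")" = "$baseline" ]; then
        echo prelink-only
    else
        echo modified
    fi
)

# Usage: sh this-script /path/to/binary <baseline-sha1>
if [ "$#" -eq 2 ]; then classify "$1" "$2"; fi
```

A `prelink-only` result is the case described in the reply: the bytes on disk differ between machines, but the un-prelinked content is identical.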