I have a weird problem with tripwire on at least two of my servers.  A run of tripwire --check shows a few tripwire binaries have changed, which, since I didn't do it, is very suspicious:

-------------------------------------------------------------------------------
Rule Name: Tripwire Binaries (/usr/sbin/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------
  ----------------------------------------
  Modified Objects: 1
  ----------------------------------------

Modified object name:  /usr/sbin/tripwire

  Property:            Expected                    Observed
  -------------        -----------                 -----------
  Object Type          Regular File                Regular File
  Device Number        64768                       64768
* Inode Number         9698                        10390
  Mode                 -rwxr-xr-x                  -rwxr-xr-x
  Num Links            1                           1
  UID                  root (0)                    root (0)
  GID                  root (0)                    root (0)
  Size                 1145520                     1145520
  Modify Time          Mon 05 Jul 2010 08:55:49 PM EDT
                                                   Mon 05 Jul 2010 08:55:49 PM EDT
  Blocks               2240                        2240
* CRC32                XXXXX                      YYYYY
* MD5                  XXXXXXXXXXMJedgAef0      XXXXXXXXXXPFRiVSdGoG/q


The inode number is fine, it's the CRC32 and MD5 sums that worry me.  As per my usual procedure, I then issue rpm -V ${PACKAGE_NAME} to verify the package:


[emartin@mx1 ~]$ sudo rpm -V tripwire
S.5....T.  c /etc/tripwire/twpol.txt


I expect twpol.txt to be changed since you update the policy.  What is / isn't missing is the glaring alert that tripwire doesn't match the RPM.  Also, the MD5 sum in tripwire on one machine doesn't match it on another, and neither do the SHA1 sums as computed from the command line.  While I'm pretty good with CentOS, there are a few things that I'm still learning so I'm thinking that I'm missing something here.  Can anybody please shed some light on this, especially the differing sha1sums?  If these are binaries, shouldn't they have the same sha1sum?

Also, do I need to blow away this machine and rebuild?

TIA,

--
Eric Martin
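A small parser for the report layout quoted in the post, to pull out just the properties tripwire flagged with a leading asterisk and to tell a metadata-only change (inode, timestamps) from a content change (a differing CRC32/MD5/SHA). This is an added example, not code from the post or from Tripwire; the sample report and its hash values are constructed, and the parser assumes the column layout shown above (values separated by two or more spaces, a wrapped Modify Time continued on the next line).

```python
"""Triage helper for the 'Modified Objects' section of a tripwire --check report."""
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the layout tripwire --check prints; hashes are placeholders.
SAMPLE_REPORT = """\
Rule Name: Tripwire Binaries (/usr/sbin/tripwire)
Severity Level: 100
Modified object name:  /usr/sbin/tripwire
  Property:            Expected                    Observed
  -------------        -----------                 -----------
  Object Type          Regular File                Regular File
* Inode Number         9698                        10390
  Size                 1145520                     1145520
  Modify Time          Mon 05 Jul 2010 08:55:49 PM EDT
                                                   Mon 05 Jul 2010 08:55:49 PM EDT
* CRC32                AAAAAAAA                    BBBBBBBB
* MD5                  CCCCCCCCCCCCCCCCCCCCCC      DDDDDDDDDDDDDDDDDDDDDD
"""

# optional '*' flag, property name, expected value, optional observed value
PROP_RE = re.compile(r"^(\*?)\s+(\S.*?)\s{2,}(\S.*?)(?:\s{2,}(\S.*?))?\s*$")
Prop = Tuple[str, Optional[str], bool]  # (expected, observed, flagged)


def parse_report(text: str) -> Dict[str, Dict[str, Prop]]:
    """Return {object_path: {property: (expected, observed, flagged)}}."""
    objects: Dict[str, Dict[str, Prop]] = {}
    current = last = None
    for line in text.splitlines():
        if line.startswith("Modified object name:"):
            current = line.split(":", 1)[1].strip()
            objects[current] = {}
            last = None
            continue
        if current is None:
            continue
        m = PROP_RE.match(line)
        if m:
            flag, name, expected, observed = m.groups()
            if name.startswith(("Property", "---")):  # column header / rule
                continue
            objects[current][name] = (expected, observed, flag == "*")
            last = name
        elif line.strip() and last and objects[current][last][1] is None:
            exp, _, flagged = objects[current][last]  # wrapped Observed column
            objects[current][last] = (exp, line.strip(), flagged)
    return objects


def flagged_properties(text: str) -> Dict[str, Dict[str, Tuple[str, Optional[str]]]]:
    """Only the properties tripwire marked with '*', per object."""
    return {obj: {p: (e, o) for p, (e, o, f) in props.items() if f}
            for obj, props in parse_report(text).items()}


def is_content_change(flagged: Dict[str, object]) -> bool:
    """True when a content hash differs, not just inode/timestamp metadata."""
    return any(p in flagged for p in ("CRC32", "MD5", "SHA", "HAVAL"))
```

A content change on a package-owned binary is the case to follow up with rpm -V on the owning package and a hash comparison against a known-good copy, as the post does.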