On Fri, Apr 18, 2014 at 06:17:45AM -0400, Eric Martin wrote:
> I have a weird problem with tripwire on at least two of my servers. A run of tripwire --check shows a few tripwire binaries have changed, which, since I didn't do it, is very suspicious:
>
> I expect twpol.txt to be changed since you update the policy. What is / isn't missing is the glaring alert that tripwire doesn't match the RPM. Also, the MD5 sum in tripwire on one machine doesn't match it on another, and neither do the SHA1 sums as computed from the command line. While I'm pretty good with CentOS, there are a few things that I'm still learning so I'm thinking that I'm missing something here. Can anybody please shed some light on this, especially the differing sha1sums? If these are binaries, shouldn't they have the same sha1sum?

One word. Prelink. rpm -V undoes the prelink on-the-fly to be able to checksum the original unmodified binary.

> Also, do I need to blow away this machine and rebuild?

No, but you may want to un-prelink all your binaries and then disable prelink from running again.
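
The check the reply describes can be done by hand. This is an added example, not part of the original thread: it hashes a binary as it sits on disk and again after `prelink -y` (`--verify`) has reversed the prelinking, so the second hash can be compared across servers. It assumes the prelink package is installed; the file paths in the comments are illustrative.

```shell
#!/bin/sh
# Added example: tell "changed by prelink" apart from "changed by something else".
# `prelink -y FILE` writes the un-prelinked image to stdout and exits non-zero
# if the on-disk file cannot be reproduced from it.

sha1_of() { sha1sum < "$1" | cut -d' ' -f1; }

# check_prelinked FILE
# Prints "<status> <on-disk sha1> <un-prelinked sha1>" where status is:
#   same           file is not prelinked; on-disk bytes are the original
#   prelinked      on-disk bytes differ from the original only through prelink
#   verify-failed  prelink could not reproduce the file; investigate further
check_prelinked() {
    f=$1
    tmp=$(mktemp) || return 2
    disk=$(sha1_of "$f")
    if prelink -y "$f" > "$tmp" 2>/dev/null; then
        orig=$(sha1_of "$tmp")
        if [ "$disk" = "$orig" ]; then status=same; else status=prelinked; fi
    else
        orig=-
        status=verify-failed
    fi
    rm -f "$tmp"
    echo "$status $disk $orig"
    [ "$status" != verify-failed ]
}

# Typical use on each server (paths are examples, not from the original post):
#   for f in /usr/sbin/tripwire /usr/sbin/twadmin; do check_prelinked "$f"; done
# The third column is the hash of the original binary and is the one to
# compare between machines; the second column varies per host when prelinked.
#
# To stop the on-disk hashes drifting, as the reply suggests:
#   set PRELINKING=no in /etc/sysconfig/prelink, then run: prelink -ua
```

After prelink has been undone and disabled, the tripwire database needs to be updated once so that it records the un-prelinked binaries.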