Date: Mon, 21 May 2007 08:57:35 -0500

Keith Lofstrom wrote:
> I run ancient old tripwire nightly on my machines. Yesterday, on my
> SL4.4 laptop, I noticed that it had found changes to "vipw" and other
> security related tools. A little concerned, I downloaded the latest
> version of chkrootkit and ran it, finding no problems. I looked at
> the yum logs, and found a yum upgrade of util-linux from sl-errata;
> the header file shows that vipw and the rest had been updated.
>
> False alarm, I am probably safe, assuming no outbreak of evil at SL or
> TUV (=The Upstream Vendor in North Carolina, for those wondering).
>
> I will react similarly if I ever see a change of the basic security
> programs. Is there anything else a prudent administrator should check
> when these programs change?
>
> Keith
>
If you are running tripwire on a machine, you should always check your
yum update logs before your tripwire logs, so you aren't surprised.
Also, you should be subscribed to [log in to unmask] so
that you get the announcements about the released security errata. We
do occasionally put out an errata without an e-mail, but not too often,
and the users usually help remind us if this happens.

To see which files can potentially change:

    rpm -ql <package>

If you are seeing a changed file outside of those files listed, you need
to check scripts:

    rpm -q --scripts --triggers <package>

Troy
--
__________________________________________________
Troy Dawson [log in to unmask] (630)840-6468
Fermilab ComputingDivision/LCSI/CSI DSS Group
__________________________________________________
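
The reconciliation described in the reply above, as an added example that is not part of the original message: take the packages yum logged as updated, collect their `rpm -ql` file lists, and split the tripwire-reported paths into those an update accounts for and those that need the scriptlet check. The yum.log line shape, the function names, and all sample data are assumptions constructed for illustration.

```python
import re
import subprocess

# Assumed yum.log shape: "<timestamp> Updated: <name>.<arch> <version>"
YUM_LINE = re.compile(r"(Updated|Installed): (\S+)\.(\w+) (\S+)\s*$")

def updated_packages(log_lines):
    """Return package names yum reports as updated or installed, in log order."""
    names = []
    for line in log_lines:
        m = YUM_LINE.search(line)
        if m and m.group(2) not in names:
            names.append(m.group(2))
    return names

def rpm_file_list(package):
    """Files owned by an installed package, as printed by `rpm -ql <package>`."""
    out = subprocess.run(["rpm", "-ql", package],
                         capture_output=True, text=True, check=True)
    return {line for line in out.stdout.splitlines() if line.startswith("/")}

def triage(changed_paths, log_lines, list_files=rpm_file_list):
    """Split tripwire-reported paths into those covered by an update and the rest."""
    packages = updated_packages(log_lines)
    owners = {}
    for pkg in packages:
        for path in list_files(pkg):
            owners.setdefault(path, pkg)
    explained = {p: owners[p] for p in changed_paths if p in owners}
    unexplained = [p for p in changed_paths if p not in owners]
    # Paths outside every file list may still come from package scriptlets.
    review = ([f"rpm -q --scripts --triggers {pkg}" for pkg in packages]
              if unexplained else [])
    return explained, unexplained, review

# Constructed sample data (not from the original message).
SAMPLE_LOG = [
    "May 20 04:12:07 Updated: util-linux.i386 0.0-1.example",
    "May 20 04:12:09 Updated: example-libs.i386 0.0-1.example",
]
SAMPLE_MANIFEST = {  # stands in for `rpm -ql` output so the example runs offline
    "util-linux": {"/usr/sbin/vipw", "/usr/sbin/vigr", "/bin/mount"},
    "example-libs": {"/usr/lib/libexample.so.0"},
}
SAMPLE_CHANGED = ["/usr/sbin/vipw", "/bin/mount", "/etc/ld.so.cache", "/bin/ls"]

if __name__ == "__main__":
    ok, odd, review = triage(SAMPLE_CHANGED, SAMPLE_LOG, lambda p: SAMPLE_MANIFEST[p])
    print(ok, odd, review, sep="\n")
```

On a real host, call `triage()` without the third argument so the file lists come from the local RPM database.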