SCIENTIFIC-LINUX-USERS Archives

May 2007

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Troy Dawson <[log in to unmask]>
Reply To:
Troy Dawson <[log in to unmask]>
Date:
Mon, 21 May 2007 08:57:35 -0500
Keith Lofstrom wrote:
> I run ancient old tripwire nightly on my machines.  Yesterday, on my
> SL4.4 laptop, I noticed that it had found changes to  "vipw" and other
> security related tools.  A little concerned, I downloaded the latest
> version of chkrootkit and ran it, finding no problems.  I looked at
> the yum logs, and found a yum upgrade of util-linux from sl-errata;
> the header file shows that vipw and the rest had been updated. 
> 
> False alarm, I am probably safe, assuming no outbreak of evil at SL or
> TUV (=The Upstream Vendor in North Carolina, for those wondering).
> 
> I will react similarly if I ever see a change of the basic security
> programs.  Is there anything else a prudent administrator should check
> when these programs change?  
> 
> Keith
> 

If you are running tripwire on a machine, you should always check your 
yum update logs before your tripwire logs, so you aren't surprised.

Also, you should be subscribed to [log in to unmask] so 
that you get the announcements about the released security errata.  We 
do occasionally put out an errata without an e-mail, but not too often, 
and the users usually help remind us if this happens.

To see which files can potentially change
   rpm -ql <package>
If you are seeing a changed file outside of those files listed you need 
to check scripts.
   rpm -q --scripts --triggers <package>

Troy
-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/LCSI/CSI DSS Group
__________________________________________________
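
Added example, not part of the original message: a shell sketch of the reconciliation described in the reply, which takes the packages yum updated on a given day, collects their `rpm -ql` file lists, and prints the tripwire-reported paths that none of them own. The yum.log line layout, the function names, and all sample data (package versions, paths, the stand-in for `rpm -ql` inside `demo`) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed yum.log layout (constructed sample line):
#   May 20 04:12:33 Updated: util-linux.i386 1.0-1.example

# updated_packages DAY < yum.log
# Print the names of packages yum installed or updated on DAY (e.g. "May 20").
updated_packages() {
    awk -v day="$1" '
        ($1 " " $2) == day && ($4 == "Updated:" || $4 == "Installed:") {
            sub(/\.[^.]+$/, "", $5)      # drop the .arch suffix
            print $5
        }' | sort -u
}

# unexplained_changes CHANGED OWNED
# Print paths in CHANGED (tripwire report, one path per line) that do not
# appear in OWNED (concatenated `rpm -ql` output).
unexplained_changes() {
    grep -Fxv -f "$2" "$1" || true
}

# reconcile DAY YUMLOG CHANGED
# Changed files that no package updated on DAY lists as its own. For these,
# read `rpm -q --scripts --triggers <package>` before accepting the change.
reconcile() {
    owned=$(mktemp)
    for pkg in $(updated_packages "$1" < "$2"); do
        rpm -ql "$pkg" >> "$owned" 2>/dev/null || true
    done
    unexplained_changes "$3" "$owned"
    rm -f "$owned"
}

# demo: constructed data only; runs in a subshell so the stand-in for
# `rpm -ql` does not shadow the real rpm afterwards.
demo() (
    d=$(mktemp -d)
    printf '%s\n' 'May 19 04:10:02 Updated: tzdata.noarch 1.0-1.example' \
                  'May 20 04:12:33 Updated: util-linux.i386 1.0-1.example' > "$d/yum.log"
    printf '%s\n' /usr/sbin/vipw /usr/sbin/vigr /bin/login /etc/cron.d/example > "$d/changed"
    rpm() { printf '%s\n' /usr/sbin/vipw /usr/sbin/vigr /bin/login /bin/mount; }
    reconcile "May 20" "$d/yum.log" "$d/changed"
    rm -rf "$d"
)

demo    # prints /etc/cron.d/example
```

On a real host, call `reconcile` with the day of the update, the path to yum.log, and a file holding the changed paths from the tripwire report.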
