Keith Lofstrom wrote: > I run ancient old tripwire nightly on my machines. Yesterday, on my > SL4.4 laptop, I noticed that it had found changes to "vipw" and other > security related tools. A little concerned, I downloaded the latest > version of chkrootkit and ran it, finding no problems. I looked at > the yum logs, and found a yum upgrade of util-linux from sl-errata; > the header file shows that vipw and the rest had been updated. > > False alarm, I am probably safe, assuming no outbreak of evil at SL or > TUV (=The Upstream Vendor in North Carolina, for those wondering). > > I will react similarly if I ever see a change of the basic security > programs. Is there anything else a prudent administrator should check > when these programs change? > > Keith > If you are running tripwire on a machine, you should always check your yum update logs before your tripwire logs, so you aren't surprised. Also, you should be subscribed to [log in to unmask] so that you get the announcements about the released security errata. We do occasionally put out an errata without an e-mail, but not too often, and the users usually help remind us if this happens. To see which files can potentially change rpm -ql <package> If you are seeing a changed file outside of those files listed you need to check scripts. rpm -q --scripts --triggers <package> Troy -- __________________________________________________ Troy Dawson [log in to unmask] (630)840-6468 Fermilab ComputingDivision/LCSI/CSI DSS Group __________________________________________________