Michael Schwendt wrote:
On Mon, 11 Jul 2005 17:34:16 -0700, Marcin Struzak wrote:
I am running FC3 with tripwire-2.3.1-20.fdr.1.1 (RPM), and all of a sudden, after months of successful "quite" or almost quiet bahvior, my nightly check reports over 6500 changes. This is very unusual for an "overnight" situation, and so I am trying to figure out what caused it.
Prelinking can result in such changes (verify some key files with "rpm -V"
or even "rpm -Va"). But first of all, you should update your tripwire
package to FC3's. It's tripwire-2.3.1-21 in Fedora Extras. Your one is
for FC1.
Are you seeing AVC messages in your log files? /var/log/messages and/or
/var/log/audit/audit.log
--
