7

I recently installed OSSEC on a Linux machine to test.

Most results are expected; however, yesterday I received emails with a number of notifications about the integrity checksum changing on files such as /usr/bin/whoami, /usr/bin/md5sum, /usr/bin/ls and about another 50 similar files.

Since I didn't install any new versions of these files, how do I find out what caused the integrity checksum to change 2 days after I installed the OSSEC program?

Eureka Ikara

1 Answer

6

Two reasons are:

  • You've actually been hacked
  • Prelinking is enabled

You can disable prelinking by editing /etc/sysconfig/prelink from:

PRELINKING=yes

to:

PRELINKING=no

And running:

prelink -ua

Source: http://www.ossec.net/wiki/Know_How:Check_Sums

Rob Olmos
    Thank you very much. That has explained the constant changes I saw. I then did some further searching and also found information on another option as well. Source: http://www.mail-archive.com/ossec-list@googlegroups.com/msg04568.html – Eureka Ikara Nov 19 '10 at 04:18
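One way to tell the two causes named in the answer apart for each flagged file, as an added example that is not part of the original question or answer. The function names and the sample alert text are constructed for illustration, and the script assumes an RPM-based system whose `rpm` verify undoes prelinking before hashing.

```shell
# Added example (not from the original post). Assumes an RPM-based system
# whose rpm verify undoes prelinking before hashing (stock RHEL-family setup).

# Constructed sample of OSSEC syscheck alert lines, not real alerts.
SAMPLE_ALERTS="Integrity checksum changed for: '/usr/bin/whoami'
Integrity checksum changed for: '/usr/bin/md5sum'
Integrity checksum changed for: '/usr/bin/ls'"

# Print the unique file paths named in alert text read from stdin.
changed_paths() {
    sed -n "s/^Integrity checksum changed for: '\(.*\)'.*/\1/p" | sort -u
}

# Report the PRELINKING setting of a sysconfig file: enabled, disabled or absent.
prelink_state() {
    conf=${1:-/etc/sysconfig/prelink}
    [ -r "$conf" ] || { echo absent; return 0; }
    val=$(sed -n 's/^[[:space:]]*PRELINKING=//p' "$conf" | tail -n 1)
    case $val in
        yes|\"yes\") echo enabled ;;
        *) echo disabled ;;
    esac
}

# Compare one file with the package that owns it.
#   matches-package: no digest mismatch reported, so prelink is the likely cause
#   investigate:     digest mismatch (5), unreadable (?) or file missing
#   unverifiable:    no owning package found, so rpm cannot vouch for the file
verify_path() {
    rpm -qf "$1" >/dev/null 2>&1 || { echo "unverifiable $1"; return 0; }
    if rpm -Vf "$1" 2>/dev/null |
        awk -v p="$1" '$NF == p && ($1 ~ /[5?]/ || $1 == "missing") { bad = 1 }
                       END { exit !bad }'
    then echo "investigate $1"
    else echo "matches-package $1"
    fi
}

# Triage every path named in alert text on stdin.
triage() {
    echo "prelinking: $(prelink_state "${1:-/etc/sysconfig/prelink}")"
    changed_paths | while IFS= read -r f; do verify_path "$f"; done
}

# Demo on the constructed sample; pipe the real alert mail text in instead.
printf '%s\n' "$SAMPLE_ALERTS" | triage
```

Any path reported as `investigate` or `unverifiable` should be checked by hand before the alerts are attributed to prelinking.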