Tripwire reporting a changed /dev/char

Question

This was in a recent Tripwire report of a Debian Linux (virtual) server:

### Attr        Observed (what it is)         Expected (what it should be)
### =========== ============================= =============================
/dev/char/253:0
    md5 (sig1): 3cArKelJk8b0VTK4Q80.nV        3Z4Cv6zdER0tKfg3lDqPM3

First of all, what is /dev/char/253:0? Secondly, should I be concerned that it changed?

UPDATE. One of my colleagues said that this can happen with a server reboot, which, since I had rebooted the server the previous day, is probably what triggered the Tripwire alert.

Answer 1

The /dev folder is where linux stores files generally associated with devices. Most of these are special files that are mapped or linked with individual devices, such as hard drives, cd-roms, USB devices, etc..

It would seem to me that monitoring these files for changes would result in a lot of changes being detected, depending on the device and how the file is used. I haven't worked with a /char directory too frequently, but I believe it contains "Character Devices," which are characterwise/steraming interfaces, as opposed to block devices, such as hard drives and CD-ROMs.

To answer your question, I would think you could safely disregard this message, after verifying that whatever device is mapped to 253:0 is expected.

For more information, check out:

http://tldp.org/LDP/sag/html/dev-fs.html

and

http://en.wikipedia.org/wiki/Device_file#Character_devices