I have several systems running Centos 6 with rkhunter installed. I have a daily cron running rkhunter and reporting back via email.
I very often get reports like:
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The file properties have changed:
File: /sbin/fsck
Current inode: 6029384 Stored inode: 6029326
Warning: The file properties have changed:
File: /sbin/ip
Current inode: 6029506 Stored inode: 6029343
Warning: The file properties have changed:
File: /sbin/nologin
Current inode: 6029443 Stored inode: 6029531
Warning: The file properties have changed:
File: /bin/dmesg
Current inode: 13369362 Stored inode: 13369366
From what I understand, rkhunter will usually report a changed hash and/or modification date on the scanned files to, so this leads me to think that there is no real change.
My question: is there some other activity on the machine that could make the inode change (running ext4) or is this really yum
making regular (~ once a week) changes to these files as part of normal security updates?