[RHEL5] Tripwire detects tampering in symbolic links.
Issue
- Customer uses Tripwire to monitor tampering. When he updated the following packages, Tripwire detected tampering in some files.

  Updated package list:

    lm_sensors-2.10.7-9.el5.x86_64.rpm
    lm_sensors-devel-2.10.7-9.el5.i386.rpm
    lm_sensors-devel-2.10.7-9.el5.x86_64.rpm
    net-snmp-5.3.2.2-14.el5.x86_64.rpm
    net-snmp-devel-5.3.2.2-14.el5.i386.rpm
    net-snmp-devel-5.3.2.2-14.el5.x86_64.rpm
    net-snmp-libs-5.3.2.2-14.el5.i386.rpm
    net-snmp-libs-5.3.2.2-14.el5.x86_64.rpm
    net-snmp-perl-5.3.2.2-14.el5.x86_64.rpm
    net-snmp-utils-5.3.2.2-14.el5.x86_64.rpm
    libsysfs-2.1.0-1.el5.i386.rpm
    libsysfs-2.1.0-1.el5.x86_64.rpm
    libsysfs-devel-2.1.0-1.el5.i386.rpm
    libsysfs-devel-2.1.0-1.el5.x86_64.rpm
    lm_sensors-2.10.7-9.el5.i386.rpm

  Detected file list:

    "/usr/bin/encode_keychange"
    "/usr/bin/get_module"
    "/usr/bin/hpijs"
    "/usr/bin/ipmi_ui"
    "/usr/bin/ipmish" --- symlink to "/usr/bin/openipmish"
    "/usr/bin/openipmish"
    "/usr/bin/sensors"
    "/usr/bin/snmpbulkget"
    "/usr/bin/snmpbulkwalk"
    "/usr/bin/snmpdelta"
    "/usr/bin/snmpdf"
    "/usr/bin/snmpget"
    "/usr/bin/snmpgetnext"
    "/usr/bin/snmpinform" --- symlink to "/usr/bin/snmptrap"
    "/usr/bin/snmpnetstat"
    "/usr/bin/snmpset"
    "/usr/bin/snmpstatus"
    "/usr/bin/snmptable"
    "/usr/bin/snmptest"
    "/usr/bin/snmptranslate"
    "/usr/bin/snmptrap"
    "/usr/bin/snmpusm"
    "/usr/bin/snmpvacm"
    "/usr/bin/snmpwalk"
    "/usr/bin/systool"
    "/usr/sbin/hpiod"
    "/usr/sbin/i2cdetect"
    "/usr/sbin/i2cdump"
    "/usr/sbin/i2cget"
    "/usr/sbin/i2cset"
    "/usr/sbin/isadump"
    "/usr/sbin/isaset"
    "/sbin/multipath"
    "/sbin/multipathd"

- So, I have no idea what is happening in the Customer's system.
- Do you have any idea in what situation symbolic links are updated in the i-node generation number only, without the time-stamp being updated?
Environment
- Red Hat Enterprise Linux 5
- net-snmp-libs-5.3.2.2-14.el5.x86_64
- net-snmp-utils-5.3.2.2-14.el5.x86_64