[RHEL5] Tripwire detects tampering in symbolic links.

Solution Verified - Updated -

Issue

  • The customer uses Tripwire to monitor for tampering. When he updated the following packages, Tripwire detected tampering in some files.

      updated package list:
        lm_sensors-2.10.7-9.el5.x86_64.rpm
        lm_sensors-devel-2.10.7-9.el5.i386.rpm
        lm_sensors-devel-2.10.7-9.el5.x86_64.rpm
        net-snmp-5.3.2.2-14.el5.x86_64.rpm
        net-snmp-devel-5.3.2.2-14.el5.i386.rpm
        net-snmp-devel-5.3.2.2-14.el5.x86_64.rpm
        net-snmp-libs-5.3.2.2-14.el5.i386.rpm
        net-snmp-libs-5.3.2.2-14.el5.x86_64.rpm
        net-snmp-perl-5.3.2.2-14.el5.x86_64.rpm
        net-snmp-utils-5.3.2.2-14.el5.x86_64.rpm
        libsysfs-2.1.0-1.el5.i386.rpm
        libsysfs-2.1.0-1.el5.x86_64.rpm
        libsysfs-devel-2.1.0-1.el5.i386.rpm
        libsysfs-devel-2.1.0-1.el5.x86_64.rpm
        lm_sensors-2.10.7-9.el5.i386.rpm
    
      detected file list:
        "/usr/bin/encode_keychange"
        "/usr/bin/get_module"
        "/usr/bin/hpijs"
        "/usr/bin/ipmi_ui"
        "/usr/bin/ipmish" --- symlink to "/usr/bin/openipmish"
        "/usr/bin/openipmish"
        "/usr/bin/sensors"
        "/usr/bin/snmpbulkget"
        "/usr/bin/snmpbulkwalk"
        "/usr/bin/snmpdelta"
        "/usr/bin/snmpdf"
        "/usr/bin/snmpget"
        "/usr/bin/snmpgetnext"
        "/usr/bin/snmpinform" --- symlink to "/usr/bin/snmptrap"
        "/usr/bin/snmpnetstat"
        "/usr/bin/snmpset"
        "/usr/bin/snmpstatus"
        "/usr/bin/snmptable"
        "/usr/bin/snmptest"
        "/usr/bin/snmptranslate"
        "/usr/bin/snmptrap"
        "/usr/bin/snmpusm"
        "/usr/bin/snmpvacm"
        "/usr/bin/snmpwalk"
        "/usr/bin/systool"
        "/usr/sbin/hpiod"
        "/usr/sbin/i2cdetect"
        "/usr/sbin/i2cdump"
        "/usr/sbin/i2cget"
        "/usr/sbin/i2cset"
        "/usr/sbin/isadump"
        "/usr/sbin/isaset"
        "/sbin/multipath"
        "/sbin/multipathd"
    
  • So, I have no idea what is happening on the customer's system.

  • Do you have any idea in what situation symbolic links are updated in the i-node generation number only, with the time-stamp not updated?

Environment

  • Red Hat Enterprise Linux 5
  • net-snmp-libs-5.3.2.2-14.el5.x86_64
  • net-snmp-utils-5.3.2.2-14.el5.x86_64
