[CentOS] Several files's checksum change without reason

Sat Aug 12 22:25:35 UTC 2006
William L. Maltby <BillsCentOS at triad.rr.com>

On Sat, 2006-08-12 at 23:15 +0200, kadafax wrote:
> William L. Maltby wrote:
> > On Sat, 2006-08-12 at 19:10 +0200, kadafax wrote:
> >   
> >><snip>

> >> ... several changes on files who were not (at first 
> >> sight) affected by a recent update (the list is below).
> >> Is there a logic explanation for those changes to happen ? The "rpm -Va" 
> >> command does not output md5sum change for those files.
> >>     
> >
> > Date/time looks like it might be a cron scheduled event. My bet is
> > prelink. Have you looked at the crontabs and/or logs?
> >   
> prelink appears there:
> [root at server cron]# ll /etc/cron.daily/
> total 76
> lrwxrwxrwx  1 root root   28 Jun 29 20:27 00-logwatch -> 
> ../log.d/scripts/logwatch.pl
> -rwxr-xr-x  1 root root  418 Feb 21  2005 00-makewhatis.cron
> -rwxr-xr-x  1 root root  276 Feb 21  2005 0anacron
> -rwxr-xr-x  1 root root  117 Mar 31  2005 epylog.cron
> -rwxr-xr-x  1 root root  180 Aug 23  2005 logrotate

> -rwxr-xr-x  1 root root 2133 Dec  1  2004 prelink
> -rwxr-xr-x  1 root root  104 Jan  1  2006 rpm
> -rwxr-xr-x  1 root root  121 Aug 22  2005 slocate.cron
> -rwxr-xr-x  1 root root  286 Feb 21  2005 tmpwatch
> -rwxr-xr-x  1 root root  158 Feb 18 15:38 yum.cron
>
> Nothing in logs ( grep cron /var/log/messages*)


$ locate prelink
/etc/prelink.cache

...

/var/log/prelink.log
/var/log/prelink.log.1.bz2

<snip>

> 
> Is it possible for a cron job to modify binary's checksum and inode ?

Yes. If cron is user with proper permissions, ACLs don't prevent and
SELinux doesn't prevent. Cron is (in effect) just another user (may be
root) that runs jobs automatically.

I suggest you investigate the software that may be affecting the systems
you have under your control.

Prelink will change size, date, i-node, ...

> <snip>

-- 
Bill
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://lists.centos.org/pipermail/centos/attachments/20060812/87f34c07/attachment-0005.sig>