On Sat, 2006-08-12 at 23:15 +0200, kadafax wrote: > William L. Maltby wrote: > > On Sat, 2006-08-12 at 19:10 +0200, kadafax wrote: > > > >><snip> > >> ... several changes on files who were not (at first > >> sight) affected by a recent update (the list is below). > >> Is there a logic explanation for those changes to happen ? The "rpm -Va" > >> command does not output md5sum change for those files. > >> > > > > Date/time looks like it might be a cron scheduled event. My bet is > > prelink. Have you looked at the crontabs and/or logs? > > > prelink appears there: > [root at server cron]# ll /etc/cron.daily/ > total 76 > lrwxrwxrwx 1 root root 28 Jun 29 20:27 00-logwatch -> > ../log.d/scripts/logwatch.pl > -rwxr-xr-x 1 root root 418 Feb 21 2005 00-makewhatis.cron > -rwxr-xr-x 1 root root 276 Feb 21 2005 0anacron > -rwxr-xr-x 1 root root 117 Mar 31 2005 epylog.cron > -rwxr-xr-x 1 root root 180 Aug 23 2005 logrotate > -rwxr-xr-x 1 root root 2133 Dec 1 2004 prelink > -rwxr-xr-x 1 root root 104 Jan 1 2006 rpm > -rwxr-xr-x 1 root root 121 Aug 22 2005 slocate.cron > -rwxr-xr-x 1 root root 286 Feb 21 2005 tmpwatch > -rwxr-xr-x 1 root root 158 Feb 18 15:38 yum.cron > > Nothing in logs ( grep cron /var/log/messages*) $ locate prelink /etc/prelink.cache ... /var/log/prelink.log /var/log/prelink.log.1.bz2 <snip> > > Is it possible for a cron job to modify binary's checksum and inode ? Yes. If cron is user with proper permissions, ACLs don't prevent and SELinux doesn't prevent. Cron is (in effect) just another user (may be root) that runs jobs automatically. I suggest you investigate the software that may be affecting the systems you have under your control. Prelink will change size, date, i-node, ... > <snip> -- Bill -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: <http://lists.centos.org/pipermail/centos/attachments/20060812/87f34c07/attachment-0005.sig>