https://community.hpe.com/t5/operating-system-linux/aide-software-integrity-app-amp-mtime-question/m-p/5088687#M49372 It's probably "prelink". It adds some information to executables and libraries to speed up loading. Read "man prelink" for a more detailed description.<BR /><BR />When using AIDE or tripwire, you'll generally want to run the prelinking manually after each update or software installation, and *only then* acknowledge the changes in the integrity application. Or if your server's workload does not involve starting a lot of processes frequently, you might choose to disable the prelink system.<BR /><BR />MK Tue, 22 Jan 2008 08:01:19 GMT Matti_Kurkela 2008-01-22T08:01:19Z https://community.hpe.com/t5/operating-system-linux/aide-software-integrity-app-amp-mtime-question/m-p/5088686#M49371 Hello everyone,<BR /><BR />We run RHEL4 on our ProLiant BL20p G3 servers and I'm playing-with/evaluatiing AIDE (software integrity app similar to tripwire) in order to install it on some new servers during the next weeks.<BR /><BR />I've been tweaking the configuration file and I've been running it for a couple of days. I run the "check" every night but last night I got a warning about 3 directories: they're mtime changed. I'm 100% sure my system wasn't hacked (as it is offline). I just found out that the modification time in these directories is the same as the time the scripts in /etc/cron.daily run. The directories were:<BR /><BR />/usr/lib64<BR />/usr/bin<BR />/lib64<BR /><BR />Does anyone knows what script on /etc/cron.daily might change mtime in these directories? A script could "touch" these files in order to change the mtime on purpose (don't see why) or a file could be removed or added from these directories (very unlikely). I did a search for new files in these directories but none were found.<BR /><BR />I could just remove the check for mtime in these directories but I don't think it would be wise.<BR /><BR />Thanks in advance,<BR />Jorge Fri, 18 Jan 2008 15:16:50 GMT https://community.hpe.com/t5/operating-system-linux/aide-software-integrity-app-amp-mtime-question/m-p/5088686#M49371 Jorge Fabregas 2008-01-18T15:16:50Z https://community.hpe.com/t5/operating-system-linux/aide-software-integrity-app-amp-mtime-question/m-p/5088687#M49372 It's probably "prelink". It adds some information to executables and libraries to speed up loading. Read "man prelink" for a more detailed description.<BR /><BR />When using AIDE or tripwire, you'll generally want to run the prelinking manually after each update or software installation, and *only then* acknowledge the changes in the integrity application. Or if your server's workload does not involve starting a lot of processes frequently, you might choose to disable the prelink system.<BR /><BR />MK Tue, 22 Jan 2008 08:01:19 GMT https://community.hpe.com/t5/operating-system-linux/aide-software-integrity-app-amp-mtime-question/m-p/5088687#M49372 Matti_Kurkela 2008-01-22T08:01:19Z https://community.hpe.com/t5/operating-system-linux/aide-software-integrity-app-amp-mtime-question/m-p/5088688#M49373 Thanks Matti. Right on. Prelink was indeed. Thanks also for the tip. I'll do that (run prelink manually after update and THEN recreate the AIDE database).<BR /><BR />All the best,<BR />Jorge Wed, 23 Jan 2008 13:43:41 GMT https://community.hpe.com/t5/operating-system-linux/aide-software-integrity-app-amp-mtime-question/m-p/5088688#M49373 Jorge Fabregas 2008-01-23T13:43:41Z