Hello-

I have tripwire running daily. Sunday's report showed some file changes and additions I don't recognize, but it is a recently installed box (RH7.1), and I am new to this so I was wondering if anyone else has seen these and knows what they are- or if I should be worried. Also, the machine supposedly was untouched over the weekend, so I don't understand why Saturday's tripwire report is clean, but Sunday has system changes.

Here is the relavant part of the report:

* System boot changes severity:100 added:11 removed:0 modified:11

Added:
"/var/log/messages.1"
"/var/log/secure.1"
"/var/log/maillog.1"
"/var/log/spooler.1"
"/var/log/boot.log.1"
"/var/log/cron.1"
"/var/log/kernel.1"
"/var/log/syslog.1"
"/var/log/loginlog.1"
"/var/log/xferlog.1"
"/var/log/wtmp.1"

Modified:
"/var/log/boot.log"
"/var/log/cron"
"/var/log/kernel"
"/var/log/loginlog"
"/var/log/maillog"
"/var/log/messages"
"/var/log/secure"
"/var/log/spooler"
"/var/log/syslog"
"/var/log/wtmp"
"/var/log/xferlog"


Any help would be appreciated. Are these files supposed to be there? Why would they show up as modified/added on Sunday?

This comes from rotating logs by logrotate, which will backup a log sequentially and touch a new logfile. This pretty much fsck's over the previously stored signatures.

A solution could be to exclude all logfiles from examination except wtmp. These logfiles even tho some might be security related are not tampered the way wtmp/utmp are when someone wants to cover up gaining root.
Wtmp could be checked IMO with chkwtmp from chrootkit.

If you want to hold on to full coverage examination another strategy could be running different signature databases on different filesystem selections at different times.

HTH