Thanks for the question. That rule alerts you when a monitored file changes, which can tell you that either something was changed without your permission (malicious) or that it was changed with your permission.
ASL will try to help you determine if this was due to a software update that was authorized, or via some other method. Just log into ASL, click on the ASL tab, then select File Integrity. If anything has changed you will see it in that window (you may need to set the view farther back than today if this happened earlier). Then you will see a listing of all the files that changed and when they changed. If you click on the filename it will then try to determine if it's a managed piece of software, and if it is it will pull up the system's change log for that file to help you identify what it is and what package/rpm it may be part of.
From there, check your /var/log/yum.log file to see if anything was updated recently, and then see if it matches the files in the FI window. If they don't, then someone may have made these changes without your permission. If they do match, then check your logs to see if you updated anything on the system.
I hope this helps, and if you have other questions please don't hesitate to ask.
_________________
Michael Shinn
Atomicorp - Security For Everyone
Co-Author of Troubleshooting Linux Firewalls.
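The correlation step described above (match the File Integrity change list against /var/log/yum.log and the package that owns each file) as an added example; this is not code from the post or from Atomicorp/ASL. It uses a constructed yum.log excerpt, a constructed stand-in for `rpm -qf` output, and a constructed list of FIM changes so it runs offline; on a real host you would read the actual yum.log and call `rpm -qf <path>` instead of the dictionary. The time window (10 minutes by default) is an assumed tolerance between the package transaction and the file's recorded change time.

```python
"""Correlate file-integrity changes with yum package transactions.

Added example, not part of the original forum post or the ASL product.
A changed file is 'explained' when the package that owns it (rpm -qf)
appears in yum.log within a short window of the change time; anything
else is 'unexplained' and deserves a closer look.
"""
import re
from datetime import datetime

# Constructed yum.log lines in yum's own format: "Mon DD HH:MM:SS Action: NVRA".
SAMPLE_YUM_LOG = """\
Mar 10 02:14:07 Updated: openssl-1.0.1e-48.el6_8.4.x86_64
Mar 10 02:14:09 Updated: openssl-devel-1.0.1e-48.el6_8.4.x86_64
Mar 11 09:30:12 Installed: htop-1.0.3-1.el6.x86_64
"""

# Constructed stand-in for `rpm -qf <path>`; None means no package owns the file.
SAMPLE_RPM_OWNERS = {
    "/usr/lib64/libssl.so.1.0.1e": "openssl-1.0.1e-48.el6_8.4.x86_64",
    "/usr/bin/htop": "htop-1.0.3-1.el6.x86_64",
    "/usr/sbin/sshd": "openssh-server-5.3p1-122.el6.x86_64",
    "/usr/local/bin/deploy.sh": None,
}

# Constructed FIM output: (path, time the change was recorded).
SAMPLE_FIM_CHANGES = [
    ("/usr/lib64/libssl.so.1.0.1e", "2017-03-10 02:14:08"),
    ("/usr/bin/htop", "2017-03-11 09:30:13"),
    ("/usr/sbin/sshd", "2017-03-11 23:41:55"),
    ("/usr/local/bin/deploy.sh", "2017-03-12 01:05:30"),
]

YUM_LINE = re.compile(
    r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (Installed|Updated|Erased): (\S+)$"
)


def parse_yum_log(text, year):
    """Return [(timestamp, action, package_nvra)] from yum.log text.

    yum.log omits the year, so the caller supplies it (assumption: all
    lines fall in the same year).
    """
    events = []
    for line in text.splitlines():
        m = YUM_LINE.match(line)
        if not m:
            continue  # skip anything that is not a transaction line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def explain_changes(changes, yum_events, owners, window_seconds=600):
    """Split FIM changes into those matching a package transaction and the rest.

    Returns (explained, unexplained): explained maps path -> (action, nvra,
    transaction time); unexplained is a list of (path, owning package or None).
    """
    explained, unexplained = {}, []
    for path, changed_at in changes:
        ts = datetime.strptime(changed_at, "%Y-%m-%d %H:%M:%S")
        owner = owners.get(path)
        match = None
        if owner is not None:
            for ev_ts, action, nvra in yum_events:
                # The installed NVRA reported by rpm -qf equals the NVRA yum logged.
                if nvra == owner and abs((ev_ts - ts).total_seconds()) <= window_seconds:
                    match = (action, nvra, ev_ts)
                    break
        if match:
            explained[path] = match
        else:
            unexplained.append((path, owner))
    return explained, unexplained


if __name__ == "__main__":
    events = parse_yum_log(SAMPLE_YUM_LOG, 2017)
    ok, suspect = explain_changes(SAMPLE_FIM_CHANGES, events, SAMPLE_RPM_OWNERS)
    for path, (action, nvra, when) in ok.items():
        print(f"explained   {path}: {action} {nvra} at {when}")
    for path, owner in suspect:
        print(f"unexplained {path}: owner={owner or 'no package'} (review this change)")
```

Files that an installed package owns but that changed with no matching transaction, and files no package owns at all, both land in the unexplained list; those are the ones worth checking against your other logs before deciding the alert was benign.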