From OSSEC Wiki
Why does ossec tell me the checksum of /usr/bin/foobar has changed?
Why?
Well, it has changed (obviously), but why? There are two reasons why this can happen.
- 1 - Your box has been owned.
- 2 - Your box has prelinking (long explanation) enabled.
You can check to see if prelinking is the reason on most Linux distributions by using the prelink command.
[user@foobar log]# md5sum /usr/bin/perl
9a9245039782813967a6706a45f623c6 /usr/bin/perl
[user@foobar log]# rpm -qf --dump /usr/bin/perl | grep /usr/bin/perl
/usr/bin/perl 11192 1194523209 e7640cdfec7a02f3d4b4c984fb20a304 0100755 root root 0 0 0 X
[user@foobar ~]# prelink -y --md5 /usr/bin/perl
e7640cdfec7a02f3d4b4c984fb20a304 /usr/bin/perl
As you can see, the prelink command gives the hash that matches the hash recorded in the signed rpm. If you just checksum the binary on disk, the result can differ between two points in time and be inconsistent across systems.
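The comparison above can be scripted so that a syscheck alert on an rpm-based system is triaged the same way every time. The script below is an added example and is not part of the OSSEC wiki page: it reads the digest stored in the rpm database, computes the on-disk digest and the digest of the file with prelinking undone (prelink -y writes the un-prelinked file to stdout), and reports whether prelink alone explains the change. The digest command is an assumption: older rpm databases store MD5 (as in the output above), newer ones store SHA-256, so set DIGEST_CMD to whichever your distribution uses. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the OSSEC wiki): triage a syscheck hash alert on an
# rpm-based system by comparing three digests of the same file:
#   raw         - digest of the file as it sits on disk (what OSSEC hashed)
#   rpm         - digest recorded in the rpm database for that file
#   unprelinked - digest of the file with prelinking undone (prelink -y)
# Assumption: DIGEST_CMD matches the digest type stored in the rpm database
# (md5sum on old rpm releases, sha256sum on newer ones).
DIGEST_CMD="${DIGEST_CMD:-md5sum}"

# Extract the stored digest from one line of `rpm -qf --dump PATH`.
# Dump fields: path size mtime digest mode owner group isconfig isdoc rdev symlink
rpm_digest_from_dump() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# Pure decision function so the logic can be exercised without rpm/prelink.
# Prints one of: unchanged | prelink | modified
classify_hashes() {
    raw="$1"; rpmsum="$2"; unprelinked="$3"
    if [ "$raw" = "$rpmsum" ]; then
        echo unchanged      # on-disk file matches the package
    elif [ "$unprelinked" = "$rpmsum" ]; then
        echo prelink        # only prelink changed the bytes: benign
    else
        echo modified       # neither digest matches the package: investigate
    fi
}

# Gather the three digests for a real file (needs rpm and prelink installed).
check_binary() {
    f="$1"
    raw=$($DIGEST_CMD "$f" | awk '{ print $1 }')
    dumpline=$(rpm -qf --dump "$f" | awk -v p="$f" '$1 == p')
    rpmsum=$(rpm_digest_from_dump "$dumpline")
    unprelinked=$(prelink -y "$f" | $DIGEST_CMD | awk '{ print $1 }')
    printf '%s %s\n' "$f" "$(classify_hashes "$raw" "$rpmsum" "$unprelinked")"
}

# Usage: DIGEST_CMD=sha256sum sh triage.sh /usr/bin/perl /usr/bin/foobar
for f in "$@"; do
    check_binary "$f"
done
```

A result of "prelink" means the alert is the prelinking noise described on this page; "modified" means the file differs from the package even with prelinking undone, which is the case that deserves a look.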
Answer.
According to Daniel B. Cid the simple answer is to disable prelinking or simply be aware that it happens.
You can disable prelinking by editing /etc/sysconfig/prelink and changing:
PRELINKING=yes
to:
PRELINKING=no
Prelinking will be undone automatically the next time prelink runs, but you can do this immediately by executing:
[root@foobar ~]# prelink -ua
You should be aware that the next time ossec runs, a large number of alerts will be generated.