I use Tripwire to verify my router host hasn’t been cracked. A cron job runs every night in which Tripwire checks important system files to make sure they haven’t been changed. When system updates are done (via yum or apt-get), these files are expected to change.
Before an update, I run a manual tripwire check with
tripwire --check and verify it with
tripwire --update -r <report name>. After the update is done, I do this again to approve the system changes. The big surprise is seeing the tripwire report the next day. It shows lots of modified files! The first time this happened, I feared the worst. So I verified the changed files with
rpm -qf <changed file name> to get the changed packages, then
rpm -V <package name>. The packages were fine.
What happened was the files were relinked. There’s another cron job that runs prelink every night. Prelink optimizes dynamically linked shared libraries and binaries so they load faster. You can see what prelink changed by looking at its log in