search for: poorlydocumented

...auditctl -w /usr/sbin/asterisk -p war -k asterisk-bin >then you can get a report on who modified it and when by using: >ausearch -f /usr/sbin/asterisk >Its a start, but eventually you might need to monitor even keystrokes with pam_tty_audit.so to understand who is doing this: >http://poorlydocumented.com/2014/05/enabling-pam_tty_audit-on-rhel-centos-o r-scientific-linux/ Thanks I'll keep that in mind. Just to report back, stopping pre-linking as detailed yesterday and setting immutable with chattr on the Asterisk executable on the Head Office box here appears to have solved the problem. T...

Hi guys Thanks for the pointers - I'll look into the possible compromise scenario though I've got no idea how I'll counter it -if- I manage to detect it...! I've disabled prelinking (thanks Tony!) and I'll see if that helps. Interesting thing I've now discovered (had this failure again at the head office this morning) is the "growth" in the file's size is