hi,

I'm running tripwire on my boxes, and the last report shows this:

Added: "/var/run/sudo/root/1"

I am worried about cause the function of sudo command , does anybody some idea if that is normal?

Thanks in advance,

It could be innocent enough or it might not be. /var/run/sudo is where sudo stores timestamps, however it might also be related to a symlinking attack. What's the file type and (if relevant) contents of the file in question? Also, it might be a good idea to run chkrootkit or something similar.

Steve