How to respond to "Integrity checksum changed" event?

Glen Peterson

Apr 17, 2020, 9:46:04 AM4/17/20
to ossec-list
I received this email:

OSSEC HIDS Notification.
2020 Apr 17 01:54:51

Received From: myServer->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."

Integrity checksum changed for: '/usr/bin/git-receive-pack'
...


I got the same notification email for the following files:
/usr/bin/git
/usr/bin/git-upload-archive
/usr/bin/git-shell
/usr/bin/git-upload-pack

But none of these files have been changed since April 10th (and two of them are links):

$ sudo ls -l /usr/bin/git*
-rwxr-xr-x 1 root root 2351792 Apr 10 11:59 /usr/bin/git
lrwxrwxrwx 1 root root       3 Apr 10 11:59 /usr/bin/git-receive-pack -> git
-rwxr-xr-x 1 root root 1304912 Apr 10 11:59 /usr/bin/git-shell
lrwxrwxrwx 1 root root       3 Apr 10 11:59 /usr/bin/git-upload-archive -> git
-rwxr-xr-x 1 root root 1317120 Apr 10 11:59 /usr/bin/git-upload-pack

It looks like syscheck takes about 10 minutes to run (from /var/ossec/logs/ossec.log):

2020/04/13 17:00:33 ossec-syscheckd: INFO: Starting syscheck scan.
2020/04/13 17:10:23 ossec-syscheckd: INFO: Ending syscheck scan.
2020/04/13 20:40:23 rootcheck: INFO: Starting rootcheck scan.
2020/04/13 21:22:09 rootcheck: INFO: Ending rootcheck scan.
2020/04/14 13:12:09 ossec-syscheckd: INFO: Starting syscheck scan.
2020/04/14 13:22:00 ossec-syscheckd: INFO: Ending syscheck scan.
2020/04/14 17:27:00 rootcheck: INFO: Starting rootcheck scan.
2020/04/14 18:09:24 rootcheck: INFO: Ending rootcheck scan.
2020/04/15 09:24:24 ossec-syscheckd: INFO: Starting syscheck scan.
2020/04/15 09:34:14 ossec-syscheckd: INFO: Ending syscheck scan.
2020/04/15 14:14:14 rootcheck: INFO: Starting rootcheck scan.
2020/04/15 14:56:57 rootcheck: INFO: Ending rootcheck scan.
2020/04/16 05:36:57 ossec-syscheckd: INFO: Starting syscheck scan.
2020/04/16 05:46:47 ossec-syscheckd: INFO: Ending syscheck scan.
2020/04/16 11:01:47 rootcheck: INFO: Starting rootcheck scan.
2020/04/16 11:44:23 rootcheck: INFO: Ending rootcheck scan.
2020/04/17 01:49:23 ossec-syscheckd: INFO: Starting syscheck scan.
2020/04/17 01:55:02 ossec-maild: DEBUG: Running OS_Sendmail()
2020/04/17 01:55:02 ossec-maild [dns]: ERROR: connect() failed.
2020/04/17 01:55:17 ossec-maild: DEBUG: Running OS_Sendmail()
2020/04/17 01:55:17 ossec-maild [dns]: ERROR: connect() failed.
2020/04/17 01:55:52 ossec-maild: DEBUG: Running OS_Sendmail()
2020/04/17 01:55:52 ossec-maild [dns]: ERROR: connect() failed.
2020/04/17 01:56:42 ossec-maild: DEBUG: Running OS_Sendmail()
2020/04/17 01:56:42 ossec-maild [dns]: ERROR: connect() failed.
2020/04/17 01:59:13 ossec-syscheckd: INFO: Ending syscheck scan.

So I probably need to recheck my mail setup, but everything else looks fine.

I was curious what version of git I was running:
$ apt list |grep ^git

git/bionic-updates,bionic-security,now 1:2.17.1-1ubuntu0.6 amd64 [installed]
...


It looks from the dropdown here like git-receive-pack has only changed in versions

Changes in the git-receive-pack manual
2.24.1 → 2.26.1   no changes
2.24.0            11/04/19
2.18.1 → 2.23.2   no changes
2.18.0            06/21/18
2.13.3 → 2.17.4   no changes
2.13.2            06/24/17
2.11.1 → 2.12.5   no changes
2.11.0            11/29/16

So it doesn't immediately look like the change came from the git sources.  What has apt installed recently?

$ sudo less /var/log/apt/term.log
...
Log started: 2020-04-16  06:22:27
(Reading database ...  ... 100%^M(Reading database ... 135924 files and directories currently installed.)
Preparing to unpack .../git_1%3a2.17.1-1ubuntu0.6_amd64.deb ...
Unpacking git (1:2.17.1-1ubuntu0.6) over (1:2.17.1-1ubuntu0.5) ...
Setting up git (1:2.17.1-1ubuntu0.6) ...
Log ended: 2020-04-16  06:22:30
...


So I'm guessing that git was automatically updated last night by apt (the Ubuntu package manager), probably for some Ubuntu compatibility reason, which is probably all normal and fine.  But I still wonder:

 - Why is the last-modified date on the files in question April 10th?  Is that when they were built and tested before being promoted to the latest Ubuntu packages?

 - Is this sort of generally what I should be doing when I receive these notifications?  How would I know if something like this represents tampering vs. normal system activity?  In the future, I guess I should look at /var/log/apt/term.log first.
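Added example (not from the post or from the OSSEC project): a Python script that parses a rule 550 alert body and correlates each alerted path with recent package upgrades from dpkg's own log, so the triage described above becomes repeatable. It assumes the dpkg.log line format shown in the constructed sample and a file-to-package map that on a real host you would build with `dpkg -S <path>`; any path not accounted for by a package change is flagged for a `dpkg -V <package>` check against the md5sums shipped with the package.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the alert body quoted in the post (trimmed) and
# dpkg.log lines in the format dpkg writes for an upgrade (assumed format).
ALERT = """OSSEC HIDS Notification.
2020 Apr 17 01:54:51
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Integrity checksum changed for: '/usr/bin/git-receive-pack'
"""
DPKG_LOG = """2020-04-16 06:22:28 upgrade git:amd64 1:2.17.1-1ubuntu0.5 1:2.17.1-1ubuntu0.6
2020-04-16 06:22:30 status installed git:amd64 1:2.17.1-1ubuntu0.6
"""
# Assumed file-to-package map; on a real host build it with `dpkg -S <path>`.
OWNER = {"/usr/bin/git-receive-pack": "git", "/usr/bin/git": "git"}

ALERT_TIME = re.compile(r"^(\d{4} [A-Z][a-z]{2} \d{2} \d\d:\d\d:\d\d)$", re.M)
ALERT_PATH = re.compile(r"Integrity checksum changed for: '([^']+)'")
# dpkg.log: "<date> <time> <action> <pkg>[:<arch>] <old-version> <new-version>"
DPKG_LINE = re.compile(r"^(\S+ \S+) (install|upgrade|remove|purge) ([^:\s]+)(?::\S+)? (\S+) (\S+)$")

def parse_alert(text):
    """Return (alert time, [changed paths]) from an OSSEC rule 550 alert body."""
    when = datetime.strptime(ALERT_TIME.search(text).group(1), "%Y %b %d %H:%M:%S")
    return when, ALERT_PATH.findall(text)

def package_changes(log_text, since, until):
    """Yield (time, action, package, old_version, new_version) inside the window."""
    for line in log_text.splitlines():
        m = DPKG_LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            if since <= ts <= until:
                yield (ts,) + m.groups()[1:]

def explain(alert, dpkg_log, owner, window_days=7):
    """Map each alerted path to the package change that accounts for it, or flag it."""
    when, paths = parse_alert(alert)
    changes = list(package_changes(dpkg_log, when - timedelta(days=window_days), when))
    verdict = {}
    for path in paths:
        pkg = owner.get(path)
        hits = [c for c in changes if c[2] == pkg]
        if hits:
            ts, action, _, old, new = hits[-1]
            verdict[path] = f"explained: {action} {pkg} {old} -> {new} at {ts}"
        else:
            verdict[path] = f"UNEXPLAINED: no package change; run dpkg -V {pkg or '<unknown>'}"
    return verdict
```

dpkg sets each installed file's mtime from the timestamp stored in the .deb, so a file unpacked on April 16 can still show April 10; compare checksums, not timestamps.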