This was in a recent Tripwire report of a Debian Linux (virtual) server:
### Attr Observed (what it is) Expected (what it should be)
### =========== ============================= =============================
/dev/char/253:0
md5 (sig1): 3cArKelJk8b0VTK4Q80.nV 3Z4Cv6zdER0tKfg3lDqPM3
First of all, what is /dev/char/253:0? Secondly, should I be concerned that it changed?
UPDATE. One of my colleagues said that this can happen with a server reboot, which, since I had rebooted the server the previous day, is probably what triggered the Tripwire alert.
The /dev folder is where linux stores files generally associated with devices. Most of these are special files that are mapped or linked with individual devices, such as hard drives, cd-roms, USB devices, etc..
It would seem to me that monitoring these files for changes would result in a lot of changes being detected, depending on the device and how the file is used. I haven't worked with a /char directory too frequently, but I believe it contains "Character Devices," which are characterwise/steraming interfaces, as opposed to block devices, such as hard drives and CD-ROMs.
To answer your question, I would think you could safely disregard this message, after verifying that whatever device is mapped to 253:0 is expected.
For more information, check out:
http://tldp.org/LDP/sag/html/dev-fs.html
and
http://en.wikipedia.org/wiki/Device_file#Character_devices