CentOS 5 // aide 0.13.1
I installed aide on my CentOS server yesterday, and upon its first overnight integrity check, it found the following.
Code:
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /etc/prelink.cache
changed: /usr/sbin
changed: /usr/sbin/aide
changed: /usr/lib
changed: /usr/lib/libgpg-error.so.0.3.0
changed: /usr/lib/libgcrypt.so.11.2.2
changed: /lib
changed: /lib/libacl.so.1.1.0
changed: /lib/libm-2.5.so
...
Whoops. It goes on to note that these changes include new inode numbers, new ctimes, and new md5/rmd160/sha256 hashes. Also, all the changes occurred at the time that /etc/cron.daily/prelink ran.
I found the issue mentioned on aide's mailing list archive as well:
https://mailman.cs.tut.fi/pipermail/...il/000808.html
Both aide and prelink operate on a number of the same directories (e.g. /bin, /usr/bin, /sbin, /usr/sbin, and so on). This obviously is not going to be a peaceful coexistence as I have it currently configured. For aide to be able to do its job properly, prelink cannot be modifying binaries (or I'll wind up on a wild goose chase every morning).
For the time being, I've simply disabled the daily prelink cronjob. I'd rather be able to verify the integrity of binaries than have them prelinked.
Has anyone bumped into this issue with prelink and aide (or a similar HIDS)? Were you able to come up with a more elegant solution?
Gracias in advance.
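
An added example, not part of the original post: one way to triage a report like the one above is to compare each changed file's pre-prelink digest against a known-good value, so that only files whose underlying content really differs are left for review. It assumes prelink's `--verify --sha` options (which print the SHA-1 of the file as it was before prelinking) and a hypothetical `baseline` mapping of path to that digest, recorded from a trusted state.

```python
import re
import subprocess

# Constructed sample: the summary lines quoted in the post above.
SAMPLE_REPORT = """\
changed: /etc/prelink.cache
changed: /usr/sbin
changed: /usr/sbin/aide
changed: /usr/lib
changed: /usr/lib/libgpg-error.so.0.3.0
changed: /usr/lib/libgcrypt.so.11.2.2
changed: /lib
changed: /lib/libacl.so.1.1.0
changed: /lib/libm-2.5.so
"""

CHANGED = re.compile(r"^changed:\s+(.+)$")

def changed_paths(report):
    """Extract paths from the 'changed: <path>' summary lines of an AIDE report."""
    hits = (CHANGED.match(line.strip()) for line in report.splitlines())
    return [m.group(1) for m in hits if m]

def unprelinked_sha1(path):
    """SHA-1 of the file as it was before prelinking, or None if prelink
    is missing, times out, or cannot verify the file (non-zero exit)."""
    try:
        p = subprocess.run(["prelink", "--verify", "--sha", path],
                           stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                           universal_newlines=True, timeout=60)
    except (OSError, subprocess.TimeoutExpired):
        return None
    fields = p.stdout.split()
    return fields[0] if p.returncode == 0 and fields else None

def triage(report, baseline, digest=unprelinked_sha1):
    """Split changed paths into parent directories, files whose pre-prelink
    digest still matches the baseline, and everything else (needs review)."""
    paths = changed_paths(report)
    out = {"container": [], "prelink_only": [], "review": []}
    for p in paths:
        if any(q.startswith(p.rstrip("/") + "/") for q in paths):
            out["container"].append(p)      # listed because a child changed
        elif p in baseline and digest(p) == baseline[p]:
            out["prelink_only"].append(p)   # content unchanged once prelink is undone
        else:
            out["review"].append(p)         # no baseline, mismatch, or unverifiable
    return out
```

Files without a baseline entry, such as /etc/prelink.cache here, land in `review` by design, and the baseline itself has to be recorded with the same digest function while the system is in a trusted state.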