CentOS 5 // aide 0.13.1

I installed aide on my CentOS server yesterday, and upon its first overnight integrity check, it found the following.

Whoops. It goes on to note that these changes include new inode numbers, new ctimes, and new md5/rmd160/sha256 hashes. Also, all the changes occurred at the time that /etc/cron.daily/prelink ran.

I found the issue mentioned on aide's mailing list archive as well: https://mailman.cs.tut.fi/pipermail/...il/000808.html

Both aide and prelink operate on a number of same directories (e.g. /bin, /usr/bin, /sbin, /usr/sbin, and so on.). This obviously is not going to be a peaceful coexistence as I have it currently configured. For aide to be able to do its job properly, prelink can not be modifying binaries (or I'll wind up on a wild goose chase every morning).

For the time-being, I've simply disabled the daily prelink cronjob. I'd rather be able to verify the integrity of binaries than have them prelinked.

Has anyone bumped into this issue with prelink and aide (or a similar HIDS)? Were you able to come up with a more elegant solution?

Gracias in advance.

After some reading and experimentation, I believe this is the solution I'll be going with. Utilizing prelink on a server is not terribly important to me. And I don't want to have to customize aide to the point of uselessness just to run prelink. YMMV.

On CentOS 5, you can disable prelink and revert all binaries to their pre-prelink state by specifying the PRELINKING=no directive in /etc/sysconfig/prelink.

I've added some tags to this post for the next guy who runs into the same problem.