09-14-2007, 08:56 AM   #1
aide + prelink issues

CentOS 5 // aide 0.13.1

I installed aide on my CentOS server yesterday, and upon its first overnight integrity check, it found the following.

Changed files:

changed: /etc/prelink.cache
changed: /usr/sbin
changed: /usr/sbin/aide
changed: /usr/lib
changed: /usr/lib/
changed: /usr/lib/
changed: /lib
changed: /lib/
changed: /lib/
Whoops. It goes on to note that these changes include new inode numbers, new ctimes, and new md5/rmd160/sha256 hashes. Also, all the changes occurred at the time that /etc/cron.daily/prelink ran.

I found the issue mentioned on aide's mailing list archive as well:

Both aide and prelink operate on a number of the same directories (e.g. /bin, /usr/bin, /sbin, /usr/sbin, and so on). This obviously is not going to be a peaceful coexistence as I have it currently configured. For aide to be able to do its job properly, prelink cannot be modifying binaries (or I'll wind up on a wild goose chase every morning).

For the time being, I've simply disabled the daily prelink cronjob. I'd rather be able to verify the integrity of binaries than have them prelinked.

Has anyone bumped into this issue with prelink and aide (or a similar HIDS)? Were you able to come up with a more elegant solution?

Gracias in advance.
09-15-2007, 03:43 PM   #2
After some reading and experimentation, I believe this is the solution I'll be going with. Utilizing prelink on a server is not terribly important to me. And I don't want to have to customize aide to the point of uselessness just to run prelink. YMMV.

On CentOS 5, you can disable prelink and revert all binaries to their pre-prelink state by specifying the PRELINKING=no directive in /etc/sysconfig/prelink.

I've added some tags to this post for the next guy who runs into the same problem.


aide, prelink prelinking
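
A triage sketch for the situation in this thread, added here as an example and not code from the poster or from the aide or prelink projects: it reads the PRELINKING setting and labels each "changed:" path in an AIDE report as either consistent with prelink or needing investigation. The function names, the directory list (taken from the paths named in the thread) and the sample data are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample data are constructed.

# Print "yes" only if the sysconfig file's last PRELINKING= line says yes.
# A missing file or any other value counts as "no": the conservative choice
# for triage (an assumption of this sketch).
prelinking_enabled() {
    val=$(grep -E '^[[:space:]]*PRELINKING=' "$1" 2>/dev/null |
          tail -n 1 | cut -d= -f2 | tr -d "\"' \t")
    if [ "$val" = yes ]; then echo yes; else echo no; fi
}

# Label every "changed:" path in an AIDE report ($1) using the prelink
# setting in $2. "prelink-candidate" means the path is one prelink rewrites,
# not that it is cleared; with prelinking off, every change is "investigate".
triage_aide_report() {
    enabled=$(prelinking_enabled "$2")
    sed -n 's/^changed:[[:space:]]*//p' "$1" | while IFS= read -r path; do
        label=investigate
        if [ "$enabled" = yes ]; then
            case "$path" in
                /etc/prelink.cache|/bin|/bin/*|/sbin|/sbin/*|/lib|/lib/*)
                    label=prelink-candidate ;;
                /usr/bin|/usr/bin/*|/usr/sbin|/usr/sbin/*|/usr/lib|/usr/lib/*)
                    label=prelink-candidate ;;
            esac
        fi
        printf '%s\t%s\n' "$label" "$path"
    done
}

# Constructed sample: report lines modelled on the thread's output, with
# /etc/shadow added as a path prelink never touches.
write_sample() {
    printf '%s\n' 'Changed files:' '' 'changed: /etc/prelink.cache' \
        'changed: /usr/sbin' 'changed: /usr/sbin/aide' \
        'changed: /etc/shadow' > "$1/aide.report"
    printf 'PRELINKING=yes\n' > "$1/prelink.on"
    printf '# disabled after the AIDE alerts\nPRELINKING=no\n' > "$1/prelink.off"
}

# Usage: sh triage.sh AIDE_REPORT /etc/sysconfig/prelink
if [ "$#" -eq 2 ]; then triage_aide_report "$1" "$2"; fi
```

Once PRELINKING=no is in place, the script stops attributing anything to prelink, so every changed binary in the next AIDE report is treated as a finding to investigate.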
