[Aide] Aide (over)reacts when Prelink has run

John Horne john.horne at plymouth.ac.uk
Fri Apr 27 23:36:21 EEST 2007


On Fri, 2007-04-27 at 16:13 +0100, Rick van Rein wrote:
>
> I am running into loads of reported changes every time prelink has run.
> This is a problem in that it makes it easy to overlook actual attacks.
> 
> I find it a good thing if Aide notices a dependency (a library) has changed
> underneath a dependent (an executable), but not if this concerns only the
> loading location of the dependency (which AFAIK is what prelink sets).
> 
> Is there a good way to work around these problems?
> 
Hello,

As a newbie to Aide I too am trying to get Aide to work with prelinking
(on an FC6 system). Prelinking will change the inode and creation time
(as far as I know). As such I have created a specific rule for prelinked
files. The rule is 'L+b-i', where 'L' is the default of
'p+i+l+n+u+g+acl+selinux+xattrs', so the prelink rule ends up basically
being 'p+b+l+n+u+g'.

Next problem was which files are prelinked? The /etc/prelink.conf file
will list the directories prelink will look in, and this includes the
common command and library directories such as /bin, /usr/bin,
/sbin, /lib etc.

I haven't had too much time to test this, but it seems to work to some
extent. Unfortunately prelinking, again as far as I know, only occurs
when an update is applied or once every 2 weeks I think. There is
an /etc/cron.daily job which will have the details.

I initially tried to find out what others did about this problem.
However, I was surprised that I could find little about using Aide with
prelinking. I would have thought it was a common problem.


John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: John.Horne at plymouth.ac.uk       Fax: +44 (0)1752 233839
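The procedure John describes (read the directory list out of /etc/prelink.conf, apply a metadata-only rule to those trees and leave the default rule everywhere else), as an added example that is not code from this thread or from the AIDE project. The rule name PRELINKED is an assumption of the example; the meaning given to the -b, -l and -h prefixes follows prelink.conf(5) (blacklist, no recursion, follow symlinks); the selection lines assume AIDE's extended-regex syntax; and the prelink.conf content is constructed for the example. Note that L+b-i as given contains no checksum attribute, so the generated lines record file metadata only.

```shell
#!/bin/sh
# Added example, not code from the thread or from the AIDE project.
# Turns the directory list in a prelink.conf into AIDE selection lines that
# use John's metadata-only rule (L+b-i), so prelink's inode/ctime churn in
# those trees is not reported while the default rule still covers the rest.
#
# Assumptions (labelled): the rule name PRELINKED is ours; -b/-l/-h are read
# as in prelink.conf(5) (-b blacklist, -l no recursion, -h follow symlinks);
# AIDE selection lines are POSIX extended regexes.

# Rule definition to place in aide.conf ahead of the generated lines.
prelink_rule_definition() {
    printf 'PRELINKED = L+b-i\n'
}

# Read a prelink.conf on stdin, write AIDE selection lines on stdout.
aide_rules_from_prelink_conf() {
    set -f   # prelink.conf carries glob patterns such as *.la; never expand them
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}            # drop comments
        set -- $line                # split into flag and path
        [ $# -eq 0 ] && continue    # blank or comment-only line
        case $1 in
            -b) ;;                  # blacklisted: prelink skips it, default AIDE rule stays
            -c) ;;                  # include directive: resolve the included files separately
            -l) printf '%s/[^/]+$ PRELINKED\n' "$2" ;;   # no recursion: direct children only
            -h) printf '%s PRELINKED\n' "$2" ;;          # follow symlinks: same selection line
            *)  printf '%s PRELINKED\n' "$1" ;;          # plain directory, recursive
        esac
    done
    set +f
}

# Constructed sample input for the example; not copied from a real system.
sample_prelink_conf() {
    cat <<'EOF'
# constructed prelink.conf
-b *.la
-b *.py
-l /usr/lib
-h /usr/bin
/bin
/sbin
/lib
EOF
}

# Stand-alone run: print the fragment to append to aide.conf.
prelink_rule_definition
sample_prelink_conf | aide_rules_from_prelink_conf
```

On a real system the last line would read `aide_rules_from_prelink_conf < /etc/prelink.conf`; the output is a fragment to paste into aide.conf, after which `aide --init` (or the distribution's equivalent) rebuilds the database under the new rules.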
