[Aide] Aide (over)reacts when Prelink has run
John Horne
john.horne at plymouth.ac.uk
Fri Apr 27 23:36:21 EEST 2007
On Fri, 2007-04-27 at 16:13 +0100, Rick van Rein wrote:
>
> I am running into loads of reported changes every time prelink has run.
> This is a problem in that it makes it easy to overlook actual attacks.
>
> I find it a good thing if Aide notices a dependency (a library) has changed
> underneath a dependent (an executable), but not if this concerns only the
> loading location of the dependency (which AFAIK is what prelink sets).
>
> Is there a good way to work around these problems?
>
Hello,
As a newbie to Aide I too am trying to get Aide to work with prelinking
(on an FC6 system). Prelinking will change the inode and creation time
(as far as I know). As such I have created a specific rule for prelinked
files. The rule is 'L+b-i', where 'L' is the default of
'p+i+l+n+u+g+acl+selinux+xattrs', so the prelink rule ends up basically
being 'p+b+l+n+u+g'.
Next problem was which files are prelinked? The /etc/prelink.conf file
will list the directories prelink will look in, and this includes the
common command and library directories such as /bin, /usr/bin,
/sbin, /lib etc.
I haven't had too much time to test this, but it seems to work to some
extent. Unfortunately prelinking, again as far as I know, only occurs
when an update is applied or once every 2 weeks I think. There is
an /etc/cron.daily job which will have the details.
I initially tried to find out what others did about this problem.
However, I was surprised that I could find little about using Aide with
prelinking. I would have thought it was a common problem.
John.
--
---------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: John.Horne at plymouth.ac.uk Fax: +44 (0)1752 233839
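One way to turn the two steps in the message above (a relaxed rule for prelinked files, and finding the prelinked directories from /etc/prelink.conf) into an aide.conf fragment. This is an added example, not code from the message or from the AIDE or prelink projects. It assumes the prelink.conf layout used on Fedora systems (a '#' starts a comment, '-b' entries are blacklist patterns, '-l' and '-h' are per-directory walk flags) and that the default group 'L' is already defined earlier in your aide.conf, as it is in the message; the group name PRELINKED and the sample config are the example's own. The sample prelink.conf is constructed, not copied from a real system.

```shell
#!/bin/sh
# Added example: generate AIDE rules for the directories prelink walks.
# Assumes Fedora-style prelink.conf syntax and an aide.conf that defines L.

# Constructed sample prelink.conf (assumption: -b = blacklist glob,
# -l = do not cross filesystem boundaries, -h = follow symlinks,
# a bare path = walk the directory hierarchy).
SAMPLE_PRELINK_CONF='# directories prelink should consider by default
-b *.la
-b /usr/lib/klibc
-l /usr/local/sbin
-l /sbin
-h /usr/X11R6/lib
/usr/lib/gcj
'

# prelink_dirs CONF_TEXT
# Print the directories prelink is configured to walk, one per line.
# Comments, blank lines and -b (blacklist) entries are skipped; the
# -l/-h flags are dropped because an AIDE prefix rule covers the whole
# subtree either way.
prelink_dirs() {
    printf '%s\n' "$1" | awk '
        NF == 0 { next }                 # blank line
        substr($1, 1, 1) == "#" { next } # comment
        $1 == "-b" { next }              # blacklist glob, not a directory
        $1 == "-l" || $1 == "-h" { print $2; next }
        { print $1 }
    '
}

# gen_aide_rules CONF_TEXT
# Emit an aide.conf fragment: the PRELINKED group (L plus block count,
# minus inode, exactly the L+b-i rule from the message) followed by one
# rule per prelinked directory.
gen_aide_rules() {
    echo '# L is the default group (p+i+l+n+u+g+acl+selinux+xattrs);'
    echo '# add block count and drop inode, i.e. p+b+l+n+u+g+acl+selinux+xattrs'
    echo 'PRELINKED = L+b-i'
    prelink_dirs "$1" | while read -r d; do
        printf '%s PRELINKED\n' "$d"
    done
}

gen_aide_rules "$SAMPLE_PRELINK_CONF"
```

Run it against the real file with `gen_aide_rules "$(cat /etc/prelink.conf)" >> /etc/aide.conf` and re-initialise the database. Two things to keep in mind: the '-b' blacklist entries are skipped rather than translated into AIDE rules, so files they exclude from prelinking still fall under the relaxed rule for their directory; and the PRELINKED group contains no checksum attribute, so a binary in one of these directories that is replaced by a file with the same permissions, owner, link count and block count will not be reported. If that matters on your system, add a checksum to the group and accept the prelink-time noise for those files instead.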