[Aide] prelink patch

Vijay Avarachen vavarachen at gmail.com
Fri Feb 5 22:59:03 EET 2010


Hi,
   I might be beating a dead horse here, but I am trying to get a better
understanding of how this patch addresses the conflict of modified
inodes following a prelink run.  I am not an ANSI C programmer so
please bear with me.

I compiled the latest snapshot with the prelink patch applied and
installed it.  Prior to initializing the aide db, I ran the prelink
cronjob (CentOS 5).  After initializing the aide db I ran a check
(aide -C) expecting to see no fs changes.  To my surprise, aide
reported numerous changes, all of them directories and in each case
the inode had changed.  All checks were done using NORMAL rule which
is defined as follows:

R=p+i+n+u+g+s+m+c+acl+xattrs+md5
L=p+i+n+u+g+acl+xattrs
>=p+u+g+i+n+S+acl+xattrs
NORMAL = R+rmd160+sha256

Here is a brief sample of aide report:

AIDE found differences between database and filesystem!!
Start timestamp: 2010-02-05 13:55:53

Summary:
  Total number of files:        34133
  Added files:                  0
  Removed files:                0
  Changed files:                18
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /usr/sbin
changed: /usr/lib
<snip>
--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /usr/sbin
  Mtime    : 2010-02-05 13:45:52              , 2010-02-05 13:46:04
  Ctime    : 2010-02-05 13:45:52              , 2010-02-05 13:46:04

Directory: /usr/lib
  Mtime    : 2010-02-04 10:20:33              , 2010-02-05 13:47:09
  Ctime    : 2010-02-04 10:20:33              , 2010-02-05 13:47:09
<snip>

AFAIK, the prelink patch works as follows:
(1) Establish if the file is prelinked using some elf magic I do not
understand yet. Explanation would be appreciated.
(2) Prelinked files are run through the "prelink --verify" command one
at a time.  According to the prelink man page:
"It first applies an --undo operation on the file, then prelinks just
that file  again  and compares this with the original file. If both
are identical, it prints the file after --undo operation on standard
output and exits with zero status. Otherwise it exits with error
status."
(3) Based on the result of (2) the file is marked verified or flagged.

Can someone please shed some light and help me gain a better
understanding?  My goal is to continue using prelink and enjoy its
benefits without having to compromise my file integrity checks.

Thanks,
Vijay Avarachen
--
"Knowledge is the only wealth that grows as you spend it, and
diminishes as you save it."
-- ancient Sanskrit saying
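As an added illustration of step (1) above (this is example code, not the AIDE patch and not from the poster): prelink records the data needed for "prelink --undo" in an ELF section named .gnu.prelink_undo, so the "elf magic" test can be reduced to "is this an ELF file, and does its section header table contain a section of that name". The assumption here is that presence of that section is the only criterion; the build_elf64 helper only fabricates a minimal ELF image so the check can be exercised without a real binary.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PRELINK_SECTION = b".gnu.prelink_undo"  # section prelink adds to hold its undo data


def section_names(data: bytes):
    """Yield section names of an ELF image (ELF32/ELF64, either byte order);
    yields nothing for non-ELF, truncated or inconsistent input."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        return                                    # not an ELF file at all
    elf64 = data[4] == 2                          # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = ">" if data[5] == 2 else "<"            # EI_DATA: 2 = big endian
    # Only e_shoff, e_shentsize, e_shnum and e_shstrndx are needed from the header.
    hdr_fmt, hdr_off, sh_fmt, sh_min = (("Q10xHHH", 40, "I20xQQ", 64) if elf64
                                        else ("I10xHHH", 32, "I12xII", 40))
    shoff, shentsize, shnum, shstrndx = struct.unpack_from(end + hdr_fmt, data, hdr_off)
    if (shnum == 0 or shstrndx >= shnum or shentsize < sh_min
            or shoff + shnum * shentsize > len(data)):
        return                                    # no, or out-of-bounds, section table

    def shdr(i):                                  # -> (sh_name, sh_offset, sh_size)
        return struct.unpack_from(end + sh_fmt, data, shoff + i * shentsize)

    _, str_off, str_size = shdr(shstrndx)
    strtab = data[str_off:str_off + str_size]     # section-name string table
    for i in range(shnum):
        yield strtab[shdr(i)[0]:].split(b"\0", 1)[0]


def is_prelinked(data: bytes) -> bool:
    """Step (1) from the post: an ELF file carrying .gnu.prelink_undo is prelinked."""
    return PRELINK_SECTION in section_names(data)


def build_elf64(extra_sections):
    """Constructed sample input (not a real binary): minimal little-endian ELF64
    with a null section, .shstrtab and the given empty sections."""
    names = [b"", b".shstrtab"] + list(extra_sections)
    offs, strtab = [], b""
    for n in names:
        offs.append(len(strtab))
        strtab += n + b"\0"
    shoff = 64 + len(strtab)                      # section headers follow the strtab
    hdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                      2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(names), 1)
    shdrs = b""
    for i, name_off in enumerate(offs):
        sh_type = (0, 3, 1)[min(i, 2)]            # SHT_NULL, SHT_STRTAB, SHT_PROGBITS
        off, size = (64, len(strtab)) if i == 1 else (0, 0)
        shdrs += struct.pack("<IIQQQQIIQQ", name_off, sh_type, 0, 0, off, size, 0, 0, 1, 0)
    return hdr + strtab + shdrs
```

Only files for which is_prelinked() is true would go on to step (2); everything else (scripts, data, unprelinked binaries) can be hashed as it is, which is why the directory mtime/ctime changes in the report above are outside what this test can explain.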