[Aide] prelink patch

John Horne john.horne at plymouth.ac.uk
Mon Feb 8 19:25:26 EET 2010


On Mon, 2010-02-08 at 08:45 -0600, Vijay Avarachen wrote:
>
> I compiled the latest snapshot with the prelink patch applied and
> installed it.  Prior to initializing the aide db, I ran the prelink
> cronjob (CentOS 5).  After initializing the aide db I ran a check
> (aide -C) expecting to see no fs changes.  To my surprise, aide
> reported numerous changes, all of them directories and in each case
> the inode had changed.
>
The prelink cronjob does not force prelinking to run, but simply sees if
prelinking is required to be run (and does so if necessary). If you need
to force prelinking to run, then you can either run 'prelink -fa' from
the command line, or 'touch /var/lib/misc/prelink.force' and then run
the cronjob.

Prelinking will, to some extent, 'recreate' the relevant file, so it is
normal for the file's inode number and date/time values to change.
Things such as the ownership, permissions and SELinux attributes will,
of course, remain the same.

The prelink patch simply (sorry, no disrespect there!) provides the
original binary to aide, so that the checksum can be checked to see if
the file content has changed. But whenever prelinking has run on files,
then their inode numbers will change. The prelink patch has no control
over that. As such, I tend to monitor the checksum of prelinked files,
but not the inode numbers. I use:

   #L:      p+i+l+n+u+g+acl+selinux+xattrs
   PRELINK = L-i+sha256+tiger




John.

-- 
John Horne                   Tel: +44 (0)1752 587287
University of Plymouth, UK   Fax: +44 (0)1752 587001
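
Added example, not part of the original message and not AIDE code: the Python sketch below models the 'recreate' step as write-to-a-temp-file-then-rename (an assumption about how the file gets replaced) and compares attribute snapshots the way a rule with `i` and the PRELINK rule without it would. The helper names and the sample file are constructed for the illustration, and only the attributes that os.stat can supply are covered.

```python
import hashlib
import os
import tempfile

# Attribute letters follow the aide.conf groups quoted in the message.
# Only the subset that os.stat() can supply is modelled here.
L_GROUP = ("p", "i", "n", "u", "g")
PRELINK_GROUP = tuple(a for a in L_GROUP if a != "i") + ("sha256",)

def snapshot(path):
    """Record permissions, inode, link count, owner, group and content hash."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"p": st.st_mode, "i": st.st_ino, "n": st.st_nlink,
            "u": st.st_uid, "g": st.st_gid, "sha256": digest}

def recreate(path):
    """Replace path with a new file holding the same content and mode.

    Assumption: the tool writes a temporary file and renames it over the
    original. The content is kept identical to stand in for the original
    binary that the prelink patch hands to aide for checksumming.
    """
    mode = os.stat(path).st_mode & 0o7777
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "wb") as out, open(path, "rb") as src:
        out.write(src.read())
    os.chmod(tmp, mode)
    os.replace(tmp, path)  # the new file brings a new inode with it

def changed(before, after, group):
    """Return the attributes in group whose values differ."""
    return [a for a in group if before[a] != after[a]]

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "binary")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content\n")
        os.chmod(path, 0o755)
        before = snapshot(path)
        recreate(path)
        after = snapshot(path)
        return (changed(before, after, L_GROUP),
                changed(before, after, PRELINK_GROUP))

if __name__ == "__main__":
    with_inode, without_inode = demo()
    print("rule including i reports:", with_inode)
    print("PRELINK-style rule reports:", without_inode)
```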

