AIDE constantly reporting prelink errors

We added a couple of new boxes running CentOS 6 here at Hagen Hosting. They generally work really nicely, but I’ve been having this on going fight with AIDE and prelink.

Prelink seems like a good idea because it reduces the chance of an exploit working, but the honest truth is that it is annoying, potentially troublesome in terms of legal issues and security. More over, from what I read, prelink doesn’t add much extra security.

I find it particularly annoying when prelink runs each week and I’m confronted with the output from AIDE saying a bunch of files have changed. It would take hours to compare them all to see if they had changed because of an intrusion so I have to assume that they have changed because of prelink because they are listed in the prelink logs and timestamps match. But, you know, it just doesn’t feel secure.

More over prelink has become very annoying because for some reason that I have yet to work out, each night it keeps prelinking the same set of files. A few are compiled-from-source programs (like Apache), but some are standard libs.

To get it to stop I had to run prelink on those files manually and keep re-running it until it stopped saying that some of the files needed prelinking.

However after a valient attempt I’ve realised that prelink is just causing too many headaches and so I took the ultimate step — to disable it.

To disable prelink edit

/etc/sysconfig/prelink.conf

/etc/sysconfig/prelink

and change

PRELINKING=yes

to

PRELINKING=no

Sometime in the next few days it will run prelink -ua to undo the pre-linking on all files then I’ll be done with it and the only changes to the system will be updates (or bad stuff :-)

Edit: 2014-05-22T13:25:56+00:00

I just had this error message coming up on a box after updating a library. prelinking is disabled but I would still get this same error message from AIDE.

Running

prelink -ua

did not stop the error messages because running this command checks the value of PRELINKING and so it doesn’t run – at least I think so. The error occurs because AIDE detects that the library has changed and so runs prelink directly on those files:

4574 [pid 12916] execve("/usr/sbin/prelink", ["/usr/sbin/prelink", "--verify", "/usr/local/apache2/modules/libph"...], [/* 44 vars */]) = 0

Since I have PRELINKING=no defined, but I was getting this error message, it would appear that if you specify a filename to prelink then it runs as it normally would, regardless of this global setting. It makes sense, I suppose.

The answer therefore was to use this knowledge that prelink still works on specific files, but not globally, and “un-prelink” the library in question. In otherwords run;

prelink -ua <file>

Doing this caused AIDE to no longer run prelink.

Advertisements

2 Responses to AIDE constantly reporting prelink errors

  1. Jason Ashby says:

    Thanks for the info and the link to the lwn.net discussion, it was quite helpful.

    After disabling PRELINKING in /etc/sysconfig/prelink on a CentOS 6.4 host, I get the following when rerunning /usr/sbin/aide –init

    /usr/sbin/prelink: /usr/sbin/thin_restore: at least one of file’s dependencies has changed since prelinking
    Error on exit of prelink child process

    I’m guessing prelink -ua needs to run first? I’ll try running that manually.

  2. mrOrange says:

    Superb, thank you very much for the edit, I had(!) been having these issues for a while. I initially had simply removed prelink altogether, but AIDE would still put out two prelink warnings during check and updates, which whilst fine and harmless, was annoying the heck out of me.

    To be absolutely sure it would work, I ran the prelink -ua on one of the libraries reported as having dependencies issues, updated the AIDE db, checked again and it was gone – all the proof I needed that it was going to work.

    Once again, many thanks for your investigative work on this, saved me a lot of time and frustration.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: