AIDE constantly reporting prelink errors

We added a couple of new boxes running CentOS 6 here at Hagen Hosting. They generally work really nicely, but I’ve been having this ongoing fight with AIDE and prelink.

Prelink seems like a good idea because it reduces the chance of an exploit working, but the honest truth is that it is annoying, potentially troublesome in terms of legal issues and security. Moreover, from what I read, prelink doesn’t add much extra security.

I find it particularly annoying when prelink runs each week and I’m confronted with the output from AIDE saying a bunch of files have changed. It would take hours to compare them all to see if they had changed because of an intrusion so I have to assume that they have changed because of prelink because they are listed in the prelink logs and timestamps match. But, you know, it just doesn’t feel secure.
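The weekly comparison described above can be scripted. The following is an added example, not part of the original post: it lists the files AIDE reports as changed that the prelink log does not mention. The line formats ("changed: /path" in the AIDE report, "Prelinking /path" in the prelink log) and the sample data are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: list files AIDE reports as changed that the prelink log
# does not account for. Assumed line formats (constructed, not from the post):
#   AIDE report:  "changed: /path"      prelink log:  "Prelinking /path"

# unexplained_changes AIDE_REPORT PRELINK_LOG
unexplained_changes() {
    work=$(mktemp -d) || return 1
    sed -n 's/^changed: //p' "$1" | LC_ALL=C sort -u > "$work/changed"
    sed -n 's/^Prelinking //p' "$2" | LC_ALL=C sort -u > "$work/prelinked"
    # comm -23 keeps lines found only in the first list:
    # changed according to AIDE, never mentioned by prelink.
    LC_ALL=C comm -23 "$work/changed" "$work/prelinked"
    rm -rf "$work"
}

# write_samples DIR: constructed sample inputs for a dry run.
write_samples() {
    printf '%s\n' \
        'changed: /usr/bin/ssh' \
        'changed: /usr/lib64/libcrypto.so.1.0.0' \
        'changed: /usr/sbin/sshd' \
        'changed: /etc/passwd' > "$1/aide.report"
    printf '%s\n' \
        'Prelinking /usr/bin/ssh' \
        'Prelinking /usr/lib64/libcrypto.so.1.0.0' > "$1/prelink.log"
}

# Dry run on the constructed samples.
demo=$(mktemp -d)
write_samples "$demo"
unexplained_changes "$demo/aide.report" "$demo/prelink.log"
rm -rf "$demo"
```

Anything this prints changed without prelink logging it and deserves a manual look first. A path that appears in both lists is only explained by the log entry, not verified to be otherwise unmodified.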

Moreover, prelink has become very annoying because for some reason that I have yet to work out, each night it keeps prelinking the same set of files. A few are compiled-from-source programs (like Apache), but some are standard libs.

To get it to stop I had to run prelink on those files manually and keep re-running it until it stopped saying that some of the files needed prelinking.

However, after a valiant attempt I’ve realised that prelink is just causing too many headaches and so I took the ultimate step — to disable it.

To disable prelink edit

/etc/sysconfig/prelink.conf

/etc/sysconfig/prelink

and change

PRELINKING=yes

to

PRELINKING=no

Sometime in the next few days it will run prelink -ua to undo the pre-linking on all files then I’ll be done with it and the only changes to the system will be updates (or bad stuff :-)

Edit: 2014-05-22T13:25:56+00:00

I just had this error message coming up on a box after updating a library. Prelinking is disabled but I would still get this same error message from AIDE.

Running

prelink -ua

did not stop the error messages because running this command checks the value of PRELINKING and so it doesn’t run – at least I think so. The error occurs because AIDE detects that the library has changed and so runs prelink directly on those files:

4574 [pid 12916] execve("/usr/sbin/prelink", ["/usr/sbin/prelink", "--verify", "/usr/local/apache2/modules/libph"...], [/* 44 vars */]) = 0

Since I have PRELINKING=no defined, but I was getting this error message, it would appear that if you specify a filename to prelink then it runs as it normally would, regardless of this global setting. It makes sense, I suppose.

The answer therefore was to use this knowledge that prelink still works on specific files, but not globally, and “un-prelink” the library in question. In other words, run:

prelink -ua <file>

Doing this caused AIDE to no longer run prelink.

aide.conf syntax errors contain junk line information

The latest servers that we added to run our e-Classifieds (r) platform use CentOS 6. I definitely like the boxes but Prelink and AIDE have been a pain.

After trying to stop AIDE checking some folders I started getting this report:

271:syntax error: <junk>
271:Error while reading configuration: <junk>

It turns out that this really was a syntax error. It really was on line 271 because rather daftly I had been thinking in terms of RegExps and added the line as

!^/usr/local/....

The ^ generates the syntax error. But apparently AIDE has a free/malloc/pointer bug in this error message as it prints random junk after the error message. Initially this made me think that the error that was being reported was that the aide.conf file contained those characters and I couldn’t see them and therefore oooh filesystem/disk corruption… I was relieved to find that it was a bug in AIDE’s error message.
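AIDE already anchors each selection regex at the start of the path, so the leading ^ is never needed. The following added example (not from the original post, and not AIDE's own code) finds such lines before AIDE does and prints a clean line number; it assumes selection lines must begin with /, !/ or =/, and the sample aide.conf fragment is constructed.

```shell
#!/bin/sh
# Added example: flag aide.conf selection lines where "!" or "=" is not
# followed directly by "/", e.g. "!^/path" written with a regex anchor.
# Assumption: valid selection lines start with "/", "!/" or "=/".

# lint_aide_selections CONF  ->  prints "LINE: text (try: fixed)"
lint_aide_selections() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        kind = substr(line, 1, 1)
        if (kind != "!" && kind != "=") next      # not a negated/equals rule
        rest = substr(line, 2)
        if (substr(rest, 1, 1) == "/") next       # well-formed selection
        hint = ""
        if (substr(rest, 1, 2) == "^/")           # drop the explicit anchor
            hint = " (try: " kind substr(rest, 2) ")"
        printf "%d: %s%s\n", NR, line, hint
    }' "$1"
}

# write_sample_conf FILE: constructed aide.conf fragment, bad rule on line 6.
write_sample_conf() {
    printf '%s\n' \
        '# constructed sample, not a real configuration' \
        'database=file:/var/lib/aide/aide.db.gz' \
        'NORMAL = p+i+n+u+g+s+m+c+sha256' \
        '/usr NORMAL' \
        '!/usr/src' \
        '!^/srv/example/cache' \
        '=/var/log NORMAL' > "$1"
}

# Dry run on the constructed fragment.
conf=$(mktemp)
write_sample_conf "$conf"
lint_aide_selections "$conf"
rm -f "$conf"
```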

I moved my Blog to perladmin.oreally.co.uk

I moved my blog to WordPress hosted on my own box. It can now be accessed via the URL http://perladmin.oreally.co.uk/

As for why? Well I’ve played with WordPress on and off for a while, but I never really liked the previous versions that much and had given up several revisions ago. I decided to try looking at it again this time around and really preferred the interface. I’m still not at all convinced about much of the rest of it, particularly it being written in PHP since I have issues with that on several levels, but it is what it is. I decided to try it online via this site with wordpress.com.

Interestingly enough Google must love this place because for certain searches the site is coming up in first place. Which is surprising, if not troubling, since it’s a new site and if I can do it, any spammer can. I’ve even had people start stealing the content already, and there’s barely anything here…

But what I didn’t like is that I couldn’t customize it the way I wanted to. My PHP is limited but I know enough to hack on the code a little and wanted to try doing that on WP 2.6.2 as I have on earlier versions. I also wanted to try a different theme than the half dozen offered, and even something as simple as changing the CSS couldn’t be done without a paid update. This seemed a little much to ask for something so relatively simple, so I decided to move it off to my own box.

I’m not sure how well it will work since my box is about 10 years old, but hopefully it will be upgraded soon, and I have other options if needed :-)

So come on over to the new site, see if you like it:

http://perladmin.oreally.co.uk/

Colin.

How WP Changed My Program

I was just playing with the widgets and I like that when you add them to the widget list you can then edit them in situ. It is a really clean way of dealing with the extra info for a widget which I’m just incorporating into my company’s app (which I’m sure I’ll continually refer to as “my application” or “my app”) because we have something similar using drag-and-drop to indicate the active components. In my case though the extra info is prompted for later and it’s very long-winded. Making the widgets editable in situ like this would make it much clearer.

My only issue with making this change is that this is still in embedded HTML not templates… so lots of code repeating :p
