Error On Exit Of Prelink Child Process
constantly reporting prelink errors
January 28, 2013

We added a couple of new boxes running CentOS 6 here at Hagen Hosting. They generally work really nicely, but I've been having this ongoing fight with AIDE and prelink. Prelink seems like a good idea because it reduces the chance of an exploit working, but the honest truth is that it is annoying, potentially troublesome in terms of legal issues and security. Moreover, from what I read, prelink doesn't add much extra security.

I find it particularly annoying when prelink runs each week and I'm confronted with the output from AIDE saying a bunch of files have changed. It would take hours to compare them all to see if they had changed because of an intrusion, so I have to assume that they have changed because of prelink because they are listed in the prelink logs and timestamps match. But, you know, it just doesn't feel secure.

Moreover, prelink has become very annoying because, for some reason that I have yet to work out, each night it keeps prelinking the same set of files. A few are compiled-from-source programs (like Apache), but some are standard libs. To get it to stop I had to run prelink on those files manually and keep re-running it until it stopped saying that some of the files needed prelinking.

However, after a valiant attempt I've realised that prelink is just causing too many headaches and so I took the ultimate step -- to disable it. To disable prelink edit /etc/sysconfig/prelink.conf /etc/sysconfig/prelink and change PRELINKING=yes to PRELINKING=no

Sometime in the next few days it will run prelink -ua to undo the pre-linking on all files, then I'll be done with it and the only changes to the system will be updates (or bad stuff :-)

Edit: 2014-05-22T13:25:56+00:00

I just had this error message coming up on a box after updating a library. Prelinking is disabled but I would still get this same error message from AIDE. Running prelink -ua did not stop the error messages because running this command checks the value of PRELINKING and so it doesn't run - at least I think so. The error occurs because AIDE detects that the library has changed and so runs prelink directly on those files:

    4574 [pid 12916] execve("/usr/sbin/prelink", ["/usr/sbin/prelink", "--verify", "/usr/local/apache2/modules/libph"...], [/* 44 vars */]) = 0

Since I have PRELINKING=no defined, but I was getting this error message, it would appear that if you specify a filename to p
check on one of my servers after updating it, I started seeing a large number of very concerning warning messages:

    /usr/sbin/prelink: /bin/mailx: at least one of file's dependencies has changed since prelinking
    Error on exit of prelink child process
    /usr/sbin/prelink: /bin/rpm: at least one of file's dependencies has changed since prelinking
    Error on exit of prelink child process
    /usr/sbin/prelink: /sbin/readahead: at least one of file's dependencies has changed since prelinking
    Error on exit of prelink child process
    /usr/sbin/prelink: /lib64/libkrb5.so.3.3: at least one of file's dependencies has changed since prelinking
    Error on exit of prelink child process
    /usr/sbin/prelink: /lib64/libgssapi_krb5.so.2.2: at least one of file's dependencies has changed since prelinking

The list went on with maybe a total of forty packages and libraries. My initial reaction was 'Did I get hacked?'. Before running the updates I ran an aide verification check which returned no issues, and the files that were now displaying the issue were in the packages that got updated.

What was the next worst scenario? The packages had been tampered with and I just installed malicious files. This didn't seem likely as the packages are all signed with GPG and an aide check would have caught tampering with my trust database, the gpg binary, or the aide binary. Still, a key could have been compromised.

After some Googling I came across people with similar issues (including one annoyingly paywalled RedHat article on the issue). Several people simply ended the conversation on the assumption the user with the issue had been hacked. Finally I came across one helpful individual with the fix. The binaries just need to have their prelink cache updated again. This can be accomplished with the following command on CentOS 6.5 (probably the same on others). /usr/sbin/prelink

https://perladmin.wordpress.com/2013/01/28/aide-constantly-reporting-prelink-errors/
https://stelfox.net/blog/2014/08/dependency-prelink-issues/
Prelink on CentOS 6
https://forum.linode.com/viewtopic.php?t=7880
Azathoth, posted Fri Oct 07, 2011 4:48 am

Hrm... Just installed a CentOS 6 (with latest patches via CR repo) node, moved and reconfigured everything from the old 5.7 node, ran aide --init and BAM!

Code:
    /usr/sbin/prelink: /usr/sbin/hald: at least one of file's dependencies has changed since prelinking
    Error on exit of prelink child process
    /usr/sbin/prelink: /usr/sbin/lpasswd: at least one of file's dependencies has changed since prelinking
    Error on exit of prelink child process
    /usr/sbin/prelink: /usr/sbin/lchage: at least one of file's dependencies has changed since prelinking
    Error on exit of prelink child process
    ...

A bit of research led me to these:
https://bugzilla.redhat.com/show_bug.cgi?id=705661
https://lwn.net/Articles/341244/

So it makes me wonder... is prelink really beneficial on the servers? We don't have CGI stuff so all the apps are run once and left running for days, weeks, months... startup time is definitely NOT an issue, but ASLR is, and we're going to deploy SELinux anyways.

Has anyone else run into the same problem? Any suggestions? I'm making a snapshot backup now and will disable prelink, see if anything breaks.

http://www.kinryokai.net/modules/news/article.php?storyid=214
Server build: 10: Installing an intrusion detection system (AIDE)
Posted by: f-otake, 2014-5-6 9:09:07

Reference URL: http://www.websec-room.com/2013/11/09/999

    # yum -y install aide

AIDE's behavior is configured in /etc/aide.conf, but I am not publishing mine here for security reasons. Anyone who wants to do harm will always try to tamper with AIDE's DB file, so its location is very important. Also, the location shown below is the one used during testing; once testing was finished, I moved it from this location to a different one.

Refer to the reference URL when setting up /etc/aide.conf. To exclude something from monitoring, prefix it with !. I think it is fine to just run it for now and, as the emails arrive, configure the directories and files that change frequently.

Initialize AIDE's database:

    # aide --init

Oops, an error appears:

    /usr/sbin/prelink: /usr/sbin/mtr: at least one of file's dependencies has changed since prelinking
    Error on exit of prelink child process

It seems that time has passed since installation and a yum update has run, so the hash values of the prelinked binaries and the new binaries do not match, and prelink is reporting an error.

    # /etc/cron.daily/prelink

updates the hash values. Then, once more:

    # aide --init

This scans every file, so it takes a while.

    AIDE, version 0.14
    ### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

This is displayed and the file has been created, so register the new file:

    # cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

To test tamper detection, create a file:

    # echo "TEST" >> dummy.txt

Run a check with aide:

    # aide --ch