Note: I attempted to send this email a few times but it did not show up on the ml. I apologize if you received this email more than once.

Hi,

I might be beating a dead horse here, but I am trying to get a better understanding of how this patch addresses the conflict of modified inodes following a prelink run. I am not an ANSI C programmer, so please bear with me.

I compiled the latest snapshot with the prelink patch applied and installed it. Prior to initializing the aide db, I ran the prelink cronjob (CentOS 5). After initializing the aide db I ran a check (aide -C) expecting to see no fs changes. To my surprise, aide reported numerous changes, all of them directories, and in each case the inode had changed.

All checks were done using the NORMAL rule, which is defined as follows:

R=p+i+n+u+g+s+m+c+acl+xattrs+md5
L=p+i+n+u+g+acl+xattrs
>=p+u+g+i+n+S+acl+xattrs
NORMAL = R+rmd160+sha256

Here is a brief sample of the aide report:

AIDE found differences between database and filesystem!!
Start timestamp: 2010-02-05 13:55:53

Summary:
  Total number of files: 34133
  Added files: 0
  Removed files: 0
  Changed files: 18

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /usr/sbin
changed: /usr/lib
<snip>

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /usr/sbin
  Mtime : 2010-02-05 13:45:52 , 2010-02-05 13:46:04
  Ctime : 2010-02-05 13:45:52 , 2010-02-05 13:46:04

Directory: /usr/lib
  Mtime : 2010-02-04 10:20:33 , 2010-02-05 13:47:09
  Ctime : 2010-02-04 10:20:33 , 2010-02-05 13:47:09
<snip>

AFAIK, the prelink patch works as follows:

(1) Establish if the file is prelinked using some elf magic I do not understand yet. Explanation would be appreciated.
(2) Prelinked files are run through the "prelink --verify" command one at a time. According to the prelink man page: "It first applies an --undo operation on the file, then prelinks just that file again and compares this with the original file. If both are identical, it prints the file after --undo operation on standard output and exits with zero status. Otherwise it exits with error status."
(3) Based on the result of (2), the file is marked verified or flagged.

Can someone please shed some light and help me gain a better understanding? My goal is to continue using prelink and enjoy its benefits without having to compromise my file integrity checks.

Thanks,
Vijay Avarachen

--
"Knowledge is the only wealth that grows as you spend it, and diminishes as you save it." -- ancient Sanskrit saying

_______________________________________________
Aide mailing list
[email protected]
https://mailman.cs.tut.fi/mailman/listinfo/aide
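As an added illustration (not from the original mail and not AIDE's own code), a small Python parser for the "Detailed information about changes" section of a report like the one quoted above: it separates entries where only time stamps differ from entries where the inode or another attribute changed, which is the first thing to check before deciding what a reported change means after a prelink run. The embedded report text, the extra file entry and its inode numbers are constructed for the example.

```python
import re

# Constructed sample modelled on the report quoted in the mail (not a real capture): the two
# directory entries from the mail plus one made-up file entry whose inode changed.
SAMPLE_REPORT = """\
Detailed information about changes:

Directory: /usr/sbin
  Mtime : 2010-02-05 13:45:52 , 2010-02-05 13:46:04
  Ctime : 2010-02-05 13:45:52 , 2010-02-05 13:46:04

Directory: /usr/lib
  Mtime : 2010-02-04 10:20:33 , 2010-02-05 13:47:09
  Ctime : 2010-02-04 10:20:33 , 2010-02-05 13:47:09

File: /usr/lib/libexample.so.1
  Inode : 131076 , 131090
  Ctime : 2010-02-04 10:20:33 , 2010-02-05 13:47:09
"""

ENTRY_RE = re.compile(r"^(Directory|File): (\S+)$")
ATTR_RE = re.compile(r"^\s+(\w+)\s*:\s*(.*?)\s*,\s*(.*?)\s*$")
TIMESTAMP_ATTRS = {"Atime", "Mtime", "Ctime"}

def parse_detailed_changes(report):
    """Map each path in the 'Detailed information' section to
    {attribute: (database value, filesystem value)}."""
    entries, current, in_details = {}, None, False
    for line in report.splitlines():
        if line.startswith("Detailed information about changes"):
            in_details = True
        elif in_details:
            m = ENTRY_RE.match(line)
            if m:
                current = entries.setdefault(m.group(2), {})
            elif current is not None and (m := ATTR_RE.match(line)):
                current[m.group(1)] = (m.group(2), m.group(3))
    return entries

def only_timestamps_changed(changes):
    """True when nothing but Atime/Mtime/Ctime differs for the entry."""
    return bool(changes) and set(changes) <= TIMESTAMP_ATTRS

def triage(report):
    """Split changed paths into those where only time stamps moved and those
    where inode, size, permissions or checksums differ and need a closer look."""
    out = {"timestamps_only": [], "other_attributes": []}
    for path, changes in parse_detailed_changes(report).items():
        bucket = "timestamps_only" if only_timestamps_changed(changes) else "other_attributes"
        out[bucket].append(path)
    return out
```

Running `triage(SAMPLE_REPORT)` puts the two directories from the mail in the timestamps-only bucket and the constructed file with the inode change in the other.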
