[CentOS] rkhunter and prelink

Christian, Mark mark.christian at intel.com
Wed Aug 30 16:27:16 UTC 2017


On Wed, 2017-08-30 at 11:03 -0500, Valeri Galtsev wrote:
> On Wed, August 30, 2017 10:43 am, Tony Schreiner wrote:
> > This has come up for me on the most recent upgrade, add the line
> > 
> > HASH_CMD=sha1sum
> > 
> > On Wed, Aug 30, 2017 at 11:15 AM, <m.roth at 5-cent.us> wrote:
> > 
> > > Can't remember if I posted this before... We're getting warnings from
> > > rkhunter
> > > Warning: Checking for prerequisites               [ Warning ]
> > >    All file hash checks will be skipped because:
> > >    This system uses prelinking, but the hash function command does not
> > > look like SHA1 or MD5.
> > > 
> > > Now, googling, I find people saying to rm /etc/prelink.cache, then run
> > > rkhunter --propupd.
> > > 
> > > Works. And then, prelink runs in the middle of the night, via
> > > /etc/cron.daily, and when the cron job of rkhunter runs, it's back to
> > > complaining.
> 
> Prelink is evil, in a sense of what it does. Allegedly it helps to load
> into memory binaries and libraries faster, for that it TOUCHES every one
> of them regularly. This effectively defeats the way we watch for system
> integrity by tracking all system files and libraries information, such as:
> file sizes, time stamps, inode numbers, checksums. The very moment RedHat
> made prelink installed by default, I was so upset that you can feel those
> feelings are still present in my writing now. I got rid of prelink, and
> I got rid of it specifically in my kickstart files. Two or three years down
> the road RedHat came to its senses and removed prelink from what is
> installed by default. I'm surprised, Mark, that you still have it some
> place. Any specific reason? If not, get rid of prelink which does waaay
> more harm than it does good IMHO.

Or keep prelink and modify your HASH_CMD to "prelink -y /path/to/binary|sha1sum"

Mark


> 
> Valeri
> 
> > > 
> > > Anyone have any ideas what's going on here? I don't see anything in the
> > > prelink.conf, or any options in the prelink manpage to tell is what hash
> > > to use.
> > > 
> > >      mark
> > > 
> > > _______________________________________________
> > > CentOS mailing list
> > > CentOS at centos.org
> > > https://lists.centos.org/mailman/listinfo/centos
> > > 
> 
> 
> ++++++++++++++++++++++++++++++++++++++++
> Valeri Galtsev
> Sr System Administrator
> Department of Astronomy and Astrophysics
> Kavli Institute for Cosmological Physics
> University of Chicago
> Phone: 773-702-4247
> ++++++++++++++++++++++++++++++++++++++++
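
Added example (not part of the thread and not rkhunter's own code): a small sh baseline checker built around the "prelink -y /path/to/binary|sha1sum" command from the reply above, so that the nightly prelink cron run does not change the recorded hashes. The function names and the baseline file format are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Hashes the un-prelinked content of a file when prelink can
# reproduce it, and the bytes on disk otherwise.

# Print the SHA-1 of FILE. `prelink -y` undoes prelinking, re-prelinks and
# compares; only if the result matches the file on disk does it print the
# original content and exit 0. On failure (not ELF, not prelinked, or the
# file was altered after prelinking) we hash the raw bytes instead, so an
# altered binary no longer matches its baseline entry.
stable_sha1() {
    file=$1
    tmp=$(mktemp) || return 2
    if command -v prelink >/dev/null 2>&1 &&
       prelink -y "$file" >"$tmp" 2>/dev/null; then
        sha1sum < "$tmp" | cut -d' ' -f1
    else
        sha1sum < "$file" | cut -d' ' -f1
    fi
    rm -f "$tmp"
}

# record_baseline DB FILE...  writes "hash  path" lines to DB.
record_baseline() {
    db=$1; shift
    : > "$db"
    for f in "$@"; do
        printf '%s  %s\n' "$(stable_sha1 "$f")" "$f" >> "$db"
    done
}

# check_baseline DB  prints CHANGED lines; returns 1 if any hash differs.
check_baseline() {
    rc=0
    while read -r want path; do
        have=$(stable_sha1 "$path")
        if [ "$have" != "$want" ]; then
            echo "CHANGED $path"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Usage: script record DB FILE...   or   script check DB
case ${1:-} in
    record) shift; record_baseline "$@" ;;
    check)  check_baseline "$2" ;;
esac
```

Record the baseline once after a trusted install or update, then run the check from cron after the prelink job; the exit status is non-zero when any file differs.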

