[CentOS] rkhunter and prelink

Wed Aug 30 16:49:52 UTC 2017
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Wed, August 30, 2017 11:27 am, Christian, Mark wrote:
> On Wed, 2017-08-30 at 11:03 -0500, Valeri Galtsev wrote:
>> On Wed, August 30, 2017 10:43 am, Tony Schreiner wrote:
>> > This has come up for me on the most recent upgrade, add the line
>> >
>> > HASH_CMD=sha1sum
>> >
>> > On Wed, Aug 30, 2017 at 11:15 AM, <m.roth at 5-cent.us> wrote:
>> >
>> > > Can't remember if I posted this before... We're getting warnings from
>> > > rkhunter
>> > > Warning: Checking for prerequisites               [ Warning ]
>> > >    All file hash checks will be skipped because:
>> > >    This system uses prelinking, but the hash function command does not
>> > > look like SHA1 or MD5.
>> > >
>> > > Now, googling, I find people saying to rm /etc/prelink.cache, then run
>> > > rkhunter --propupd.
>> > >
>> > > Works. And then, prelink runs in the middle of the night, via
>> > > /etc/cron.daily, and when the cron job of rkhunter runs, it's back to
>> > > complaining.
>>
>> Prelink is evil, in a sense of what it does. Allegedly it helps to load
>> binaries and libraries into memory faster, and for that it TOUCHES every one
>> of them regularly. This effectively defeats the way we watch for system
>> integrity by tracking all system files' and libraries' information, such as:
>> file sizes, time stamps, inode numbers, checksums. The very moment RedHat
>> made prelink installed by default, I was so upset that you can feel these
>> feelings of mine are still present in my writing now. I got rid of prelink,
>> and I got rid of it specifically in my kickstart files. Two or three years
>> down the road RedHat came to its senses and removed prelink from what is
>> installed by default. I'm surprised, Mark, that you still have it some
>> place. Any specific reason? If not, get rid of prelink, which does waaay
>> more harm than it does good IMHO.
> Or keep prelink and modify your HASH_CMD to "prelink -y
> /path/to/binary|sha1sum"

IMHO that means keeping the evil in the loop, the loop that should be the
tightest, slimmest and most trusted one. Which pretty much defeats the
reasons why we watch the files. And it doesn't help with ever-changing
file inode numbers and timestamps, only checksums (I use system integrity
tools different from OP's, so I'm not certain if the last matters for OP).
Anyway, my decision was to get rid of the evil. But that is me, who puts
system integrity three levels above how fast the system feels (and the
feeling is only about how fast the application starts, not how fast it
runs). Sorry, my attitude to prelink will keep showing always ;-)

Valeri

>
> Mark
>
>
>>
>> Valeri
>>
>> > >
>> > > Anyone have any ideas what's going on here? I don't see anything in the
>> > > prelink.conf, or any options in the prelink manpage to tell it what hash
>> > > to use.
>> > >
>> > >      mark
>> > >
>> > > _______________________________________________
>> > > CentOS mailing list
>> > > CentOS at centos.org
>> > > https://lists.centos.org/mailman/listinfo/centos
>> > >
>> >


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
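The "prelink -y /path/to/binary | sha1sum" idea Mark mentions, written out as shell functions so the behaviour is visible. This is an added example, not code from the thread or from the rkhunter project: it assumes prelink(8), sha1sum(1) and mktemp(1) are on PATH, and when prelink is absent or a file is not a prelinked ELF object it falls back to hashing the file as it sits on disk. The baseline functions are constructed for illustration and show why Valeri's point stands: only the checksum is made prelink-independent, while inode numbers and timestamps still change every time prelink rewrites a file.

```shell
#!/bin/sh
# Added example (not from the thread or from rkhunter). Hash a binary with
# prelinking undone, so the nightly prelink cron job rewriting the on-disk
# bytes does not change the stored checksum.
# Assumptions: prelink(8), sha1sum(1) and mktemp(1) on PATH; without prelink,
# or for a file that is not a prelinked ELF object, the file is hashed as is.

prelink_independent_sha1() {
    f=$1
    if command -v prelink >/dev/null 2>&1; then
        tmp=$(mktemp) || return 1
        # prelink -y writes the original (un-prelinked) image to stdout.
        # If that fails (not prelinked, not ELF), hash the file itself.
        if prelink -y "$f" >"$tmp" 2>/dev/null; then
            h=$(sha1sum <"$tmp" | cut -d' ' -f1)
        else
            h=$(sha1sum <"$f" | cut -d' ' -f1)
        fi
        rm -f "$tmp"
    else
        h=$(sha1sum <"$f" | cut -d' ' -f1)
    fi
    printf '%s\n' "$h"
}

# Record a baseline: one "sha1  path" line per file, in sha1sum's format.
write_baseline() {
    out=$1; shift
    : >"$out"
    for f in "$@"; do
        printf '%s  %s\n' "$(prelink_independent_sha1 "$f")" "$f" >>"$out"
    done
}

# Compare current hashes against a baseline. Prints each changed path,
# returns 0 when everything matches and 1 when anything differs.
check_baseline() {
    base=$1
    rc=0
    while read -r want path; do
        have=$(prelink_independent_sha1 "$path")
        if [ "$have" != "$want" ]; then
            printf 'CHANGED %s\n' "$path"
            rc=1
        fi
    done <"$base"
    return $rc
}
```

rkhunter already does this itself when HASH_CMD names a SHA1 or MD5 command, which is what Tony's HASH_CMD=sha1sum fix relies on; these functions only make explicit what such a hash represents. Note that a checksum baseline of this kind says nothing about the inode and mtime churn prelink causes, which is the part of file-integrity tracking the thread says prelink defeats regardless of the hash command.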