On Wed, 2007-10-31 at 08:51 -1000, Dave Burns wrote:
> I have aide, a file integrity monitor, watching the files on one of my
> boxes. It recently reported a change to /etc/prelink.cache.
>
> I am tempted to think that this file, being a cache, will tend to
> change without any reason obvious to me.
>
> And so it seems to me that I will get lots of false alarms and the
> only small amount of good it might accomplish is that if I ever have a
> real intrusion using that file it will provide a small but
> inconclusive clue.
>
> So I am tempted to reconfigure aide to ignore that file. Is this a bad
> idea? Are changes to this file more predictable than I am supposing?

There are a number of files that will change depending on system
activity and that's one of them. Lots of the files in /var/log will
also change (messages, dmesg, boot.log, wtmp, you get the idea).

prelink is run once a day via the system crontab and its control file
/etc/cron.daily/prelink. The cache will change if system libraries are
updated via yum/rpm or you build something that adds libraries to the
normal system directories. This is controlled by /etc/prelink.conf.

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer             rstevens@xxxxxxxxxxxx -
- CDN Systems, Internap, Inc.                http://www.internap.com -
-                                                                    -
-  Time: Nature's way of keeping everything from happening at once.  -
----------------------------------------------------------------------
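
An aide.conf fragment for the choice discussed in this thread, added here as an example and not taken from either poster's configuration: it puts ignoring /etc/prelink.cache outright beside a narrower rule that still reports permission and ownership changes. The group names ETC_FULL and CACHE_META and the baseline /etc rule are assumptions.

```conf
# Assumed baseline: full attribute set plus a content hash for /etc.
# (ETC_FULL is a hypothetical group name.)
ETC_FULL = p+i+n+u+g+s+m+c+sha256
/etc ETC_FULL

# Option A: ignore the cache completely.
# A leading "!" excludes every path matching the regex from the database,
# so no change to the file is ever reported.
#!/etc/prelink\.cache$

# Option B: keep the file in the database but check metadata only.
# CACHE_META (hypothetical group name) leaves out the content hash, size
# and timestamps, which change when prelink rebuilds the cache, and keeps
# permissions (p), owner (u), group (g) and link count (n).
CACHE_META = p+u+g+n
/etc/prelink\.cache$ CACHE_META
```

Enable only one of the two options, and re-initialise the AIDE database after changing the rules so the new attribute set becomes the baseline.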