Re: /etc/prelink.cache
- From: Rick Stevens <rstevens internap com>
- To: For users of Fedora <fedora-list redhat com>
- Subject: Re: /etc/prelink.cache
- Date: Wed, 31 Oct 2007 14:12:03 -0700
On Wed, 2007-10-31 at 08:51 -1000, Dave Burns wrote:
> I have aide, a file integrity monitor, watching the files on one of my
> boxes. It recently reported a change to /etc/prelink.cache.
>
> I am tempted to think that this file, being a cache, will tend to
> change without any reason obvious to me.
>
> And so it seems to me that I will get lots of false alarms and the
> only small amount of good it might accomplish is that if I ever have a
> real intrusion using that file it will provide a small but
> inconclusive clue.
>
> So I am tempted to reconfigure aide to ignore that file. Is this a bad
> idea? Are changes to this file more predictable than I am supposing?

There are a number of files that will change depending on system
activity and that's one of them. Lots of the files in /var/log will
also change (messages, dmesg, boot.log, wtmp, you get the idea).

prelink is run once a day via the system crontab and its control file
/etc/cron.daily/prelink. The cache will change if system libraries are
updated via yum/rpm or you build something that adds libraries to the
normal system directories. This is controlled by /etc/prelink.conf.

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer rstevens internap com -
- CDN Systems, Internap, Inc. http://www.internap.com -
- -
- Time: Nature's way of keeping everything from happening at once. -
----------------------------------------------------------------------
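
The reasoning in the reply above, as an added example that is not part of the original message: a Python triage that labels AIDE-reported changes as expected (log churn under /var/log), explained (/etc/prelink.cache rebuilt within one daily cron cycle after a package transaction) or needing review. The log and report formats, the 25-hour window, the year, the package name libfoo and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

YEAR = 2007                      # syslog-style stamps carry no year (assumption)
WINDOW = timedelta(hours=25)     # one daily cron cycle plus slack (assumption)
VOLATILE_PREFIXES = ("/var/log/",)   # churns with normal system activity
PRELINK_CACHE = "/etc/prelink.cache"

# Constructed sample data in simplified formats; not taken from the original post.
YUM_LOG = """\
Oct 30 03:14:07 Updated: glibc-2.7-2.i686
Oct 30 03:14:09 Installed: libfoo-1.0-1.i386
"""
AIDE_CHANGES = [                 # (path, modification time taken from the report)
    ("/etc/prelink.cache", "Oct 30 04:02:31"),
    ("/etc/prelink.cache", "Nov 02 04:02:29"),
    ("/var/log/messages", "Nov 02 09:15:00"),
    ("/etc/ssh/sshd_config", "Nov 02 01:47:12"),
]

def parse_ts(stamp):
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")

def package_events(log_text):
    """Return timestamps of install/update/erase lines in a yum-style log."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[3] in ("Updated:", "Installed:", "Erased:"):
            events.append(parse_ts(" ".join(parts[:3])))
    return events

def triage(changes, log_text):
    """Label each change 'expected', 'explained' or 'review'."""
    events = package_events(log_text)
    results = []
    for path, stamp in changes:
        when = parse_ts(stamp)
        if path.startswith(VOLATILE_PREFIXES):
            verdict = "expected"
        elif path == PRELINK_CACHE and any(
                timedelta(0) <= when - e <= WINDOW for e in events):
            verdict = "explained"   # a package transaction preceded the rebuild
        else:
            verdict = "review"      # includes cache changes with no known cause
        results.append((path, stamp, verdict))
    return results

if __name__ == "__main__":
    for path, stamp, verdict in triage(AIDE_CHANGES, YUM_LOG):
        print(f"{verdict:9} {stamp}  {path}")
```

A "review" verdict on the cache is not proof of tampering: locally built libraries installed into the system directories also change it and leave no entry in the package log.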