/etc/prelink.cache
Rick Stevens
rstevens at internap.com
Wed Oct 31 21:12:03 UTC 2007
On Wed, 2007-10-31 at 08:51 -1000, Dave Burns wrote:
> I have aide, a file integrity monitor, watching the files on one of my
> boxes. It recently reported a change to /etc/prelink.cache.
>
> I am tempted to think that this file, being a cache, will tend to
> change without any reason obvious to me.
>
> And so it seems to me that I will get lots of false alarms and the
> only small amount of good it might accomplish is that if I ever have a
> real intrusion using that file it will provide a small but
> inconclusive clue.
>
> So I am tempted to reconfigure aide to ignore that file. Is this a bad
> idea? Are changes to this file more predictable than I am supposing?

There are a number of files that will change depending on system
activity and that's one of them. Lots of the files in /var/log will
also change (messages, dmesg, boot.log, wtmp, you get the idea).

prelink is run once a day via the system crontab and its control file
/etc/cron.daily/prelink. The cache will change if system libraries are
updated via yum/rpm or you build something that adds libraries to the
normal system directories. This is controlled by /etc/prelink.conf.
----------------------------------------------------------------------
- Rick Stevens, Principal Engineer rstevens at internap.com -
- CDN Systems, Internap, Inc. http://www.internap.com -
- -
- Time: Nature's way of keeping everything from happening at once. -
----------------------------------------------------------------------
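
An added example, not part of the original thread: one way to triage an AIDE alert on /etc/prelink.cache is to check whether any package was installed between the cache's old and new modification times, since the reply above ties cache changes to library updates via yum/rpm. The function names are hypothetical, the two mtimes are assumed to be read from the AIDE report, and the package list is a constructed sample of `rpm -qa --qf '%{INSTALLTIME} %{NAME}\n'` output.

```python
# Added example: correlate a prelink.cache change with package installs.
# Assumption: old_mtime/new_mtime (epoch seconds) come from the AIDE report
# for /etc/prelink.cache; rpm_text is the output of
#   rpm -qa --qf '%{INSTALLTIME} %{NAME}\n'

# Constructed sample data, not taken from a real host.
SAMPLE_RPM_OUTPUT = """\
1193750000 glibc
1190000000 bash
1193800000 openssl
this line is malformed and is skipped
"""


def parse_rpm_installtimes(rpm_text):
    """Return a list of (install_epoch, package_name) tuples."""
    packages = []
    for line in rpm_text.splitlines():
        parts = line.split(None, 1)
        # Keep only lines shaped like "<epoch> <name>"; ignore anything else.
        if len(parts) == 2 and parts[0].isdigit():
            packages.append((int(parts[0]), parts[1].strip()))
    return packages


def packages_in_window(old_mtime, new_mtime, packages):
    """Packages installed after the old cache was written and no later
    than the new one, i.e. candidates for triggering the rewrite."""
    return sorted(name for ts, name in packages if old_mtime < ts <= new_mtime)


def triage_prelink_cache(old_mtime, new_mtime, rpm_text):
    """Return ("expected", [pkgs]) when an install explains the change,
    otherwise ("review", []) so a human looks at the alert."""
    if new_mtime <= old_mtime:
        # A cache that appears older than the baseline is itself unusual.
        return ("review", [])
    hits = packages_in_window(old_mtime, new_mtime,
                              parse_rpm_installtimes(rpm_text))
    return ("expected", hits) if hits else ("review", [])


if __name__ == "__main__":
    print(triage_prelink_cache(1193700000, 1193790000, SAMPLE_RPM_OUTPUT))
```

An "expected" result only says a package install falls in the window; it does not show that the install touched any library, and locally built libraries of the kind the reply mentions never appear in the rpm database.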