Opened 17 years ago

Closed 17 years ago

Last modified 8 years ago

#60 closed defect (fixed)

Checksum not correct after Database Init using [Prelink]

Reported by: dejongm@…
Owned by: rainer
Priority: major
Milestone: 2.3.4
Component: main
Version: 2.3.3
Keywords:
Cc:

Description

Hello, when invoking a database init, the initial checksum on files is that of the file itself, not the one from /usr/sbin/prelink --verify. Only running 'samhain -t update' seems to fix this problem and update the DB correctly.

Sorry if this is a known issue. Couldn't find any reference to it.

Thanks, Markjan

Attachments (3)

samhainrc (16.0 KB ) - added by anonymous 17 years ago.
samhainrc.small (12.5 KB ) - added by dejongm@… 17 years ago.
strace.log.gz (33.6 KB ) - added by dejongm@… 17 years ago.


Change History (10)

comment:1 by dejongm@…, 17 years ago

Additional info: this seems to only happen when running samhain in the foreground. Running

samhain -t update --foreground

does not update the checksum correctly, while running

samhain -t update

works fine. This problem also seems to affect version 2.2.6.

comment:2 by rainer, 17 years ago

Cannot reproduce this issue. Need more details (OS, configure options used for compiling, runtime configuration file).

comment:3 by anonymous, 17 years ago

We are running version 2.3.3 on CentOS 4.4 64-bit with the following config options:

./configure --with-libwrap --with-prelude

Current configuration is attached.

An example is the following, but close to 2000 executables/libs are affected. Notice that the checksum for /usr/lib64/autofs/lookup_userhome.so remains listed as E1679579 B6342E83 88ECC471 33AC485C 57E53606 FBF49140 throughout unless the process runs in the background.

#> samhain -H /usr/lib64/autofs/lookup_userhome.so
/usr/lib64/autofs/lookup_userhome.so: E1679579 B6342E83 88ECC471  33AC485C 57E53606 FBF49140

#> samhain -t init (runs in foreground)

#> samhain -a -d /var/lib/samhain/samhain_file |grep lookup.userhome.so
6033153   64768 -rwxr-xr-x 33261 ------------     0   1 root         0 root         0     15752 [2007-02-15T15:53:18] [2006-08-15T20:33:50] [2007-04-23T12:09:39] E1679579B6342E8388ECC47133AC485C57E53606FBF49140 /usr/lib64/autofs/lookup_userhome.so

samhain -t check --foreground reports nothing regarding /usr/lib64/autofs/lookup_userhome.so

samhain -t check reports the following when run in the background:

#> samhain -t check
#> tail -f /var/log/samhain_log |grep lookup_userhome
CRIT   :  [2007-04-23T08:58:15-0400] msg=<POLICY [Prelink] C--------->, path=</usr/lib64/autofs/lookup_userhome.so>, chksum_old=<E1679579B6342E8388ECC47133AC485C57E53606FBF49140>, chksum_new=<45548A96A21382860D4119EA362E4379268AB0356AAF6A92>,

When running samhain -t update in the foreground, the database is not updated:

#> samhain -t update --foreground
#> samhain -a -d /var/lib/samhain/samhain_file |grep lookup.userhome.so
6033153   64768 -rwxr-xr-x 33261 ------------     0   1 root         0 root         0     15752 [2007-02-15T15:53:18] [2006-08-15T20:33:50] [2007-04-23T12:09:39] E1679579B6342E8388ECC47133AC485C57E53606FBF49140 /usr/lib64/autofs/lookup_userhome.so

Yet when run in the background:

#> samhain -t update
#> samhain -a -d /var/lib/samhain/samhain_file |grep lookup.userhome.so
6033153   64768 -rwxr-xr-x 33261 ------------     0   1 root         0 root         0     15752 [2007-02-15T15:53:18] [2006-08-15T20:33:50] [2007-04-23T13:03:07] 45548A96A21382860D4119EA362E4379268AB0356AAF6A92 /usr/lib64/autofs/lookup_userhome.so

by anonymous, 17 years ago

Attachment: samhainrc added

comment:4 by rainer, 17 years ago

Does the problem persist if you switch off logging to prelude?

by dejongm@…, 17 years ago

Attachment: samhainrc.small added

by dejongm@…, 17 years ago

Attachment: strace.log.gz added

comment:5 by rainer, 17 years ago

The strace looks like the file is not un-prelinked, but just dumped to stdout, so presumably it wasn't prelinked. This could be checked by running

prelink --verify /usr/lib64/autofs/lookup_userhome.so >foobar
md5sum foobar /usr/lib64/autofs/lookup_userhome.so

In that case the checksum computed by samhain would be incorrect if samhain is running in the background. I can reproduce this problem if prelude logging is on: it seems that libprelude, which is running in a separate thread, is polluting the stdout file descriptor with some verbose messages like 'Connecting to foobar prelude manager'. As a result, the checksumming routine in the calling process reads and processes these messages in addition to the content of the file that is dumped by prelink --verify.
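
The failure mode from comment:5 as a simplified model (an added example, not samhain or libprelude code): a child dumps bytes into a pipe while the parent hashes what arrives, and a second writer on the same descriptor changes the result. The sample bytes, the noise string and the FNV-1a stand-in hash are constructed for illustration; how the two writers come to share a descriptor inside samhain is not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample: stands in for the bytes `prelink --verify` dumps. */
static const char FILE_BYTES[] = "\x7f" "ELF constructed sample content";
/* Constructed stand-in for a verbose message from a logging library. */
static const char NOISE[] = "Connecting to foobar prelude manager\n";
#define FNV_INIT 14695981039346656037ULL

/* FNV-1a 64-bit, a short stand-in for the real file hash (assumption). */
static uint64_t fnv1a(uint64_t h, const unsigned char *p, size_t n) {
    while (n--) { h ^= *p++; h *= 1099511628211ULL; }
    return h;
}

/* Hash of the sample bytes taken directly, without any pipe. */
uint64_t hash_direct(void) {
    return fnv1a(FNV_INIT, (const unsigned char *)FILE_BYTES, sizeof FILE_BYTES - 1);
}

/* A child dumps FILE_BYTES into a pipe and the parent hashes what it reads.
 * With shared_writer set, a second writer (modelling the logging thread)
 * puts NOISE into the same pipe, as happens when both write to one fd. */
uint64_t hash_via_pipe(int shared_writer) {
    unsigned char buf[256];
    uint64_t h = FNV_INIT;
    int p[2]; ssize_t n;
    if (pipe(p) != 0) return 0;
    pid_t pid = fork();
    if (pid < 0) { close(p[0]); close(p[1]); return 0; }
    if (pid == 0) {                       /* child: the "dump to stdout" side */
        close(p[0]);
        _exit(write(p[1], FILE_BYTES, sizeof FILE_BYTES - 1) < 0);
    }
    if (shared_writer && write(p[1], NOISE, sizeof NOISE - 1) < 0) perror("write");
    close(p[1]);                          /* the reader must be able to see EOF */
    while ((n = read(p[0], buf, sizeof buf)) > 0) h = fnv1a(h, buf, (size_t)n);
    close(p[0]);
    waitpid(pid, NULL, 0);
    return h;
}

int main(void) {
    printf("direct        %016llx\n", (unsigned long long)hash_direct());
    printf("private pipe  %016llx\n", (unsigned long long)hash_via_pipe(0));
    printf("shared pipe   %016llx\n", (unsigned long long)hash_via_pipe(1));
    return 0;
}
```

The shared-pipe value can vary between runs because the order of the two writes is not fixed; it never matches the direct hash, which is the same symptom as the chksum_old/chksum_new mismatch reported above.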

comment:6 by anonymous, 17 years ago

You are correct. It seems I had it backwards in that the checksum is incorrect when run in the background, not the other way around. This was verified with the commands mentioned above:

[root@host210 ~]# prelink --verify   /usr/lib64/autofs/lookup_userhome.so > /tmp/prelink.out
[root@host210 ~]# md5sum /tmp/prelink.out
bf28cd0360ea9abdcf16beb89cba9132  /tmp/prelink.out
[root@host210 ~]# md5sum /tmp/prelink.out  /usr/lib64/autofs/lookup_userhome.so
bf28cd0360ea9abdcf16beb89cba9132  /tmp/prelink.out
bf28cd0360ea9abdcf16beb89cba9132  /usr/lib64/autofs/lookup_userhome.so

Let me know if there is anything else I can do to help!

Thanks, Markjan

comment:7 by rainer, 17 years ago

Milestone: 2.3.4
Resolution: fixed
Status: new → closed

Fixed in changeset [102].
