Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-28882

AIDE fails when using root_prefix option

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Major Major
    • rhel-9.5
    • CentOS Stream 9
    • aide
    • None
    • aide-0.16-102.el9
    • None
    • Important
    • 11a2c9828cc5d182a0a3090af4ee7687eb997f57
    • rhel-sst-security-special-projects
    • ssg_security
    • 26
    • None
    • False
    • Hide

      None

      Show
      None
    • Yes
    • None
    • Release Note Not Required
    • x86_64
    • None

      What were you trying to do that didn't work?

      Perform an aide check within dracut during the pre-pivot hook

      Please provide the package NVR for which bug is seen:

      aide-0.16-100

      How reproducible:

      100%

      Steps to reproduce

      1. Create a dracut module containing the AIDE binary.
      2. Conduct the below steps inside of dracut in the pre-pivot hook. This can be done by either configuring a dracut module to run them, or setting rd.break=pre-pivot in the kernel commandline and running the commands manually
      3.  finish mounting the root filesystem if needed with "chroot /sysroot /usr/bin/mount -a"
      4. In my case, the aide configuration and database were both located at /var/lib/aide, and has a symlink at the same path within the dracut root filesystem (e.g. /var/lib/aide -> /sysroot/var/lib/aide). I'm not sure if this is needed, or if you could run directly using the sysroot path.
      5. Run aide using the root_prefix option: `aide --check --config=$AIDE_DIR/aide.conf --before "root_prefix=/sysroot`

      Expected results

      Aide succesfully runs a check with the same result as if it was run after boot completes. Below logs taken by using a patched version of aide-0.16-100 (see linked commit and attached patch)

      ```

      Mar 12 14:50:59 localhost dracut-pre-pivot[1870]: AIDE found differences between database and filesystem!!
      Mar 12 14:50:59 localhost dracut-pre-pivot[1870]: Root prefix: /sysroot
      Mar 12 14:50:59 localhost dracut-pre-pivot[1870]: Summary:
      Mar 12 14:50:59 localhost dracut-pre-pivot[1870]:   Total number of entries:        23669
      Mar 12 14:50:59 localhost dracut-pre-pivot[1870]:   Added entries:                0
      Mar 12 14:50:59 localhost dracut-pre-pivot[1870]:   Removed entries:                2
      Mar 12 14:50:59 localhost dracut-pre-pivot[1870]:   Changed entries:                0

      ```

      Actual results

      AIDE logs numerous errors regards lstat and changed attributes:

      ```

      ...

      Mar 12 15:29:38 localhost dracut-pre-pivot[1874]: get_file_status: lstat() failed for /etc/subgid-: No such file or directory
      Mar 12 15:29:38 localhost dracut-pre-pivot[1874]: get_file_status: lstat() failed for /etc/polkit-1: No such file or directory
      Mar 12 15:29:38 localhost dracut-pre-pivot[1874]: get_file_status: lstat() failed for /etc/rsyslog.d: No such file or directory
      Mar 12 15:29:38 localhost dracut-pre-pivot[1874]: Entry /sysroot/etc/passwd was changed so that hash cannot be calculated for it
      Mar 12 15:29:38 localhost dracut-pre-pivot[1874]: Attribute size has been changed
      Mar 12 15:29:38 localhost dracut-pre-pivot[1874]: Attribute ctime has been changed
      Mar 12 15:29:38 localhost dracut-pre-pivot[1874]: Attribute mtime has been changed
      Mar 12 15:29:38 localhost dracut-pre-pivot[1874]: Attribute inode has been changed
      Mar 12 15:29:38 localhost dracut-pre-pivot[1874]: Attribute dev has been changed
      Mar 12 15:29:38 localhost dracut-pre-pivot[1874]: get_file_status: lstat() failed for /etc/firewalld: No such file or directory
      Mar 12 15:29:38 localhost dracut-pre-pivot[1874]: get_file_status: lstat() failed for /etc/opensc.conf: No such file or directory
      Mar 12 15:29:38 localhost dracut-pre-pivot[1874]: get_file_status: lstat() failed for /etc/ld.so.conf.d: No such file or directory

      ...

      Mar 12 15:29:39 localhost dracut-pre-pivot[1874]: Entry /usr/share/terminfo/v/vt102 in databases has different attributes: b8020081d b0020081d
      Mar 12 15:29:39 localhost dracut-pre-pivot[1874]: Entry /usr/share/terminfo/v/vt220 in databases has different attributes: b8020081d b0020081d
      Mar 12 15:29:39 localhost dracut-pre-pivot[1874]: Start timestamp: 2024-03-12 15:29:38 +0000 (AIDE 0.16)
      Mar 12 15:29:39 localhost dracut-pre-pivot[1874]: AIDE found differences between database and filesystem!!
      Mar 12 15:29:39 localhost dracut-pre-pivot[1874]: Root prefix: /sysroot
      Mar 12 15:29:39 localhost dracut-pre-pivot[1874]: Summary:
      Mar 12 15:29:39 localhost dracut-pre-pivot[1874]:   Total number of entries:        2145
      Mar 12 15:29:39 localhost dracut-pre-pivot[1874]:   Added entries:                34
      Mar 12 15:29:39 localhost dracut-pre-pivot[1874]:   Removed entries:                21560
      Mar 12 15:29:39 localhost dracut-pre-pivot[1874]:   Changed entries:                123

      ...

      ```
       

        1. aide.conf
          8 kB
          Tresys Technology
        2. rootPrefix.patch
          0.9 kB
          Tresys Technology

              rsroka@redhat.com Radovan Sroka
              isv@tresys.com Tresys Technology (Inactive)
              Radovan Sroka Radovan Sroka
              SSG Security QE SSG Security QE
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: