Our Linux systems are firing thousands of times a day for #PRELINK items.
We can't find a way to suppress these, even though it's legitimate behavior.
Has anyone else run into this and were you able to fix it?
When you say firing thousands of times a day, can you clarify what event it's being reported as? Is it that prelink is creating a bunch of new binaries that cannot be executed, or is it trying to write to (update) existing binaries which is being prevented? Have you considered adding the prelink binary as a trusted Updater so any changes it makes are dynamically reflected in the Solidcore inventory (whitelist)?
^Disclaimer: my Linux system administration knowledge is limited, so please undertake your own review of any advice provided for appropriateness based on your individual circumstances.
We are seeing Object Names of this variety: usr/bin/ausyscall.#prelink#.XYZ123, with the last part random.
We also see aulast, auvirt, aureport, migratepages, libnumo, etc.
prelink also seems to be the updater.
I'm going to assume the Error Name is WRITE_DENIED; if so, have you considered adding the `/usr/bin/prelink` binary as an Updater? Are you managing Application Control via an ePO, or are your installations locally managed? Either way, it's relatively simple to add an Updater. I would be inclined to disable inheritance so that any sub-process executed by prelink doesn't assume the Updater privilege. Also, it depends on your organisation's policy around maintaining accountability of changes on a system, but if the goal is to minimise the amount of events generated and your IT policy permits, then you could also suppress events so changes made by the prelink binary (while permitted) are not logged.
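Before adding an Updater or suppressing events, it is worth confirming that the thousands of denials really are prelink's own temporary-file writes and nothing else hiding behind the same file-name pattern. The script below is an added example, not code from this thread or from the Application Control product: it takes denial events in a constructed, simplified key=value layout (not the real Solidcore/ePO log format), matches the `.#prelink#.<random>` object names quoted above, and counts how many come from `/usr/bin/prelink` versus any other process, so the updater decision is based on measured numbers. The event field names and the sample lines are assumptions built for this example.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# prelink writes its relinked output to "<original>.#prelink#.<random>" next
# to the target binary and then renames it over the original.  This matches
# the object names reported in the thread, e.g. /usr/bin/ausyscall.#prelink#.XYZ123
PRELINK_TEMP = re.compile(r"^(?P<target>.+)\.#prelink#\.[A-Za-z0-9]+$")

# Process path the thread identifies as the writer.
PRELINK_BIN = "/usr/bin/prelink"

# Constructed, simplified event layout used only by this example
# (space-separated key=value fields); NOT the real Solidcore log format.
FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample events, not captured from a real system.
SAMPLE_EVENTS = [
    "Event=WRITE_DENIED Object=/usr/bin/ausyscall.#prelink#.XYZ123 Process=/usr/bin/prelink",
    "Event=WRITE_DENIED Object=/usr/bin/aulast.#prelink#.q8Tz1A Process=/usr/bin/prelink",
    "Event=WRITE_DENIED Object=/usr/bin/aureport.#prelink#.Lm3k9P Process=/usr/bin/prelink",
    "Event=WRITE_DENIED Object=/usr/bin/ausyscall.#prelink#.Zz9Yx2 Process=/usr/bin/prelink",
    # Same naming pattern, but a different writer: an Updater rule scoped to
    # prelink would not (and should not) make this one disappear.
    "Event=WRITE_DENIED Object=/usr/bin/migratepages.#prelink#.AbCd12 Process=/bin/cp",
    "Event=WRITE_DENIED Object=/etc/cron.d/job Process=/bin/bash",
    "Event=EXECUTION_DENIED Object=/tmp/foo Process=/bin/bash",
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict."""
    return dict(FIELD.findall(line))


def triage(lines: Iterable[str]) -> Tuple[Counter, List[str]]:
    """Bucket denial events and collect the binaries prelink tried to rewrite.

    Buckets:
      prelink_temp                  - prelink temp file written by /usr/bin/prelink
      prelink_pattern_other_process - same file pattern, different process (keep visible)
      other                         - any other WRITE_DENIED
      not_write_denied              - events of a different type
    """
    counts: Counter = Counter()
    targets = set()
    for line in lines:
        ev = parse_event(line)
        if ev.get("Event") != "WRITE_DENIED":
            counts["not_write_denied"] += 1
            continue
        m = PRELINK_TEMP.match(ev.get("Object", ""))
        if m and ev.get("Process") == PRELINK_BIN:
            counts["prelink_temp"] += 1
            targets.add(m.group("target"))
        elif m:
            counts["prelink_pattern_other_process"] += 1
        else:
            counts["other"] += 1
    return counts, sorted(targets)


def prelink_share(counts: Counter) -> float:
    """Fraction of WRITE_DENIED events that are genuine prelink temp-file writes."""
    denied = counts["prelink_temp"] + counts["prelink_pattern_other_process"] + counts["other"]
    return counts["prelink_temp"] / denied if denied else 0.0


if __name__ == "__main__":
    counts, targets = triage(SAMPLE_EVENTS)
    for bucket, n in sorted(counts.items()):
        print(f"{bucket:32s} {n}")
    print(f"prelink share of WRITE_DENIED: {prelink_share(counts):.0%}")
    print("binaries prelink attempted to rewrite:", ", ".join(targets))
```

Run it against an export of the real events (after adapting `parse_event` to the actual log layout) and the `prelink_temp` count tells you how much of the volume an Updater rule for `/usr/bin/prelink` would remove, while `prelink_pattern_other_process` and `other` are the events that would, and should, remain visible after suppression.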