3 Replies Latest reply on Aug 4, 2016 12:41 AM by aus_mick

    Application Control and Prelink detections on Linux Systems

    epository

      All,

       

      Our Linux systems are firing thousands of times a day for #PRELINK items.

       

      We can't find a way to suppress these, even though it's legitimate behavior.

       

      Has anyone else run into this and were you able to fix it?

        • 1. Re: Application Control and Prelink detections on Linux Systems
          aus_mick

          epository,

           

          When you say firing thousands of times a day, can you clarify what event is being reported? Is it that prelink is creating a bunch of new binaries that cannot be executed, or is it trying to write to (update) existing binaries, which is being prevented? Have you considered adding the prelink binary as a trusted Updater so any changes it makes are dynamically reflected in the Solidcore inventory (whitelist)?

           

          ^Disclaimer: my Linux system administration is limited, so please undertake your own review of any advice provided for appropriateness based on your individual circumstances.

           

          HTH,

          Mick

          • 2. Re: Application Control and Prelink detections on Linux Systems
            epository

            We are seeing Object Names of this variety: usr/bin/ausyscall.#prelink#.XYZ123, with the last part random.

             

            We also see aulast, auvirt, aureport, migratepages, libnumo, etc.

             

            Prelink also seems to be the updater.

            • 3. Re: Application Control and Prelink detections on Linux Systems
              aus_mick

              I'm going to assume the Error Name is one of WRITE_DENIED; if so, have you considered adding the `/usr/bin/prelink` binary as an Updater? Are you managing Application Control via an ePO, or are your installations locally managed? Either way, it's relatively simple to add an Updater. I would be inclined to disable inheritance so that any sub-process executed by prelink doesn't assume the Updater privilege. Also, it depends on your organisation's policy around maintaining accountability of changes on a system, but if the goal is to minimise the number of events generated and your IT policy permits, then you could also suppress events so changes made by the prelink binary (while permitted) are not logged.

               

              HTH,

              Mick
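As an added example (not code from this thread, nor from McAfee/Solidcore), the script below does the two things the replies above ask for before and after trusting prelink as an Updater: it checks that the noisy events really are prelink's temporary files being written by prelink itself (Mick's first question), and it builds the `sadmin updaters add` command with inheritance disabled and, optionally, event suppression (Mick's last reply). The event records are constructed to look like Solidcore event fields; the field names, the `EXECUTION_DENIED` value and the `sadmin` flag semantics (`-d` disable inheritance, `-n` do not log events, `-t` tag) are assumptions from my recollection of the product CLI and should be checked against `sadmin help` on your own install. prelink really does write each relinked file to `<binary>.#prelink#.<random>` and then renames it over the original, which is why the Object Names look the way they do.

```python
"""Triage Solidcore (McAfee Application Control) events for prelink noise.

Added example, not code from the thread or the product. SAMPLE_EVENTS is
CONSTRUCTED; field names and the sadmin flag meanings (-d, -n, -t) are
assumptions to verify against `sadmin help` on a real system.
"""
import re
from collections import Counter

# prelink writes a temporary copy "<binary>.#prelink#.<random>" next to the
# binary it is relinking, then renames it over the original. That temp name is
# what shows up as the Object Name in the events described in the thread.
PRELINK_TMP = re.compile(r"^(?P<orig>.+)\.#prelink#\.[A-Za-z0-9]+$")

# Constructed sample events (illustrative field names, not real log output).
SAMPLE_EVENTS = [
    {"event": "WRITE_DENIED", "program": "/usr/bin/prelink",
     "object": "/usr/bin/ausyscall.#prelink#.XYZ123"},
    {"event": "WRITE_DENIED", "program": "/usr/bin/prelink",
     "object": "/usr/bin/ausyscall.#prelink#.Ab9Qz1"},
    {"event": "WRITE_DENIED", "program": "/usr/bin/prelink",
     "object": "/usr/sbin/aulast.#prelink#.k2Lm0p"},
    {"event": "WRITE_DENIED", "program": "/usr/bin/prelink",
     "object": "/usr/lib64/libnuma.so.1.#prelink#.q8Rt2v"},
    {"event": "EXECUTION_DENIED", "program": "/bin/bash",
     "object": "/tmp/dropper.sh"},
    # Same naming pattern, but NOT written by prelink: must stay visible.
    {"event": "WRITE_DENIED", "program": "/usr/bin/vi",
     "object": "/usr/bin/ausyscall.#prelink#.EvIl01"},
]


def prelink_target(object_name):
    """Return the binary prelink was rewriting, or None if not a prelink temp file."""
    m = PRELINK_TMP.match(object_name)
    return m.group("orig") if m else None


def triage(events, prelink_bin="/usr/bin/prelink"):
    """Split events into three buckets.

    noise:     prelink temp-file writes performed by prelink itself; these are
               what a trusted Updater entry for prelink would legitimately cover.
    lookalike: "#prelink#" temp names written by some OTHER program; an Updater
               entry for prelink does not cover these, so they must keep alerting.
    other:     everything else, untouched.
    """
    noise = Counter()
    lookalike = []
    other = []
    for ev in events:
        target = prelink_target(ev["object"])
        if target is None:
            other.append(ev)
        elif ev["program"] == prelink_bin:
            noise[target] += 1
        else:
            lookalike.append(ev)
    return {"noise": noise, "lookalike": lookalike, "other": other}


def sadmin_updater_commands(prelink_bin="/usr/bin/prelink", tag="prelink",
                            suppress_events=True):
    """Build the sadmin commands for the fix proposed in the thread.

    Assumed flag semantics (verify with `sadmin help`):
      -d  disable inheritance: children spawned by prelink get no Updater privilege
      -n  do not log events for this Updater (only if your change-accountability
          policy permits; omit it to keep a record of what prelink rewrote)
      -t  tag name shown against the Updater entry
    """
    flags = ["-d"]
    if suppress_events:
        flags.append("-n")
    add = " ".join(["sadmin", "updaters", "add", *flags, "-t", tag, prelink_bin])
    # Second command lists the configured Updaters so the entry can be checked.
    return [add, "sadmin updaters list"]


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print("prelink temp-file writes by prelink (per target binary):")
    for target, n in result["noise"].most_common():
        print(f"  {n:5d}  {target}")
    print(f"lookalike temp names NOT written by prelink: {len(result['lookalike'])}")
    for ev in result["lookalike"]:
        print(f"  {ev['event']}  {ev['program']}  {ev['object']}")
    print(f"unrelated events: {len(result['other'])}")
    print("commands to trust prelink as an Updater (run as root on the host):")
    for cmd in sadmin_updater_commands(suppress_events=False):
        print("  " + cmd)
```

Run it against an export of the Object Name / Program / Error Name columns instead of `SAMPLE_EVENTS`; if the `noise` bucket accounts for the thousands of daily events and `lookalike` is empty, the Updater entry is the right fix. Keep `suppress_events=False` on the first pass so the Updater's changes still appear in the log until you have confirmed nothing else is hiding in the volume.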