How to Fix Aide “lgetfilecon_raw failed for / : No data available” errors
Recently at I observed that aide was generating extremely large reports. Upon closer inspection I noticed that the logs were full of lgetfilecon_raw errors, much like the following:
lgetfilecon_raw failed for /opt:No data available
lgetfilecon_raw failed for /etc/exports:No data available
lgetfilecon_raw failed for /etc/crontab:No data available
lgetfilecon_raw failed for /etc/bashrc:No data available
lgetfilecon_raw failed for /etc/group:No data available
lgetfilecon_raw failed for /etc/sudoers:No data available
lgetfilecon_raw failed for /etc/gshadow:No data available
lgetfilecon_raw failed for /etc/aliases:No data available
lgetfilecon_raw failed for /etc/sysctl.conf:No data available
As it turns out, the stock aide config that was in place was configured to check SELinux contexts, and because we had SELinux disabled, aide was unable to read them. The fix was to redefine our groups so that they don't inherit anything from the default groups. Redefining the following items in /etc/aide.conf was enough to fix the issue for me:
#/etc/aide.conf
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
EVERYTHING = p+i+n+u+g+s+m+c+acl+xattrs+md5+ALLXTRAHASHES
NORMAL = p+i+n+u+g+s+m+c+acl+xattrs+md5+rmd160+sha256
DIR = p+i+n+u+g+acl+xattrs
PERMS = p+i+u+g+acl
LOG = p+u+g+i+n+S+acl+xattrs
LSPP = p+i+n+u+g+s+m+c+acl+xattrs+md5+sha256
DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
After setting that, I was able to re-initialize the aide database and subsequent checks ran without error.
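An added example, not part of the original post: a short Python check that lists which groups and rules in an aide.conf still resolve to the selinux attribute, so the redefinitions can be verified before the database is re-initialized. It assumes AIDE's built-in groups R, L and > include selinux, as the comments in the stock CentOS aide.conf describe them; the function names and both sample configs are constructed for illustration.

```python
import re

# Assumption: AIDE's built-in groups R, L and > carry the selinux attribute,
# as the comments in the stock CentOS aide.conf describe them.
BUILTIN_WITH_SELINUX = {"R", "L", ">"}
GROUP_DEF = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(\S+)\s*$")
RULE = re.compile(r"^\s*(=?/\S*)\s+(\S+)\s*$")

def has_selinux(expr, groups):
    """Walk an attribute expression left to right, tracking only selinux."""
    present = False
    for op, token in re.findall(r"([+-]?)([^+-]+)", expr):
        if (token == "selinux" or token in BUILTIN_WITH_SELINUX
                or groups.get(token, False)):
            present = op != "-"  # "+X" or a leading X adds it, "-X" strips it
    return present

def audit(conf_text):
    """Return (group names, rule paths) that make AIDE read SELinux contexts."""
    groups, rules = {}, []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        m = GROUP_DEF.match(line)
        if m:  # groups resolve in file order, so a later redefinition wins
            groups[m.group(1)] = has_selinux(m.group(2), groups)
            continue
        m = RULE.match(line)
        if m and has_selinux(m.group(2), groups):
            rules.append(m.group(1))
    return sorted(g for g, hit in groups.items() if hit), rules

# Constructed sample written in the style of a stock config.
STOCK_STYLE = """\
NORMAL = R+rmd160+sha256
PERMS = p+i+u+g+acl+selinux
LOG = >
DATAONLY = NORMAL-selinux
/etc NORMAL
/var/log LOG
/opt DATAONLY
"""
# Three of the redefinitions from the post, with the same constructed rules.
REDEFINED = """\
NORMAL = p+i+n+u+g+s+m+c+acl+xattrs+md5+rmd160+sha256
PERMS = p+i+u+g+acl
LOG = p+u+g+i+n+S+acl+xattrs
/etc NORMAL
/var/log LOG
"""
```

Calling audit() on the text of /etc/aide.conf should return two empty lists once every group has been redefined. If SELinux is enabled again later, the selinux attribute has to be added back for context changes to be reported.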
Hope that helps!
References: http://beginlinux.com/server/centos/using-advanced-intrusion-detection-environment