How to Fix Aide “lgetfilecon_raw failed for / : No data available” errors


Recently at I observed that aide was generating extremely large reports. Upon closer inspection I noticed that the logs were full of lgetfilecon_raw errors, much like the following:

lgetfilecon_raw failed for /opt:No data available
lgetfilecon_raw failed for /etc/exports:No data available
lgetfilecon_raw failed for /etc/crontab:No data available
lgetfilecon_raw failed for /etc/bashrc:No data available
lgetfilecon_raw failed for /etc/group:No data available
lgetfilecon_raw failed for /etc/sudoers:No data available
lgetfilecon_raw failed for /etc/gshadow:No data available
lgetfilecon_raw failed for /etc/aliases:No data available
lgetfilecon_raw failed for /etc/sysctl.conf:No data available

As it turns out the stock aide config that was in place was configured to check selinux contexts, and because we had selinux disabled aide was unable to read them. The fix was to redefine our groups so that they don’t inherit anything from the default groups. Redefining the following items in /etc/aide.conf was enough to fix the issue for me:

#/etc/aide.conf
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
EVERYTHING = p+i+n+u+g+s+m+c+acl+xattrs+md5+ALLXTRAHASHES
NORMAL = p+i+n+u+g+s+m+c+acl+xattrs+md5+rmd160+sha256
DIR = p+i+n+u+g+acl+xattrs
PERMS = p+i+u+g+acl
LOG = p+u+g+i+n+S+acl+xattrs
LSPP = p+i+n+u+g+s+m+c+acl+xattrs+md5+sha256
DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger

After setting that, I was able to re-initialize the aide database and subsequent checks ran without error.

Hope that helps!

References: http://beginlinux.com/server/centos/using-advanced-intrusion-detection-environment

Related posts:

  1. How to fix yum [Errno -1] Metadata file does not match checksum
  2. Fixing “No such file or directory” locale errors
  3. Resolving Puppet Error: Could not retrieve catalog from remote server: undefined method `closed?’ for nil:NilClass
  4. Fixing pivotroot: pivot_root(/sysroot,/sysroot/initrd) failed: 2 umount error

4 Responses to “How to Fix Aide “lgetfilecon_raw failed for / : No data available” errors”

  1. tom Says:
    September 18th, 2012 at 11:05 pm

    thanks … very useful

    [Reply]

  2. Dale Carter Says:
    February 25th, 2015 at 10:02 pm

    Thankyou I was having problems on Centos 5.11 with running AIDE with SE Linux disabled and by doing as you have said in the /etc/aide.conf file, my aide –init ran properly.

    Thank you for sharing. A Big Help.

    [Reply]

  3. tartare Says:
    September 17th, 2015 at 12:01 pm

    Very usefull. Thanks a lot

    [Reply]

  4. Cuthbert Says:
    September 25th, 2015 at 5:27 am

    You can definitely see your enuthsiasm in the work you write. The arena hopes for even more passionate writers like you who aren’t afraid to say how they believe. All the time follow your heart. The point of quotations is that one can use another’s words to be insulting. by Amanda Cross.

    [Reply]

Join the Conversation