Disable Prelinking

An XCCDF Rule

Description

The prelinking feature changes binaries in an attempt to decrease their startup time. In order to disable it, change or add the following line inside the file /etc/sysconfig/prelink:

PRELINKING=no

Next, run the following command to return binaries to a normal, non-prelinked state:

$ sudo /usr/sbin/prelink -ua

Rationale

Because the prelinking feature changes binaries, it can interfere with the operation of certain software and/or modes such as AIDE, FIPS, etc.

ID: xccdf_org.ssgproject.content_rule_disable_prelink
Severity: Medium
References: 11 13 14 2 3 9

5.10.1.3

APO01.06 BAI02.01 BAI03.05 BAI06.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS04.07 DSS05.03 DSS06.02 DSS06.06

3.13.11

CCI-000803 CCI-002450

4.3.4.3.2 4.3.4.3.3 4.3.4.4.4

SR 3.1 SR 3.3 SR 3.4 SR 3.8 SR 4.1 SR 7.6

A.11.2.4 A.12.1.2 A.12.2.1 A.12.5.1 A.12.6.2 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.8.2.3

CIP-003-8 R4.2 CIP-007-3 R5.1

CM-6(a) SC-13

PR.DS-1 PR.DS-6 PR.DS-8 PR.IP-1

Req-11.5

1.6.4

CCE-91341-8
Updated: about 1 year ago

# prelink not installed
if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
    if grep -q ^PRELINKING /etc/sysconfig/prelink
    then
        sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
    else        printf '\n' >> /etc/sysconfig/prelink
        printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
    fi

    # Undo previous prelink changes to binaries if prelink is available.
    if test -x /usr/sbin/prelink; then
        /usr/sbin/prelink -ua
    fi
fi

- name: Does prelink file exist
  stat:
    path: /etc/sysconfig/prelink
  register: prelink_exists
  tags:
  - CCE-91341-8  - CJIS-5.10.1.3
  - NIST-800-171-3.13.11
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-13
  - PCI-DSS-Req-11.5
  - disable_prelink
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Disable prelinking
  lineinfile:
    path: /etc/sysconfig/prelink
    regexp: ^PRELINKING=
    line: PRELINKING=no
  when: prelink_exists.stat.exists
  tags:
  - CCE-91341-8
  - CJIS-5.10.1.3
  - NIST-800-171-3.13.11
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-13
  - PCI-DSS-Req-11.5
  - disable_prelink
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Disable Prelinking

Description

Rationale

Remediation - Shell Script

Remediation - Ansible