Find Compromised Packages with RPM
Verify operating system installed files in an RPM-based distribution.
So you’ve had a compromise and need to figure out which files (if any) were modified by the intruder, but you didn’t install Tripwire? Well, all is not lost if your distribution uses RPM for its package management system. While not as powerful as Tripwire, RPM can be useful for finding out to what degree a system has been compromised. RPM keeps MD5 checksums for all the files it has ever installed, and we can use this to check the packages on a system against its signature database. In addition to the MD5 checksum, you can also check a file’s size, user, group, mode, and modification time against what is stored in the system’s RPM database.
To verify a single package, run this:

    rpm -V package
If the intruder modified any binaries, it’s very likely that the ps command was one of them. Let’s check its signature:

    # which ps
    /bin/ps
    # rpm -V `rpm -qf /bin/ps`
    S.5....T    /bin/ps
Here we see from the S, 5, and T that the file’s size, checksum, and modification time have changed from when it was installed, which is not good at all. Note that rpm -V prints only the files that do not match the information recorded in the package database; a package whose files are all intact produces no output.
If we want to verify all packages on the system, we can use the usual rpm option that specifies all packages, -a:

    # rpm -Va
    S.5....T    /bin/ps
    S.5....T  c /etc/pam.d/system-auth
    S.5....T  c /etc/security/access.conf
    S.5....T  c /etc/pam.d/login
    S.5....T  c ...
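The attribute string at the start of each line is the whole diagnostic, and on a full rpm -Va run there can be hundreds of them, so it helps to decode them systematically rather than by eye. The script below is an added example, not code from the book or from the rpm project: it parses rpm -V and rpm -Va lines into attribute names, picks up the file-type marker rpm prints before the path (the c in the listing above marks a configuration file, which administrators edit routinely), and ranks each finding so that a changed checksum on a binary outranks an edited config file or a bare mtime change. The sample output, the severity rules, and the script name rpmv_triage.py are all constructed for this example. Because rpm and its database live on the suspect system, treat the ranking as a starting point for investigation and, where you can, repeat the verification with a known-good rpm binary from trusted media.

```python
"""Triage rpm -V / rpm -Va output.

Added example (not part of rpm or of the original text): parse the
verification lines rpm prints, decode the attribute flags, and rank each
finding so that a trojaned binary stands out from config edits and noise.
"""
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Attribute columns of the rpm -V flag string, in the order rpm prints them.
# '.' means the attribute matched, '?' means it could not be tested.
FLAG_NAMES = {
    "S": "size",
    "M": "mode",
    "5": "digest",        # MD5 on older rpm, SHA-256 on newer ones
    "D": "device",
    "L": "symlink",
    "U": "user",
    "G": "group",
    "T": "mtime",
    "P": "capabilities",  # ninth column on newer rpm versions
}

# Optional one-letter file-type marker printed between the flags and the path.
TYPE_NAMES = {"c": "config", "d": "documentation", "g": "ghost",
              "l": "license", "r": "readme"}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    path: str
    changes: List[str] = field(default_factory=list)
    file_type: Optional[str] = None
    missing: bool = False

    @property
    def severity(self) -> str:
        """Rank a finding by how likely it is to reflect tampering (assumed rules)."""
        if self.missing:
            return "high"                      # packaged file deleted
        if "digest" in self.changes:
            # Content changed: a trojaned binary if it is not a config file,
            # a plausibly legitimate edit if it is.
            return "medium" if self.file_type == "config" else "high"
        return "low"                           # size/mode/mtime-only changes


def parse_line(line: str) -> Optional[Finding]:
    """Parse one rpm -V output line; return None for blank lines."""
    line = line.strip()
    if not line:
        return None
    head, _, rest = line.partition(" ")
    rest = rest.lstrip()
    file_type = None
    if len(rest) > 2 and rest[0] in TYPE_NAMES and rest[1] == " ":
        file_type = TYPE_NAMES[rest[0]]
        rest = rest[2:].lstrip()
    if head == "missing":
        return Finding(path=rest, file_type=file_type, missing=True)
    if len(head) not in (8, 9):
        raise ValueError(f"unexpected rpm -V line: {line!r}")
    changes = [FLAG_NAMES[ch] for ch in head if ch in FLAG_NAMES]
    return Finding(path=rest, changes=changes, file_type=file_type)


def triage(output: str) -> List[Finding]:
    """Parse a whole rpm -Va run and order findings, most suspicious first."""
    findings = [f for f in (parse_line(l) for l in output.splitlines()) if f]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.path))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity level."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample output in the same layout as the rpm -Va run in the text.
SAMPLE_OUTPUT = """\
S.5....T    /bin/ps
S.5....T  c /etc/pam.d/system-auth
.......T  c /etc/security/access.conf
missing     /usr/sbin/sshd
"""

if __name__ == "__main__":
    # Pipe a real run in with `rpm -Va | python3 rpmv_triage.py`, or run it
    # with no input to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    results = triage(text)
    for f in results:
        what = "MISSING" if f.missing else ",".join(f.changes)
        print(f"{f.severity:6} {f.file_type or '-':6} {what:24} {f.path}")
    print(summarize(results))
```

On the sample, /bin/ps (changed size, digest and mtime, not a config file) and the missing sshd binary come out as high, the PAM config with a changed digest as medium, and the access.conf entry that differs only in mtime as low. The low bucket is where prelink, package upgrades and casual touches tend to land; the high bucket is the short list to pull copies of and compare against a clean package.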