Find Compromised Packages with RPM

Verify operating system installed files in an RPM-based distribution.

So you’ve had a compromise and need to figure out which files (if any) were modified by the intruder, but you didn’t install Tripwire? Well, all is not lost if your distribution uses RPM for its package management system. While not as powerful as Tripwire, RPM can be useful for finding out to what degree a system has been compromised. RPM records a checksum for every file it installs (MD5 in the RPM releases this hack was written against, SHA-256 in current ones) and keeps that record in its package database for as long as the package stays installed. We can use this to check the files on a system against the checksums in that database. In addition to the checksum, you can also check a file’s size, user, group, mode, and modification time against what is stored in the system’s RPM database. Keep in mind that the database and the rpm binary itself live on the same compromised disk, so an intruder with root could have altered either. Treat a clean result as encouraging rather than conclusive, and where you can, verify against the original package files with rpm -Vp or from a known-good system.

To verify a single package, run this:

            rpm -V package

If the intruder modified any binaries, it’s very likely that the ps command was one of them. Let’s find the package that owns it and verify that package:

# which ps
/bin/ps
# rpm -V `rpm -qf /bin/ps`
S.5....T   /bin/ps

Here we see from the S, 5, and T that the file’s size, checksum, and modification time have changed from when it was installed, which is not good at all. Each column of the flag field stands for one attribute: S size, M mode, 5 checksum, D device major/minor number, L symlink target, U user, G group, and T modification time; a dot means that attribute still matches the database. Note that only files that do not match the information contained in the package database will result in output, so a package with no output is one whose files all verified.

If we want to verify all packages on the system, we can use the usual rpm option that specifies all packages, -a:

# rpm -Va
S.5....T   /bin/ps
S.5....T c /etc/pam.d/system-auth
S.5....T c /etc/security/access.conf
S.5....T c /etc/pam.d/login
S.5....T c ...

The c before a path marks a configuration file. Configuration files are expected to differ from the packaged version on any system that has been administered, so concentrate first on binaries and libraries with a changed checksum (5) and on any line that begins with missing, which means a packaged file has been deleted outright. Changed PAM and access-control files like the ones above still deserve a look, though, since those are exactly the places an intruder would use to add a backdoor login path.
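On a large system rpm -Va produces hundreds of lines, most of them harmless configuration edits, so it helps to triage the output rather than read it raw. The following shell script is an added example, not code from the book: it decodes the flag field into attribute names and pulls out the entries a responder cares about first, namely non-configuration files whose checksum changed or that are missing. The rpm -Va text it runs on is a constructed sample embedded in the script, so it runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the book): triage `rpm -Va` output.
#   decode_flags FLAGS   expands a flag field such as "S.5....T" into names
#   suspect_files TEXT   prints paths whose checksum changed or that are
#                        missing, skipping config files (attribute column "c")
# On a live host, run:  suspect_files "$(rpm -Va 2>/dev/null)"
# (and remember that the rpm binary itself may have been replaced).

decode_flags() {
    flags=$1
    out=""
    while [ -n "$flags" ]; do
        c=${flags%"${flags#?}"}   # first character of the remaining field
        flags=${flags#?}          # drop it
        case "$c" in
            S) w=size ;;   M) w=mode ;;   5) w=digest ;;  D) w=device ;;
            L) w=link ;;   U) w=user ;;   G) w=group ;;   T) w=mtime ;;
            P) w=caps ;;   *) continue ;; # "." means the attribute matched
        esac
        out="${out:+$out,}$w"
    done
    printf '%s\n' "$out"
}

suspect_files() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        if [ -z "$line" ]; then continue; fi
        set -- $line              # splits into: flags [attr] path
        flags=$1
        if [ $# -ge 3 ]; then attr=$2; path=$3; else attr=""; path=$2; fi
        # Locally edited config files are expected to differ; leave them for
        # a manual pass rather than burying the real hits among them.
        if [ "$attr" = "c" ]; then continue; fi
        case "$flags" in
            missing|*5*) printf '%s\n' "$path" ;;
        esac
    done
}

# Constructed sample in `rpm -Va` format; not captured from a real host.
SAMPLE_RPM_VA='S.5....T   /bin/ps
S.5....T c /etc/pam.d/system-auth
.......T   /usr/share/man/man1/ps.1.gz
missing    /usr/bin/ls
SM5....T   /sbin/ifconfig
.M......   /usr/share/misc/magic
S.5....T c /etc/security/access.conf'

echo "Files needing a closer look:"
suspect_files "$SAMPLE_RPM_VA" | while IFS= read -r p; do
    printf '  %s\n' "$p"
done
echo "Flags S.5....T mean: $(decode_flags S.5....T)"
```

On the sample this reports /bin/ps, /usr/bin/ls, and /sbin/ifconfig and ignores the two PAM-related config files, the man page whose only change is its mtime, and the file whose only change is its mode. Widen the pattern in the case statement (for example to also match M on setuid binaries) if your investigation calls for it.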
