linux/RPMVerificationI written at 02:55:53
Checking systems with RPM verification (part 1)
I spent part of Monday poking through a Fedora Core system that had
been partially compromised, and I was reminded yet again how one of my
favorite RPM features isn't as widely known as it could be. Namely, that
RPM keeps a handy database of the MD5 checksums about every file it's
installed (as well as a pile of other information).
The quick way to dump this information is '
#!/bin/sh
# Run 'rpm -V' over every installed package and print only the
# packages that report something, with their verification output indented.
n=`mktemp /tmp/checkrpmv.XXXXX` || exit 1
for i in `rpm -qa | sort`; do
	rpm -V "$i" >"$n"
	if test -s "$n"; then
		echo "$i:"
		sed 's/^/\t/' <"$n"
	fi
done
rm -f "$n"
Now, it's important to note that basic RPM verification is only really
a semi-casual system verification tool if you're dealing with a cracked
machine, since the database (and
(Even if you suspect a root compromise, RPM verification is a useful and quick first pass. Especially as most crackers are just not all that clever and thorough.)
The other big thing I like RPM verification for is as a tool for hunting down how a system has been customized, since it will point out what configuration files have been changed and so on. Even if it's your own system, having your memory checked can be comforting (especially just before an upgrade).
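To make the output of a run like the script above easier to read for either purpose (spotting a compromise or hunting down customizations), here is an added example, not part of the original post, that parses 'rpm -V' lines and sorts them into buckets: edited config files (ordinary customization), digest changes on non-config files (the ones worth a close look), missing files, and pure metadata or mtime changes. The function names and the sample lines are my own; the sample is constructed in the format rpm -V prints, not output from a real machine.

```python
import re
from collections import defaultdict

# Meaning of each column in an rpm -V flag string ('.' = passed, '?' = not checked).
FLAG_MEANING = {"S": "size", "M": "mode", "5": "digest", "D": "device",
                "L": "symlink", "U": "owner", "G": "group", "T": "mtime", "P": "caps"}
# An 8-column (older RPM) or 9-column flag string, or the word 'missing', then an
# optional attribute letter (c=config, d=doc, g=ghost, l=license, r=readme), then the path.
LINE_RE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")

def parse_verify_line(line):
    """Return (path, attr, changed_set) for one rpm -V line, or None for noise lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None  # e.g. 'Unsatisfied dependencies for ...'
    flags, attr, path = m.groups()
    if flags == "missing":
        return path, attr, {"missing"}
    return path, attr, {FLAG_MEANING[c] for c in flags if c in FLAG_MEANING}

def classify(attr, changed):
    """Edited config is ordinary customization; a digest change elsewhere is the line to read."""
    if "missing" in changed:
        return "missing"
    if "digest" in changed:
        return "edited config" if attr == "c" else "content changed"
    if changed <= {"mtime"}:
        return "mtime only"
    return "metadata changed"

def triage(output):
    """Group the files in a chunk of rpm -V output by the kind of change they show."""
    buckets = defaultdict(list)
    for line in output.splitlines():
        parsed = parse_verify_line(line)
        if parsed:
            path, attr, changed = parsed
            buckets[classify(attr, changed)].append(path)
    return dict(buckets)

# Constructed sample in the format rpm -V prints; not output from a real system.
SAMPLE = """\
S.5....T  c /etc/ssh/sshd_config
.......T    /usr/share/man/man1/ls.1.gz
S.5....T    /bin/ls
missing     /usr/bin/top
.M......    /usr/bin/passwd
Unsatisfied dependencies for example-1.0-1: libfoo.so.1
"""
```

Feed it the saved output of 'rpm -Va' (or the per-package output from the script above) and the 'content changed' bucket is where to start reading.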
* * *