Wandering Thoughts: Recent Entries For 2006/02/23

Checking systems with RPM verification (part 1)

I spent part of Monday poking through a Fedora Core system that had been partially compromised, and I was reminded yet again how one of my favorite RPM features isn't as widely known as it could be. Namely, that RPM keeps a handy database of the MD5 checksums about every file it's installed (as well as a pile of other information). The rpm command's -V option taps this database to verify the actual files on the system against what the database says they should be and makes it a handy system integrity checker.

The quick way to dump this information is 'rpm -Va', but this just gives a big file list. I use a little script I call check-rpmv to group the output by RPM, which makes it easier to sort through. In the hopes of avoiding rewriting check-rpmv from scratch yet again on yet another system where I don't have my usual tools handy, here it is:

#!/bin/sh
n=`mktemp /tmp/checkrpmv.XXXXX`
for i in `rpm -qa | sort`; do
 rpm -V $i >$n
 if test -s $n; then
   echo $i:
   sed 's/^/\t/' <$n
 fi
done
rm -f $n

Now, it's important to note that basic RPM verification is only really a semi-casual system verification tool if you're dealing with a cracked machine, since the database (and rpm itself) is just sitting there on the system. In the case on Monday we were reasonably sure the crackers hadn't gotten root, so it was not worth doing a bare metal upwards forensics check.

(Even if you suspect a root compromise, RPM verification is a useful and quick first pass. Especially as most crackers are just not all that clever and thorough.)

The other big thing I like RPM verification for is as a tool for hunting down how a system has been customized, since it will point out what configuration files have been changed and so on. Even if it's your own system, having your memory checked can be comforting (especially just before an upgrade).