Checking systems with RPM verification (part 2)

There are at least two useful tricks beyond basic RPM verification that can be useful in some situations.

The first is that RPM's verification doesn't have to use the system database; instead it can get the MD5 checksums from a .rpm itself. This is done with 'rpm -V -p <rpm>'. Naturally the .rpm had better be the same version that's installed, and of course prelinking is still an issue if you don't trust the system that much.

The second is RPM's --root argument, which causes it to do all its work against a filesystem tree located somewhere other than /. This is useful if you want to verify something that you're not currently running, whether for disaster recovery or forensic analysis. This can be combined with the first trick to verify a system where you're dubious about both the system infrastructure and the version of the RPM database that the system has.

If you have to do this in the presence of prelinking, I think that for most people the best thing you can do is to un-prelink the system and then verify what's left (with __prelink_undo_cmd set to something like /bin/cat, just in case). A really clever attacker might still be able to hide things, but fortunately those are rare.

(If I had to do better than this, I'd create a custom version of prelink that has a --root argument and then hard-code it as the __prelink_undo_cmd when I was doing the verification.)

As a general disclaimer for people thinking about going to this much work: note that you should always bear in mind the basic principle of analyzing compromised machines. You can't really trust anything running on the machine itself; to the extent that you do, you are gambling that your attacker is not clever. In many cases you will win this gamble, because I don't think that very many cracker toolkits are exploiting RPM prelinking or bothering to compromise RPM and its database of checksums. However, it only takes one cracker to put together a toolkit that does it, and sooner or later someone will.

(Your odds are significantly worse if you believe that someone is specifically targeting RPM-based distributions with their attacks. I would be especially nervous about a package targeted specifically at Red Hat Enterprise Linux machines.)