Checking systems with RPM verification (part 1)

February 23, 2006

I spent part of Monday poking through a Fedora Core system that had been partially compromised, and I was reminded yet again how one of my favorite RPM features isn't as widely known as it could be. Namely, that RPM keeps a handy database of the MD5 checksums of every file it's installed (as well as a pile of other information). The rpm command's -V option taps this database to verify the actual files on the system against what the database says they should be, which makes it a handy system integrity checker.

The quick way to dump this information is 'rpm -Va', but this just gives a big file list. I use a little script I call check-rpmv to group the output by RPM, which makes it easier to sort through. In the hopes of avoiding rewriting check-rpmv from scratch yet again on yet another system where I don't have my usual tools handy, here it is:

#!/bin/sh
# Group 'rpm -V' output by package so it is easier to read through.
n=`mktemp /tmp/checkrpmv.XXXXXX` || exit 1
trap 'rm -f "$n"' EXIT
for i in `rpm -qa | sort`; do
  rpm -V "$i" >"$n"
  # Only print the package name when rpm -V actually reported something.
  if test -s "$n"; then
    echo "$i:"
    sed 's/^/\t/' <"$n"
  fi
done

Now, it's important to note that basic RPM verification is only really a semi-casual system verification tool if you're dealing with a cracked machine, since the database (and rpm itself) is just sitting there on the system. In the case on Monday we were reasonably sure the crackers hadn't gotten root, so it was not worth doing a bare metal upwards forensics check.

(Even if you suspect a root compromise, RPM verification is a useful and quick first pass. Especially as most crackers are just not all that clever and thorough.)

The other big thing I like RPM verification for is as a tool for hunting down how a system has been customized, since it will point out what configuration files have been changed and so on. Even if it's your own system, having your memory checked can be comforting (especially just before an upgrade).
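To make sorting through that grouped output quicker, here is a small triage parser for rpm -V lines. It is an added example, not part of the original post or of check-rpmv; the sample output it runs on is constructed, and the bucket names are my own. It separates edited config files (the "c" type) from non-config files whose size, digest, mode or ownership changed, which are the ones worth a closer look on a suspect machine.

```python
import re
from collections import defaultdict

# Constructed sample of 'rpm -V' output (not captured from a real host).
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ls
.......T.    /usr/share/doc/foo/README
missing      /usr/bin/lsof
.M.......    /usr/bin/passwd
"""

# Older rpm prints 8 flag characters, newer rpm 9 (the trailing P for
# capabilities); '.' means unchanged and '?' means the test could not run.
LINE_RE = re.compile(r'^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(\S.*)$')
FLAG_MEANING = {'S': 'size', 'M': 'mode', '5': 'digest', 'D': 'device',
                'L': 'symlink', 'U': 'user', 'G': 'group', 'T': 'mtime',
                'P': 'capabilities'}
# Attribute changes that matter on a non-config file; mtime alone is noise.
CONTENT_FLAGS = {'size', 'digest', 'mode', 'user', 'group',
                 'symlink', 'device', 'capabilities'}

def parse_line(line):
    """Return {'path', 'type', 'changed'} for one rpm -V line, or None."""
    m = LINE_RE.match(line.rstrip('\n'))
    if not m:
        return None
    flags, ftype, path = m.groups()
    if flags == 'missing':
        changed = {'missing'}
    else:
        changed = {FLAG_MEANING[c] for c in flags if c in FLAG_MEANING}
    return {'path': path, 'type': ftype, 'changed': changed}

def triage(output):
    """Bucket rpm -V output: missing files, edited config files,
    content/attribute changes to other files, and mtime-only noise."""
    buckets = defaultdict(list)
    for line in output.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if 'missing' in rec['changed']:
            buckets['missing'].append(rec['path'])
        elif rec['type'] == 'c':
            buckets['config_changed'].append(rec['path'])
        elif rec['changed'] & CONTENT_FLAGS:
            buckets['suspicious'].append(rec['path'])
        else:
            buckets['mtime_only'].append(rec['path'])
    return dict(buckets)
```

Feed it the output of 'rpm -Va' and read the suspicious bucket first; remember that, as noted above, rpm and its database are only as trustworthy as the machine they sit on.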


Comments on this page:

From 24.98.83.96 at 2006-02-24 22:23:48:

Cool! There are several super useful rpm options burrowed deep down in the manual page. I have found some of the dependency linkage options valuable for dealing with RPM dependency headaches.

- Ryan http://daemons.net/~matty

Written on 23 February 2006.


Last modified: Thu Feb 23 02:55:53 2006