Checking systems with RPM verification (part 1)
I spent part of Monday poking through a Fedora Core system that had been partially compromised, and I was reminded yet again how one of my favorite RPM features isn't as widely known as it could be. Namely, that RPM keeps a handy database of the MD5 checksums of every file it's installed (as well as a pile of other information). The rpm command's -V option taps this database to verify the actual files on the system against what the database says they should be, which makes it a handy system integrity checker.
The quick way to dump this information is 'rpm -Va', but this just gives a big file list. I use a little script I call check-rpmv to group the output by RPM, which makes it easier to sort through. In the hopes of avoiding rewriting check-rpmv from scratch yet again on yet another system where I don't have my usual tools handy, here it is:
#!/bin/sh
# check-rpmv: run 'rpm -V' on every installed package and group any
# output under the package name, so the big flat file list of 'rpm -Va'
# becomes something you can sort through package by package.
n=`mktemp /tmp/checkrpmv.XXXXX` || exit 1
for i in `rpm -qa | sort`; do
	rpm -V "$i" >"$n"
	# rpm -V prints nothing for a package that verifies cleanly, so only
	# report packages whose output file is non-empty.
	if test -s "$n"; then
		echo "$i:"
		sed 's/^/\t/' <"$n"
	fi
done
rm -f "$n"
Now, it's important to note that basic RPM verification is only really a semi-casual system verification tool if you're dealing with a cracked machine, since the database (and rpm itself) is just sitting there on the system. In the case on Monday we were reasonably sure the crackers hadn't gotten root, so it was not worth doing a forensics check from the bare metal upwards.
(Even if you suspect a root compromise, RPM verification is a useful and quick first pass. Especially as most crackers are just not all that clever and thorough.)
The other big thing I like RPM verification for is as a tool for hunting down how a system has been customized, since it will point out what configuration files have been changed and so on. Even if it's your own system, having your memory checked can be comforting (especially just before an upgrade).
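As an added example (my code, not the author's check-rpmv), here is a small Python triage pass over check-rpmv's grouped output that separates the two uses described above: changed %config files, which are usually local customization, from content changes or missing files outside %config, which are what you look at first on a machine you suspect. The rpm -V status-column meanings are the standard ones; the sample input below is constructed, not output from a real system.

```python
import re
from collections import namedtuple

# Meaning of each position in the rpm -V status field (8 columns on older rpm,
# 9 once the capabilities column was added); '.' = passed, '?' = not testable.
FLAGS = ("size", "mode", "md5", "device", "link", "user", "group", "mtime", "caps")
LINE_RE = re.compile(r"^(?:(missing)|([S.M5DLUGTP?]{8,9}))\s+(?:([cdglr])\s+)?(/.*)$")
# package: from check-rpmv's 'pkg:' header (None for plain rpm -Va input);
# changes: tuple like ("size", "md5"); config: file carried the %config 'c' attribute.
Finding = namedtuple("Finding", "package path changes config missing")

def parse_rpmv(text):
    """Parse check-rpmv output: 'pkg:' header lines followed by indented rpm -V lines."""
    findings, package = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            missing, status, attr, path = m.groups()
            changes = tuple(FLAGS[i] for i, ch in enumerate(status or "") if ch not in ".?")
            findings.append(Finding(package, path, changes, attr == "c", bool(missing)))
        elif line.endswith(":"):
            package = line[:-1]
    return findings

def triage(findings):
    """Return (customized, suspicious): changed %config files are usually local
    customization; content changes (md5/size/mode) or missing files outside %config
    deserve a closer look. Files that differ only in mtime land in neither list."""
    customized, suspicious = [], []
    for f in findings:
        if f.config and not f.missing:
            customized.append(f)
        elif f.missing or {"md5", "size", "mode"} & set(f.changes):
            suspicious.append(f)
    return customized, suspicious

# Constructed sample in check-rpmv's output format (not output from a real system).
SAMPLE = """\
openssh-server:
\tS.5....T.  c /etc/ssh/sshd_config
coreutils:
\tS.5....T.    /usr/bin/ls
\t.......T.    /usr/bin/cat
\tmissing     /usr/share/doc/coreutils/README
"""

if __name__ == "__main__":
    for label, group in zip(("customized", "suspicious"), triage(parse_rpmv(SAMPLE))):
        print(label + ":", *(f.path for f in group))
```

Feed it the saved output of check-rpmv (or plain 'rpm -Va', in which case the package field is None) and the mtime-only noise from package upgrades drops out of both lists.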