== Checking systems with RPM verification (part 1)

I spent part of Monday poking through a Fedora Core system that had
been partially compromised, and I was reminded yet again how one of my
favorite RPM features isn't as widely known as it could be. Namely, that
RPM keeps a handy database of the MD5 checksums about every file it's
installed (as well as a pile of other information). The _rpm_ command's
_-V_ option taps this database to verify the actual files on the system
against what the database says they should be and makes it a handy
system integrity checker.

The quick way to dump this information is '_rpm -Va_', but this just
gives a big file list. I use a little script I call _check-rpmv_ to
group the output by RPM, which makes it easier to sort through. In the
hopes of avoiding rewriting _check-rpmv_ from scratch yet again on yet
another system where I don't have my usual tools handy, here it is:

 #!/bin/sh
 n=`mktemp /tmp/checkrpmv.XXXXX`
 for i in `rpm -qa | sort`; do
  rpm -V $i >$n
  if test -s $n; then
    echo $i:
    sed 's/^/\t/' <$n
  fi
 done
 rm -f $n

Now, it's important to note that basic RPM verification is only really
a semi-casual system verification tool if you're dealing with a cracked
machine, since the database (and _rpm_ itself) is just sitting there on
the system. In the case on Monday we were reasonably sure the crackers
hadn't gotten root, so it was not worth doing a bare metal upwards
forensics check.

(Even if you suspect a root compromise, RPM verification is a useful
and quick first pass. Especially as most crackers are just not all that
clever and thorough.)

The other big thing I like RPM verification for is as a tool for hunting
down how a system has been customized, since it will point out what
configuration files have been changed and so on. Even if it's your own
system, having your memory checked can be comforting (especially just
before an upgrade).