The Red Hat Package Manager (RPM) can be a powerful tool for verifying system integrity, which is very important when recovering from an attack.
The Red Hat Package Manager maintains a database of RPM statistics and supports verification of installed RPMs.
For example, the Package Manager can be used to verify that local files match the RPMs from which they were previously installed, even if you have deleted the original RPM.
You can use this feature to detect system tampering, on either a small or large scale. The following list shows some of the options used with the rpm command:

rpm -V initscripts
    Verifies that your installation of the initscripts RPM has not changed. Note that you will often have updated configuration files yourself, so you should not necessarily be alarmed by alterations to them.

rpm -V <package>
    Verifies a particular package.

rpm -Va
    Verifies all packages contained in the database (-a is short for --all).

rpm -qf <suspect file>
    Tells you which RPM package owns <suspect file>, if any. Some configuration files, such as /etc/lilo.conf and /etc/fstab, do not belong to any RPM, as they are created by the installer. Executable files that do not belong to an RPM may be grounds for suspicion.
The output of the rpm -V command consists of verification flags, which indicate the type of change made to a particular file. Note that a c in the attribute column indicates that the file is a configuration file. Generally, when a package is installed, you will only need to modify the configuration files to have it operate on your system. Typically, there is no need to modify any of the other files included in an RPM.
Therefore, if changes have been made to a non-configuration file, they may be suspect. Additionally, if changes have been made to a configuration file more recently than you recall altering the file, you may wish to inspect that file more closely.
The following diagram explains how to read the output from the rpm command when verifying files.
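As an added example (not part of the original text), the following script applies the rule just described to rpm -V output: it reads the flag column, labels changed configuration files as expected, and labels changed or missing non-configuration files as suspect. The sample output it runs on is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not code from the original page: triage "rpm -Va" output
# using the rule the text gives. A changed configuration file (attribute
# letter c) is usually expected; a changed or missing non-configuration
# file is suspect and deserves a closer look.
#
# Flag columns of an rpm -V line, '.' meaning unchanged and '?' meaning the
# test could not be run: S size, M mode, 5 digest, D device, L symlink,
# U user, G group, T mtime, P capabilities.

# Reads rpm -V lines on stdin; prints "<verdict> <path> <changed attributes>"
# with verdict missing, config or suspect.
classify_rpm_verify() {
    awk '
    NF == 0 { next }
    $1 == "missing" { printf "missing %s\n", $NF; next }
    {
        flags = $1
        attr = (NF >= 3) ? $2 : ""      # c/d/g/l/r file attribute, if any
        path = $NF
        n = split("S M 5 D L U G T P", want, " ")
        split("size mode digest device symlink user group mtime caps", name, " ")
        changes = ""
        for (i = 1; i <= n && i <= length(flags); i++) {
            ch = substr(flags, i, 1)
            if (ch == want[i] || ch == "?") {
                if (changes != "") changes = changes ","
                changes = changes name[i] (ch == "?" ? "?" : "")
            }
        }
        verdict = (attr == "c") ? "config" : "suspect"
        printf "%s %s %s\n", verdict, path, changes
    }'
}

# Constructed sample output (not captured from a real host): an edited
# config file, a binary whose only change is its mtime, a binary whose
# size and digest changed, and a packaged library that is gone.
SAMPLE_OUTPUT='S.5....T.  c /etc/inittab
.......T.    /usr/bin/passwd
S.5....T.    /usr/sbin/sshd
missing     /usr/lib/libfoo.so'

# On a real system replace the sample with: rpm -Va | classify_rpm_verify
printf '%s\n' "$SAMPLE_OUTPUT" | classify_rpm_verify
```

Files reported as suspect are candidates for comparison against a known-good copy of the package, and anything not owned by a package at all (per rpm -qf) deserves the same scrutiny.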