Host Security  «Prev  Next»

Lesson 13RPM verification
ObjectiveDescribe RPM verification.

RPM Verification in Redhat

The Red Hat Package Manager (RPM) can be a powerful tool for verifying system integrity, which is very important when recovering from an attack. The Red Hat Package Manager maintains a database of RPM statistics and supports verification of installed RPMs. For example, the Package Manager can be used to verify that local files match the RPMs from which they were previously installed, even if you have deleted the original RPM. You can se this feature to detect system tampering, on either a small or large scale. The following table shows some of the various options used with the rpm command:

Command DESCRIPTION
rpm --V initscripts Verifies that your installation of the initscripts RPM has not changed. Note that often you often will have updated configuration files yourself, so you shouldn't do not necessarily be alarmed by alterations.
rpm --V <package> Verify a particular package.
rpm --V -all Verifies all packages contained in the database.
rpm -qf <suspect file> Tells you which RPM package owns <file> if any. Some configuration files, such as /etc/lilo.conf and /etc/fstab, do not belong to any RPM, as they are created by the installer. Executable files that do not belong to an RPM may be grounds for suspicion.

The output of the rpm command consists of RPM Verification RPM output Flags, which indicate the type of changes made to a particular file.
Note that a c indicates that the file is a configuration file. Generally, when a package is installed, you will only need to modify the configuration files to have it operate on your system. Typically, there is no need to modify any of the other files included in an RPM. Therefore, if changes have been made to a non-configuration file, they may be suspect. Additionally, if changes have been made to a configuration file more recently than you recall altering the file, you may wish to inspect that file more closely.

The following diagram explains how to read the output from the rpm command when verifying files.
RPM Output

Reading RPM Output

RPM

For additional information on the rpm command, see the man pages by using man rpm.
The next lesson concludes this module.
Verify Package integrity using RPM
Click on the link to the left to learn about how to Verify Package integrity using RPM.