What if you want to verify that the files associated with a package haven't been corrupted or compromised? For example, if you suspect your system has been accessed by an unauthorized user, you can check that the files from a package have not been changed with the RPM verify feature. Of course, if the unauthorized user also altered the RPM database, the results may not be accurate. It is always best to restore the file system to a known secure state if you suspect foul play.
When the verify function is used, file properties such as file size, MD5 sum, file permissions, file type, and file ownership are compared to the original values stored in the RPM database. To verify the files associated with a package, use the following command:

rpm -V <package name>
If no output is returned, the files from the package have not been modified since installation. If a file, such as a configuration file, has been modified, the output is similar to the following:

Output from rpm -V httpd
.M.....T c /etc/httpd/conf/httpd.conf
To verify the files from all the packages installed, use the rpm -Va command. The output is similar to the following listing:

Sample Output from rpm -Va
....L... c /etc/pam.d/system-auth
..5....T c /etc/inittab
missing /usr/lib/mozilla-1.7.12/chrome/overlayinfo/browser
missing /usr/lib/mozilla-1.7.12/chrome/overlayinfo/browser/content
missing /usr/lib/mozilla-1.7.12/chrome/overlayinfo/browser/skin
missing /usr/lib/mozilla-1.7.12/chrome/overlayinfo/cookie
missing /usr/lib/mozilla-1.7.12/chrome/overlayinfo/cookie/content
missing /usr/lib/mozilla-1.7.12/chrome/overlayinfo/editor
missing /usr/lib/mozilla-1.7.12/chrome/overlayinfo/editor/content
missing /usr/lib/mozilla-1.7.12/chrome/overlayinfo/global
missing /usr/lib/mozilla-1.7.12/chrome/overlayinfo/global/content
missing /usr/lib/mozilla-1.7.12/chrome/overlayinfo/global/skin
S.5....T c /etc/ntp/ntpservers
S.5....T c /etc/audit.rules
The c to the left of the filename indicates that the file is a configuration file. Other possible attribute markers include d for documentation files, g for ghost files (file contents are not included in the package payload), l for license files, and r for readme files.

The letters, numbers, and dots at the beginning of each line detail how the file differs from the original state of the file. If a file is no longer installed, the word missing appears instead of the sequence of codes. Otherwise, the eight letters, numbers, and dots represent eight different tests performed to verify the file. The codes are listed in the table below in the order in which they appear in the sequence, and a code is shown only if the corresponding test fails. If a dot is shown instead of a code letter or number, the test passed.
RPM Verification Codes

Code  Explanation
S     File size has changed
M     Mode has changed, including file permissions and file type
5     MD5 sum has changed
D     Device major or minor number has changed
L     The path of the symbolic link has changed
U     The owner of the file has changed
G     The group of the file has changed
T     The last modified time has changed
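A script that reads rpm -V / rpm -Va output in the format shown above and ranks each finding, added here as an example (it is not from the original page): it parses the eight-character code string, the optional attribute marker and the path, then treats a changed payload file differently from a locally edited configuration file. The sample output lines, including the paths /usr/bin/ps and /usr/share/doc/example-1.0/README, are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of rpm -Va output: the format of the listing above, plus two
# non-config files so the triage rules below have something to separate.
SAMPLE_OUTPUT = """\
....L... c /etc/pam.d/system-auth
..5....T c /etc/inittab
missing   /usr/lib/mozilla-1.7.12/chrome/overlayinfo/browser
S.5....T c /etc/ntp/ntpservers
S.5....T   /usr/bin/ps
.......T d /usr/share/doc/example-1.0/README
"""

# "missing" or a string of the table's codes (8 characters here; newer rpm releases
# print 9), then an optional attribute marker, then the path.
LINE_RE = re.compile(r"^(missing|[SM5DLUGTP.]{8,9})\s+(?:([cdglr])\s+)?(/\S*)\s*$")

@dataclass
class Finding:
    path: str
    codes: str           # e.g. "S.5....T"; empty when the file is missing
    attr: Optional[str]  # c/d/g/l/r marker, None for an ordinary payload file
    missing: bool

def parse_verify_output(text: str) -> List[Finding]:
    """Turn rpm -V / rpm -Va output into Finding records; other lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            codes, attr, path = m.groups()
            missing = codes == "missing"
            findings.append(Finding(path, "" if missing else codes, attr, missing))
    return findings

def triage(f: Finding) -> str:
    """high: payload file gone or altered; review: config/doc file changed (often a
    local edit); info: only the mtime moved, or a ghost file rpm never shipped."""
    if f.attr == "g":          # ghost: contents are not in the package payload
        return "info"
    if f.missing:
        return "high"
    if set(f.codes) <= {".", "T"}:
        return "info"
    if f.attr in ("c", "d", "l", "r"):
        return "review"
    return "high"              # size/mode/MD5/owner/group/link change on a real file
```

As the text notes, these codes are only as trustworthy as the RPM database they are compared against, so an empty "high" bucket is not proof on its own.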