
Verifying Software Packages

Because your RPM database records the packages and files you have installed on your system, you can use that information to compare the original executable commands, configuration files, and other package components against those items as they now exist on your hard disk. The comparison is made against the sizes, checksums, permissions, owners and time stamps recorded in the database when each package was installed, so it is only as trustworthy as that database. To run the comparison, you use the -V (verify) option to rpm.

The basic format of the rpm command with the verify option is

   # rpm -V package-name

Replace package-name with the name of the installed package you want to verify (use rpm -Va to verify every installed package). The output lists only the files on your hard disk that differ in some way from how they were originally installed; a package whose files all pass produces no output at all. Here is an example of running the rpm -V command on the initscripts package:

   # rpm -V initscripts
   prelink: /bin/ipcalc: prelinked file size differs
   S.?....T   /bin/ipcalc
   S.5....T c /etc/inittab
   S.5....T c /etc/rc.d/init.d/functions

The component (file or command) that was found not to match the original is shown on the right. On the left are indications of what is wrong. The first message, prelink: /bin/ipcalc: prelinked file size differs, means that when rpm tried to undo prelinking on the ipcalc command in order to compare its original contents, the result did not have the size recorded in the database. The ? in the following line means that the checksum test could not be performed on that file. An executable whose size differs (S) and whose checksum cannot be checked is a file you should examine rather than trust.

The two other files shown (inittab and functions) illustrate two configuration files that have been modified (in my case, they were properly modified). The c that precedes those two paths marks them as configuration files. Each of the lines starts with eight characters (either dots or some alphanumeric character). When a dot appears in a position, it means the item it represents passes the test. A letter means that test failed; a question mark means the test could not be performed. Table 8-1 shows what each of the eight positions at the start of each line represents.

Table 8-1: Output from RPM Verify

   S   The file size differs from the size recorded at install time (indicating that the content has changed). For configuration files this often reflects normal edits.

   M   The permission mode differs. The mode includes the read/write/execute permission bits as well as the file type.

   5   The MD5 checksum of the file's current contents differs from the checksum recorded at install time. This indicates that the content of the file has changed.

   D   For a device file, the major and/or minor device number does not match.

   L   The readlink(2) path does not match: a symbolic link now points somewhere other than it did originally.

   U   The user ownership differs from the original.

   G   The group ownership differs from the original.

   T   The modification time stamp differs from the original.

Reading the rpm -V output above with the help of Table 8-1, you can see for inittab and functions that the file size differs (S), the MD5 sum differs (5), and the time stamp on the file (T) differs as well. For configuration files, changes to the file size, MD5 sum, and time stamp are not unusual. What is unusual is an executable file that has been changed, because that could indicate that someone has replaced a real program with one that is doing some mischief.
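The distinction drawn above (an edited configuration file is usually routine, a changed executable is not) is easy to lose in a long rpm -Va listing. The following bash script is an added example, not code from the book or from the rpm project: it parses rpm -V output lines of the form shown above and sorts them into ALERT, NOTE, UNVERIFIED and INFO, treating a content or metadata change on a file that carries no c (config) or d (doc) marker as an alert, and a ? as a test that could not be performed. The sample output embedded in it is constructed for the example, modelled on the initscripts listing; the function names, severity labels and the choice of which flags count as "content changed" are this example's own assumptions, not anything rpm defines.

```bash
#!/bin/bash
# Added example: triage rpm -V output, flagging changed non-config files.
# Constructed sample output (not captured from a real system), in the same
# layout rpm -V prints: FLAGS [ATTR] PATH, or a diagnostic message line.
SAMPLE_OUTPUT='prelink: /bin/ipcalc: prelinked file size differs
S.?....T   /bin/ipcalc
S.5....T c /etc/inittab
S.5....T c /etc/rc.d/init.d/functions
..5....T   /sbin/ifconfig
.M......   /usr/bin/passwd
missing     /etc/rc.d/rc.local
.......T d /usr/share/doc/initscripts/README'

# triage_line LINE -> prints "SEVERITY PATH REASON" for one rpm -V line.
# Severity policy (this example's assumption, not rpm's):
#   ALERT      content/metadata change on a binary or other non-config file,
#              or a file that is missing entirely
#   NOTE       change on a file rpm marks as config (c), doc (d), etc., or
#              a time stamp change only
#   UNVERIFIED nothing changed that we could see, but a test could not run
#   INFO       a diagnostic message such as the prelink one, not a result
triage_line() {
    local line=$1 flags rest attr="" path sev reason note=""
    read -r flags rest <<<"$line"          # first word, then the remainder
    case $flags in
        *:)      printf 'INFO %s\n' "$line"; return 0 ;;   # e.g. "prelink: ..."
        missing) printf 'ALERT %s missing from disk\n' "$rest"; return 0 ;;
    esac
    # Optional one-letter attribute: c=config d=doc g=ghost l=license r=readme
    case $rest in
        [cdglr]\ *) attr=${rest%% *}; path=${rest#* } ;;
        *)          path=$rest ;;
    esac
    [[ $flags == *\?* ]] && note="; some tests could not be performed"
    # Strip the '.' placeholders, the '?' and the harmless-on-its-own 'T';
    # whatever remains (S M 5 D L U G) is a real content or metadata change.
    local changes=${flags//[.T?]/}
    if [[ -z $changes ]]; then
        if [[ -n $note ]]; then
            sev=UNVERIFIED; reason="no change detected, but some tests could not be performed"
        else
            sev=NOTE; reason="timestamp only"
        fi
    elif [[ $attr == c ]]; then
        sev=NOTE; reason="config file changed ($flags)$note"
    elif [[ -n $attr ]]; then
        sev=NOTE; reason="package data ($attr) changed ($flags)$note"
    else
        sev=ALERT; reason="binary or other non-config file changed ($flags)$note"
    fi
    printf '%s %s %s\n' "$sev" "$path" "$reason"
}

# triage_output: read rpm -V output on stdin, one triaged line per input line.
# Real use:  rpm -Va | triage_output | grep '^ALERT'
triage_output() {
    local line
    while IFS= read -r line; do
        if [[ -n $line ]]; then triage_line "$line"; fi
    done
}

# count_alerts: number of ALERT lines the constructed sample produces.
count_alerts() {
    printf '%s\n' "$SAMPLE_OUTPUT" | triage_output | grep -c '^ALERT'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | triage_output
```

On the sample, the two edited configuration files come out as NOTE, the README time stamp as NOTE, and ipcalc, ifconfig, passwd and the missing rc.local as ALERT; ipcalc is an alert because its size changed (S) even though the checksum test (?) could not run. A practitioner would then compare each ALERT file against a copy of the package from trusted media before deciding anything.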

To see more detail, you can add the -v or -vv option. With -v, rpm lists every file it checks, including the ones that pass, rather than only the ones that differ.

Cross-Reference 

For more information on using rpm with the -V option, refer to Chapter 10. Chapter 10 describes how the verify option of rpm can be used as part of a larger scheme for protecting the security of your Linux system.
