The Do-It-Yourself Way with rpmverify

If you are running some flavor of a Linux RPM-based distribution (e.g., Fedora, Red Hat Enterprise, Mandrake, or SUSE), it is possible to use the package management system to do basic verifications. rpmverify (or rpm -V) provides a set of options to check files installed with rpm.

Warning

Remember that because the RPM database is not signed itself, a sophisticated hacker could modify the database file after having changed a file under RPM.

This command compares each file recorded in the installation database (RPM database) to the actual file on disk and reports only the files that show one or more differences. The output format is the series of eight attributes as described in Table 20-3, followed by an attribute type from Table 20-4, followed by a filename.

Table 20-3. rpmverify attribute comparison flag results

Flag  Description
.     Attribute matching
?     Comparison could not be performed—for example, no read rights on the file to be verified
S     File size differs
M     Mode differs (permissions and file type)
5     MD5 sum differs
D     Device Major/Minor number mismatch
L     Link path mismatch
U     User ownership differs
G     Group ownership differs
T     Modification time differs

Table 20-4. rpmverify file attributes

Attribute  Description
c          Configuration file
d          Documentation file
G          Ghost file; file content not included in package payload
l          License file
r          Readme file

Here is an example run:

[emoret@simca-1000 ~]$ sudo rpmverify -qa
S.5....T  c /etc/yum.conf
S.5....T  c /etc/pam.d/login
S.5....T  c /etc/xinetd.d/tftp
.....U..    /tftpboot
.M......    /usr/local/src
SM5....T  c /etc/sysconfig/syslog
S.5....T  c /etc/syslog.conf
S.5....T  c /etc/sudoers
S.5....T  c /etc/vsftpd/ftpusers
S.5....T  c /etc/vsftpd/user_list
SM5....T  c /etc/vsftpd/vsftpd.conf
S.5....T  c /etc/pam.d/rsh
S.5....T  c /etc/xinetd.d/rsh
S.5....T  c /etc/xinetd.d/telnet
S.5....T  c /etc/openldap/slapd.conf
S.5...GT  c /etc/alsa/pcm/dsnoop.conf
S.5....T  c /usr/share/sgml/docbook/xmlcatalog
SM5....T    /usr/lib/xorg/modules/drivers/vmware_drv.so
S.5....T    /etc/rc.d/init.d/snortd
S.5....T  c /etc/snort/snort.conf
.M......    /etc/rc.d/init.d
S.5....T  c /root/.bashrc
S.5....T  c /root/.cshrc
....L...  c /etc/pam.d/system-auth
....L...    /usr/bin/pirut
..5....T  c /etc/inittab
S.5....T  c /etc/rc.d/rc.local
.......T    /etc/selinux/targeted/modules/semanage.read.LOCK
.......T    /etc/selinux/targeted/modules/semanage.trans.LOCK

In this run you can see that file size, MD5 sum, and last modification time differ for both configuration files /etc/pam.d/login and /etc/xinetd.d/tftp.
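Reading a long rpmverify report by eye is error-prone, so here is an added example (not from the book, and not part of rpm) that decodes each line using the column layout described above: the eight comparison flags of Table 20-3, the optional file attribute of Table 20-4, then the path. It also applies a simple triage rule so that a changed library or init script (such as vmware_drv.so or snortd in the run above) stands out from a locally edited configuration file. The triage thresholds and the `missing` sample line are this example's own assumptions; rpm prints `missing` when a packaged file has been deleted.

```python
"""Decode rpmverify / rpm -V output and rank each finding.

Added example: parses the report format (eight comparison flags, optional file
attribute, path) and applies a triage rule of its own. Not part of rpm.
"""
import re
from dataclasses import dataclass
from typing import Optional

# The eight flag positions, in the order rpm prints them (Table 20-3).
FLAG_ORDER = "SM5DLUGT"
FLAG_NAMES = {
    "S": "size", "M": "mode", "5": "md5", "D": "device",
    "L": "link", "U": "user", "G": "group", "T": "mtime",
}
# File attribute letters (Table 20-4). rpm itself prints a ghost file as a
# lower-case 'g'; the table lists it as 'G', so both spellings are accepted.
ATTR_NAMES = {"c": "config", "d": "doc", "g": "ghost", "G": "ghost",
              "l": "license", "r": "readme"}

LINE_RE = re.compile(
    r"^(?P<flags>[.?SM5DLUGT]{8}|missing)\s+(?P<attr>[cdgGlr])?\s*(?P<path>/\S.*)$"
)


@dataclass
class Finding:
    path: str
    attr: Optional[str]   # decoded Table 20-4 type, or None for a plain file
    diffs: list           # flag letters that differ, in FLAG_ORDER order
    unreadable: list      # flags rpm reported as '?' (could not compare)
    missing: bool = False


def parse_line(line: str) -> Optional[Finding]:
    """Parse one report line. Returns None for non-finding lines such as the
    shell prompt or an 'Unsatisfied dependencies' notice."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    flags, attr, path = m.group("flags"), m.group("attr"), m.group("path")
    if flags == "missing":
        return Finding(path, ATTR_NAMES.get(attr), [], [], missing=True)
    diffs, unreadable = [], []
    for pos, ch in enumerate(flags):
        expected = FLAG_ORDER[pos]
        if ch == ".":
            continue
        if ch == "?":
            unreadable.append(expected)
        elif ch == expected:
            diffs.append(ch)
        else:
            # rpm prints each flag in a fixed column; anything else is not
            # rpm output, so refuse to guess rather than misreport it.
            raise ValueError(f"flag {ch!r} in column {pos} of {line!r}")
    return Finding(path, ATTR_NAMES.get(attr), diffs, unreadable)


def describe(f: Finding) -> str:
    """Human-readable list of what differs, e.g. 'size, md5, mtime'."""
    if f.missing:
        return "missing"
    return ", ".join(FLAG_NAMES[c] for c in f.diffs) or "no differences"


CONTENT_FLAGS = set("S5LD")              # bytes, link target or device changed
LOCAL_EDIT_TYPES = {"config", "doc", "license", "readme", "ghost"}


def severity(f: Finding) -> str:
    """Triage rule (this example's own, not rpm's):
    high    - packaged file missing, or a non-config file's content changed
    medium  - permission/ownership/link drift, or a config file changed in a
              way other than an in-place edit
    low     - config file edited in place (size/md5, plus mtime)
    info    - only the modification time differs
    unknown - nothing could be compared (all '?')"""
    if f.missing:
        return "high"
    diffs = set(f.diffs) - {"T"}          # mtime alone is noise
    if not diffs:
        return "unknown" if f.unreadable and not f.diffs else "info"
    if f.attr in LOCAL_EDIT_TYPES:
        return "low" if diffs <= {"S", "5"} else "medium"
    return "high" if diffs & CONTENT_FLAGS else "medium"


def parse_report(text: str) -> list:
    return [f for f in (parse_line(ln) for ln in text.splitlines()) if f]


def triage(text: str) -> dict:
    """Map severity level -> list of paths, in report order."""
    out = {"high": [], "medium": [], "low": [], "info": [], "unknown": []}
    for f in parse_report(text):
        out[severity(f)].append(f.path)
    return out


# Constructed sample: lines taken from the run shown above, plus one made-up
# 'missing' line (hypothetical path) to exercise the deleted-file case.
SAMPLE = """\
S.5....T  c /etc/yum.conf
.....U..    /tftpboot
SM5....T  c /etc/sysconfig/syslog
S.5...GT  c /etc/alsa/pcm/dsnoop.conf
SM5....T    /usr/lib/xorg/modules/drivers/vmware_drv.so
S.5....T    /etc/rc.d/init.d/snortd
....L...  c /etc/pam.d/system-auth
....L...    /usr/bin/pirut
.......T    /etc/selinux/targeted/modules/semanage.read.LOCK
missing     /usr/sbin/example-deleted-binary
"""

if __name__ == "__main__":
    for f in parse_report(SAMPLE):
        print(f"{severity(f):7s} {f.path:50s} {describe(f)}")
```

Feed it a saved report (`rpm -Va > verify.txt`, then `triage(open("verify.txt").read())`) rather than live output, so the same input can be re-examined later. The parser only sees what rpm reports, so both warnings on this page still apply: it inherits the trust placed in the RPM database, and files that rpm never installed do not appear at all.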

Warning

Files created outside of the RPM database go unchecked.