There is a way to verify files related to a specific package against the original RPM content:

```
# Verify `vsftpd` package.
rpm -V vsftpd
```
How do I complete the chain and verify that the `rpm` command itself hasn't been changed? If I replace `rpm` with a script which always succeeds, this type of verification will never fail.
This turns out to be quite a difficult problem, if you limit yourself to the single system which you’re trying to validate.
Fortunately, we live in the real world, where there is more than one computer!
Some possibilities for verifying the binary include:
Using another reference system which has the same package version of RPM installed, take a hash of the binary and compare it on each system.
For added assurance, reinstall the signed package from the repositories on the reference system before doing the comparison.
```
# yum reinstall rpm
...
Complete!
# rpm -q rpm
rpm-4.11.3-17.el7.x86_64
# sha256sum /usr/bin/rpm
743810f3c3a9e5eea8ba9bc87351db6b4e8c6393018b9bb56beb873a64ae5431 /usr/bin/rpm
```
Use a host-based intrusion detection system such as OSSEC or Tripwire to detect unexpected changes to your filesystem. This won’t guarantee that your binaries are unaltered, of course, but if done properly it can give you warning that an attack is in progress.
Note that both of these fail if prelinking is in use, which is one reason why it’s generally not enabled by default anymore on recent systems.
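The first approach above (hashing the binary on a trusted reference host and comparing on the suspect host) written out as an added example; it is not code from the original question or answer, and the file paths it is given are assumptions for illustration:

```shell
#!/bin/sh
# Added example: build a SHA-256 manifest of rpm-related binaries on a trusted
# reference host, copy it over, and re-check every entry on the suspect host.

# make_manifest OUT FILE... : run on the reference host (after `yum reinstall
# rpm`, as the answer suggests). Writes one "hash  path" line per file.
make_manifest() {
  out=$1; shift
  sha256sum "$@" > "$out"
}

# check_manifest MANIFEST : run on the suspect host. Rehashes each listed path
# and reports any mismatch or missing file. Returns 0 only if all match.
check_manifest() {
  manifest=$1
  status=0
  while read -r expected path; do
    [ -n "$path" ] || continue
    if [ ! -f "$path" ]; then
      echo "MISSING  $path"
      status=1
      continue
    fi
    actual=$(sha256sum "$path" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
      echo "MISMATCH $path (expected $expected, got $actual)"
      status=1
    fi
  done < "$manifest"
  return $status
}

# Illustrative usage (paths are assumptions): on the reference host run
#   make_manifest rpm.manifest /usr/bin/rpm /usr/lib/rpm/rpmdb_*
# then copy rpm.manifest to the suspect host and run
#   check_manifest rpm.manifest
```

The `sha256sum` on the suspect host is itself a local binary, so for a host you really distrust run the check with a hashing tool brought from the reference host or from trusted boot media rather than the one installed on the system.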
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.