[NTLUG:Discuss] Intrusion and Detection
Kelledin
kelledin at users.sourceforge.net
Mon Dec 24 12:24:19 CST 2001
> I'm not a fan of RPM packages in general, but one nice feature that you can
> do is something like
>
> rpm -V procps util-linux
>
> will compare the files installed from the util-linux and procps packages to
> what is on the system currently. So... if someone was to modify /bin/login or
> /bin/ps the -V ( verify ) option for RPM would point this out to you.
>
> There is nothing to say that a hacker doesn't update /bin/login or /bin/ps
> with RPM, but it might show that someone unpacked a .tgz file and replaced
> those files with hacked ones.
Another thing to note is that when an RPM is built, the builder can select
verification options on a per-file basis. If the package builder doesn't
specify anything verification-wise for a file, rpm -V defaults to checking all
properties of a file except its actual contents (and even this is verified by
an md5 sum). Some package builders will actually build packages with certain
files (config files especially) marked so that certain attributes *don't* get
verified in an rpm -V, and AFAIK the sysadmin has no control over this unless
he/she rebuilds and updates the package.
Kelledin
----------------------------------------------------------
[ Kelledin at Valhalla ~ ] # kill -9 1
init: Just what do you think you're doing, Dave?
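Added example, not code from this thread or from rpm itself: a small Python triage helper for the two points above. It parses the lines `rpm -V` prints (the eight- or nine-column S/M/5/D/L/U/G/T/P flag string, an optional attribute letter such as `c` for config, then the path, or `missing`), ranks each finding so a replaced /bin/ps stands out from routine config drift, and translates a file's per-file verify-flag mask into the tests a builder silenced with `%verify(not ...)` in the spec. The bit layout follows the RPMVERIFY_* values in rpm's rpmvf.h, which is an assumption here; the mask itself can be read with `rpm -q --qf '[%{FILENAMES} %{FILEVERIFYFLAGS}\n]' <pkg>`. The sample output lines are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Column letters in the order `rpm -V` prints them; '.' = test passed,
# '?' = test could not be run (file unreadable). Column P exists only on newer rpm.
COLUMNS = "SM5DLUGTP"
COLUMN_MEANING = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
    "U": "owner", "G": "group", "T": "mtime", "P": "capabilities",
}
ATTR_MEANING = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}

# Per-file verify flag bits as laid out in rpm's rpmvf.h (RPMVERIFY_*).
# Assumption: this is the mask %{FILEVERIFYFLAGS} reports for each file.
VERIFY_BITS = [
    (1 << 0, "digest"), (1 << 1, "size"), (1 << 2, "symlink"), (1 << 3, "owner"),
    (1 << 4, "group"), (1 << 5, "mtime"), (1 << 6, "mode"), (1 << 7, "device"),
    (1 << 8, "capabilities"),
]
ALL_TESTS = sum(bit for bit, _ in VERIFY_BITS)

LINE_RE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(\S.*)$")


@dataclass
class Finding:
    path: str
    failed: List[str] = field(default_factory=list)      # tests that failed
    unverified: List[str] = field(default_factory=list)  # tests rpm could not run ('?')
    attr: Optional[str] = None                           # config/doc/... if rpm marked it
    missing: bool = False


def parse_line(line: str) -> Optional[Finding]:
    """One `rpm -V` output line -> Finding; None for lines not handled here
    (e.g. 'Unsatisfied dependencies ...')."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    flags, attr, path = m.groups()
    f = Finding(path=path, attr=ATTR_MEANING.get(attr) if attr else None)
    if flags == "missing":
        f.missing = True
        return f
    for col, ch in zip(COLUMNS, flags):
        if ch == ".":
            continue
        (f.unverified if ch == "?" else f.failed).append(COLUMN_MEANING[col])
    return f


def severity(f: Finding) -> str:
    """Rank a finding for someone reading `rpm -V` output after a suspected break-in."""
    if f.missing:
        return "low" if f.attr in ("doc", "license", "readme", "ghost") else "high"
    if f.attr == "config":
        # Config files drift legitimately; only ownership/mode changes are interesting.
        perms = ("owner", "group", "mode", "capabilities")
        return "medium" if any(t in f.failed for t in perms) else "low"
    content = ("digest", "size", "symlink", "mode", "owner", "capabilities")
    if any(t in f.failed for t in content):
        return "high"      # contents or permissions of a package binary changed
    if f.unverified:
        return "medium"    # rpm could not check it, so a '.' elsewhere proves nothing
    return "medium" if f.failed else "low"


def triage(output: str) -> List[Tuple[str, str]]:
    """Parse a whole `rpm -V` run and return (severity, path), worst first."""
    findings = [f for f in map(parse_line, output.splitlines()) if f]
    order = ("high", "medium", "low")
    return sorted(((severity(f), f.path) for f in findings),
                  key=lambda s: order.index(s[0]))


def skipped_tests(verifyflags: int) -> List[str]:
    """Tests the package builder turned off for a file via %verify(not ...)."""
    return [name for bit, name in VERIFY_BITS if not verifyflags & bit]


# Constructed sample of `rpm -V procps util-linux` output, not from a real system.
SAMPLE_RPM_V_OUTPUT = """\
S.5....T.    /bin/ps
.......T.  c /etc/login.defs
missing     d /usr/share/doc/util-linux/README
..?......    /bin/login
"""

if __name__ == "__main__":
    for sev, path in triage(SAMPLE_RPM_V_OUTPUT):
        print(f"{sev:6} {path}")
    # A file built with %verify(not md5 size mtime): content changes are invisible to rpm -V.
    print("silently skipped:", skipped_tests(ALL_TESTS & ~(1 | 2 | 32)))
```

The `skipped_tests` output is the part worth checking before trusting a clean `rpm -V`: a file whose digest, size and mtime tests are all off will never be reported no matter what was written over it, which is exactly the blind spot described above.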